GitHub
commit
4a5e91fb67
|
|
@ -3,13 +3,6 @@ let
|
|||
hostname = "mail.${config.fsr.domain}";
|
||||
domain = config.fsr.domain;
|
||||
rspamd-domain = "rspamd.${config.fsr.domain}";
|
||||
# brauchen wir das überhaupt?
|
||||
#ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
|
||||
#server_host = ldap://localhost
|
||||
#search_base = dc=ifsr, dc=de
|
||||
#query_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||
#result_attribute=mail
|
||||
#'';
|
||||
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
|
||||
uris = ldap://localhost
|
||||
dn = uid=search, ou=users, dc=ifsr, dc=de
|
||||
|
|
@ -19,20 +12,27 @@ let
|
|||
ldap_version = 3
|
||||
scope = subtree
|
||||
base = dc=ifsr, dc=de
|
||||
user_filter = (&(objectClass=posixAccount)(mail=%u))
|
||||
pass_filter = (&(objectClass=posixAccount)(mail=%u))
|
||||
user_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||
pass_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||
'';
|
||||
in
|
||||
{
|
||||
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
|
||||
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
|
||||
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 25 465 993 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
25 # insecure SMTP
|
||||
465
|
||||
587 # SMTP
|
||||
993 # IMAP
|
||||
];
|
||||
users.users.postfix.extraGroups = [ "opendkim" ];
|
||||
|
||||
services = {
|
||||
postfix = {
|
||||
enable = true;
|
||||
enableSubmission = true;
|
||||
enableSubmissions = true;
|
||||
hostname = "${hostname}";
|
||||
domain = "${domain}";
|
||||
|
|
@ -67,21 +67,21 @@ in
|
|||
config = {
|
||||
home_mailbox = "Maildir/";
|
||||
smtp_use_tls = true;
|
||||
smtp_tls_security_level = "encrypt";
|
||||
# smtp_tls_security_level = "encrypt";
|
||||
smtpd_use_tls = true;
|
||||
smtpd_tls_security_level = lib.mkForce "encrypt";
|
||||
smtpd_tls_auth_only = true;
|
||||
# smtpd_tls_security_level = lib.mkForce "encrypt";
|
||||
# smtpd_tls_auth_only = true;
|
||||
smtpd_tls_protocols = [
|
||||
"!SSLv2"
|
||||
"!SSLv3"
|
||||
"!TLSv1"
|
||||
"!TLSv1.1"
|
||||
];
|
||||
# "reject_non_fqdn_hostname"
|
||||
smtpd_recipient_restrictions = [
|
||||
"permit_sasl_authenticated"
|
||||
"permit_mynetworks"
|
||||
"reject_unauth_destination"
|
||||
"reject_non_fqdn_hostname"
|
||||
"reject_non_fqdn_sender"
|
||||
"reject_non_fqdn_recipient"
|
||||
"reject_unknown_sender_domain"
|
||||
|
|
@ -95,7 +95,9 @@ in
|
|||
"permit_mynetworks"
|
||||
"reject_unauth_destination"
|
||||
];
|
||||
#alias_maps = [ "ldap:${ldap-aliases}" ];
|
||||
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
||||
alias_maps = [ "hash:/etc/aliases" ];
|
||||
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
||||
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
|
||||
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
|
||||
smtpd_sasl_auth_enable = true;
|
||||
|
|
@ -103,7 +105,7 @@ in
|
|||
smtpd_sasl_type = "dovecot";
|
||||
#mailman stuff
|
||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" ];
|
||||
};
|
||||
};
|
||||
dovecot2 = {
|
||||
|
|
@ -198,4 +200,10 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
security.acme.certs."${domain}" = {
|
||||
reloadServices = [
|
||||
"postfix.service"
|
||||
"dovecot2.service"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
webHosts = [ "lists.${config.fsr.domain}" ];
|
||||
hyperkitty.enable = true;
|
||||
enablePostfix = true;
|
||||
siteOwner = "root@${config.fsr.domain}";
|
||||
siteOwner = "mailman@${config.fsr.domain}";
|
||||
ldap = {
|
||||
enable = true;
|
||||
serverUri = "ldap://localhost";
|
||||
|
|
@ -23,7 +23,9 @@
|
|||
groupSearch = {
|
||||
ou = "ou=groups, dc=ifsr, dc=de";
|
||||
query = "(objectClass=groupOfNames)";
|
||||
type = "groupOfNames";
|
||||
};
|
||||
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."lists.${config.fsr.domain}" = {
|
||||
|
|
|
|||
|
|
@ -2,6 +2,10 @@
|
|||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${config.fsr.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
appendHttpConfig = ''
|
||||
map $remote_addr $remote_addr_anon {
|
||||
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
|
||||
|
|
|
|||
|
|
@ -15,7 +15,8 @@ mediawiki:
|
|||
postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
|
||||
initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
|
||||
ldapprovider: ENC[AES256_GCM,data:CPsrWmUviUpFIVVN/2a1lRjJCoZCWR9zrHm3T5Tv/YuXSYXStZGfBgXN96zhJUUpZcwiJq95o1sajyit+6itZCcGAPu0BTHSnNXRu1fgifonXE0ghw6rvzwkYpfBS+rfmBcG2wxX+7uZG3ulANYpvvGMxpKgM5IzQjE1sAytRDir6QeMGcFHP2gV4xQAdTNUZK2V+EKOlrcV5vTSzDSy3eXg18TVUgZqdxaQFfwnr2UN0eEEZ4Dn83G3QWsROZ0A7R3tuEmdAzmR8AdWBxfqCcOA8vZaOIOWb1AyobLCUaqQOj/SbGdgehMOQn1UcbRHpYQ2E9mvxD572uc/U5kzy/TbOLM34pkvckNrGfxwvqwbvXZrVP3gONY5CnJpk5XfVdT5Au/uwE5ZRs83ZEx31+85mpK3HecyBWRfWID0z2XS8PAU6G7ASQsXCh6sd5LFhL7zhxBQ4ENjT8pDi0OLYvw9VzPhPrdzooULeMytGitVWRtLsSzCn/D+U4x6EJLivLW6jv9SAIKg54fAjNEBYHh7GuHbr/VGtmiWKj6av2e3/BLgPOIyINzNv+X5QSsopZ2/yamPs+ARTOqAZvSyRgqereYoLZ5ZV15jIWiGc7HVfj/+Bk7cN4+VwFhzSuttp1DmvNNIWueeX69rdSqe41Y2lqKZ4ajOSIJ+YLP/dR0wvrVbd7QSP2OVRAnMugmeekbIuyIKPNsNJ183Z4y1m/ihIdRAzLnjSYuYCdWw3LXl5gM0ZTtGb7K+cIYcyJrS3fcaErDmqyI/LJoXNTo5CJI=,iv:ycKt8/awCo3HoO6Oa8H77GH9+m+xgR4kiXb7Cbf0wSY=,tag:b6pBoZs+E4CP+V9oZXrcoQ==,type:str]
|
||||
mautrix-telegram_env: ENC[AES256_GCM,data:aksa5kx1fwRz9gu8rNsR6MclUFIttJxMchwLi7yH99T1cYn9YUskeORkvNcgaIPpd4dSPUZMbfWU3gbTlWh8ettI1uCdChg5EXbdOv2CIXfXCsvHx8a6lZPUOcWjoUXGh3693a5xiGv6jeKH4D0Hu50KN70a0XcMyLuW9mBcRnNqpHnzHkFWQNLYw7aHpNOYOz9D0s14DypHkJnVh43SjWvhFZF3tZjGI+kr/I/ZMvQ3/ujx42nuDqNSzT6Qk5e9,iv:JBijgTMjuXhUI2e8RqkLAr/ZRbJJtZTYOYSSX8zsflA=,tag:o1GY3LP7Jk/NnX1EMgEXfg==,type:str]
|
||||
postfix_ldap_aliases: ENC[AES256_GCM,data:SFCncYQAY2ZOA4d8YO58HQvUIRpevU6dX3BDv/pnB1JlvNmQH7oy4NZ4zf24/1i11EV7Z0NvPsa4sAqj8xRR++yyzeG9RQk3Pcst3AkFtA+MkNP0ueZJYsvLKyUE6G7UpzVVuLI+L5R121JrRp6+r5xqckOBNCBo73ulb7tC67hSfLA+ZNmDw+bKbshHej4l3hvM/c2sHLbcPp/+vxLXqthPR+y8lf6J/QgZ8Yzw1JxFVDO8ypaWpWZZvA3HbAzRJXxk2zxg+lpmgFsyzTXLZGhvf7NdRHUmTP9OgDFt/efhxpUvDYpDinzVOuFrYJGL/4U0LLvxtGQQaQ==,iv:dUx+BsJWaiZ6MeNB+OhrSxQf+co2USjJM5rKt7OP5GI=,tag:nOVLxEyIRSNnxGa8eHMmFQ==,type:str]
|
||||
mautrix-telegram_env: ENC[AES256_GCM,data:2p5vYV+/vEDrrZItTcT1vxddv2tM7dLGBUmG+OXHccTzJ2UhyYpDGgUMr5KgObxvyssYBZTsvbV7QFN3sjcU/jVPx1qEUn6zyKO0HBQjrviVU3urx5zNOnCEHwDKyDrZ1Hu/CE6lpGNrtGlpewgOs/+84JZIZhC9qSuzDhN38sr4OGfMr29fMzafYC+TGHoZyA64GI9xz0KvXhwg6ci1hLtVWYEOFW2Nf8uLY8qkNLuDzA6bYx8rn3CEXoxiv0n4,iv:jmcWTyVkqu9nDc1ws2NxkMKrHPZ13i3jqDkk4Y0kejw=,tag:BjhmPc4lSbsZBmZ/q2CqGg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
|
@ -31,8 +32,8 @@ sops:
|
|||
NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
|
||||
+LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-05-04T14:41:24Z"
|
||||
mac: ENC[AES256_GCM,data:fdQazIIIZJWo5QjbMC9kH1Bu8s9L229q60Zg+8H85JVVpfgwATDTjfg2XcDTEFglpTQAUXCh34AkkX3We5faGb9W6GhX9kc4vc6qwOusX849cojNOVussnZYDSBRmlOLMtQKcArG2yVTjRtOm9jf8Lbff5xts2lsZkXS2iz6qb8=,iv:QWmNyKUCY2LoE0c3dEIsvlg50o0txMjhCvnwjy4xwA8=,tag:JIJ5vEiKoEJ08oehVZZ5Bw==,type:str]
|
||||
lastmodified: "2023-07-04T07:41:45Z"
|
||||
mac: ENC[AES256_GCM,data:YLC02dhSSLl9C1B7wo/AJcY4a4zc1LIaA0PKH0H8uZ8I9Kh105yk4sc2cz15FVMLtkMeIdfnhmWxbnPyLbM0mA9bAYT9MQn65quEgDumr+XH0UW6m1e2S23/2fxTFH1xRWsu7/Kon/gdzLb5hf2m30eJAP7MrdpxDz28Q7ut1P4=,iv:9UC71WxpDt1bxWSu16Sc+OKpy6KmX0Ru+Q54LYuQCBU=,tag:CpNKSJem+XHimm+yzRpwaw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-04-23T17:48:54Z"
|
||||
enc: |
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ mediawiki:
|
|||
initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
|
||||
ldapprovider: ENC[AES256_GCM,data:dVrCFVgm4BDtUhcj9rSKXwnaIKsC5GGsDUoPJH1q5F4inskuSbFigcLM/UJFNOcr5R1dL+mYUOvnmIcoWA5AsuFKs3NzSYJVtVAm0x7vYSkHnfXu93V2F8Lc1xX/kZrFfnmNUXwhv2I+hknPUApY7wpmZOdk9NLKv4tbsgVTbfmR/WM6soOurh3b6b4cknfxqSeLZLeOIKL5WL8842t5SethyCfPsCm74JCpwHmflkCyT/lzIP1Kghab+xGWWyN9OAENlDZrJE6VAdctR+MKYZnhA7dXKeQPjKii9MZsDYFYTL5YDRysam4r7Jog/fozgWkXNrCUan29efnnBwpLz5hgV1MguIpvU8ccDQLNvgJCOdp6FgH45ZRlCxx29EWzh9iTDGPqmNsctUknFdfUVfIg9ziz/97i/kGcwy5N1oOsoUf7iRj5zLyLP6OlXGNThowF4jlNdI2b+caQGz7H6ZkJfUPWULotBUrjxrZo3pSYRkpJ77xbGUZf35ysxTHpfsmhyyO9HRhhgNkilEHlcsi8u+AC0su+Htg/Io332tSX+W6Gj6R6Q23hQ0gf8on5Y2xx34ysobEh8cMS4+Kj0nwasMHjW70g3qWpKkG1LSOIgXiA7hcusGCo8xPZ1y3gIyRiTxVTPJHh63Ecd0O37P4NWVSKEpsIM5pkngMN5L5K/ymtZ0kjREX2q4qpXf2xJiTTdAkeTMcmDs9HHjOzIIynYouY7P6qdXUpXjyGwqfovmnIv5icQ6sqFA==,iv:sPRnnIEif6W1SPy5SKiUuY681HeLPcR19U4p1mdUGdc=,tag:zeMdtTRk8ULP4GYDQLIU7A==,type:str]
|
||||
mautrix-telegram_env: ENC[AES256_GCM,data:vqHmM3mRrIYMT4760sglAlBZoOb7siqx3alvQE5rpq8z6FgOqJxHqGaN1quhpAVVe9ugtlvezVh8eSFX+45Y5rtqJ7iylxmC+y8JGsyLIflf674Si7h07bedCcT0wBg1ioI/JILDwICiAf0=,iv:BAPKiVt2l3E7z1Wk9ky6WFYr6hn62d+X5r0NMdUYwJQ=,tag:CRddpVMHQLwhwUF1hn0JKA==,type:str]
|
||||
postfix_ldap_aliases: ENC[AES256_GCM,data:cpMrQE7cQafsB+cBJWhj+XrMKntZvYle19d4JojAoLKXT/D7XauR6IPYhiT+X3g6iQI1HZ6BGbEp9CnhK3KvPdx5R7S6vs0wZYdcRHh0HImI1P/j6ffALlYTVojJ7AazDM/DEf53+qndbU1sqykjAOhXRkBfZnlDLooETuPsRpLL/4ZE1NuntVyKLlG/u10/moUgS/Gsrkk0K7ns5WFJjUcQq8P9gakc9mcJw32DHTiVV0UbZoFqkMI3LD7zFr17klXtKYYWcOcH5ZGmJax1X+PaAzogOf2/JFVNSae2Uvk=,iv:eSE+ADQI9QeN083ECwcekPJIKGEImoJrP7b/JSemDkY=,tag:g9V3ZDXi1x0wNVvGyA/wnQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
|
@ -31,8 +32,8 @@ sops:
|
|||
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
|
||||
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-05-04T14:41:09Z"
|
||||
mac: ENC[AES256_GCM,data:qY1fcRl53tcvgYAqhvWLfAxe6MRvcXcbkeLMtQShQtyKRv4BW0AMOh0OOKFcxxcMbucG4j9yufvK18Q8COIslsOtm5wZhEjK8+sK0RT3l6uX0EPn/aNwGWwScXjMOeKJEBEozA4xPHt7+flTsRDAzjRz+ixC/cevm1Iu/ok17lE=,iv:OTtpuinzQXZ6nykpH8/XwIUYDNf+DNWrbDxCmJpdqAc=,tag:ng3dWwOdj60iy4yT4Ux8Cw==,type:str]
|
||||
lastmodified: "2023-07-04T07:48:57Z"
|
||||
mac: ENC[AES256_GCM,data:eJH7Ng7qBO8XtKjAn2grHYlgOhivsD20QqFrUXncte8REpcUac7Td3OSogjXdky7DLhk9Pw0HML/fUu3DmtSFpdPkfg+kpprRXIK8QjYCB3OlDVqsnZiDkUitELtonNLddUKPOJW8B6EOiLPFyESJzBKGA0NqY7GVVFe7JSI1P4=,iv:G0ug1InP53pWOcVFTkhEa1l3HLS3w8RDZi3HXSBK9/8=,tag:cDwqTw4z0ideXewB/M0hHg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-18T16:37:58Z"
|
||||
enc: |
|
||||
|
|
|
|||
Loading…
Reference in a new issue