diff --git a/flake.nix b/flake.nix index 335440c..ef4e809 100755 --- a/flake.nix +++ b/flake.nix @@ -61,6 +61,7 @@ ./modules/sops.nix ./modules/ldap.nix # ./modules/keycloak.nix replaced by portunus + ./modules/mail.nix ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix diff --git a/modules/mail.nix b/modules/mail.nix new file mode 100644 index 0000000..14c009c --- /dev/null +++ b/modules/mail.nix @@ -0,0 +1,165 @@ +{ config, pkgs, ... }: +let + hostname = "mail.${config.fsr.domain}"; + domain = config.fsr.domain; + rspamd-domain = "rspamd.${config.fsr.domain}"; + # brauchen wir das überhaupt? + #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' + #server_host = ldap://localhost + #search_base = ou=mail, dc=ifsr, dc=de + #''; + dovecot-ldap-args = pkgs.writeText "ldap-args" '' + uris = ldap://localhost + dn = uid=search, ou=users, dc=ifsr, dc=de + auth_bind = yes + dnpass = $(${pkgs.coreutils}/bin/cat ${config.sops.secrets."portunus_search".path}) + + ldap_version = 3 + scope = subtree + base = dc=ifsr, dc=de + user_filter = (&(ou=mail)(uid=%n)) + pass_filter = (&(ou=mail)(uid=%n)) + ''; +in +{ + sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; + + networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + + services = { + postfix = { + enable = true; + hostname = "${hostname}"; + domain = "${domain}"; + relayHost = ""; + origin = "${domain}"; + destination = [ "${hostname}" "${domain}" "localhost" ]; + sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslKey = "/var/lib/acme/${hostname}/key.pem"; + config = { + smtpd_recipient_restrictions = [ + "reject_unauth_destination" + "permit_sasl_authenticated" + "permit_mynetworks" + ]; + #alias_maps = [ "ldap:${ldap-aliases}" ]; + smtpd_sasl_auth_enable = true; + smtpd_sasl_path = "/var/lib/postfix/auth"; + virtual_mailbox_base = "/var/lib/mail"; + }; + }; + dovecot2 = { + enable = true; + enableImap = true; + enableQuota = false; + sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslServerKey = "/var/lib/acme/${hostname}/key.pem"; + mailboxes = { + Spam = { + auto = "create"; + specialUse = "Junk"; + }; + Sent = { + auto = "create"; + specialUse = "Sent"; + }; + Drafts = { + auto = "create"; + specialUse = "Drafts"; + }; + Trash = { + auto = "create"; + specialUse = "Trash"; + }; + }; + extraConfig = '' + mail_location = maildir:/var/lib/mail/%u + passdb { + driver = ldap + args = ${dovecot-ldap-args} + } + userdb { + driver = ldap + args = ${dovecot-ldap-args} + } + service auth { + unix_listener /var/lib/postfix/auth { + group = postfix + mode = 0660 + user = postfix + } + } + ''; + }; + rspamd = { + enable = true; + postfix.enable = true; + locals = { + "worker-controller.inc".source = config.sops.secrets."rspamd-password".path; + "redis.conf".text = '' + read_servers = "127.0.0.1"; + write_servers = "127.0.0.1"; + ''; + "dkim_signing.conf".text = '' + path = "/var/lib/rspamd/dkim/$domain.$selector.key"; + selector = "quitte"; + sign_authenticated = true; + use_domain = "header"; + ''; + }; + }; + redis = { + vmOverCommit = true; + servers.rspamd = { + enable = true; + port = 6379; + }; + }; + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts."${hostname}" = { + forceSSL = true; + enableACME = true; + }; + virtualHosts."${rspamd-domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:11334"; + proxyWebsockets = true; + }; + }; + }; + }; + }; +} + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index c01f749..9a186ee 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml @@ -5,7 +5,8 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] -portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str] +portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str] +rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZgV+UlfsJk9IELIA==,iv:7O48+wB7zJUIp3lQDTC7tkP1UFvmDfjs50x1Zo3hOhw=,tag:MNdiDF22a3n1ZrE6qTDVLA==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] @@ -25,8 +26,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:50:14Z" - mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str] + lastmodified: "2023-02-03T14:46:12Z" + mac: ENC[AES256_GCM,data:Bg5S8lSYnCUhlYFObVpmPXsp2IVxm1vfDdyzEmGGoKNU9lit/0nxrmgv3ZvOfzrcilQQHLzAfPIM5HXTCVtoPPWmkicQ72SdNWLJbY9p1+MFQgiqFZcVAYb+FMm9s1IOxBgXx/OQWmQxDmTA6jZHqgYBZnrBMgjeo0ol1Zp60uY=,iv:FlCsVbOBQC43yrmAKv8j7b0DTuhZXmeURxWWkbIcRQQ=,tag:e9vubxFQOK6h1fHQ8GHLvQ==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | diff --git a/secrets/test.yaml b/secrets/test.yaml index bc0d72f..f1163c6 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml @@ -6,6 +6,7 @@ hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str] +rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] @@ -25,8 +26,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:26:52Z" - mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str] + lastmodified: "2023-02-03T14:47:01Z" + mac: ENC[AES256_GCM,data:qSuGdUOgVDhZ25zYGfZ6+GC7XxsoGV9dUSKM0YstpSQgR7u9S8fQVkcbz5gNTVhG8bdGQVxmMPTW3QyMI6s76yngs6kBxwnBSycAFowJlO6P/cRPqRlAuVhJy82hq0lOJem93vOnRPBQsb6Da0OS/7+SKoRd/I66BtPNKMmxEdo=,iv:IXy3cuZfUK2k8TIA7LpIbPSzcxXtiW4pmdILO6441Is=,tag:PuACj+FwaTxoTCFLytXoiw==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: |