configured tls and rspamd

This commit is contained in:
Rouven Seifert 2023-01-06 16:57:26 +01:00
parent e569bdec50
commit a11a3614a9
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
3 changed files with 30 additions and 30 deletions

View file

@ -1,10 +1,13 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
hostname = "mail.test.stramke.com"; hostname = "mail.${config.fsr.domain}";
domain = "test.stramke.com"; domain = config.fsr.domain;
in in
{ {
networking.firewall.allowedTCPPorts = [ 25 587 143 ]; sops.secrets."rspamd-password".owner = config.users.user.rspamd.name;
networking.firewall.allowedTCPPorts = [ 25 465 993 ];
services = { services = {
postfix = { postfix = {
enable = true; enable = true;
@ -13,6 +16,8 @@ in
relayHost = ""; relayHost = "";
origin = "${domain}"; origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ]; destination = [ "${hostname}" "${domain}" "localhost" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem";
config = { config = {
smtpd_recipient_restrictions = [ smtpd_recipient_restrictions = [
"reject_unauth_destination" "reject_unauth_destination"
@ -21,17 +26,15 @@ in
]; ];
smtpd_sasl_auth_enable = true; smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_path = "/var/lib/postfix/auth";
virtual_mailbox_base = "/var/spool/mail";
# put in opendkim (port 8891) and rspamd (port 11333) as mail filter
smtpd_milters = [ "inet:localhost:8891" "inet:localhost:11333" ];
non_smtpd_milters = "$smtpd_milters";
milter_default_action = "accept";
}; };
}; };
dovecot2 = { dovecot2 = {
enable = true; enable = true;
enableImap = true; enableImap = true;
enableQuota = false; enableQuota = false;
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
mailboxes = { mailboxes = {
Spam = { Spam = {
auto = "create"; auto = "create";
@ -51,7 +54,7 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''
mail_location = maildir:/var/spool/mail/%u mail_location = maildir:/var/mail/%u
auth_mechanisms = plain login auth_mechanisms = plain login
disable_plaintext_auth = no disable_plaintext_auth = no
userdb { userdb {
@ -64,27 +67,22 @@ in
mode = 0660 mode = 0660
user = postfix user = postfix
} }
} }
''; '';
}; };
rspamd = { rspamd = {
enable = true; enable = true;
workers = { postfix.enable = true;
normal = { locals = {
bindSockets = [ "*:11333" ]; # interface for the mailfilter "worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
};
controller = {
bindSockets = [ "*:11334" ]; # webinterface
}; };
}; };
}; nginx = {
opendkim = {
enable = true; enable = true;
selector = "default"; virtualHosts."${hostname}" = {
domains = "csl:${domain}"; forceSSL = true;
socket = "inet:8891"; enableACME = true;
};
}; };
}; };
} }

View file

@ -5,7 +5,8 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str] portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str]
rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZgV+UlfsJk9IELIA==,iv:7O48+wB7zJUIp3lQDTC7tkP1UFvmDfjs50x1Zo3hOhw=,tag:MNdiDF22a3n1ZrE6qTDVLA==,type:str]
mediawiki: mediawiki:
postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@ -25,8 +26,8 @@ sops:
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-17T22:50:14Z" lastmodified: "2023-02-03T14:46:12Z"
mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str] mac: ENC[AES256_GCM,data:Bg5S8lSYnCUhlYFObVpmPXsp2IVxm1vfDdyzEmGGoKNU9lit/0nxrmgv3ZvOfzrcilQQHLzAfPIM5HXTCVtoPPWmkicQ72SdNWLJbY9p1+MFQgiqFZcVAYb+FMm9s1IOxBgXx/OQWmQxDmTA6jZHqgYBZnrBMgjeo0ol1Zp60uY=,iv:FlCsVbOBQC43yrmAKv8j7b0DTuhZXmeURxWWkbIcRQQ=,tag:e9vubxFQOK6h1fHQ8GHLvQ==,type:str]
pgp: pgp:
- created_at: "2022-11-18T16:37:48Z" - created_at: "2022-11-18T16:37:48Z"
enc: | enc: |

View file

@ -6,6 +6,7 @@ hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str] portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str]
mediawiki: mediawiki:
postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str]
initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
@ -25,8 +26,8 @@ sops:
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-17T22:26:52Z" lastmodified: "2023-02-03T14:47:01Z"
mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str] mac: ENC[AES256_GCM,data:qSuGdUOgVDhZ25zYGfZ6+GC7XxsoGV9dUSKM0YstpSQgR7u9S8fQVkcbz5gNTVhG8bdGQVxmMPTW3QyMI6s76yngs6kBxwnBSycAFowJlO6P/cRPqRlAuVhJy82hq0lOJem93vOnRPBQsb6Da0OS/7+SKoRd/I66BtPNKMmxEdo=,iv:IXy3cuZfUK2k8TIA7LpIbPSzcxXtiW4pmdILO6441Is=,tag:PuACj+FwaTxoTCFLytXoiw==,type:str]
pgp: pgp:
- created_at: "2022-11-18T16:37:58Z" - created_at: "2022-11-18T16:37:58Z"
enc: | enc: |