modules: some refactoring #85

Merged
rouven0 merged 7 commits from refactoring into main 2024-03-14 18:52:14 +01:00
34 changed files with 491 additions and 462 deletions

View file

@ -44,7 +44,7 @@
quitte = self.nixosConfigurations.quitte.config.system.build.toplevel; quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
tomate = self.nixosConfigurations.tomate.config.system.build.toplevel; tomate = self.nixosConfigurations.tomate.config.system.build.toplevel;
}); });
formatters = forAllSystems (system: rec { formatters = forAllSystems (system: {
default = pkgs.${system}.nixpkgs-fmt; default = pkgs.${system}.nixpkgs-fmt;
}); });
hydraJobs = forAllSystems (system: { hydraJobs = forAllSystems (system: {
@ -71,47 +71,24 @@
course-management.nixosModules.default course-management.nixosModules.default
vscode-server.nixosModules.default vscode-server.nixosModules.default
./hosts/quitte/configuration.nix ./hosts/quitte/configuration.nix
./modules/bacula.nix ./options
./modules/options.nix
./modules/base.nix
./modules/sops.nix
./modules/kpp.nix
./modules/ese-website.nix
./modules/core
./modules/ldap ./modules/ldap
./modules/sssd.nix
./modules/mail ./modules/mail
./modules/mailman.nix ./modules/web
./modules/mysql.nix ./modules/courses
./modules/wiki
./modules/matrix
./modules/nix-serve.nix ./modules/nix-serve.nix
./modules/nginx.nix
# ./modules/hydra.nix
./modules/userdir.nix
./modules/hedgedoc.nix ./modules/hedgedoc.nix
./modules/padlist.nix ./modules/padlist.nix
./modules/postgres.nix
./modules/wiki
./modules/ftp.nix
#./modules/stream.nix
./modules/nextcloud.nix ./modules/nextcloud.nix
./modules/matrix.nix
./modules/mautrix-telegram.nix
./modules/sogo.nix
./modules/vaultwarden.nix ./modules/vaultwarden.nix
./modules/website.nix
./modules/zsh.nix
./modules/course-management.nix
./modules/courses-phil.nix
./modules/gitea.nix ./modules/gitea.nix
./modules/fail2ban.nix
./modules/kanboard.nix ./modules/kanboard.nix
./modules/infoscreen.nix
./modules/manual.nix
./modules/sharepic.nix
./modules/zammad.nix ./modules/zammad.nix
./modules/initrd-ssh.nix
./modules/fsrewsp.nix
./modules/nightline.nix
./modules/decisions.nix ./modules/decisions.nix
./modules/struktur-bot.nix ./modules/struktur-bot.nix
{ {
@ -129,10 +106,10 @@
vscode-server.nixosModules.default vscode-server.nixosModules.default
print-interface.nixosModules.default print-interface.nixosModules.default
./hosts/tomate/configuration.nix ./hosts/tomate/configuration.nix
./modules/base.nix ./modules/core/base.nix
./modules/zsh.nix ./modules/core/zsh.nix
./modules/fail2ban.nix ./modules/core/fail2ban.nix
./modules/sssd.nix ./modules/core/sssd.nix
{ {
sops.defaultSopsFile = ./secrets/tomate.yaml; sops.defaultSopsFile = ./secrets/tomate.yaml;
} }

View file

@ -54,14 +54,14 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
]; ];
keyFiles = [ keyFiles = [
../keys/ssh/marcus-sapphire ../../keys/ssh/marcus-sapphire
../keys/ssh/schrader ../../keys/ssh/schrader
../keys/ssh/jannusch ../../keys/ssh/jannusch
../keys/ssh/jannusch-arch ../../keys/ssh/jannusch-arch
../keys/ssh/tassilo ../../keys/ssh/tassilo
../keys/ssh/jonasga ../../keys/ssh/jonasga
../keys/ssh/rouven ../../keys/ssh/rouven
../keys/ssh/joachim ../../keys/ssh/joachim
]; ];
}; };

14
modules/core/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ ... }:
{
imports = [
./base.nix
./bacula.nix
./fail2ban.nix
./initrd-ssh.nix
./mysql.nix
./nginx.nix
./postgres.nix
./sssd.nix
./zsh.nix
];
}

View file

@ -3,6 +3,7 @@ let
hostName = "kurse.${config.networking.domain}"; hostName = "kurse.${config.networking.domain}";
in in
{ {
imports = [ ./phil.nix ];
sops.secrets = sops.secrets =
let inherit (config.services.course-management) user; let inherit (config.services.course-management) user;
in in

View file

@ -1,426 +1,25 @@
{ config, pkgs, ... }: { config, ... }:
let let
hostname = "mail.${config.networking.domain}"; hostname = "mail.${config.networking.domain}";
domain = config.networking.domain;
rspamd-domain = "rspamd.${config.networking.domain}";
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost
dn = uid=search, ou=users, dc=ifsr, dc=de
auth_bind = yes
!include ${config.sops.secrets."dovecot_ldap_search".path}
ldap_version = 3
scope = subtree
base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_filter = (&(objectClass=posixAccount)(uid=%n))
'';
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version/ IGNORE
'';
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
login_maps = pkgs.writeText "login_maps.pcre" ''
# basic username => username@ifsr.de
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
'';
in in
{ {
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; imports = [
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; ./postfix.nix
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user; ./dovecot2.nix
./rspamd.nix
networking.firewall.allowedTCPPorts = [ ./sogo.nix
25 # insecure SMTP ./mailman.nix
143
465
587 # SMTP
993 # IMAP
4190 # sieve
]; ];
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
environment.etc = {
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_spam
'';
mode = "0555";
};
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_ham
'';
mode = "0555";
};
"dovecot/sieve/report-spam.sieve" = {
source = ./report-spam.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
"dovecot/sieve/report-ham.sieve" = {
source = ./report-ham.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
};
services = { # Get SSL certs for dovecot and postfix via ngnix
postfix = { services.nginx.virtualHosts."${hostname}" = {
enable = true;
enableSubmission = true;
enableSubmissions = true;
hostname = "${hostname}";
domain = "${domain}";
origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ];
networksStyle = "host"; # localhost and own public IP
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem";
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
config = {
home_mailbox = "Maildir/";
# 25 MiB
message_size_limit = "26214400";
# hostname used in helo command. It is recommended to have this match the reverse dns entry
smtp_helo_name = config.networking.rDNS;
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
smtp_use_tls = true;
# smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
# smtpd_tls_security_level = lib.mkForce "encrypt";
# smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
# "reject_non_fqdn_hostname"
smtpd_recipient_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_invalid_hostname"
"check_policy_service inet:localhost:12340"
];
smtpd_relay_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
];
# https://www.postfix.org/smtp-smuggling.html
smtpd_data_restrictions = [
"reject_unauth_pipelining"
];
smtpd_sender_restrictions = [
"reject_authenticated_sender_login_mismatch"
];
smtpd_sender_login_maps = [
"pcre:/etc/special-aliases.pcre"
"pcre:${login_maps}"
];
smtp_header_checks = "pcre:${header_cleanup}";
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
alias_maps = [ "hash:/etc/aliases" ];
alias_database = [ "hash:/etc/aliases" ];
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
#mailman stuff
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
};
};
dovecot2 = {
enable = true;
enableImap = true;
enableQuota = true;
quotaGlobalPerUser = "10G";
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [ "imap" "sieve" ];
mailPlugins = {
globally.enable = [ "listescape" ];
perProtocol = {
imap = {
enable = [ "imap_sieve" "imap_filter_sieve" ];
};
lmtp = {
enable = [ "sieve" ];
};
};
};
mailboxes = {
Spam = {
auto = "subscribe";
specialUse = "Junk";
autoexpunge = "60d";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Trash = {
auto = "subscribe";
specialUse = "Trash";
};
Archive = {
auto = "no";
specialUse = "Archive";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
mailUser = "vmail";
mailGroup = "vmail";
sieveScripts = {
before = pkgs.writeText "spam.sieve" ''
require "fileinto";
if anyof(
header :contains "x-spam-flag" "yes",
header :contains "X-Spam-Status" "Yes"){
fileinto "Spam";
}
'';
};
extraConfig = ''
auth_username_format = %Ln
passdb {
driver = ldap
args = ${dovecot-ldap-args}
}
userdb {
driver = ldap
args = ${dovecot-ldap-args}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
}
namespace inbox {
separator = /
inbox = yes
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
client_limit = 1
}
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY APPEND FLAG
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
# Ham: From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
listescape_char = "\\"
}
'';
};
rspamd = {
enable = true;
postfix.enable = true;
locals = {
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
"redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock";
write_servers = "/run/redis-rspamd/redis.sock";
'';
# headers in spamassasin style to not break old sieve scripts
"worker-proxy.inc".text = ''
spam_header = "X-Spam-Flag";
'';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"neural.conf".text = ''
servers = "/run/redis-rspamd/redis.sock";
enabled = true;
'';
"neural_group.conf".text = ''
symbols = {
"NEURAL_SPAM" {
weight = 0.5; # fairly low weight since we don't know how this will behave
description = "Neural network spam";
}
"NEURAL_HAM" {
weight = -0.5;
description = "Neural network ham";
}
}
'';
"dmarc.conf".text = ''
reporting {
enabled = true;
email = 'reports@${config.networking.domain}';
domain = '${config.networking.domain}';
org_name = '${config.networking.domain}';
from_name = 'DMARC Aggregate Report';
}
'';
"dkim_signing.conf".text = ''
selector = "quitte2024";
allow_username_mismatch = true;
allow_hdrfrom_mismatch = true;
use_domain_sign_local = "ifsr.de";
path = /var/lib/rspamd/dkim/$domain.$selector.key;
'';
"multimap.conf".text =
let
local_ips = pkgs.writeText "localhost.map" ''
::1
127.0.0.1
'';
tud_ips = pkgs.writeText "tud.map" ''
141.30.0.0/16
141.76.0.0/16
'';
in
''
WHITELIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/whitelist.sender.domain.map";
action = "accept";
}
WHITELIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/whitelist.sender.email.map";
action = "accept";
}
BLACKLIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/blacklist.sender.domain.map";
action = "reject";
}
BLACKLIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/blacklist.sender.email.map";
action = "reject";
}
BLACKLIST_SUBJECT_KEYWORDS {
type = "header";
header = "Subject"
map = "/var/lib/rspamd/blacklist.keyword.subject.map";
action = "reject";
regexp = true;
}
RECEIVED_LOCALHOST {
type = "ip";
action = "accept";
map = ${local_ips};
}
RECEIVED_TU_NETWORKS {
type = "ip";
map = ${tud_ips};
}
'';
};
};
redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
};
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."${hostname}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
virtualHosts."${rspamd-domain}" = { security.acme.certs."${hostname}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
};
};
};
};
};
security.acme.certs."${domain}" = {
reloadServices = [ reloadServices = [
"postfix.service" "postfix.service"
"dovecot2.service" "dovecot2.service"
]; ];
}; };
systemd = {
services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
User = "rspamd";
Group = "rspamd";
};
startAt = "daily";
};
};
} }

175
modules/mail/dovecot2.nix Normal file
View file

@ -0,0 +1,175 @@
{ config, pkgs, ... }:
let
hostname = "mail.${config.networking.domain}";
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost
dn = uid=search, ou=users, dc=ifsr, dc=de
auth_bind = yes
!include ${config.sops.secrets."dovecot_ldap_search".path}
ldap_version = 3
scope = subtree
base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_filter = (&(objectClass=posixAccount)(uid=%n))
'';
in
{
networking.firewall.allowedTCPPorts = [
143 # IMAP
993 # IMAPS
4190 # Managesieve
];
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
environment.etc = {
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_spam
'';
mode = "0555";
};
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_ham
'';
mode = "0555";
};
"dovecot/sieve/report-spam.sieve" = {
source = ./report-spam.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
"dovecot/sieve/report-ham.sieve" = {
source = ./report-ham.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
};
services.dovecot2 = {
enable = true;
enableImap = true;
enableQuota = true;
quotaGlobalPerUser = "10G";
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [ "imap" "sieve" ];
mailPlugins = {
globally.enable = [ "listescape" ];
perProtocol = {
imap = {
enable = [ "imap_sieve" "imap_filter_sieve" ];
};
lmtp = {
enable = [ "sieve" ];
};
};
};
mailboxes = {
Spam = {
auto = "subscribe";
specialUse = "Junk";
autoexpunge = "60d";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Trash = {
auto = "subscribe";
specialUse = "Trash";
};
Archive = {
auto = "no";
specialUse = "Archive";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
mailUser = "vmail";
mailGroup = "vmail";
sieveScripts = {
before = pkgs.writeText "spam.sieve" ''
require "fileinto";
if anyof(
header :contains "x-spam-flag" "yes",
header :contains "X-Spam-Status" "Yes"){
fileinto "Spam";
}
'';
};
extraConfig = ''
auth_username_format = %Ln
passdb {
driver = ldap
args = ${dovecot-ldap-args}
}
userdb {
driver = ldap
args = ${dovecot-ldap-args}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
}
namespace inbox {
separator = /
inbox = yes
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
client_limit = 1
}
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY APPEND FLAG
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
# Ham: From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
listescape_char = "\\"
}
'';
};
}

View file

@ -40,6 +40,15 @@
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de"; superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
}; };
}; };
services.postfix = {
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
config = {
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
};
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureUsers = [ ensureUsers = [

100
modules/mail/postfix.nix Normal file
View file

@ -0,0 +1,100 @@
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
{ config, pkgs, ... }:
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
let
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
domain = config.networking.domain;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
hostname = "mail.${config.networking.domain}";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*User-Agent/ IGNORE
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*X-Enigmail/ IGNORE
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*X-Mailer/ IGNORE
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*X-Originating-IP/ IGNORE
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^\s*Mime-Version/ IGNORE
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
'';
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
login_maps = pkgs.writeText "login_maps.pcre" ''
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# basic username => username@ifsr.de
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
'';
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
in
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
{
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
networking.firewall.allowedTCPPorts = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
25 # SMTP
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
465 # Submissions
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
587 # Submission
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
services = {
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
postfix = {
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
enable = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
enableSubmission = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
enableSubmissions = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
hostname = "${hostname}";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
domain = "${domain}";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
origin = "${domain}";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
destination = [ "${hostname}" "${domain}" "localhost" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
networksStyle = "host"; # localhost and own public IP
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
sslKey = "/var/lib/acme/${hostname}/key.pem";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
config = {
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
home_mailbox = "Maildir/";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# 25 MiB
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
message_size_limit = "26214400";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# hostname used in helo command. It is recommended to have this match the reverse dns entry
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtp_helo_name = config.networking.rDNS;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtp_use_tls = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# smtp_tls_security_level = "encrypt";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_use_tls = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# smtpd_tls_security_level = lib.mkForce "encrypt";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# smtpd_tls_auth_only = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_tls_protocols = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"!SSLv2"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"!SSLv3"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"!TLSv1"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"!TLSv1.1"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# "reject_non_fqdn_hostname"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_recipient_restrictions = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"permit_sasl_authenticated"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"permit_mynetworks"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unauth_destination"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_non_fqdn_sender"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_non_fqdn_recipient"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unknown_sender_domain"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unknown_recipient_domain"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unauth_destination"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unauth_pipelining"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_invalid_hostname"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"check_policy_service inet:localhost:12340"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_relay_restrictions = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"permit_sasl_authenticated"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"permit_mynetworks"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unauth_destination"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# https://www.postfix.org/smtp-smuggling.html
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_data_restrictions = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_unauth_pipelining"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_sender_restrictions = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"reject_authenticated_sender_login_mismatch"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_sender_login_maps = [
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"pcre:/etc/special-aliases.pcre"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
"pcre:${login_maps}"
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtp_header_checks = "pcre:${header_cleanup}";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
alias_maps = [ "hash:/etc/aliases" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
alias_database = [ "hash:/etc/aliases" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_sasl_auth_enable = true;
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_sasl_path = "/var/lib/postfix/auth";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
smtpd_sasl_type = "dovecot";
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
};
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
};
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
};
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
}
fugidev commented 2024-03-12 22:45:48 +01:00 (Migrated from github.com)
Review

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately

143
modules/mail/rspamd.nix Normal file
View file

@ -0,0 +1,143 @@
{ config, pkgs, ... }:
let
domain = "rspamd.${config.networking.domain}";
in
{
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
services = {
rspamd = {
enable = true;
postfix.enable = true;
locals = {
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
"redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock";
write_servers = "/run/redis-rspamd/redis.sock";
'';
# headers in spamassasin style to not break old sieve scripts
"worker-proxy.inc".text = ''
spam_header = "X-Spam-Flag";
'';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"neural.conf".text = ''
servers = "/run/redis-rspamd/redis.sock";
enabled = true;
'';
"neural_group.conf".text = ''
symbols = {
"NEURAL_SPAM" {
weight = 0.5; # fairly low weight since we don't know how this will behave
description = "Neural network spam";
}
"NEURAL_HAM" {
weight = -0.5;
description = "Neural network ham";
}
}
'';
"dmarc.conf".text = ''
reporting {
enabled = true;
email = 'reports@${config.networking.domain}';
domain = '${config.networking.domain}';
org_name = '${config.networking.domain}';
from_name = 'DMARC Aggregate Report';
}
'';
"dkim_signing.conf".text = ''
selector = "quitte2024";
allow_username_mismatch = true;
allow_hdrfrom_mismatch = true;
use_domain_sign_local = "ifsr.de";
path = /var/lib/rspamd/dkim/$domain.$selector.key;
'';
"multimap.conf".text =
let
local_ips = pkgs.writeText "localhost.map" ''
::1
127.0.0.1
'';
tud_ips = pkgs.writeText "tud.map" ''
141.30.0.0/16
141.76.0.0/16
'';
in
''
WHITELIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/whitelist.sender.domain.map";
action = "accept";
}
WHITELIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/whitelist.sender.email.map";
action = "accept";
}
BLACKLIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/blacklist.sender.domain.map";
action = "reject";
}
BLACKLIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/blacklist.sender.email.map";
action = "reject";
}
BLACKLIST_SUBJECT_KEYWORDS {
type = "header";
header = "Subject"
map = "/var/lib/rspamd/blacklist.keyword.subject.map";
action = "reject";
regexp = true;
}
RECEIVED_LOCALHOST {
type = "ip";
action = "accept";
map = ${local_ips};
}
RECEIVED_TU_NETWORKS {
type = "ip";
map = ${tud_ips};
}
'';
};
};
redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
};
};
nginx = {
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
};
};
};
};
};
systemd = {
services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
User = "rspamd";
Group = "rspamd";
};
startAt = "daily";
};
};
}

View file

@ -22,6 +22,7 @@ let
matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
in in
{ {
imports = [ ./mautrix-telegram.nix ];
sops.secrets.matrix_ldap_search = { sops.secrets.matrix_ldap_search = {
key = "portunus/search-password"; key = "portunus/search-password";
owner = config.systemd.services.matrix-synapse.serviceConfig.User; owner = config.systemd.services.matrix-synapse.serviceConfig.User;

View file

@ -1,5 +0,0 @@
{ ... }:
{
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.generateKey = false;
}

15
modules/web/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }:
{
imports = [
./ifsrde.nix
./ese.nix
./infoscreen.nix
./kpp.nix
./nightline.nix
./fsrewsp.nix
./manual.nix
./sharepic.nix
./userdir.nix
./ftp.nix
];
}