modules: some refactoring #85
47
flake.nix
|
@ -44,7 +44,7 @@
|
||||||
quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
|
quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
|
||||||
tomate = self.nixosConfigurations.tomate.config.system.build.toplevel;
|
tomate = self.nixosConfigurations.tomate.config.system.build.toplevel;
|
||||||
});
|
});
|
||||||
formatters = forAllSystems (system: rec {
|
formatters = forAllSystems (system: {
|
||||||
default = pkgs.${system}.nixpkgs-fmt;
|
default = pkgs.${system}.nixpkgs-fmt;
|
||||||
});
|
});
|
||||||
hydraJobs = forAllSystems (system: {
|
hydraJobs = forAllSystems (system: {
|
||||||
|
@ -71,47 +71,24 @@
|
||||||
course-management.nixosModules.default
|
course-management.nixosModules.default
|
||||||
vscode-server.nixosModules.default
|
vscode-server.nixosModules.default
|
||||||
./hosts/quitte/configuration.nix
|
./hosts/quitte/configuration.nix
|
||||||
./modules/bacula.nix
|
./options
|
||||||
./modules/options.nix
|
|
||||||
./modules/base.nix
|
|
||||||
./modules/sops.nix
|
|
||||||
./modules/kpp.nix
|
|
||||||
./modules/ese-website.nix
|
|
||||||
|
|
||||||
|
./modules/core
|
||||||
./modules/ldap
|
./modules/ldap
|
||||||
./modules/sssd.nix
|
|
||||||
./modules/mail
|
./modules/mail
|
||||||
./modules/mailman.nix
|
./modules/web
|
||||||
./modules/mysql.nix
|
./modules/courses
|
||||||
|
./modules/wiki
|
||||||
|
./modules/matrix
|
||||||
|
|
||||||
./modules/nix-serve.nix
|
./modules/nix-serve.nix
|
||||||
./modules/nginx.nix
|
|
||||||
# ./modules/hydra.nix
|
|
||||||
./modules/userdir.nix
|
|
||||||
./modules/hedgedoc.nix
|
./modules/hedgedoc.nix
|
||||||
./modules/padlist.nix
|
./modules/padlist.nix
|
||||||
./modules/postgres.nix
|
|
||||||
./modules/wiki
|
|
||||||
./modules/ftp.nix
|
|
||||||
#./modules/stream.nix
|
|
||||||
./modules/nextcloud.nix
|
./modules/nextcloud.nix
|
||||||
./modules/matrix.nix
|
|
||||||
./modules/mautrix-telegram.nix
|
|
||||||
./modules/sogo.nix
|
|
||||||
./modules/vaultwarden.nix
|
./modules/vaultwarden.nix
|
||||||
./modules/website.nix
|
|
||||||
./modules/zsh.nix
|
|
||||||
./modules/course-management.nix
|
|
||||||
./modules/courses-phil.nix
|
|
||||||
./modules/gitea.nix
|
./modules/gitea.nix
|
||||||
./modules/fail2ban.nix
|
|
||||||
./modules/kanboard.nix
|
./modules/kanboard.nix
|
||||||
./modules/infoscreen.nix
|
|
||||||
./modules/manual.nix
|
|
||||||
./modules/sharepic.nix
|
|
||||||
./modules/zammad.nix
|
./modules/zammad.nix
|
||||||
./modules/initrd-ssh.nix
|
|
||||||
./modules/fsrewsp.nix
|
|
||||||
./modules/nightline.nix
|
|
||||||
./modules/decisions.nix
|
./modules/decisions.nix
|
||||||
./modules/struktur-bot.nix
|
./modules/struktur-bot.nix
|
||||||
{
|
{
|
||||||
|
@ -129,10 +106,10 @@
|
||||||
vscode-server.nixosModules.default
|
vscode-server.nixosModules.default
|
||||||
print-interface.nixosModules.default
|
print-interface.nixosModules.default
|
||||||
./hosts/tomate/configuration.nix
|
./hosts/tomate/configuration.nix
|
||||||
./modules/base.nix
|
./modules/core/base.nix
|
||||||
./modules/zsh.nix
|
./modules/core/zsh.nix
|
||||||
./modules/fail2ban.nix
|
./modules/core/fail2ban.nix
|
||||||
./modules/sssd.nix
|
./modules/core/sssd.nix
|
||||||
{
|
{
|
||||||
sops.defaultSopsFile = ./secrets/tomate.yaml;
|
sops.defaultSopsFile = ./secrets/tomate.yaml;
|
||||||
}
|
}
|
||||||
|
|
|
@ -54,14 +54,14 @@
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
|
||||||
];
|
];
|
||||||
keyFiles = [
|
keyFiles = [
|
||||||
../keys/ssh/marcus-sapphire
|
../../keys/ssh/marcus-sapphire
|
||||||
../keys/ssh/schrader
|
../../keys/ssh/schrader
|
||||||
../keys/ssh/jannusch
|
../../keys/ssh/jannusch
|
||||||
../keys/ssh/jannusch-arch
|
../../keys/ssh/jannusch-arch
|
||||||
../keys/ssh/tassilo
|
../../keys/ssh/tassilo
|
||||||
../keys/ssh/jonasga
|
../../keys/ssh/jonasga
|
||||||
../keys/ssh/rouven
|
../../keys/ssh/rouven
|
||||||
../keys/ssh/joachim
|
../../keys/ssh/joachim
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
14
modules/core/default.nix
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./base.nix
|
||||||
|
./bacula.nix
|
||||||
|
./fail2ban.nix
|
||||||
|
./initrd-ssh.nix
|
||||||
|
./mysql.nix
|
||||||
|
./nginx.nix
|
||||||
|
./postgres.nix
|
||||||
|
./sssd.nix
|
||||||
|
./zsh.nix
|
||||||
|
];
|
||||||
|
}
|
|
@ -3,6 +3,7 @@ let
|
||||||
hostName = "kurse.${config.networking.domain}";
|
hostName = "kurse.${config.networking.domain}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [ ./phil.nix ];
|
||||||
sops.secrets =
|
sops.secrets =
|
||||||
let inherit (config.services.course-management) user;
|
let inherit (config.services.course-management) user;
|
||||||
in
|
in
|
|
@ -1,426 +1,25 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, ... }:
|
||||||
let
|
let
|
||||||
hostname = "mail.${config.networking.domain}";
|
hostname = "mail.${config.networking.domain}";
|
||||||
domain = config.networking.domain;
|
|
||||||
rspamd-domain = "rspamd.${config.networking.domain}";
|
|
||||||
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
|
|
||||||
uris = ldap://localhost
|
|
||||||
dn = uid=search, ou=users, dc=ifsr, dc=de
|
|
||||||
auth_bind = yes
|
|
||||||
!include ${config.sops.secrets."dovecot_ldap_search".path}
|
|
||||||
|
|
||||||
ldap_version = 3
|
|
||||||
scope = subtree
|
|
||||||
base = dc=ifsr, dc=de
|
|
||||||
user_filter = (&(objectClass=posixAccount)(uid=%n))
|
|
||||||
pass_filter = (&(objectClass=posixAccount)(uid=%n))
|
|
||||||
'';
|
|
||||||
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
|
|
||||||
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
|
|
||||||
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
|
|
||||||
/^\s*User-Agent/ IGNORE
|
|
||||||
/^\s*X-Enigmail/ IGNORE
|
|
||||||
/^\s*X-Mailer/ IGNORE
|
|
||||||
/^\s*X-Originating-IP/ IGNORE
|
|
||||||
/^\s*Mime-Version/ IGNORE
|
|
||||||
'';
|
|
||||||
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
|
|
||||||
login_maps = pkgs.writeText "login_maps.pcre" ''
|
|
||||||
# basic username => username@ifsr.de
|
|
||||||
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
|
|
||||||
'';
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
|
imports = [
|
||||||
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
|
./postfix.nix
|
||||||
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
./dovecot2.nix
|
||||||
|
./rspamd.nix
|
||||||
networking.firewall.allowedTCPPorts = [
|
./sogo.nix
|
||||||
25 # insecure SMTP
|
./mailman.nix
|
||||||
143
|
|
||||||
465
|
|
||||||
587 # SMTP
|
|
||||||
993 # IMAP
|
|
||||||
4190 # sieve
|
|
||||||
];
|
];
|
||||||
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
|
|
||||||
environment.etc = {
|
|
||||||
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
|
|
||||||
text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
${pkgs.rspamd}/bin/rspamc learn_spam
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
};
|
|
||||||
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
|
|
||||||
text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
${pkgs.rspamd}/bin/rspamc learn_ham
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
};
|
|
||||||
"dovecot/sieve/report-spam.sieve" = {
|
|
||||||
source = ./report-spam.sieve;
|
|
||||||
user = "dovecot2";
|
|
||||||
group = "dovecot2";
|
|
||||||
mode = "0544";
|
|
||||||
};
|
|
||||||
"dovecot/sieve/report-ham.sieve" = {
|
|
||||||
source = ./report-ham.sieve;
|
|
||||||
user = "dovecot2";
|
|
||||||
group = "dovecot2";
|
|
||||||
mode = "0544";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
# Get SSL certs for dovecot and postfix via ngnix
|
||||||
postfix = {
|
services.nginx.virtualHosts."${hostname}" = {
|
||||||
enable = true;
|
|
||||||
enableSubmission = true;
|
|
||||||
enableSubmissions = true;
|
|
||||||
hostname = "${hostname}";
|
|
||||||
domain = "${domain}";
|
|
||||||
origin = "${domain}";
|
|
||||||
destination = [ "${hostname}" "${domain}" "localhost" ];
|
|
||||||
networksStyle = "host"; # localhost and own public IP
|
|
||||||
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
|
||||||
sslKey = "/var/lib/acme/${hostname}/key.pem";
|
|
||||||
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
|
||||||
config = {
|
|
||||||
home_mailbox = "Maildir/";
|
|
||||||
# 25 MiB
|
|
||||||
message_size_limit = "26214400";
|
|
||||||
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
|
||||||
smtp_helo_name = config.networking.rDNS;
|
|
||||||
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
|
|
||||||
smtp_use_tls = true;
|
|
||||||
# smtp_tls_security_level = "encrypt";
|
|
||||||
smtpd_use_tls = true;
|
|
||||||
# smtpd_tls_security_level = lib.mkForce "encrypt";
|
|
||||||
# smtpd_tls_auth_only = true;
|
|
||||||
smtpd_tls_protocols = [
|
|
||||||
"!SSLv2"
|
|
||||||
"!SSLv3"
|
|
||||||
"!TLSv1"
|
|
||||||
"!TLSv1.1"
|
|
||||||
];
|
|
||||||
# "reject_non_fqdn_hostname"
|
|
||||||
smtpd_recipient_restrictions = [
|
|
||||||
"permit_sasl_authenticated"
|
|
||||||
"permit_mynetworks"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
"reject_non_fqdn_sender"
|
|
||||||
"reject_non_fqdn_recipient"
|
|
||||||
"reject_unknown_sender_domain"
|
|
||||||
"reject_unknown_recipient_domain"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
"reject_unauth_pipelining"
|
|
||||||
"reject_invalid_hostname"
|
|
||||||
"check_policy_service inet:localhost:12340"
|
|
||||||
];
|
|
||||||
smtpd_relay_restrictions = [
|
|
||||||
"permit_sasl_authenticated"
|
|
||||||
"permit_mynetworks"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
];
|
|
||||||
# https://www.postfix.org/smtp-smuggling.html
|
|
||||||
smtpd_data_restrictions = [
|
|
||||||
"reject_unauth_pipelining"
|
|
||||||
];
|
|
||||||
smtpd_sender_restrictions = [
|
|
||||||
"reject_authenticated_sender_login_mismatch"
|
|
||||||
];
|
|
||||||
smtpd_sender_login_maps = [
|
|
||||||
"pcre:/etc/special-aliases.pcre"
|
|
||||||
"pcre:${login_maps}"
|
|
||||||
];
|
|
||||||
smtp_header_checks = "pcre:${header_cleanup}";
|
|
||||||
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
|
||||||
alias_maps = [ "hash:/etc/aliases" ];
|
|
||||||
alias_database = [ "hash:/etc/aliases" ];
|
|
||||||
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
|
||||||
smtpd_sasl_auth_enable = true;
|
|
||||||
smtpd_sasl_path = "/var/lib/postfix/auth";
|
|
||||||
smtpd_sasl_type = "dovecot";
|
|
||||||
#mailman stuff
|
|
||||||
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
|
||||||
|
|
||||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
|
||||||
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
|
|
||||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
dovecot2 = {
|
|
||||||
enable = true;
|
|
||||||
enableImap = true;
|
|
||||||
enableQuota = true;
|
|
||||||
quotaGlobalPerUser = "10G";
|
|
||||||
enableLmtp = true;
|
|
||||||
enablePAM = false;
|
|
||||||
mailLocation = "maildir:~/Maildir";
|
|
||||||
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
|
||||||
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
|
|
||||||
protocols = [ "imap" "sieve" ];
|
|
||||||
mailPlugins = {
|
|
||||||
globally.enable = [ "listescape" ];
|
|
||||||
perProtocol = {
|
|
||||||
imap = {
|
|
||||||
enable = [ "imap_sieve" "imap_filter_sieve" ];
|
|
||||||
};
|
|
||||||
lmtp = {
|
|
||||||
enable = [ "sieve" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mailboxes = {
|
|
||||||
Spam = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Junk";
|
|
||||||
autoexpunge = "60d";
|
|
||||||
};
|
|
||||||
Sent = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Sent";
|
|
||||||
};
|
|
||||||
Drafts = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Drafts";
|
|
||||||
};
|
|
||||||
Trash = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Trash";
|
|
||||||
};
|
|
||||||
Archive = {
|
|
||||||
auto = "no";
|
|
||||||
specialUse = "Archive";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
modules = [
|
|
||||||
pkgs.dovecot_pigeonhole
|
|
||||||
];
|
|
||||||
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
|
|
||||||
mailUser = "vmail";
|
|
||||||
mailGroup = "vmail";
|
|
||||||
sieveScripts = {
|
|
||||||
before = pkgs.writeText "spam.sieve" ''
|
|
||||||
require "fileinto";
|
|
||||||
|
|
||||||
if anyof(
|
|
||||||
header :contains "x-spam-flag" "yes",
|
|
||||||
header :contains "X-Spam-Status" "Yes"){
|
|
||||||
fileinto "Spam";
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
extraConfig = ''
|
|
||||||
auth_username_format = %Ln
|
|
||||||
passdb {
|
|
||||||
driver = ldap
|
|
||||||
args = ${dovecot-ldap-args}
|
|
||||||
}
|
|
||||||
userdb {
|
|
||||||
driver = ldap
|
|
||||||
args = ${dovecot-ldap-args}
|
|
||||||
}
|
|
||||||
service auth {
|
|
||||||
unix_listener /var/lib/postfix/auth {
|
|
||||||
group = postfix
|
|
||||||
mode = 0660
|
|
||||||
user = postfix
|
|
||||||
}
|
|
||||||
}
|
|
||||||
service managesieve-login {
|
|
||||||
inet_listener sieve {
|
|
||||||
port = 4190
|
|
||||||
}
|
|
||||||
service_count = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
namespace inbox {
|
|
||||||
separator = /
|
|
||||||
inbox = yes
|
|
||||||
}
|
|
||||||
|
|
||||||
service lmtp {
|
|
||||||
unix_listener dovecot-lmtp {
|
|
||||||
group = postfix
|
|
||||||
mode = 0600
|
|
||||||
user = postfix
|
|
||||||
}
|
|
||||||
client_limit = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
plugin {
|
|
||||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
|
||||||
sieve_global_extensions = +vnd.dovecot.pipe
|
|
||||||
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
|
|
||||||
|
|
||||||
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
|
|
||||||
imapsieve_mailbox1_name = Spam
|
|
||||||
imapsieve_mailbox1_causes = COPY APPEND FLAG
|
|
||||||
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
|
|
||||||
|
|
||||||
# Ham: From Spam folder to elsewhere
|
|
||||||
imapsieve_mailbox2_name = *
|
|
||||||
imapsieve_mailbox2_from = Spam
|
|
||||||
imapsieve_mailbox2_causes = COPY
|
|
||||||
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
|
|
||||||
|
|
||||||
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
|
|
||||||
listescape_char = "\\"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
rspamd = {
|
|
||||||
enable = true;
|
|
||||||
postfix.enable = true;
|
|
||||||
locals = {
|
|
||||||
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
|
|
||||||
"redis.conf".text = ''
|
|
||||||
read_servers = "/run/redis-rspamd/redis.sock";
|
|
||||||
write_servers = "/run/redis-rspamd/redis.sock";
|
|
||||||
'';
|
|
||||||
# headers in spamassasin style to not break old sieve scripts
|
|
||||||
"worker-proxy.inc".text = ''
|
|
||||||
spam_header = "X-Spam-Flag";
|
|
||||||
'';
|
|
||||||
"milter_headers.conf".text = ''
|
|
||||||
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
|
|
||||||
'';
|
|
||||||
"neural.conf".text = ''
|
|
||||||
servers = "/run/redis-rspamd/redis.sock";
|
|
||||||
enabled = true;
|
|
||||||
'';
|
|
||||||
"neural_group.conf".text = ''
|
|
||||||
symbols = {
|
|
||||||
"NEURAL_SPAM" {
|
|
||||||
weight = 0.5; # fairly low weight since we don't know how this will behave
|
|
||||||
description = "Neural network spam";
|
|
||||||
}
|
|
||||||
"NEURAL_HAM" {
|
|
||||||
weight = -0.5;
|
|
||||||
description = "Neural network ham";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
"dmarc.conf".text = ''
|
|
||||||
reporting {
|
|
||||||
enabled = true;
|
|
||||||
email = 'reports@${config.networking.domain}';
|
|
||||||
domain = '${config.networking.domain}';
|
|
||||||
org_name = '${config.networking.domain}';
|
|
||||||
from_name = 'DMARC Aggregate Report';
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
"dkim_signing.conf".text = ''
|
|
||||||
selector = "quitte2024";
|
|
||||||
allow_username_mismatch = true;
|
|
||||||
allow_hdrfrom_mismatch = true;
|
|
||||||
use_domain_sign_local = "ifsr.de";
|
|
||||||
path = /var/lib/rspamd/dkim/$domain.$selector.key;
|
|
||||||
|
|
||||||
'';
|
|
||||||
|
|
||||||
"multimap.conf".text =
|
|
||||||
let
|
|
||||||
local_ips = pkgs.writeText "localhost.map" ''
|
|
||||||
::1
|
|
||||||
127.0.0.1
|
|
||||||
'';
|
|
||||||
tud_ips = pkgs.writeText "tud.map" ''
|
|
||||||
141.30.0.0/16
|
|
||||||
141.76.0.0/16
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
''
|
|
||||||
WHITELIST_SENDER_DOMAIN {
|
|
||||||
type = "from";
|
|
||||||
filter = "email:domain";
|
|
||||||
map = "/var/lib/rspamd/whitelist.sender.domain.map";
|
|
||||||
action = "accept";
|
|
||||||
}
|
|
||||||
WHITELIST_SENDER_EMAIL {
|
|
||||||
type = "from";
|
|
||||||
map = "/var/lib/rspamd/whitelist.sender.email.map";
|
|
||||||
action = "accept";
|
|
||||||
}
|
|
||||||
BLACKLIST_SENDER_DOMAIN {
|
|
||||||
type = "from";
|
|
||||||
filter = "email:domain";
|
|
||||||
map = "/var/lib/rspamd/blacklist.sender.domain.map";
|
|
||||||
action = "reject";
|
|
||||||
}
|
|
||||||
BLACKLIST_SENDER_EMAIL {
|
|
||||||
type = "from";
|
|
||||||
map = "/var/lib/rspamd/blacklist.sender.email.map";
|
|
||||||
action = "reject";
|
|
||||||
}
|
|
||||||
BLACKLIST_SUBJECT_KEYWORDS {
|
|
||||||
type = "header";
|
|
||||||
header = "Subject"
|
|
||||||
map = "/var/lib/rspamd/blacklist.keyword.subject.map";
|
|
||||||
action = "reject";
|
|
||||||
regexp = true;
|
|
||||||
}
|
|
||||||
RECEIVED_LOCALHOST {
|
|
||||||
type = "ip";
|
|
||||||
action = "accept";
|
|
||||||
map = ${local_ips};
|
|
||||||
}
|
|
||||||
RECEIVED_TU_NETWORKS {
|
|
||||||
type = "ip";
|
|
||||||
map = ${tud_ips};
|
|
||||||
}
|
|
||||||
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
redis = {
|
|
||||||
vmOverCommit = true;
|
|
||||||
servers.rspamd = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
|
|
||||||
virtualHosts."${hostname}" = {
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
virtualHosts."${rspamd-domain}" = {
|
security.acme.certs."${hostname}" = {
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:11334";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
security.acme.certs."${domain}" = {
|
|
||||||
reloadServices = [
|
reloadServices = [
|
||||||
"postfix.service"
|
"postfix.service"
|
||||||
"dovecot2.service"
|
"dovecot2.service"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
systemd = {
|
|
||||||
services.rspamd-dmarc-report = {
|
|
||||||
description = "rspamd dmarc reporter";
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
|
|
||||||
User = "rspamd";
|
|
||||||
Group = "rspamd";
|
|
||||||
};
|
|
||||||
startAt = "daily";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
175
modules/mail/dovecot2.nix
Normal file
|
@ -0,0 +1,175 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
hostname = "mail.${config.networking.domain}";
|
||||||
|
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
|
||||||
|
uris = ldap://localhost
|
||||||
|
dn = uid=search, ou=users, dc=ifsr, dc=de
|
||||||
|
auth_bind = yes
|
||||||
|
!include ${config.sops.secrets."dovecot_ldap_search".path}
|
||||||
|
|
||||||
|
ldap_version = 3
|
||||||
|
scope = subtree
|
||||||
|
base = dc=ifsr, dc=de
|
||||||
|
user_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||||
|
pass_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
143 # IMAP
|
||||||
|
993 # IMAPS
|
||||||
|
4190 # Managesieve
|
||||||
|
];
|
||||||
|
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
|
||||||
|
environment.etc = {
|
||||||
|
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
|
||||||
|
text = ''
|
||||||
|
#!/bin/sh
|
||||||
|
${pkgs.rspamd}/bin/rspamc learn_spam
|
||||||
|
'';
|
||||||
|
mode = "0555";
|
||||||
|
};
|
||||||
|
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
|
||||||
|
text = ''
|
||||||
|
#!/bin/sh
|
||||||
|
${pkgs.rspamd}/bin/rspamc learn_ham
|
||||||
|
'';
|
||||||
|
mode = "0555";
|
||||||
|
};
|
||||||
|
"dovecot/sieve/report-spam.sieve" = {
|
||||||
|
source = ./report-spam.sieve;
|
||||||
|
user = "dovecot2";
|
||||||
|
group = "dovecot2";
|
||||||
|
mode = "0544";
|
||||||
|
};
|
||||||
|
"dovecot/sieve/report-ham.sieve" = {
|
||||||
|
source = ./report-ham.sieve;
|
||||||
|
user = "dovecot2";
|
||||||
|
group = "dovecot2";
|
||||||
|
mode = "0544";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.dovecot2 = {
|
||||||
|
enable = true;
|
||||||
|
enableImap = true;
|
||||||
|
enableQuota = true;
|
||||||
|
quotaGlobalPerUser = "10G";
|
||||||
|
enableLmtp = true;
|
||||||
|
enablePAM = false;
|
||||||
|
mailLocation = "maildir:~/Maildir";
|
||||||
|
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
||||||
|
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
|
||||||
|
protocols = [ "imap" "sieve" ];
|
||||||
|
mailPlugins = {
|
||||||
|
globally.enable = [ "listescape" ];
|
||||||
|
perProtocol = {
|
||||||
|
imap = {
|
||||||
|
enable = [ "imap_sieve" "imap_filter_sieve" ];
|
||||||
|
};
|
||||||
|
lmtp = {
|
||||||
|
enable = [ "sieve" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
mailboxes = {
|
||||||
|
Spam = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Junk";
|
||||||
|
autoexpunge = "60d";
|
||||||
|
};
|
||||||
|
Sent = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Sent";
|
||||||
|
};
|
||||||
|
Drafts = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Drafts";
|
||||||
|
};
|
||||||
|
Trash = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Trash";
|
||||||
|
};
|
||||||
|
Archive = {
|
||||||
|
auto = "no";
|
||||||
|
specialUse = "Archive";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
modules = [
|
||||||
|
pkgs.dovecot_pigeonhole
|
||||||
|
];
|
||||||
|
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
|
||||||
|
mailUser = "vmail";
|
||||||
|
mailGroup = "vmail";
|
||||||
|
sieveScripts = {
|
||||||
|
before = pkgs.writeText "spam.sieve" ''
|
||||||
|
require "fileinto";
|
||||||
|
|
||||||
|
if anyof(
|
||||||
|
header :contains "x-spam-flag" "yes",
|
||||||
|
header :contains "X-Spam-Status" "Yes"){
|
||||||
|
fileinto "Spam";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
extraConfig = ''
|
||||||
|
auth_username_format = %Ln
|
||||||
|
passdb {
|
||||||
|
driver = ldap
|
||||||
|
args = ${dovecot-ldap-args}
|
||||||
|
}
|
||||||
|
userdb {
|
||||||
|
driver = ldap
|
||||||
|
args = ${dovecot-ldap-args}
|
||||||
|
}
|
||||||
|
service auth {
|
||||||
|
unix_listener /var/lib/postfix/auth {
|
||||||
|
group = postfix
|
||||||
|
mode = 0660
|
||||||
|
user = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
service managesieve-login {
|
||||||
|
inet_listener sieve {
|
||||||
|
port = 4190
|
||||||
|
}
|
||||||
|
service_count = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace inbox {
|
||||||
|
separator = /
|
||||||
|
inbox = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
service lmtp {
|
||||||
|
unix_listener dovecot-lmtp {
|
||||||
|
group = postfix
|
||||||
|
mode = 0600
|
||||||
|
user = postfix
|
||||||
|
}
|
||||||
|
client_limit = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
plugin {
|
||||||
|
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||||
|
sieve_global_extensions = +vnd.dovecot.pipe
|
||||||
|
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
|
||||||
|
|
||||||
|
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
|
||||||
|
imapsieve_mailbox1_name = Spam
|
||||||
|
imapsieve_mailbox1_causes = COPY APPEND FLAG
|
||||||
|
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
|
||||||
|
|
||||||
|
# Ham: From Spam folder to elsewhere
|
||||||
|
imapsieve_mailbox2_name = *
|
||||||
|
imapsieve_mailbox2_from = Spam
|
||||||
|
imapsieve_mailbox2_causes = COPY
|
||||||
|
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
|
||||||
|
|
||||||
|
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
|
||||||
|
listescape_char = "\\"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
|
@ -40,6 +40,15 @@
|
||||||
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
|
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.postfix = {
|
||||||
|
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||||||
|
config = {
|
||||||
|
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||||
|
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
|
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
|
||||||
|
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [
|
ensureUsers = [
|
100
modules/mail/postfix.nix
Normal file
|
@ -0,0 +1,100 @@
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
{ config, pkgs, ... }:
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
let
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
domain = config.networking.domain;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
hostname = "mail.${config.networking.domain}";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*User-Agent/ IGNORE
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*X-Enigmail/ IGNORE
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*X-Mailer/ IGNORE
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*X-Originating-IP/ IGNORE
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^\s*Mime-Version/ IGNORE
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
'';
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
login_maps = pkgs.writeText "login_maps.pcre" ''
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# basic username => username@ifsr.de
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
'';
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
in
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
{
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
25 # SMTP
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
465 # Submissions
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
587 # Submission
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
services = {
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
postfix = {
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
enable = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
enableSubmission = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
enableSubmissions = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
hostname = "${hostname}";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
domain = "${domain}";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
origin = "${domain}";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
destination = [ "${hostname}" "${domain}" "localhost" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
networksStyle = "host"; # localhost and own public IP
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
sslKey = "/var/lib/acme/${hostname}/key.pem";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
config = {
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
home_mailbox = "Maildir/";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# 25 MiB
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
message_size_limit = "26214400";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtp_helo_name = config.networking.rDNS;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtp_use_tls = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# smtp_tls_security_level = "encrypt";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_use_tls = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# smtpd_tls_security_level = lib.mkForce "encrypt";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# smtpd_tls_auth_only = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_tls_protocols = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"!SSLv2"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"!SSLv3"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"!TLSv1"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"!TLSv1.1"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# "reject_non_fqdn_hostname"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_recipient_restrictions = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"permit_sasl_authenticated"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"permit_mynetworks"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unauth_destination"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_non_fqdn_sender"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_non_fqdn_recipient"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unknown_sender_domain"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unknown_recipient_domain"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unauth_destination"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unauth_pipelining"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_invalid_hostname"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"check_policy_service inet:localhost:12340"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_relay_restrictions = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"permit_sasl_authenticated"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"permit_mynetworks"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unauth_destination"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# https://www.postfix.org/smtp-smuggling.html
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_data_restrictions = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_unauth_pipelining"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_sender_restrictions = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"reject_authenticated_sender_login_mismatch"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_sender_login_maps = [
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"pcre:/etc/special-aliases.pcre"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
"pcre:${login_maps}"
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtp_header_checks = "pcre:${header_cleanup}";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
alias_maps = [ "hash:/etc/aliases" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
alias_database = [ "hash:/etc/aliases" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_sasl_auth_enable = true;
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_sasl_path = "/var/lib/postfix/auth";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
smtpd_sasl_type = "dovecot";
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
};
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
};
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
};
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
|||||||
|
}
|
||||||
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately
|
143
modules/mail/rspamd.nix
Normal file
|
@ -0,0 +1,143 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "rspamd.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
|
||||||
|
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
|
||||||
|
services = {
|
||||||
|
rspamd = {
|
||||||
|
enable = true;
|
||||||
|
postfix.enable = true;
|
||||||
|
locals = {
|
||||||
|
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
|
||||||
|
"redis.conf".text = ''
|
||||||
|
read_servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
write_servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
'';
|
||||||
|
# headers in spamassasin style to not break old sieve scripts
|
||||||
|
"worker-proxy.inc".text = ''
|
||||||
|
spam_header = "X-Spam-Flag";
|
||||||
|
'';
|
||||||
|
"milter_headers.conf".text = ''
|
||||||
|
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
|
||||||
|
'';
|
||||||
|
"neural.conf".text = ''
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
enabled = true;
|
||||||
|
'';
|
||||||
|
"neural_group.conf".text = ''
|
||||||
|
symbols = {
|
||||||
|
"NEURAL_SPAM" {
|
||||||
|
weight = 0.5; # fairly low weight since we don't know how this will behave
|
||||||
|
description = "Neural network spam";
|
||||||
|
}
|
||||||
|
"NEURAL_HAM" {
|
||||||
|
weight = -0.5;
|
||||||
|
description = "Neural network ham";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
"dmarc.conf".text = ''
|
||||||
|
reporting {
|
||||||
|
enabled = true;
|
||||||
|
email = 'reports@${config.networking.domain}';
|
||||||
|
domain = '${config.networking.domain}';
|
||||||
|
org_name = '${config.networking.domain}';
|
||||||
|
from_name = 'DMARC Aggregate Report';
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
"dkim_signing.conf".text = ''
|
||||||
|
selector = "quitte2024";
|
||||||
|
allow_username_mismatch = true;
|
||||||
|
allow_hdrfrom_mismatch = true;
|
||||||
|
use_domain_sign_local = "ifsr.de";
|
||||||
|
path = /var/lib/rspamd/dkim/$domain.$selector.key;
|
||||||
|
|
||||||
|
'';
|
||||||
|
|
||||||
|
"multimap.conf".text =
|
||||||
|
let
|
||||||
|
local_ips = pkgs.writeText "localhost.map" ''
|
||||||
|
::1
|
||||||
|
127.0.0.1
|
||||||
|
'';
|
||||||
|
tud_ips = pkgs.writeText "tud.map" ''
|
||||||
|
141.30.0.0/16
|
||||||
|
141.76.0.0/16
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
''
|
||||||
|
WHITELIST_SENDER_DOMAIN {
|
||||||
|
type = "from";
|
||||||
|
filter = "email:domain";
|
||||||
|
map = "/var/lib/rspamd/whitelist.sender.domain.map";
|
||||||
|
action = "accept";
|
||||||
|
}
|
||||||
|
WHITELIST_SENDER_EMAIL {
|
||||||
|
type = "from";
|
||||||
|
map = "/var/lib/rspamd/whitelist.sender.email.map";
|
||||||
|
action = "accept";
|
||||||
|
}
|
||||||
|
BLACKLIST_SENDER_DOMAIN {
|
||||||
|
type = "from";
|
||||||
|
filter = "email:domain";
|
||||||
|
map = "/var/lib/rspamd/blacklist.sender.domain.map";
|
||||||
|
action = "reject";
|
||||||
|
}
|
||||||
|
BLACKLIST_SENDER_EMAIL {
|
||||||
|
type = "from";
|
||||||
|
map = "/var/lib/rspamd/blacklist.sender.email.map";
|
||||||
|
action = "reject";
|
||||||
|
}
|
||||||
|
BLACKLIST_SUBJECT_KEYWORDS {
|
||||||
|
type = "header";
|
||||||
|
header = "Subject"
|
||||||
|
map = "/var/lib/rspamd/blacklist.keyword.subject.map";
|
||||||
|
action = "reject";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
RECEIVED_LOCALHOST {
|
||||||
|
type = "ip";
|
||||||
|
action = "accept";
|
||||||
|
map = ${local_ips};
|
||||||
|
}
|
||||||
|
RECEIVED_TU_NETWORKS {
|
||||||
|
type = "ip";
|
||||||
|
map = ${tud_ips};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
redis = {
|
||||||
|
vmOverCommit = true;
|
||||||
|
servers.rspamd = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:11334";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd = {
|
||||||
|
services.rspamd-dmarc-report = {
|
||||||
|
description = "rspamd dmarc reporter";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
|
||||||
|
User = "rspamd";
|
||||||
|
Group = "rspamd";
|
||||||
|
};
|
||||||
|
startAt = "daily";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -22,6 +22,7 @@ let
|
||||||
matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
|
matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [ ./mautrix-telegram.nix ];
|
||||||
sops.secrets.matrix_ldap_search = {
|
sops.secrets.matrix_ldap_search = {
|
||||||
key = "portunus/search-password";
|
key = "portunus/search-password";
|
||||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
|
@ -1,5 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.generateKey = false;
|
|
||||||
}
|
|
15
modules/web/default.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./ifsrde.nix
|
||||||
|
./ese.nix
|
||||||
|
./infoscreen.nix
|
||||||
|
./kpp.nix
|
||||||
|
./nightline.nix
|
||||||
|
./fsrewsp.nix
|
||||||
|
./manual.nix
|
||||||
|
./sharepic.nix
|
||||||
|
./userdir.nix
|
||||||
|
./ftp.nix
|
||||||
|
];
|
||||||
|
}
|
maybe would be nice to move mailman specific postfix config to mailman.nix, so they could be enabled separately