Merge pull request 'mailtng' (#93) from mailtng into master
Reviewed-on: #93
This commit is contained in:
commit
070aa33d2d
|
@ -352,6 +352,14 @@
|
|||
];
|
||||
};
|
||||
|
||||
mailtngbert = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
./hosts/mailtngbert
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
dacbert = nixosSystem' {
|
||||
modules = [
|
||||
nixos-hardware.nixosModules.raspberry-pi-4
|
||||
|
|
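--- a/hosts/mailtngbert/default.nix
+++ b/hosts/mailtngbert/default.nix
@@ -0,0 +1,225 @@
+{ zentralwerk, config, pkgs, lib, ... }:
+
+let
+domain = "mailtng.c3d2.de";
+
+ldap-auth-config = pkgs.writeText ''
+hosts = auth.c3d2.de
+dn = uid=search,ou=users,dc=c3d2,dc=de
+
+!include ${config.sops.secrets."ldap/search-user-pw".path}
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=users,dc=c3d2,dc=de
+ldap_version = 3
+base = ou=users,dc=c3d2,dc=de
+scope = subtree
+user_attrs = homeDirectory=home
+
+user_filter = (&(objectClass=person)(isMemberOf=cn=mail,ou=groups,dc=c3d2,dc=de)(uid=%u))
+pass_filter = (&(objectClass=person)(isMemberOf=cn=mail,ou=groups,dc=c3d2,dc=de)(uid=%u))
+
+mail_uid = dovecot
+mail_gid = mail
+'';
+
+in
+{
+microvm.mem = 2048;
+
+networking = {
+hostName = "mailtng";
+firewall.allowedTCPPorts = [
+# postfix (smtp and submission)
+25 587
+# dovecot (imap)
+143
+# managesieve
+4190
+# nginx for rspamd
+#80 443
+];
+};
+
+c3d2 = {
+isInHq = false;
+hq.statistics.enable = true;
+deployment = {
+server = "server10";
+mounts = [ "etc" "var"];
+};
+};
+
+sops.secrets."ldap/search-user-pw" = {
+owner = config.systemd.services.dovecot2.serviceConfig.User;
+group = config.systemd.services.dovecot2.serviceConfig.Group;
+};
+
+networking = {
+hosts = with zentralwerk.lib.config.site.net.serv; {
+${hosts6.up4.auth} = [ "auth.c3d2.de" ];
+${hosts4.auth} = [ "auth.c3d2.de" ];
+};
+};
+
+services = {
+postfix = {
+enable = true;
+enableSmtp = true;
+enableSubmission = true;
+enableHeaderChecks = true;
+domain = "${domain}";
+hostname = "${domain}";
+sslCert = "/var/lib/acme/${domain}/fullchain.pem";
+sslKey = "/var/lib/acme/${domain}/key.pem";
+networks = [
+"127.0.0.1"
+"172.20.77.10" #TODO: take ip directly from server10 config
+"10.0.0.0/8"
+"[2a00:8180:2c00:284::1a]/64"
+];
+virtual = ''
+postmaster root
+abuse root
+root root
+garbage root
+'';
+config = {
+myorigin = "${domain}";
+mydestination = [
+"127.0.0.1"
+];
+mail_owner = "postfix";
+smtp_use_tls = true;
+smtp_tls_security_level = "encrypt";
+smtpd_use_tls = true;
+smtpd_tls_security_level = lib.mkForce "encrypt";
+smtpd_recipient_restrictions = [
+"permit_mynetworks"
+"permit_sasl_authenticated"
+"reject_unauth_destination"
+];
+smtpd_relay_restrictions = [
+"permit_mynetworks"
+"permit_sasl_authenticated"
+"reject_unauth_destination"
+];
+smtpd_sasl_auth_enable = true;
+smtpd_tls_auth_only = true;
+smtpd_tls_protocols = [
+"!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"
+];
+smtpd_tls_mandatory_ciphers = "high";
+smtpd_sasl_path = "/var/lib/postfix/auth";
+smtpd_sasl_type = "dovecot";
+virtual_mailbox_domains = [
+"${domain}"
+];
+virtual_gid_maps = "static:5000";
+virtual_uid_maps = "static:5000";
+virtual_minimum_uid = "1000";
+virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
+virtual_mailbox_base = "/var/spool/mail";
+message_size_limit = "40960000";
+};
+};
+dovecot2 = {
+enable = true;
+enableImap = true;
+enableLmtp = true;
+enablePop3 = false;
+enablePAM = false;
+enableQuota = true;
+createMailUser = true;
+mailLocation = "maildir:~/maildir";
+mailboxes = {
+Spam = {
+auto = "create";
+specialUse = "Junk";
+};
+Sent = {
+auto = "create";
+specialUse = "Sent";
+};
+Drafts = {
+auto = "create";
+specialUse = "Drafts";
+};
+Trash = {
+auto = "create";
+specialUse = "Trash";
+};
+};
+modules = [
+pkgs.dovecot_pigeonhole
+];
+quotaGlobalPerUser = "1G";
+sslServerCert = "/var/lib/acme/${domain}/fullchain.pem";
+sslServerKey = "/var/lib/acme/${domain}/key.pem";
+protocols = [ ];
+mailPlugins = {
+perProtocol = {
+imap = {
+enable = [ ];
+};
+lmtp = {
+enable = [ ];
+};
+};
+};
+extraConfig = ''
+passdb ldap {
+args = ${ldap-auth-config}
+}
+userdb ldap{
+args = ${ldap-auth-config}
+}
+service lmtp {
+unix_listener dovecot-lmtp {
+group = postfix
+mode = 0660
+user = postfix
+}
+}
+service auth {
+unix_listener /var/lib/postfix/auth {
+group = postfix
+mode = 0660
+user = postfix
+}
+user = dovecot2
+}
+
+protocol lmtp {
+postmaster_address = root@c3d2.de
+}
+
+protocol imap {
+mail_max_userip_connections = 100
+}
+'';
+};
+nginx = {
+enable = true;
+virtualHosts."${domain}" = {
+forceSSL = true;
+enableACME = true;
+/*
+locations."/rspamd/" = {
+proxyPass = "http://127.0.0.1:11334/";
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+'';
+};
+*/
+};
+};
+
+security.acme.certs."${domain}" = {
+reloadServices = [
+"postfix.service"
+"dovecot2.service"
+];
+};
+};
+}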
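Review bot: The `networks` list in services.postfix puts all of `10.0.0.0/8` and the entire `[2a00:8180:2c00:284::1a]/64` into mynetworks, and both `smtpd_recipient_restrictions` and `smtpd_relay_restrictions` begin with `permit_mynetworks`, so every host in those ranges can relay through this server without SASL authentication; unless that is deliberate, narrow it to the hosts that actually submit mail, e.g. `networks = [ "127.0.0.1" "172.20.77.10" ];`, and let everything else authenticate on 587. Separately, `ldap-auth-config = pkgs.writeText ''` passes only the text, but `writeText` takes a file name first, so the binding is a partially applied function and the `args = ${ldap-auth-config}` interpolations in extraConfig cannot be coerced to a string; it should read `ldap-auth-config = pkgs.writeText "dovecot-ldap.conf" ''` (the name is illustrative). Pulling the bind password in through `!include ${config.sops.secrets."ldap/search-user-pw".path}` rather than into the store-side file is the right shape, assuming that secret holds a complete `dnpass = …` line, which this change cannot show. Finally, `enableACME = true` on the nginx virtual host with `#80 443` left commented out in allowedTCPPorts means the HTTP-01 challenge nginx would serve is presumably unreachable, so issuance for `${domain}` will fail unless another challenge method is configured elsewhere in the repo.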
@ -1,4 +1,5 @@
|
|||
mock-data: ENC[AES256_GCM,data:fQ88gg==,iv:TphtBcDzX9xHW8eu4BwyitiOg6D6pnTRUrVtMUOjKTo=,tag:v4xjJNFTKyA7kbjeXDDz7w==,type:bool]
|
||||
ldap:
|
||||
search-user-pw: ENC[AES256_GCM,data:Pd6Qy8Ilu1RAkIOnpHNoGV+VBNCg/IAl9InWOGDlsTSbDVqK4B5aUmX2sl0=,iv:nZQwmiWJtQ4AmzAgv3Fhh625K11U4uxTCE6Rj5okRns=,tag:v9pVGrSQoaGGYG5X8wUyoA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -23,8 +24,8 @@ sops:
|
|||
bTBPcjZCZFNBWWtUVGNRUWE4eTA1ZjgKF4qoSyKCL2ytTf5vZRVLFr89R5/7HCji
|
||||
hsPXdE607b+s5PAaOPMWF8Zfy7QJr6hqG9+Pbr4FnGB5nTvTsO5d3Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-02-25T18:51:17Z"
|
||||
mac: ENC[AES256_GCM,data:/xwOBXbYBd9TqosVFDEAyjVBOcZ1NdxNEz5nTmaFwiBHJSICflX54YSx+1QT44jFCkDFdvf3ZSojZ/bJ9EBsGZycaa4dQvReF5jjMnDzdwPvf+R84F/QuyHZTNnxXfneXUP9SWcenREr/ku/96x7ignKg1n4YsRq1hiot4W8sFk=,iv:7gzXGTlZ+A6ihSF6B94ttyWlREXLTUJukv45nBYPVKI=,tag:E3zlnQrMs0gCNdeuX2Bmfw==,type:str]
|
||||
lastmodified: "2022-12-18T19:16:04Z"
|
||||
mac: ENC[AES256_GCM,data:7bqWB5fzhL6J18vak2pfW0Oq8mo0iLiHefCYEklTcUVVHOJy//hO9yw95gjUpGyq6Fx77SKOgu7SaM2bnBOTSdbvoz3mUsUZUUztSlJ+vrXNeD2tNHES6laa3W+lxDwl4WYOz5rPM5oOo0jWuMkIayE+fYC6d21AK8H910fdMjQ=,iv:tYIt1vi4FQezs7LoLXiF4J++KHUOQV8tYfap3l072zY=,tag:Pu0pXHG3WI1WoWXwCvKAXg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:32:09Z"
|
||||
enc: |
|
||||
|
@ -179,4 +180,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
||||
version: 3.7.3
|
||||
|
|