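# NixOS module for the "mailtng" mail host.
#
# Postfix accepts SMTP (25) and submission (587) and hands accepted mail to
# Dovecot over a local LMTP socket; Dovecot serves IMAP (143) and authenticates
# both IMAP logins and Postfix SASL against the c3d2 LDAP directory. nginx
# exists so the ACME HTTP-01 challenge for `domain` can be answered; the TLS
# certificate it obtains is shared with Postfix and Dovecot.
{ zentralwerk, config, pkgs, lib, ... }:

let
  domain = "mailtng.c3d2.de";

  # Dovecot LDAP passdb/userdb configuration, written to the Nix store.
  #
  # The store file is world-readable, so it must not contain the bind password
  # itself: `!include` pulls it in at runtime from the sops-managed secret path
  # (that file is expected to hold the `dnpass = …` line — confirm against the
  # secret's contents). The password is therefore only readable by the
  # secret's owner, the Dovecot auth user (see sops.secrets below).
  #
  # `writeText` takes a file name and the contents; the original call passed
  # only the contents, which leaves `ldap-auth-config` a partially applied
  # function and makes the `${ldap-auth-config}` interpolation below fail to
  # evaluate. The name is a store-file name only and carries no semantics.
  #
  # `user_filter` and `pass_filter` both require membership in the `mail`
  # group, so a directory user outside that group is rejected at
  # authentication rather than only at mailbox lookup.
  #
  # NOTE(review): the auth service below runs as `dovecot2`, while `mail_uid`
  # here is the static name `dovecot` — verify that a system user of that
  # name exists on this host, or that the mail user is meant to differ.
  ldap-auth-config = pkgs.writeText "dovecot-ldap.conf.ext" ''
    hosts = auth.c3d2.de
    dn = uid=search,ou=users,dc=c3d2,dc=de
    !include ${config.sops.secrets."ldap/search-user-pw".path}
    auth_bind = yes
    auth_bind_userdn = uid=%u,ou=users,dc=c3d2,dc=de
    ldap_version = 3
    base = ou=users,dc=c3d2,dc=de
    scope = subtree
    user_attrs = homeDirectory=home
    user_filter = (&(objectClass=person)(isMemberOf=cn=mail,ou=groups,dc=c3d2,dc=de)(uid=%u))
    pass_filter = (&(objectClass=person)(isMemberOf=cn=mail,ou=groups,dc=c3d2,dc=de)(uid=%u))
    mail_uid = dovecot
    mail_gid = mail
  '';
in {
  microvm.mem = 2048;

  networking = {
    hostName = "mailtng";
    # Only the mail protocols and HTTPS are reachable; IMAPS (993) is not
    # opened, so IMAP clients use STARTTLS on 143.
    firewall.allowedTCPPorts = [
      # postfix (smtp and submission)
      25
      587
      # dovecot (imap)
      143
      # nginx for rspamd
      #80
      443
    ];
  };

  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
    deployment = {
      server = "server10";
      mounts = [ "etc" "var" ];
    };
  };

  # The LDAP bind password is read by Dovecot's auth process (which runs as
  # the dovecot2 service user, see `service auth` in extraConfig), so the
  # decrypted secret is owned by that user and group and by nobody else.
  sops.secrets."ldap/search-user-pw" = {
    owner = config.systemd.services.dovecot2.serviceConfig.User;
    group = config.systemd.services.dovecot2.serviceConfig.Group;
  };

  services = {
    postfix = {
      enable = true;
      enableSmtp = true;
      enableSubmission = true;
      enableHeaderChecks = true;
      domain = "${domain}";
      hostname = "${domain}";
      # Certificate obtained by the ACME config at the bottom of this module.
      sslCert = "/var/lib/acme/${domain}/fullchain.pem";
      sslKey = "/var/lib/acme/${domain}/key.pem";
      # Hosts allowed to relay without SASL authentication (mynetworks).
      # NOTE(review): 10.0.0.0/8 and the ::/64 prefix admit every host in those
      # ranges as a trusted relay source — confirm both are fully under
      # c3d2 control.
      networks = [
        "127.0.0.1"
        "172.20.77.10" #TODO: take ip directly from server10 config
        "10.0.0.0/8"
        "[2a00:8180:2c00:284::1a]/64"
      ];
      # Role addresses are delivered to root.
      virtual = ''
        postmaster root
        abuse root
        root root
        garbage root
      '';
      config = {
        myorigin = "${domain}";
        mydestination = [ "127.0.0.1" ];
        mail_owner = "postfix";
        # Outbound: TLS is mandatory, so mail to a peer that offers no TLS is
        # not delivered in plaintext.
        smtp_use_tls = true;
        smtp_tls_security_level = "encrypt";
        # Inbound: "encrypt" makes TLS mandatory on every smtpd listener,
        # including port 25; remote MTAs that only speak plaintext are
        # rejected. mkForce overrides the level the NixOS module sets.
        smtpd_use_tls = true;
        smtpd_tls_security_level = lib.mkForce "encrypt";
        # Relaying is permitted only for mynetworks or SASL-authenticated
        # clients; everything else may only be delivered locally.
        smtpd_recipient_restrictions = [
          "permit_mynetworks"
          "permit_sasl_authenticated"
          "reject_unauth_destination"
        ];
        smtpd_relay_restrictions = [
          "permit_mynetworks"
          "permit_sasl_authenticated"
          "reject_unauth_destination"
        ];
        # SASL is answered by Dovecot's auth socket (see `service auth` in
        # the Dovecot extraConfig); AUTH is only offered inside TLS.
        smtpd_sasl_auth_enable = true;
        smtpd_tls_auth_only = true;
        smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" ];
        smtpd_tls_mandatory_ciphers = "high";
        smtpd_sasl_path = "/var/lib/postfix/auth";
        smtpd_sasl_type = "dovecot";
        # Delivery for the domain goes to Dovecot over LMTP; the static uid/gid
        # maps only apply if a non-LMTP virtual transport were ever used.
        virtual_mailbox_domains = [ "${domain}" ];
        virtual_gid_maps = "static:5000";
        virtual_uid_maps = "static:5000";
        virtual_minimum_uid = "1000";
        virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
        virtual_mailbox_base = "/var/spool/mail";
        message_size_limit = "40960000";
      };
    };

    dovecot2 = {
      enable = true;
      enableImap = true;
      enableLmtp = true;
      enablePop3 = false;
      # Authentication is LDAP-only; PAM is disabled so local system accounts
      # cannot log in to IMAP.
      enablePAM = false;
      enableQuota = true;
      createMailUser = true;
      mailLocation = "maildir:~/maildir";
      mailboxes = {
        Spam = { auto = "create"; specialUse = "Junk"; };
        Sent = { auto = "create"; specialUse = "Sent"; };
        Drafts = { auto = "create"; specialUse = "Drafts"; };
        Trash = { auto = "create"; specialUse = "Trash"; };
      };
      modules = [ pkgs.dovecot_pigeonhole ];
      quotaGlobalPerUser = "1G";
      sslServerCert = "/var/lib/acme/${domain}/fullchain.pem";
      sslServerKey = "/var/lib/acme/${domain}/key.pem";
      protocols = [ ];
      mailPlugins = {
        perProtocol = {
          imap = { enable = [ ]; };
          lmtp = { enable = [ ]; };
        };
      };
      # The two unix listeners are the only sockets Postfix needs: LMTP for
      # delivery and the auth socket for SASL. Both are 0660 and owned by the
      # postfix user, so no other local account can reach them.
      extraConfig = ''
        passdb ldap {
          args = ${ldap-auth-config}
        }
        userdb ldap{
          args = ${ldap-auth-config}
        }
        service lmtp {
          unix_listener dovecot-lmtp {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        service auth {
          unix_listener /var/lib/postfix/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
          user = dovecot2
        }
        protocol lmtp {
          postmaster_address = root@c3d2.de
        }
        protocol imap {
          mail_max_userip_connections = 100
        }
      '';
    };

    # nginx currently only answers the ACME challenge for `domain` and
    # redirects everything to HTTPS; the rspamd UI proxy is kept commented out.
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts."${domain}" = {
        serverAliases = [ ];
        forceSSL = true;
        enableACME = true;
        http2 = true;
        /*
        locations."/rspamd/" = {
          proxyPass = "http://127.0.0.1:11334/";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
        */
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    preliminarySelfsigned = true;
    # NOTE(review): renewal is attempted only on the first of every second
    # month; a single failed run then leaves no retry before the next one —
    # confirm this fits the certificate lifetime.
    defaults.renewInterval = "*-01,03,05,07,09,11-01 00:00:00";
    certs = {
      "${domain}" = {
        email = "root@c3d2.de";
        extraDomainNames = [ ];
        # Both daemons must pick up the renewed certificate. A restart drops
        # open IMAP sessions; a reload may suffice — presumably both daemons
        # re-read the cert files on reload, verify before changing.
        postRun = "systemctl restart postfix.service dovecot2.service";
      };
    };
  };
}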