Compare commits


2 Commits

Nek0 - b1b4d8c994 local_addrs from mynetworks in rspamd 2021-10-16 18:17:09 +02:00
Nek0 - b666d334b9 redux 2021-10-02 20:41:46 +02:00
1 changed files with 745 additions and 9 deletions


@ -1,9 +1,745 @@
{
networking.hostName = "mail";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.58";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
}
{pkgs ? <nixpkgs>, ...}:
let
maildomain = "c3d2.de";
hostname = "mail.c3d2.de";
virtual_map = ''
### system
# postmaster
postmaster root
hostmaster@redmine.c3d2.de root
hostmaster@pentapad.c3d2.de root
hostmaster@wiki.c3d2.de root
hostmaster@chat.c3d2.de nulli
# hostmaster
hostmaster@dresden.ccc.de fb@alien8.de, root
hostmaster@datenspuren.de daniel@plominski.eu, root
hostmaster root
# root
root@c3d2.de astro, morphium, nulli, eri, tboston
root root@c3d2.de
# webmaster
webmaster astro, root
# c3d2web
c3d2web astro
# Abuse
abuse abuse@c3d2.de
abuse@c3d2.de abuse@q-ix.net, root
# listmaster
listmaster@c3d2.de fb@c3d2.de, ps@c3d2.de, mail@c3d2.de
list@c3d2.de nulli, koeart, morphium, vv01f, tboston
list list@c3d2.de
mailer-daemon list@c3d2.de
# logcheck
logcheck root
# admin fuer gitolite
admin@c3d2.de root, blastmaster@c3d2.de, john@tuxcode.org, nulli
admin admin@c3d2.de
# flatbert admins
flatbert-admin@c3d2.de daniel@plominski.eu, astro@spaceboyz.net, john@tuxcode.org, paul@schwanse.de, morphium, ccc@poelzi.org, nulli@c3d2.de
wiki@c3d2.de root
## VPN
vpn@c3d2.de astro, ccc@poelzi.org, vv01f
### c3d2 user local home
# nulli
nulli@dresden.ccc.de nulli
nulli@c3d2.de nulli
webzwo0i@c3d2.de nulli
#ispconfig trial, can be removed?
hostmaster@jabber.c3d2.de nulli
0i@c3d2.de nulli
rec0very@c3d2.de nulli
vr@c3d2.de nulli
dock@c3d2.de nulli
shodan@c3d2.de nulli
tkradio@c3d2.de nulli, honky
dict@c3d2.de nulli
eb@c3d2.de nulli
dropbox@c3d2.de nulli
ebi@c3d2.de nulli
goo@c3d2.de nulli
dmi@c3d2.de nulli
impffein@c3d2.de nulli
gaga@c3d2.de nulli
# astro
# formerly: astro@spaceboyz.net
astro@c3d2.de astro
astro@netzbiotop.org astro
# alien8
a8 a8, fb@alien8.de
a8@c3d2.de a8, fb@alien8.de
fb@c3d2.de a8, fb@alien8.de
alien8@c3d2.de a8, fb@alien8.de
# pentabugs
pentabugs@c3d2.de pentabugs
# herr flupke
hf@c3d2.de hf
# santex
# formerly:
santex@c3d2.de santex
hagen@c3d2.de santex
#nek0
nek0@c3d2.de nek0
nek0@netzbiotop.org nek0
pizza@c3d2.de nek0
# ju
ju@c3d2.de ju
# vater
vater@c3d2.de vater
pavel@c3d2.de vater
# flatbert
flatbert@c3d2.de flatbert
###Datenspuren
datenspuren@c3d2.de martin@christianix.de, blastmaster, bigalex, nek0, honky, koeart, xyrill@c3d2.de
twitter@datenspuren.de mail@c3d2.de
lightningtalks@datenspuren.de bigalex@c3d2.de, hcx23@mailbox.org, honky
### c3d2 user forwarding
# riot
riot@c3d2.de riot@bsd-crew.de
# fukami
fukami@c3d2.de ccc@foo.io
# jens
jens@c3d2.de weisse_jens@web.de
# matthias
matthias@c3d2.de matthias@bsd-crew.de
# morphium
morphium@c3d2.de c3d2@morphium.info
morphium c3d2@morphium.info
# tibyr
tibyr@c3d2.de tibyr@alien8.de
# twobit
twobit@c3d2.de s8572327@gmail.com
tboston tboston@posteo.net
xyrill majewsky@posteo.de
polaris ursa.minor@posteo.de
### c3d2 aliases
## viele bunte smarties
#astro seins
eris@c3d2.de astro
flauschi@c3d2.de astro
kabelsalat@c3d2.de eris@c3d2.de
fnord@c3d2.de eris@c3d2.de
f.nord@c3d2.de eris@c3d2.de
frauke@c3d2.de eris@c3d2.de
fridolin@c3d2.de eris@c3d2.de
pm@c3d2.de eris@c3d2.de
# pre pre urzeit
21c3fpdev@c3d2.de pentabarf@mail.skyhub.de
ds-ic@c3d2.de ds-ic@mail.kruitzer.net
# pentamusic
podcast@c3d2.de pentaradio
ps@c3d2.de koeart
pentamusic@c3d2.de koeart
pentaradio honky, xyrill@c3d2.de, siehm@c3d2.de, mole@mopox.de, vv01f, friedemann@wulff-woesten.de
# autotopia - arbeitsgruppe zu atomatisierung
autotopia@c3d2.de polaris, nos, nek0, adrien@informancer.eu
# datenschleuder
datenschleuder@c3d2.de koeart, nulli, john@tuxcode.org, datenschleuder@tuxcode.org
# bestellungen fuer wem auch immer fuer den vllt. c3d2 oder privat, man weis es nicht
bestellungen@c3d2.de c3d2@xvlc.de, bigalex, mail@c3d2.de
#robmail addresse suchen
peering@c3d2.de koeart, nulli, astro@spaceboyz.net
freifunk@c3d2.de nulli, astro@spaceboyz.net
# vorstand, schatzmeister, kassenwart
schatzmeister@c3d2.de vorstand@c3d2.de
kassenwart@c3d2.de vorstand@c3d2.de
kassenwart@netzbiotop.org vorstand@c3d2.de
vorstand@netzbiotop.org honky, winzlieb, nek0
vorstand@c3d2.de honky, winzlieb, nek0
# master of coin
ln@c3d2.de bitcoin@c3d2.de
crypto@c3d2.de bitcoin@c3d2.de
bitcoin@c3d2.de vv01f
# wire
# project address, forward ziel fuer alle *.wire@c3d2.de siehe virtual.regex
wire@c3d2.de wire
# adressen aus dem c3d2-web git
2c3@c3d2.de mail@c3d2.de
keysign@c3d2.de mail@c3d2.de
news@c3d2.de mail@c3d2.de
presse@c3d2.de mail@c3d2.de
info@c3d2.de mail@c3d2.de
# CmS Schule
schule@c3d2.de cms@lists.c3d2.de
### c3d2 orga
# mail@
mail@c3d2.de astro, ibook@klobs.de, koeart, bigalex, morphium, nulli, vv01f, vater, nek0, tboston, xyrill, polaris, winzlieb, simon_ccc@liebing.cc
mail@dresden.ccc.de mail@c3d2.de
mail@c3dd.de mail@c3d2.de
mail@cccdd.de mail@c3d2.de
mail mail@c3d2.de
werbung@c3d2.de mail@c3d2.de
paypal@c3d2.de daniel@plominski.eu, astro, bigalex@c3d2.de, raz@c3d2.de, joerg@higgsboson.tk, mail
mail@netzbiotop.org mail@c3d2.de
### ueber /home/blotter/bin/create_vmail_user hinzugefuegt
# sven
# formerly: sven@elektro-klemm.de
sven@c3d2.de sven
nevs@c3d2.de sven
# blastmaster
# formerly: oeste.sebastian@googlemail.com
blastmaster@c3d2.de blastmaster
blastermaster@c3d2.de blastmaster
# koeart
# formerly: paul@schwanse.de, koeart@zwoelfelf.org
koeart@c3d2.de koeart
# eri!
# formerly: hans.orter@gmx.de
eri@c3d2.de eri
eri@cccdd.de eri
eri@netzbiotop.org eri
# pwnytail
# formerly: jakobi@stura.htw-dresden.de
pwnytail@c3d2.de pwnytail
# darkwake
# formerly: darkwake@freenet.de
darkwake@c3d2.de darkwake
# coeins
# formerly: coeins@gmail.com
coeins@c3d2.de coeins
# bigalex
# formerly: bigalex@gmx.de, alexander.lorz@tu-dresden.de
bigalex@c3d2.de bigalex
bigalex bigalex
# lachmoewe
# formerly: omg-lachmoewe@gmx.net
lachmoewe@c3d2.de lachmoewe
tf@c3d2.de lachmoewe
# daniel.plominski
daniel@c3d2.de daniel, daniel@plominski.eu
daniel@dresden.ccc.de daniel, daniel@plominski.eu
daniel.plominski@c3d2.de daniel, daniel@plominski.eu
daniel.plominski@dresden.ccc.de daniel, daniel@plominski.eu
# dodo
# formerly: dodo.the.last@gmail.com
dodo@c3d2.de dodo
dodo@dresden.ccc.de dodo
# payload
# formerly: payload@payload-bay.de
payload payload, s1394474@mail.zih.tu-dresden.de
payload@c3d2.de payload, s1394474@mail.zih.tu-dresden.de
# nos
# formerly: s70341@htw-dresden.de
nos@c3d2.de nos
# mc
# formerly: martin@christianix.de
mc@c3d2.de mc
norbert@c3d2.de mc
# vany
# formerly: eyke.schoeniger@gmx.de
vany@c3d2.de vany
# toon
# formerly: s71156@htw-dresden.de
toon@c3d2.de toon
# meo
# formerly: meodexter@gmail.com
meo@c3d2.de meo
meodexter@c3d2.de meo
# j03
j03@c3d2.de j03
jo3@c3d2.de j03
# nac
nac@c3d2.de nac
#vv01f
vv01f@c3d2.de vv01f
wolf@c3d2.de vv01f
vv01f@dresden.ccc.de vv01f
vv01f@c3dd.de vv01f
vv01f@cccdd.de vv01f
wolf@dresden.ccc.de vv01f
vv01f@netzbiotop.org vv01f
wolf@netzbiotop.org vv01f
# polygon
polygon@c3d2.de polygon
# derped
derped@c3d2.de derped
# kalipso
# formerly: kingkaiserprinz@gmail.com
kalipso@c3d2.de kalipso
# dzzzniel
dzzzniel@c3d2.de dzzzniel
# summi
summi@c3d2.de summi
# hendrix
hendrix@c3d2.de ra.anti@gmx.net
# testcopy
testcopy@c3d2.de testcopy
# blottervmail
blotter@c3d2.de blotter
blotter@c3dd.de blotter
blotter@cccdd.de blotter
blotter@dresden.ccc.de blotter
no blotter
blottervmail@c3d2.de blotter
blottervmail@mail.c3d2.de blotter
# simon
# formerly: simon.toermer@gmx.de
simon@c3d2.de simon
# ventolin
# formerly: sackgasse@gmx.net
ventolin@c3d2.de ventolin
# honky
# formerly: honky@defendtheplanet.net
honky@c3d2.de honky
honky@cccdd.de honky
honky@c3dd.de honky
honky@netzbiotop.org honky
# matemat
matemat@c3d2.de matemat
# nero
# formerly: nero@w1r3.net
nero@c3d2.de nero
# billy
# formerly: annettgerlach@gmx.net
billy@c3d2.de annettgerlach@gmx.net
# winzlieb
winzlieb graviola@posteo.de
winzlieb@netzbiotop.org winzlieb
# broken_pipe
# formerly: urban@subnet.email
broken_pipe@c3d2.de broken_pipe
# autotopia
# formerly: broken_pipe@c3d2.de
# servicemail
servicemail@c3d2.de servicemail
monitoring@c3d2.de monitoring
# polaris
# formerly: ursa.minor@posteo.de
polaris@c3d2.de polaris
# xeri
xeri@c3d2.de xeri
# xyrill
# formerly: majewsky@posteo.de
xyrill@dresden.ccc.de majewsky@posteo.de
xyrill@c3d2.de majewsky@posteo.de
xyrill@c3dd.de majewsky@posteo.de
xyrill@netzbiotop.org majewsky@posteo.de
# neda
neda@c3d2.de n.sultova@hzdr.de
# ehmry
ehmry@c3d2.de ehmry@posteo.net
ehmry@dresden.ccc.de ehmry@posteo.net
ehmry@c3dd.de ehmry@posteo.net
# antranes
antranes@c3d2.de antranes
# antrares
antrares@c3d2.de antrares
# siehm: simon_ccc@liebing.cc
siehm@c3d2.de simon_ccc@liebing.cc
siehm@c3dd.de simon_ccc@liebing.cc
siehm@dresden.ccc.de simon_ccc@liebing.cc
# sandro
# formerly: sandro.jaeckel@posteo.de
sandro@c3d2.de sandro
# leonvita91
leonvita91@c3d2.de leonvita91
# wiki-sender
wiki-sender@c3d2.de wiki-sender
# etherpad-notify
etherpad-notify@c3d2.de etherpad-notify
# zylens
# formerly: zylens
zylens@c3d2.de zylens
# formerly: Mirko <mirko@zeiban.de>
mirko@c3d2.de mirko@c3d2.zeiban.de
'';
mynetworks = [
"127.0.0.0/8"
"172.22.99.0/24"
"172.22.100.0/24"
"81.201.149.152/32"
"24.134.104.53/32"
"[::1]/128"
"[fe80::]/10"
"[2a00:1828:a008::]/48"
"[2001:470:6d:670::]/64"
"[2001:67c:1400:2240::]/64"
"[2a00:8180:2c00:200::]/56"
];
virtual_domains = [
"dresden.ccc.de"
"cccdd.de"
"c3dd.de"
"datenspuren.de"
"jabber.c3d2.de"
"webmail.c3d2.de"
"chat.c3d2.de"
"zengelsystem.c3d2.space"
"c3d2.space"
"netzbiotop.org"
# "nc.c3d2.space"
];
in
{
#imports = [
# <nixpkgs/nixos/modules/virtualisation/lxc-container.nix>
#];
networking.hostName = "mail";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.58";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking.firewall = {
enable = true;
allowedTCPPorts = [
25 587 143
4190
80 443
];
allowedUDPPorts = [
];
};
users.users."mailowner" = {
createHome = false;
extraGroups = [];
group = "users";
home = "/vor/spool/mail";
isSystemUser = true;
openssh.authorizedKeys.keys = [
];
uid = 5000;
};
services = {
postfix = {
enable = true;
enableSmtp = true;
enableSubmission = true;
enableHeaderChecks = true;
domain = maildomain;
hostname = hostname;
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem";
networks = [
];
virtual = virtual_map;
config = {
myorigin = maildomain;
mydestination = [
"127.0.0.1"
];
mynetworks = mynetworks;
mail_owner = "postfix";
smtp_use_tls = true;
smtp_tls_security_level = "may";
smtpd_use_tls = true;
smtpd_tls_security_level = "may";
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_sasl_auth_enable = true;
smtpd_tls_auth_only = false;
smtpd_tls_protocols = [
"!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"
];
smtpd_tls_mandatory_ciphers = "high";
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
virtual_mailbox_domains =
[ maildomain ] ++ virtual_domains;
relay_domains = [
"$mydestination"
"lists.c3d2.de"
];
message_size_limit = "40960000";
# Dovecot delivery
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
virtual_gid_maps = "static:5000";
virtual_uid_maps = "static:5000";
virtual_minimum_uid = "5000";
virtual_mailbox_base = "/var/vmail";
# tarpitting
smtpd_error_sleep_time = "10s";
smtpd_soft_error_limit = 2;
smtpd_hard_error_limit = 5;
smtpd_junk_command_limit = 2;
};
};
dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
enablePop3 = false;
enablePAM = false;
enableQuota = true;
createMailUser = true;
mailLocation = "maildir:~/maildir";
mailboxes = {
Spam = {
auto = "create";
specialUse = "Junk";
};
Sent = {
auto = "create";
specialUse = "Sent";
};
Drafts = {
auto = "create";
specialUse = "Drafts";
};
Trash = {
auto = "create";
specialUse = "Trash";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
quotaGlobalPerUser = "1G";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
protocols = [
"sieve"
];
mailPlugins = {
perProtocol = {
imap = {
enable = [
"imap_sieve"
];
};
lmtp = {
enable = [
"sieve"
];
};
};
};
extraConfig = ''
passdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/auth.d/passwd
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/auth.d/passwd
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
user = dovecot2
}
service managesieve-login {
}
service managesieve {
}
protocol sieve {
}
protocol lmtp {
postmaster_address = postmaster@nek0.eu
}
protocol imap {
mail_max_userip_connections = 100
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
'';
};
fail2ban = {
enable = true;
ignoreIP = mynetworks;
jails = {
"postfix" = ''
enabled = true
'';
"dovecot-imap" = ''
enabled = true
port = imap,imaps
filter = dovecot-imap
#logpath = /var/log/dovecot.log
'';
};
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."${maildomain}" = {
serverAliases = virtual_domains;
forceSSL = true;
enableACME = true;
http2 = true;
locations."/rspamd/" = {
proxyPass = "http://127.0.0.1:11334/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
rspamd = {
enable = true;
user = "rspamd";
group = "rspamd";
postfix = {
enable = true;
config = {
non_smtpd_milters = [ "inet:127.0.0.1:11332" ];
smtpd_milters = [ "inet:127.0.0.1:11332" ];
milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
milter_default_action = "accept";
};
};
workers = {
"normal" = {
enable = true;
type = "normal";
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "rspamd";
group = "rspamd";
}];
};
"controller" = {
enable = true;
count = 1;
type = "controller";
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:11334" ];
};
"rspamd_proxy" = {
enable = true;
type = "rspamd_proxy";
includes = [ "$CONFDIR/worker-proxy.inc" ];
extraConfig = ''
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
'';
};
};
locals = {
"options.inc" = {
enable = true;
text = ''
#local_addrs = "127.0.0.0/8, ::1, 10.0.0.0/8, 2a01:4f8:222:2b41::/64";
local_addrs = ${builtins foldl (acc: a: acc + a + " ") "" mynetworks}
dns {
nameserver = ["10.0.0.53:53:10"];
}
'';
};
"worker-normal.inc" = {
enable = true;
text = ''
bind_socket = "127.0.0.1:11333";
count = 2;
'';
};
"worker-controller.inc" = {
enable = true;
text = ''
# create with "rspamadm pw"
password = "$2$ybs6zdxgq17ys7azr4iwkwr3tg4ifx5z$79hoz8ah1w6f4b5rs7u8x7gst6ioidzcwijj8uu5zap9t6cw4tjb";
'';
};
"worker-proxy.inc" = {
enable = true;
text = ''
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
'';
};
"logging.inc" = {
enable = true;
text = ''
type = "file";
filename = "/var/lib/rspamd/rspamd.log";
level = "error";
debug_modules = [];
'';
};
"milter_headers.conf" = {
enable = true;
text = ''
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
'';
};
"classifier-bayes.conf" = {
enable = true;
text = ''
backend = "redis";
servers = "127.0.0.1:6378";
'';
};
};
};
redis = {
enable = true;
bind = "127.0.0.1";
port = 6378;
vmOverCommit = true;
settings = {
supervised = "systemd";
maxmemory = "1GB";
maxmemory-policy = "volatile-lru";
};
};
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
renewInterval = "*-01,03,05,07,09,11-01 00:00:00";
certs = {
"${maildomain}" = {
email = "nek0@nek0.eu";
extraDomainNames = [
virtual_domains
];
postRun = "systemctl restart postfix.service dovecot2.service";
};
};
};
}
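Review bot: The new `local_addrs` line in the `options.inc` local does not evaluate: `builtins foldl` applies the `builtins` attribute set as if it were a function (the fold is `builtins.foldl'`), and even once that is fixed the interpolation would emit an unquoted, space-separated list containing Postfix-style bracketed IPv6 entries such as `[::1]/128` and `[fe80::]/10`, whereas the commented-out default directly above it shows rspamd expecting a quoted, comma-separated list of bare CIDRs. A one-line form that produces that from the same `mynetworks` list is `local_addrs = "${builtins.concatStringsSep ", " (map (builtins.replaceStrings ["[" "]"] ["" ""]) mynetworks)}";`. Note that the list now also carries the two public /32s and the /48, /56 and /64 prefixes from `mynetworks`; rspamd's documentation describes `local_addrs` as addresses exempted from a number of checks, so widening it beyond the loopback/RFC1918 default should be a deliberate decision rather than a side effect of sharing the Postfix relay list. Two other lines in the same hunk also look wrong: `extraDomainNames = [ virtual_domains ]` nests a list inside a list where a list of strings is expected (it should be `extraDomainNames = virtual_domains;`), and `smtpd_tls_auth_only = false` combined with `smtpd_sasl_auth_enable = true` offers SASL AUTH on unencrypted sessions of the main smtpd, so `smtpd_tls_auth_only = true;` is the safer setting unless plaintext AUTH on port 25 is intended.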