diff --git a/nix/modules/nixos/infrastructure/mailserver/acme.nix b/nix/modules/nixos/infrastructure/mailserver/acme.nix
new file mode 100644
index 0000000..1321901
--- /dev/null
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@@ -0,0 +1,9 @@
+{ lib, config, ... }:
+let
+ cfg = config.khscodes.infrastructure.mailserver;
+in
+{
+ config = lib.mkIf cfg.enable {
+ khscodes.services.nginx.virtualHosts."${config.khscodes.networking.fqdn}" = { };
+ };
+}
diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix
index 6f124b7..3f5d38e 100644
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@@ -18,6 +18,7 @@ in
 };
 imports = [
 inputs.simple-nixos-mailserver.nixosModules.mailserver
+ ./acme.nix
 ./dmarc.nix
 ./dane.nix
 ./dkim.nix
@@ -106,10 +107,6 @@ in
 introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
 introspection_mode = post
 '';
- services.prometheus.exporters.postfix = {
- enable = true;
- };
- khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
 services.fail2ban.jails = {
 postfix = {
 settings = {
diff --git a/nix/modules/nixos/infrastructure/mailserver/dkim.nix b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
index 30c0c35..1d1834c 100644
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
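Review bot: The new vhost for the host FQDN in acme.nix is an empty attrset, so nginx answers every path on that name from its default document root instead of refusing it; the mta-sts.nix vhosts in this same commit return 404 for `/`, and `locations."/".return = 404;` here would keep the mail host from serving anything beyond what the certificate challenge needs. Presumably `khscodes.services.nginx.virtualHosts` enables ACME/TLS on its own, which is why an empty attrset suffices, but nothing in the file says so. A one-line comment such as `# Empty vhost: exists only so the shared nginx module obtains an ACME certificate for the mail host` would spare the next reader the guess.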
@@ -164,15 +164,24 @@ in
 services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
 text = ''
 enabled = true;
+ allow_username_mismatch = true;
 domain {
 ${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
 }
 '';
 };
+ services.postfix.config = {
+ # Need to include this as I disabled the in built support for dkim signing
+ # without this postfix won't forward the mails to rspamd to be signed.
+ non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
+ };
 systemd.services.rspamd = {
 unitConfig = {
 ConditionPathExists = domainKeyPaths;
 };
+ serviceConfig = {
+ ReadOnlyPaths = domainKeyPaths;
+ };
 };
 systemd.services.postfix = {
 unitConfig = {
diff --git a/nix/modules/nixos/infrastructure/mailserver/ldap.nix b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
index 622efcd..aa7d802 100644
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@@ -16,7 +16,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- mailserver.debug = true;
 mailserver.ldap = {
 enable = true;
 uris = [ "ldaps://login.kaareskovgaard.net" ];
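Review bot: `allow_username_mismatch = true;` switches off rspamd's check that the authenticated username's domain matches the domain it is asked to sign for, so any account that can authenticate can obtain a valid DKIM signature for a From: address in any of `cfg.domains`; the flag is presumably needed because logins are now bare uids rather than addresses (see the ldap.nix change in this commit), but it moves the whole burden of cross-domain sender spoofing onto postfix's sender/login restrictions, which are not visible here — confirm `smtpd_sender_login_maps` with `reject_sender_login_mismatch` is in place and record it with a comment such as `# Usernames are bare uids, so rspamd's domain check can never pass; postfix's sender-login restrictions are the control against spoofing other local domains.` Note also that `non_smtpd_milters` only covers mail injected locally (sendmail/pickup); mail arriving on the submission port is handled by `smtpd_milters`, which this hunk does not set, so signing of client submissions depends on that being configured elsewhere. `ReadOnlyPaths = domainKeyPaths` is a good hardening step for the private keys. Both the `services.rspamd.locals` attrset and the `systemd.services.postfix` attrset continue past the end of the hunk.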
@@ -30,14 +29,28 @@ in
 # Map LDAP uid to dovecot user, and ldap userPassword to dovecot password
 passAttrs = "uid=user";
 passFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
- userFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
+ # This filter is used both when receiving mail (thus needing to lookup by mail address, and when authenticating, requriing the lookup by uid.)
+ # Note that the pass filter only allows looking up by uid, so should still only be able to authenticate using that.
+ userFilter = "(&(class=account)(memberOf=mail_user)(|(mail=%u)(uid=%u)))";
+ userAttrs = "uid=user";
 };
 postfix = {
 filter = "(&(class=account)(memberOf=mail_user)(mail=%s))";
- mailAttribute = "mail";
+ mailAttribute = "uid";
 uidAttribute = "uid";
 };
 };
+ systemd.services.dovecot2 = {
+ unitConfig = {
+ ConditionPathExists = [ secretFile ];
+ };
+ };
+
+ systemd.services.postfix = {
+ unitConfig = {
+ ConditionPathExists = [ secretFile ];
+ };
+ };
 khscodes.services.vault-agent.templates = [
 {
 contents = ''
diff --git a/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix b/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
index df75f48..57a4bb6 100644
--- a/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
@@ -27,7 +27,7 @@ in
 name = "mta-sts.${domain}";
 value = {
 locations."=/.well-known/mta-sts.txt" = {
- tryFiles = "${mtaStsWellKnown} =404";
+ alias = mtaStsWellKnown;
 };
 locations."/" = {
 return = 404;
diff --git a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
index 682c33a..3318a54 100644
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
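Review bot: `ConditionPathExists = [ secretFile ]` on dovecot2 and postfix fails closed when the Vault-rendered LDAP bind secret is absent, which is the right direction, but systemd treats an unmet condition as a clean skip (the unit stays inactive with a zero exit rather than failed), so nothing restarts either service when the file appears later and monitoring that watches for failed units will not notice — unless the vault-agent template's command restarts them, ordering the two units `after`/`requires` the agent would make the dependency explicit. The `secretFile` binding and the enclosing `config = lib.mkIf cfg.enable {` are outside the hunk. The new `userFilter` accepts a hit on either `mail` or `uid`, so a `uid` value equal to some other account's `mail` address would return two entries for one lookup; Kanidm names likely cannot contain `@`, but a comment stating that assumption next to the filter is cheap. Also `requriing` → `requiring` in the new comment.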
@@ -1,15 +1,13 @@
 { config, lib, ... }:
 let
- fqdn = config.khscodes.networking.fqdn;
 cfg = config.khscodes.infrastructure.mailserver;
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings.metrics.prometheus = {
+
+ services.prometheus.exporters.postfix = {
 enable = true;
 };
- khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
- return = 404;
- };
+ khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
 };
 }
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
index 6c44a12..63ae288 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
@@ -157,7 +157,6 @@ in
 persons.khs = {
 present = true;
 mailAddresses = [
- "kaare@kaareskovgaard.net"
 "kaare@agerlin-skovgaard.dk"
 "kaare@agerlinskovgaard.dk"
 ];
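Review bot: `services.prometheus.exporters.postfix` is enabled with only `enable = true`, which leaves the NixOS exporter defaults in force — as far as I recall those bind `0.0.0.0` on the exporter's default port — so the metrics endpoint is reachable on every interface and only the host firewall stands between it and the network; if `vault-prometheus-sender` scrapes it locally, `listenAddress = "127.0.0.1";` keeps postfix queue statistics off the wire without depending on firewall state. The blank `+` line directly after `config = lib.mkIf cfg.enable {` reads as an accidental leftover. Dropping the `=/metrics/prometheus` 404 location is consistent with removing the stalwart metrics listener, provided no other module still publishes metrics on the FQDN vhost.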