From 343c87b279facec91521ff1a0712df38fb997bc4 Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Tue, 29 Jul 2025 11:27:09 +0200
Subject: [PATCH] Mostly working postfix+dovecot2+ldap setup

Missing:
1. Figure out how to do some useful aliases for the mail addresses. Either something like assigning @kas.agerlinskovgaard.dk to kaare@agerlinskovgaard.dk or usual + aliases.
2. Oauth2 login is not working yet.
3. Need to be able to create accounts not handled by LDAP, such that eg. forgejo can have an account to send mails from (maybe also an account to receive mails?).
4. Once support in kanidm lands, need to look into application passwords such that one doesn't have to use their regular posix password, and maybe, ideally, doesn't need a posix password at all.
---
 .../nixos/infrastructure/mailserver/acme.nix | 9 +++++++++
 .../infrastructure/mailserver/default.nix | 5 +----
 .../nixos/infrastructure/mailserver/dkim.nix | 9 +++++++++
 .../nixos/infrastructure/mailserver/ldap.nix | 19 ++++++++++++++++---
 .../infrastructure/mailserver/mta-sts.nix | 2 +-
 .../infrastructure/mailserver/prometheus.nix | 8 +++-----
 .../security.kaareskovgaard.net/kanidm.nix | 1 -
 7 files changed, 39 insertions(+), 14 deletions(-)
 create mode 100644 nix/modules/nixos/infrastructure/mailserver/acme.nix

diff --git a/nix/modules/nixos/infrastructure/mailserver/acme.nix b/nix/modules/nixos/infrastructure/mailserver/acme.nix
new file mode 100644
index 0000000..1321901
--- /dev/null
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@@ -0,0 +1,9 @@
+{ lib, config, ... }:
+let
+ cfg = config.khscodes.infrastructure.mailserver;
+in
+{
+ config = lib.mkIf cfg.enable {
+ khscodes.services.nginx.virtualHosts."${config.khscodes.networking.fqdn}" = { };
+ };
+}
diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix
index 6f124b7..3f5d38e 100644
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
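Review bot: The new acme.nix gives no reason for declaring an empty nginx virtual host on `khscodes.services.nginx.virtualHosts."${config.khscodes.networking.fqdn}" = { };`, and the filename is the only hint that the point is to have a certificate issued for the host FQDN rather than to serve anything. I would add above the `config =` line `# Empty vhost for the host FQDN so the khscodes nginx module requests and renews a TLS certificate for it; postfix/dovecot are expected to use that certificate.` Whether the khscodes nginx module also defaults this vhost to HTTPS-only and ACME is not visible here; if it does not, this leaves a plain-HTTP listener on the mail host with no explicit locations, which is worth confirming against that module.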
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@@ -18,6 +18,7 @@ in
 };
 imports = [
 inputs.simple-nixos-mailserver.nixosModules.mailserver
+ ./acme.nix
 ./dmarc.nix
 ./dane.nix
 ./dkim.nix
@@ -106,10 +107,6 @@ in
 introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
 introspection_mode = post
 '';
- services.prometheus.exporters.postfix = {
- enable = true;
- };
- khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
 services.fail2ban.jails = {
 postfix = {
 settings = {
diff --git a/nix/modules/nixos/infrastructure/mailserver/dkim.nix b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
index 30c0c35..1d1834c 100644
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
@@ -164,15 +164,24 @@ in
 services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
 text = ''
 enabled = true;
+ allow_username_mismatch = true;
 domain {
 ${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
 }
 '';
 };
+ services.postfix.config = {
+ # Need to include this as I disabled the in built support for dkim signing
+ # without this postfix won't forward the mails to rspamd to be signed.
+ non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
+ };
 systemd.services.rspamd = {
 unitConfig = {
 ConditionPathExists = domainKeyPaths;
 };
+ serviceConfig = {
+ ReadOnlyPaths = domainKeyPaths;
+ };
 };
 systemd.services.postfix = {
 unitConfig = {
diff --git a/nix/modules/nixos/infrastructure/mailserver/ldap.nix b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
index 622efcd..aa7d802 100644
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@@ -16,7 +16,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- mailserver.debug = true;
 mailserver.ldap = {
 enable = true;
 uris = [ "ldaps://login.kaareskovgaard.net" ];
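Review bot: `+ allow_username_mismatch = true;` in `dkim_signing.conf` disables rspamd's check that the authenticated username carries the signing domain, so once a client has authenticated to submission rspamd will sign for any domain in `cfg.domains` regardless of who logged in. The reason is presumably that the login name is now a bare LDAP uid (the ldap.nix hunk in this same patch switches postfix to `mailAttribute = "uid"`), but that is not stated; I would put `# Login names are bare LDAP uids without a domain, so rspamd cannot match them against the signing domain; sender/From consistency must be enforced in postfix instead.` above the line and confirm that postfix submission actually does so, e.g. `smtpd_sender_login_maps` together with `reject_sender_login_mismatch`, since nothing in this patch adds it. `ReadOnlyPaths = domainKeyPaths;` under `serviceConfig` is a good hardening step. The enclosing `config` block of this module starts and ends outside the hunk.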
@@ -30,14 +29,28 @@ in
 # Map LDAP uid to dovecot user, and ldap userPassword to dovecot password
 passAttrs = "uid=user";
 passFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
- userFilter = "(&(class=account)(memberOf=mail_user)(uid=%u))";
+ # This filter is used both when receiving mail (thus needing to lookup by mail address, and when authenticating, requriing the lookup by uid.)
+ # Note that the pass filter only allows looking up by uid, so should still only be able to authenticate using that.
+ userFilter = "(&(class=account)(memberOf=mail_user)(|(mail=%u)(uid=%u)))";
+ userAttrs = "uid=user";
 };
 postfix = {
 filter = "(&(class=account)(memberOf=mail_user)(mail=%s))";
- mailAttribute = "mail";
+ mailAttribute = "uid";
 uidAttribute = "uid";
 };
 };
+ systemd.services.dovecot2 = {
+ unitConfig = {
+ ConditionPathExists = [ secretFile ];
+ };
+ };
+
+ systemd.services.postfix = {
+ unitConfig = {
+ ConditionPathExists = [ secretFile ];
+ };
+ };
 khscodes.services.vault-agent.templates = [
 {
 contents = ''
diff --git a/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix b/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
index df75f48..57a4bb6 100644
--- a/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/mta-sts.nix
@@ -27,7 +27,7 @@ in
 name = "mta-sts.${domain}";
 value = {
 locations."=/.well-known/mta-sts.txt" = {
- tryFiles = "${mtaStsWellKnown} =404";
+ alias = mtaStsWellKnown;
 };
 locations."/" = {
 return = 404;
diff --git a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
index 682c33a..3318a54 100644
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
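Review bot: `ConditionPathExists = [ secretFile ];` on `systemd.services.dovecot2` and `systemd.services.postfix` makes systemd skip those units without marking them failed when the vault-rendered secret is absent, so a missing or not-yet-rendered LDAP bind secret leaves the mail server silently down with no failed unit to alert on. If the vault-agent template is not guaranteed to (re)start the units once the file appears, `AssertPathExists = [ secretFile ];` fails the unit loudly instead; if it is, a comment saying that the agent restarts them on render would save the next reader the same question. `secretFile` is defined in the module's `let` block outside the hunk. The comment above `userFilter` also has a typo and an unbalanced parenthesis; `# Used both for delivery (lookup by mail address) and for authentication (lookup by uid); the pass filter still only matches on uid, so only the uid can be used to log in.` reads cleaner.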
@@ -1,15 +1,13 @@
 { config, lib, ... }:
 let
- fqdn = config.khscodes.networking.fqdn;
 cfg = config.khscodes.infrastructure.mailserver;
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings.metrics.prometheus = {
+
+ services.prometheus.exporters.postfix = {
 enable = true;
 };
- khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
- return = 404;
- };
+ khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
 };
 }
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
index 6c44a12..63ae288 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
@@ -157,7 +157,6 @@ in
 persons.khs = {
 present = true;
 mailAddresses = [
- "kaare@kaareskovgaard.net"
 "kaare@agerlin-skovgaard.dk"
 "kaare@agerlinskovgaard.dk"
 ];
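Review bot: `services.prometheus.exporters.postfix = { enable = true; };` sets no `listenAddress`, and the NixOS exporter options default to listening on all interfaces with the host firewall as the only thing keeping the port closed, so the postfix queue metrics are exactly as private as the firewall state. If `khscodes.infrastructure.vault-prometheus-sender` scrapes the exporter locally, as the `exporters.enabled = [ "postfix" ]` line suggests, pin it with `listenAddress = "127.0.0.1";` so the exporter is never network-reachable regardless of firewall rules. The added blank `+` line directly after `config = lib.mkIf cfg.enable {` looks like a leftover from the removed stalwart block and can go. The enclosing module is complete within the hunk.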