Kaare Hoff Skovgaard
6a1aca24a9
LDAP login works for IMAP, but postfix doesn't recognise the mail addresses for the users.
140 lines
3.5 KiB
Nix
140 lines
3.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
inputs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.khscodes.infrastructure.mailserver;
|
|
fqdn = config.khscodes.networking.fqdn;
|
|
in
|
|
{
|
|
options.khscodes.infrastructure.mailserver = {
|
|
enable = lib.mkEnableOption "Enables setting up stuff for a mail server";
|
|
domains = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
};
|
|
};
|
|
imports = [
|
|
inputs.simple-nixos-mailserver.nixosModules.mailserver
|
|
./dmarc.nix
|
|
./dane.nix
|
|
./dkim.nix
|
|
./mta-sts.nix
|
|
./spf.nix
|
|
./tls-rpt.nix
|
|
./prometheus.nix
|
|
./openid-connect.nix
|
|
./ldap.nix
|
|
];
|
|
config = lib.mkIf cfg.enable {
|
|
# TODO: Include a similiar rule for openstack
|
|
khscodes.infrastructure.hetzner-instance.extraFirewallRules = [
|
|
{
|
|
direction = "out";
|
|
protocol = "tcp";
|
|
port = 25;
|
|
destination_ips = [
|
|
"0.0.0.0/0"
|
|
"::/0"
|
|
];
|
|
description = "smtp";
|
|
}
|
|
];
|
|
khscodes.infrastructure.provisioning.pre.modules = [
|
|
(
|
|
{ ... }:
|
|
{
|
|
khscodes.cloudflare.dns.mxRecords = (
|
|
lib.lists.map (domain: {
|
|
fqdn = domain;
|
|
priority = 10;
|
|
content = fqdn;
|
|
ttl = 600;
|
|
}) cfg.domains
|
|
);
|
|
khscodes.cloudflare.dns.srvRecords = lib.lists.flatten (
|
|
lib.lists.map (domain: [
|
|
{
|
|
fqdn = "_imaps._tcp.${domain}";
|
|
content = fqdn;
|
|
priority = 0;
|
|
weight = 1;
|
|
port = 993;
|
|
ttl = 600;
|
|
}
|
|
{
|
|
fqdn = "_submissions._tcp.${domain}";
|
|
content = fqdn;
|
|
priority = 0;
|
|
weight = 1;
|
|
port = 465;
|
|
ttl = 600;
|
|
}
|
|
]) cfg.domains
|
|
);
|
|
}
|
|
)
|
|
];
|
|
mailserver = {
|
|
enable = true;
|
|
enableImap = false;
|
|
enableImapSsl = true;
|
|
enableSubmission = false;
|
|
enableSubmissionSsl = true;
|
|
fqdn = config.khscodes.networking.fqdn;
|
|
useUTF8FolderNames = true;
|
|
domains = cfg.domains;
|
|
certificateScheme = "acme";
|
|
};
|
|
services.dovecot2.extraConfig = ''
|
|
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
|
|
|
|
passdb {
|
|
driver = oauth2
|
|
mechanisms = xoauth2 oauthbearer
|
|
args = /etc/dovecot/dovecot-oauth2.conf.ext
|
|
}
|
|
'';
|
|
environment.etc."dovecot/dovecot-oauth2.conf.ext".text = ''
|
|
scope = email openid profile
|
|
username_attribute = preferred_username
|
|
client_id = dovecot
|
|
client_secret = <${config.khscodes.infrastructure.kanidm-client-application.secretFile}
|
|
tokeninfo_url = https://login.kaareskovgaard.net/oauth2/token
|
|
introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
|
|
introspection_mode = post
|
|
'';
|
|
services.prometheus.exporters.postfix = {
|
|
enable = true;
|
|
};
|
|
khscodes.infrastructure.vault-prometheus-sender.exporters.enabled = [ "postfix" ];
|
|
services.fail2ban.jails = {
|
|
postfix = {
|
|
settings = {
|
|
enabled = true;
|
|
mode = "aggressive";
|
|
findtime = 600;
|
|
bantime = "1d";
|
|
maxretry = 3;
|
|
};
|
|
};
|
|
dovecot = {
|
|
settings = {
|
|
enabled = true;
|
|
mode = "aggressive";
|
|
findtime = 600;
|
|
bantime = "1d";
|
|
maxretry = 3;
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
25
|
|
465
|
|
993
|
|
];
|
|
};
|
|
}
|