Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/mail/default.nix2
-rw-r--r--modules/private/mail/opensmtpd.nix51
-rw-r--r--modules/private/mail/postfix.nix15
-rw-r--r--modules/private/system/backup-2.nix11
4 files changed, 66 insertions, 13 deletions
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix
index 839939c..a617934 100644
--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -5,8 +5,10 @@
5 ./postfix.nix 5 ./postfix.nix
6 ./dovecot.nix 6 ./dovecot.nix
7 ./rspamd.nix 7 ./rspamd.nix
8 ./opensmtpd.nix
8 ]; 9 ];
9 options.myServices.mail.enable = lib.mkEnableOption "enable Mail services"; 10 options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
11 options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";
10 12
11 config = lib.mkIf config.myServices.mail.enable { 13 config = lib.mkIf config.myServices.mail.enable {
12 security.acme.certs."mail" = config.myServices.certificates.certConfig // { 14 security.acme.certs."mail" = config.myServices.certificates.certConfig // {
diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix
new file mode 100644
index 0000000..7831ac0
--- /dev/null
+++ b/modules/private/mail/opensmtpd.nix
@@ -0,0 +1,51 @@
1{ lib, pkgs, config, name, ... }:
2{
3 config = lib.mkIf config.myServices.mailRelay.enable {
4 secrets.keys = [
5 {
6 dest = "opensmtpd/creds";
7 user = "smtpd";
8 group = "smtpd";
9 permissions = "0400";
10 text = ''
11 eldiron ${name}:${config.myEnv.servers."${name}".ldap.password}
12 '';
13 }
14 ];
15 users.users.smtpd.extraGroups = [ "keys" ];
16 services.opensmtpd = {
17 enable = true;
18 serverConfiguration = ''
19 table creds \
20 "${config.secrets.fullPaths."opensmtpd/creds"}"
21 # FIXME: filtering requires 6.6
22 # filter "fixfrom" \
23 # proc-exec "${pkgs.procmail}/bin/formail -i 'From: ${name}@immae.eu'"
24 action "relay-rewrite-from" relay \
25 helo ${config.hostEnv.FQDN} \
26 host smtp+tls://eldiron@eldiron.immae.eu:587 \
27 auth <creds> \
28 mail-from ${name}@immae.eu
29 action "relay" relay \
30 helo ${config.hostEnv.FQDN} \
31 host smtp+tls://eldiron@eldiron.immae.eu:587 \
32 auth <creds>
33 match for any !mail-from "@immae.eu" action "relay-rewrite-from"
34 match for any mail-from "@immae.eu" action "relay"
35 '';
36 };
37 environment.systemPackages = [ config.services.opensmtpd.package ];
38 services.mail.sendmailSetuidWrapper = {
39 program = "sendmail";
40 source = "${config.services.opensmtpd.package}/bin/smtpctl";
41 setuid = false;
42 setgid = false;
43 };
44 security.wrappers.mailq = {
45 program = "mailq";
46 source = "${config.services.opensmtpd.package}/bin/smtpctl";
47 setuid = false;
48 setgid = false;
49 };
50 };
51}
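Review bot: The two `match for any` rules at the end of serverConfiguration carry no `from` restriction, so they are safe only because this configuration declares no `listen on` and mail can enter solely through the local smtpctl wrappers defined below; a later `listen on` would turn it into an open relay. Record that dependency next to the rules, e.g. `# no "listen on" here: only locally enqueued mail hits these rules, so "for any" is not an open relay`, or make it explicit with `match from local for any ...` on both lines. The `smtp+tls://` relay to eldiron.immae.eu:587 says nothing about whether the peer certificate is verified, and the LDAP password of this node is reused as the SMTP credential in the `creds` table; confirm the OpenSMTPD version in use verifies the relay certificate by default (or pins a `ca`) and that sharing the secret across both services is intended. Both wrappers set `setuid = false` and `setgid = false`, the least-privilege choice, but whether unprivileged users can then enqueue depends on the spool permissions, and if the NixOS opensmtpd module also defines the sendmail wrapper with a different setgid/group the two definitions conflict without `lib.mkForce` — worth checking on the host.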
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 9c4b87c..a31841f 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,4 +1,4 @@
1{ lib, pkgs, config, ... }: 1{ lib, pkgs, config, nodes, ... }:
2{ 2{
3 config = lib.mkIf config.myServices.mail.enable { 3 config = lib.mkIf config.myServices.mail.enable {
4 services.duplyBackup.profiles.mail.excludeFile = '' 4 services.duplyBackup.profiles.mail.excludeFile = ''
@@ -186,8 +186,15 @@
186 ) 186 )
187 ); 187 );
188 }; 188 };
189 sasl_access = {
190 host_sender_login = pkgs.writeText "host-sender-login"
191 (builtins.concatStringsSep "\n" (lib.flatten (lib.attrsets.mapAttrsToList
192 (n: v: (map (e: "${e} ${n}@immae.eu") v.emails)) config.myEnv.servers)));
193 host_dummy_mailboxes = pkgs.writeText "host-virtual-mailbox"
194 (builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: "${n}@immae.eu dummy") nodes));
195 };
189 in 196 in
190 recipient_maps // relay_restrictions // virtual_map; 197 recipient_maps // relay_restrictions // virtual_map // sasl_access;
191 config = { 198 config = {
192 ### postfix module overrides 199 ### postfix module overrides
193 readme_directory = "${pkgs.postfix}/share/postfix/doc"; 200 readme_directory = "${pkgs.postfix}/share/postfix/doc";
@@ -212,7 +219,7 @@
212 ) 219 )
213 config.myEnv.dns.masterZones 220 config.myEnv.dns.masterZones
214 ))); 221 )));
215 virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; 222 virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
216 dovecot_destination_recipient_limit = "1"; 223 dovecot_destination_recipient_limit = "1";
217 virtual_transport = "dovecot"; 224 virtual_transport = "dovecot";
218 225
@@ -277,7 +284,7 @@
277 # Refuse to send e-mails with a From that is not handled 284 # Refuse to send e-mails with a From that is not handled
278 smtpd_sender_restrictions = 285 smtpd_sender_restrictions =
279 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject"; 286 "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
280 smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}"; 287 smtpd_sender_login_maps = "hash:/etc/postfix/host_sender_login,mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
281 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject"; 288 smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
282 milter_macro_daemon_name = "ORIGINATING"; 289 milter_macro_daemon_name = "ORIGINATING";
283 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}"; 290 smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
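Review bot: The new `host_sender_login` hash map is consulted before the MySQL map in `smtpd_sender_login_maps`, and Postfix stops at the first table that returns a result, so any address listed under a server's `emails` that also has owners in MySQL silently loses those owners for `reject_sender_login_mismatch`; a comment on the `sasl_access` binding would make this visible, e.g. `# Looked up before the MySQL map: an address listed here is owned only by the server login`. Adding every node as a valid recipient through `host_dummy_mailboxes` makes Postfix accept mail for `<node>@immae.eu` at SMTP time and hand it to the `dovecot` transport with the literal value `dummy`; nothing in the hunk shows dovecot handling these recipients, so confirm they are delivered or discarded rather than bounced after acceptance. The `let` that produces `recipient_maps // ... // sasl_access` starts outside the hunk, so where the merged set is consumed (presumably the module's map files) cannot be checked here.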
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index f241ad1..ede5bc2 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, resources, ... }: 2{ config, pkgs, resources, name, ... }:
3{ 3{
4 boot.kernelPackages = pkgs.linuxPackages_latest; 4 boot.kernelPackages = pkgs.linuxPackages_latest;
5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -33,14 +33,6 @@
33 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) 33 (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
34 config.myEnv.servers.backup-2.ips); 34 config.myEnv.servers.backup-2.ips);
35 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; 35 defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
36
37 defaultMailServer = {
38 directDelivery = true;
39 hostName = "eldiron.immae.eu:25";
40 useTLS = true;
41 useSTARTTLS = true;
42 root = "postmaster@immae.eu";
43 };
44 }; 36 };
45 37
46 services.cron = { 38 services.cron = {
@@ -56,6 +48,7 @@
56 ssh_key_private = config.myEnv.rsync_backup.ssh_key.private; 48 ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;
57 }; 49 };
58 50
51 myServices.mailRelay.enable = true;
59 myServices.monitoring.enable = true; 52 myServices.monitoring.enable = true;
60 myServices.databasesReplication = { 53 myServices.databasesReplication = {
61 postgresql = { 54 postgresql = {
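Review bot: The removed `defaultMailServer` block also set `root = "postmaster@immae.eu"`, which directed mail for root and system accounts to a monitored address, while the `myServices.mailRelay.enable = true` added in the last hunk does not show an equivalent alias; confirm where local root and cron mail now lands so alerts from this backup host are not lost. The `name` argument added to the module signature is not used in the visible hunks, presumably it is consumed by the relay module; a short comment on the `mailRelay` line such as `# local mail now goes through the OpenSMTPD relay module instead of ssmtp direct delivery` would tie the two changes together. The `services.cron` block that follows starts outside the hunk.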