nixos-config/profiles/servers/mailserver.nix

{ pkgs, config, lib, inputs, ... }:
let
  secrets-default = {
    owner = "dovecot2:dovecot2";
    services = [ "dovecot2" ];
  };
in {
  imports = [ (toString inputs.simple-nixos-mailserver) ];
  secrets.mailserver = secrets-default;
  secrets.mailserver-minichka = secrets-default;
  secrets.mailserver-mitin = secrets-default;
  secrets.mailserver-joplin = secrets-default;
  secrets.mailserver-vaultwarden = secrets-default;
  secrets.mailserver-seafile = secrets-default;
  secrets.mailserver-gitea = secrets-default;
  secrets.mailserver-authentik = secrets-default;
  secrets.mailserver-kavita = secrets-default;
  secrets.mailserver-synapse = secrets-default;
  secrets.mailserver-outline = secrets-default;

  security.acme.certs."mail.ataraxiadev.com" = {
    webroot = "/var/lib/acme/acme-challenge";
    postRun = ''
      systemctl reload postfix
      systemctl reload dovecot2
    '';
  };

  services.postfix = {
    dnsBlacklists = [
      "all.s5h.net"
      "b.barracudacentral.org"
      "bl.spamcop.net"
      "blacklist.woody.ch"
    ];
    dnsBlacklistOverrides = ''
      ataraxiadev.com OK
      mail.ataraxiadev.com OK
      127.0.0.0/8 OK
      192.168.0.0/16 OK
    '';
    headerChecks = [
      {
        action = "IGNORE";
        pattern = "/^User-Agent.*Roundcube Webmail/";
      }
    ];
  };
  mailserver = rec {
    enable = true;
    openFirewall = true;
    fqdn = "mail.ataraxiadev.com";
    domains = [ "ataraxiadev.com" ];
    # hashedPassword:
    # nsp apacheHttpd --run 'htpasswd -nbB "" "super secret password"' | cut -d: -f2
    loginAccounts = {
      "ataraxiadev@ataraxiadev.com" = {
        aliases = [
          "ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root"
          "ark@ataraxiadev.com" "ark" "ataraxiadev.hsr@ataraxiadev.com" "ataraxiadev.hsr"
          "hsr@ataraxiadev.com" "hsr"
          "hsr1@ataraxiadev.com" "hsr1"
          "hsr2@ataraxiadev.com" "hsr2"
          "hsr3@ataraxiadev.com" "hsr3"
          "hsr4@ataraxiadev.com" "hsr4"
          "hsr5@ataraxiadev.com" "hsr5"
          "hsr6@ataraxiadev.com" "hsr6"
          "hsr7@ataraxiadev.com" "hsr7"
          "hsr8@ataraxiadev.com" "hsr8"
          "hsr9@ataraxiadev.com" "hsr9"
          "hsr10@ataraxiadev.com" "hsr10"
          "hsr11@ataraxiadev.com" "hsr11"
          "hsr12@ataraxiadev.com" "hsr12"
          "hsr13@ataraxiadev.com" "hsr13"
          "hsr14@ataraxiadev.com" "hsr14"
          "hsr15@ataraxiadev.com" "hsr15"
          "hsr16@ataraxiadev.com" "hsr16"
          # "@ataraxiadev.com"
        ];
        hashedPasswordFile = config.secrets.mailserver.decrypted;
      };
      "minichka76@ataraxiadev.com" = {
        aliases = [
        	"minichka76" "kpoxa@ataraxiadev.com" "kpoxa"
        	"sladkiyson0417@ataraxiadev.com" "sladkiyson0417"
        ];
        hashedPasswordFile = config.secrets.mailserver-minichka.decrypted;
      };
      "mitin@ataraxiadev.com" = {
        aliases = [ "mitin" "mitin1@ataraxiadev.com" "mitin1" "mitin2@ataraxiadev.com" "mitin2" ];
        hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;
      };

      "authentik@ataraxiadev.com" = {
        aliases = [ "authentik" ];
        hashedPasswordFile = config.secrets.mailserver-authentik.decrypted;
      };
      "gitea@ataraxiadev.com" = {
        aliases = [ "gitea" ];
        hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;
      };
      "joplin@ataraxiadev.com" = {
        aliases = [ "joplin" ];
        hashedPasswordFile = config.secrets.mailserver-joplin.decrypted;
      };
      "kavita@ataraxiadev.com" = {
        aliases = [ "kavita" ];
        hashedPasswordFile = config.secrets.mailserver-kavita.decrypted;
      };
      "vaultwarden@ataraxiadev.com" = {
        aliases = [ "vaultwarden" ];
        hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;
      };
      "seafile@ataraxiadev.com" = {
        aliases = [ "seafile" ];
        hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
      };
      "matrix@ataraxiadev.com" = {
        aliases = [ "matrix" ];
        hashedPasswordFile = config.secrets.mailserver-synapse.decrypted;
      };
      "outline@ataraxiadev.com" = {
        aliases = [ "outline" ];
        hashedPasswordFile = config.secrets.mailserver-outline.decrypted;
      };
    };
    hierarchySeparator = "/";
    localDnsResolver = false;
    certificateScheme = "manual";
    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
    enableManageSieve = true;
    enableImap = true;
    enableImapSsl = true;
    enablePop3 = false;
    enablePop3Ssl = false;
    enableSubmission = true;
    enableSubmissionSsl = true;
    virusScanning = false;

    mailDirectory = "/srv/mail/vmail";
    dkimKeyDirectory = "/srv/mail/dkim";
  };

  persist.state.directories = [
    "/var/sieve" # FIXME: change ownership to virtualMail:
  ] ++ lib.optionals (config.deviceSpecific.devInfo.fileSystem != "zfs") [
    config.mailserver.dkimKeyDirectory
    config.mailserver.mailDirectory
  ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
add some services 2022-02-21 02:25:13 +03:00			`{ pkgs, config, lib, inputs, ... }:`
			`let`
wip 2023-01-13 04:03:15 +03:00			`secrets-default = {`
add seafile 2022-03-22 06:02:13 +03:00			`owner = "dovecot2:dovecot2";`
			`services = [ "dovecot2" ];`
			`};`
wip 2023-01-13 04:03:15 +03:00			`in {`
			`imports = [ (toString inputs.simple-nixos-mailserver) ];`
			`secrets.mailserver = secrets-default;`
			`secrets.mailserver-minichka = secrets-default;`
			`secrets.mailserver-mitin = secrets-default;`
			`secrets.mailserver-joplin = secrets-default;`
			`secrets.mailserver-vaultwarden = secrets-default;`
			`secrets.mailserver-seafile = secrets-default;`
			`secrets.mailserver-gitea = secrets-default;`
add authentik 2023-01-26 04:45:14 +03:00			`secrets.mailserver-authentik = secrets-default;`
huge update to server containers 2023-03-23 01:58:10 +03:00			`secrets.mailserver-kavita = secrets-default;`
add matrix server 2023-04-25 17:24:01 +03:00			`secrets.mailserver-synapse = secrets-default;`
add outline 2023-07-26 21:20:52 +03:00			`secrets.mailserver-outline = secrets-default;`
add some services 2022-02-21 02:25:13 +03:00
			`security.acme.certs."mail.ataraxiadev.com" = {`
			`webroot = "/var/lib/acme/acme-challenge";`
			`postRun = ''`
			`systemctl reload postfix`
			`systemctl reload dovecot2`
			`'';`
			`};`

			`services.postfix = {`
			`dnsBlacklists = [`
			`"all.s5h.net"`
			`"b.barracudacentral.org"`
			`"bl.spamcop.net"`
			`"blacklist.woody.ch"`
			`];`
			`dnsBlacklistOverrides = ''`
			`ataraxiadev.com OK`
			`mail.ataraxiadev.com OK`
			`127.0.0.0/8 OK`
			`192.168.0.0/16 OK`
			`'';`
server things 2022-08-31 11:37:26 +03:00			`headerChecks = [`
			`{`
			`action = "IGNORE";`
			`pattern = "/^User-Agent.*Roundcube Webmail/";`
			`}`
			`];`
add some services 2022-02-21 02:25:13 +03:00			`};`
			`mailserver = rec {`
			`enable = true;`
			`openFirewall = true;`
			`fqdn = "mail.ataraxiadev.com";`
			`domains = [ "ataraxiadev.com" ];`
add seafile 2022-03-22 06:02:13 +03:00			`# hashedPassword:`
			`# nsp apacheHttpd --run 'htpasswd -nbB "" "super secret password"' \| cut -d: -f2`
add some services 2022-02-21 02:25:13 +03:00			`loginAccounts = {`
			`"ataraxiadev@ataraxiadev.com" = {`
add a bunch of mail aliases 2023-06-13 04:24:19 +03:00			`aliases = [`
wip 2023-01-13 04:03:15 +03:00			`"ataraxiadev" "admin@ataraxiadev.com" "admin" "root@ataraxiadev.com" "root"`
add a bunch of mail aliases 2023-06-13 04:24:19 +03:00			`"ark@ataraxiadev.com" "ark" "ataraxiadev.hsr@ataraxiadev.com" "ataraxiadev.hsr"`
			`"hsr@ataraxiadev.com" "hsr"`
			`"hsr1@ataraxiadev.com" "hsr1"`
			`"hsr2@ataraxiadev.com" "hsr2"`
			`"hsr3@ataraxiadev.com" "hsr3"`
			`"hsr4@ataraxiadev.com" "hsr4"`
			`"hsr5@ataraxiadev.com" "hsr5"`
			`"hsr6@ataraxiadev.com" "hsr6"`
			`"hsr7@ataraxiadev.com" "hsr7"`
			`"hsr8@ataraxiadev.com" "hsr8"`
			`"hsr9@ataraxiadev.com" "hsr9"`
			`"hsr10@ataraxiadev.com" "hsr10"`
			`"hsr11@ataraxiadev.com" "hsr11"`
			`"hsr12@ataraxiadev.com" "hsr12"`
			`"hsr13@ataraxiadev.com" "hsr13"`
			`"hsr14@ataraxiadev.com" "hsr14"`
			`"hsr15@ataraxiadev.com" "hsr15"`
			`"hsr16@ataraxiadev.com" "hsr16"`
wip 2023-01-13 04:03:15 +03:00			`# "@ataraxiadev.com"`
			`];`
add some services 2022-02-21 02:25:13 +03:00			`hashedPasswordFile = config.secrets.mailserver.decrypted;`
			`};`
add new mail address 2022-03-22 06:04:02 +03:00			`"minichka76@ataraxiadev.com" = {`
add a bunch of mail aliases 2023-06-13 04:24:19 +03:00			`aliases = [`
			`"minichka76" "kpoxa@ataraxiadev.com" "kpoxa"`
			`"sladkiyson0417@ataraxiadev.com" "sladkiyson0417"`
			`];`
add new mail address 2022-03-22 06:04:02 +03:00			`hashedPasswordFile = config.secrets.mailserver-minichka.decrypted;`
			`};`
add new email address 2022-12-07 02:39:08 +03:00			`"mitin@ataraxiadev.com" = {`
			`aliases = [ "mitin" "mitin1@ataraxiadev.com" "mitin1" "mitin2@ataraxiadev.com" "mitin2" ];`
			`hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;`
			`};`
wip 2023-01-13 04:03:15 +03:00
add authentik 2023-01-26 04:45:14 +03:00			`"authentik@ataraxiadev.com" = {`
			`aliases = [ "authentik" ];`
			`hashedPasswordFile = config.secrets.mailserver-authentik.decrypted;`
			`};`
wip 2023-01-13 04:03:15 +03:00			`"gitea@ataraxiadev.com" = {`
			`aliases = [ "gitea" ];`
			`hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;`
			`};`
add joplin-server and fix nginx 2022-10-09 00:39:52 +03:00			`"joplin@ataraxiadev.com" = {`
			`aliases = [ "joplin" ];`
			`hashedPasswordFile = config.secrets.mailserver-joplin.decrypted;`
			`};`
huge update to server containers 2023-03-23 01:58:10 +03:00			`"kavita@ataraxiadev.com" = {`
			`aliases = [ "kavita" ];`
			`hashedPasswordFile = config.secrets.mailserver-kavita.decrypted;`
			`};`
add some services 2022-02-21 02:25:13 +03:00			`"vaultwarden@ataraxiadev.com" = {`
			`aliases = [ "vaultwarden" ];`
			`hashedPasswordFile = config.secrets.mailserver-vaultwarden.decrypted;`
			`};`
add seafile 2022-03-22 06:02:13 +03:00			`"seafile@ataraxiadev.com" = {`
			`aliases = [ "seafile" ];`
			`hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;`
			`};`
add matrix server 2023-04-25 17:24:01 +03:00			`"matrix@ataraxiadev.com" = {`
			`aliases = [ "matrix" ];`
			`hashedPasswordFile = config.secrets.mailserver-synapse.decrypted;`
			`};`
add outline 2023-07-26 21:20:52 +03:00			`"outline@ataraxiadev.com" = {`
			`aliases = [ "outline" ];`
			`hashedPasswordFile = config.secrets.mailserver-outline.decrypted;`
			`};`
add some services 2022-02-21 02:25:13 +03:00			`};`
server things 2022-08-31 11:37:26 +03:00			`hierarchySeparator = "/";`
fix dns resolver 2023-01-26 02:13:15 +03:00			`localDnsResolver = false;`
fix deprecated field in mailserver 2023-06-15 01:54:40 +03:00			`certificateScheme = "manual";`
add some services 2022-02-21 02:25:13 +03:00			`certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";`
			`keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";`
server things 2022-08-31 11:37:26 +03:00			`enableManageSieve = true;`
add some services 2022-02-21 02:25:13 +03:00			`enableImap = true;`
server things 2022-08-31 11:37:26 +03:00			`enableImapSsl = true;`
			`enablePop3 = false;`
			`enablePop3Ssl = false;`
add some services 2022-02-21 02:25:13 +03:00			`enableSubmission = true;`
server things 2022-08-31 11:37:26 +03:00			`enableSubmissionSsl = true;`
add some services 2022-02-21 02:25:13 +03:00			`virusScanning = false;`
wip 2023-01-13 04:03:15 +03:00
			`mailDirectory = "/srv/mail/vmail";`
			`dkimKeyDirectory = "/srv/mail/dkim";`
add some services 2022-02-21 02:25:13 +03:00			`};`
persist module 2022-12-14 23:46:25 +03:00
			`persist.state.directories = [`
small update 2023-04-25 17:32:30 +03:00			`"/var/sieve" # FIXME: change ownership to virtualMail:`
wip 2023-01-13 04:03:15 +03:00			`] ++ lib.optionals (config.deviceSpecific.devInfo.fileSystem != "zfs") [`
			`config.mailserver.dkimKeyDirectory`
persist module 2022-12-14 23:46:25 +03:00			`config.mailserver.mailDirectory`
			`];`
wip 2023-01-13 04:03:15 +03:00
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
add a bunch of mail aliases 2023-06-13 04:24:19 +03:00			`}`