modules/services/nixos-mailserver.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

{ inputs, config, lib, ... }:

with lib;
let
  cfg = config.modules.services.nixos-mailserver;
in
{
  imports = [ inputs.nixos-mailserver.nixosModules.mailserver ];

  options.modules.services.nixos-mailserver = {
    enable = mkEnableOption "nixos-mailserver";
  };

  config = mkIf cfg.enable {
    sops.secrets.sefidel-imap-pass = {
      mode = "0440";
      owner = "dovecot2";
      group = "dovecot2";
    };
    sops.secrets.internal-imap-pass = {
      mode = "0440";
      owner = "dovecot2";
      group = "dovecot2";
    };

    systemd.services.dovecot2 = {
      serviceConfig.SupplementaryGroups = [ "acme" ];
    };

    services.postfix = {
      dnsBlacklists = [
        # TODO: add sources
        "bl.spamcop.net"
      ];
      dnsBlacklistOverrides = ''
        exotic.sh OK
        sefidel.net OK
        sefidel.com OK
        192.168.0.0/16 OK
      '';
    };

    # HACK: nixos-mailserver sets up reload hook on 'fqdn', which is 'mail.exotic.sh'.
    # Since our cert is a wildcard cert with domain 'exotic.sh', it is excluded from the hook.
    security.acme.certs."exotic.sh".reloadServices = [
      "postfix.service"
      "dovecot2.service"
    ];

    mailserver = {
      enable = true;
      fqdn = "mail.exotic.sh";
      domains = [ "exotic.sh" "nand.moe" "sefidel.com" "sefidel.net" ];
      mailboxes = {
        Trash = {
          auto = "no";
          specialUse = "Trash";
        };
        Junk = {
          auto = "subscribe";
          specialUse = "Junk";
        };
        Drafts = {
          auto = "subscribe";
          specialUse = "Drafts";
        };
        Sent = {
          auto = "subscribe";
          specialUse = "Sent";
        };
      };

      loginAccounts = {
        "contact@sefidel.com" = {
          aliases = [ "sefidel" "admin" "admin@sefidel.com" "postmaster" "postmaster@sefidel.com" ];
          hashedPasswordFile = config.sops.secrets.sefidel-imap-pass.path;
        };
        "contact@sefidel.net" = {
          aliases = [ "sefidel" "dev@sefidel.net" "social@sefidel.net" "media@sefidel.net" "public@sefidel.net" "admin" "admin@sefidel.net" "postmaster" "postmaster@sefidel.net" ];
          hashedPasswordFile = config.sops.secrets.sefidel-imap-pass.path;
        };
        "sef@exotic.sh" = {
          aliases = [ "sef" "sefidel" "sefidel@exotic.sh" "admin" "admin@exotic.sh" "postmaster" "postmaster@exotic.sh" "admin@nand.moe" "postmaster@nand.moe" ];
          hashedPasswordFile = config.sops.secrets.sefidel-imap-pass.path;
        };
        "system@exotic.sh" = {
          aliases = [ "system@nand.moe" ];
          hashedPasswordFile = config.sops.secrets.internal-imap-pass.path;
        };
      };
      localDnsResolver = false;
      certificateScheme = 1;
      certificateFile = "${config.security.acme.certs."exotic.sh".directory}/cert.pem";
      keyFile = "${config.security.acme.certs."exotic.sh".directory}/key.pem";
      enableImap = true;
      enableImapSsl = true;
      enableSubmission = true;
      enableSubmissionSsl = true;
      virusScanning = false;
    };

    environment.persistence."/persist".directories = [
      "/var/lib/dovecot"
      "/var/lib/rspamd"
      "/var/lib/redis-rspamd"
      "/var/vmail"
      "/var/dkim"
      "/var/sieve"
    ];

    networking.firewall.allowedTCPPorts = [ 143 993 465 587 ];
  };
}