commit 70cbd40009a7d5fe7068c750bb24dfd8e5b2817b · pyrox.dev/nix

+1 -2

hosts/prefect/default.nix

···

       27
       27
        
           # ./services/dn42-peerfinder.nix

     

       28
       28
        
           ./services/fail2ban.nix

     

       29
       29
        
           # ./services/headscale.nix

     

       30
       30
       -
           # ./services/mailserver

     

       31
       31
       -
           ./services/mailserver/stalwart

     

       30
       30
       +
           ./services/mailserver

     

       32
       31
        
           # ./services/netdata.nix

     

       33
       32
        
           # ./services/nginx

     

       34
       33
        
           ./services/prometheus.nix

+204 -105

hosts/prefect/services/mailserver/default.nix

···

       1
       1
       -
       { lib, pkgs, ... }:

     

       2
       1
        
       {

     

       3
       3
       -
         imports = [

     

       4
       4
       -
           ./logins.nix

     

       5
       5
       -
           ./monitoring.nix

     

       6
       6
       -
           ./overrides.nix

     

       7
       7
       -
         ];

     

       8
       8
       -
         mailserver = {

     

       9
       9
       -
           enable = false;

     

       10
       10
       -
           fqdn = "mail.pyrox.dev";

     

       11
       11
       -
           systemName = "PyroNet Mail";

     

       12
       12
       -
           systemDomain = "mail.pyrox.dev";

     

       13
       13
       -
           openFirewall = true;

     

       14
       14
       -
           stateVersion = 3;

     

       15
       15
       -
       

     

       16
       16
       -
           # All domains this server runs email for

     

       17
       17
       -
           domains = [ "pyrox.dev" ];

     

       18
       18
       -
       

     

       19
       19
       -
           # Enable STARTTLS

     

       20
       20
       -
           enableImap = true;

     

       21
       21
       -
           enableSubmission = true;

     

       22
       22
       -
       

     

       23
       23
       -
           # Disable POP3, I don't use it and neither should you

     

       24
       24
       -
           enablePop3 = false;

     

       25
       25
       -
           enablePop3Ssl = false;

     

       26
       26
       -
       

     

       27
       27
       -
           # Enable ManageSieve so that we don't need to change the config to update sieves

     

       28
       28
       -
           enableManageSieve = true;

     

       29
       29
       -
       

     

       30
       30
       -
           # Set directories for services

     

       31
       31
       -
           mailDirectory = "/srv/mail/vmail";

     

       32
       32
       -
           sieveDirectory = "/srv/mail/sieve";

     

       33
       33
       -
           indexDir = "/var/lib/dovecot/indices";

     

       34
       34
       -
           dkimKeyDirectory = "/srv/mail/dkim";

     

       35
       35
       -
       

     

       36
       36
       -
           # Set all no-reply addresses

     

       37
       37
       -
           rejectRecipients = [

     

       38
       38
       -
             "no-reply@pyrox.dev"

     

       39
       39
       -
             "dmarc-noreply@pyrox.dev"

     

       40
       40
       -
           ];

     

       41
       41
       -
       

     

       42
       42
       -
           # DKIM Settings

     

       43
       43
       -
           dkimKeyBits = 4096;

     

       44
       44
       -
           dkimSelector = "mail";

     

       45
       45
       -
           dkimSigning = true;

     

       46
       46
       -
       

     

       47
       47
       -
           # DMARC Settings

     

       48
       48
       -
           dmarcReporting = {

     

       49
       49
       -
             enable = true;

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         self,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       let

     

       8
       8
       +
         d = self.lib.data.mail;

     

       9
       9
       +
         cfg = config.services.stalwart-mail;

     

       10
       10
       +
         sec = config.age.secrets;

     

       11
       11
       +
         creds = config.services.stalwart-mail.credentials;

     

       12
       12
       +
         credsDir = "/run/credentials/stalwart-mail.service";

     

       13
       13
       +
         certDir = config.security.acme.certs."pyroxdev-mail".directory;

     

       14
       14
       +
         isAuthenticated = d: {

     

       15
       15
       +
           "if" = "!is_empty(authenticated_as)";

     

       16
       16
       +
           "then" = d;

     

       17
       17
       +
         };

     

       18
       18
       +
         otherwise = d: {

     

       19
       19
       +
           "else" = d;

     

       20
       20
       +
         };

     

       21
       21
       +
         ifThen = f: d: {

     

       22
       22
       +
           "if" = f;

     

       23
       23
       +
           "then" = d;

     

       24
       24
       +
         };

     

       25
       25
       +
         smSecret = {

     

       26
       26
       +
           owner = "stalwart-mail";

     

       27
       27
       +
           group = "stalwart-mail";

     

       28
       28
       +
         };

     

       29
       29
       +
       in

     

       30
       30
       +
       {

     

       31
       31
       +
         services.stalwart-mail = {

     

       32
       32
       +
           credentials = {

     

       33
       33
       +
             cert = "${certDir}/cert.pem";

     

       34
       34
       +
             key = "${certDir}/key.pem";

     

       50
       35
        
           };

     

       51
       51
       -
       

     

       52
       52
       -
           # Mailboxes for all users

     

       53
       53
       -
           mailboxes = {

     

       54
       54
       -
             Drafts = {

     

       55
       55
       -
               auto = "subscribe";

     

       56
       56
       -
               specialUse = "Drafts";

     

       36
       36
       +
           enable = true;

     

       37
       37
       +
           dataDir = "/var/lib/stalwart";

     

       38
       38
       +
           settings = {

     

       39
       39
       +
             tracer.stdout.level = "info";

     

       40
       40
       +
             authentication.fallback-admin = {

     

       41
       41
       +
               user = "fallback";

     

       42
       42
       +
               secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";

     

       43
       43
       +
             };

     

       44
       44
       +
             config = {

     

       45
       45
       +
               local-keys = [

     

       46
       46
       +
                 "asn.*"

     

       47
       47
       +
                 "auth.*"

     

       48
       48
       +
                 "authentication.*"

     

       49
       49
       +
                 "auto-ban.*"

     

       50
       50
       +
                 "calendar.*"

     

       51
       51
       +
                 "certificate.*"

     

       52
       52
       +
                 "changes.*"

     

       53
       53
       +
                 "cluster.*"

     

       54
       54
       +
                 "config.*"

     

       55
       55
       +
                 "contacts.*"

     

       56
       56
       +
                 "directory.*"

     

       57
       57
       +
                 "http.*"

     

       58
       58
       +
                 "imap.*"

     

       59
       59
       +
                 "jmap.*"

     

       60
       60
       +
                 "queue.*"

     

       61
       61
       +
                 "report.*"

     

       62
       62
       +
                 "resolver.*"

     

       63
       63
       +
                 "server.*"

     

       64
       64
       +
                 "session.*"

     

       65
       65
       +
                 "signature.*"

     

       66
       66
       +
                 "storage.*"

     

       67
       67
       +
                 "store.*"

     

       68
       68
       +
                 "tracer.*"

     

       69
       69
       +
                 "webadmin.*"

     

       70
       70
       +
                 "form.*"

     

       71
       71
       +
                 "email.*"

     

       72
       72
       +
                 "spam-filter.*"

     

       73
       73
       +
               ];

     

       74
       74
       +
             };

     

       75
       75
       +
             certificate = {

     

       76
       76
       +
               default = {

     

       77
       77
       +
                 default = true;

     

       78
       78
       +
                 cert = "%{file:${credsDir}/cert}%";

     

       79
       79
       +
                 private-key = "%{file:${credsDir}/key}%";

     

       80
       80
       +
                 subjects = [

     

       81
       81
       +
                   "dav.pyrox.dev"

     

       82
       82
       +
                   "mail.pyrox.dev"

     

       83
       83
       +
                   "mta-sts.pyrox.dev"

     

       84
       84
       +
                   "autoconfig.pyrox.dev"

     

       85
       85
       +
                   "autodiscover.pyrox.dev"

     

       86
       86
       +
                 ];

     

       87
       87
       +
               };

     

       88
       88
       +
             };

     

       89
       89
       +
             server = import ./server.nix { inherit d; };

     

       90
       90
       +
             # Use NixOS-generated certs now, since stalwart can't do it on its own

     

       91
       91
       +
             # (DeSec API Errors abound)

     

       92
       92
       +
             # acme = import ./acme.nix { inherit cfg sec; };

     

       93
       93
       +
             # HTTP Configuration

     

       94
       94
       +
             # https://stalw.art/docs/http/overview

     

       95
       95
       +
             http = {

     

       96
       96
       +
               url = "'https://${d.extUrl}'";

     

       97
       97
       +
               hsts = true;

     

       98
       98
       +
               rate-limit = {

     

       99
       99
       +
                 account = "10000/1m";

     

       100
       100
       +
               };

     

       101
       101
       +
             };

     

       102
       102
       +
             # Disable HTTP Forms submission

     

       103
       103
       +
             # https://stalw.art/docs/http/form-submission

     

       104
       104
       +
             form.enable = false;

     

       105
       105
       +
             # DKIM Signatures

     

       106
       106
       +
             signature = import ./signature.nix { inherit sec; };

     

       107
       107
       +
             # Storage Settings

     

       108
       108
       +
             # https://stalw.art/docs/storage/overview

     

       109
       109
       +
             store = {

     

       110
       110
       +
               data = {

     

       111
       111
       +
                 type = "rocksdb";

     

       112
       112
       +
                 path = "${cfg.dataDir}/db";

     

       113
       113
       +
                 purge.frequency = "0 3 *";

     

       114
       114
       +
               };

     

       115
       115
       +
               blob = {

     

       116
       116
       +
                 type = "fs";

     

       117
       117
       +
                 path = "${cfg.dataDir}/blobs";

     

       118
       118
       +
                 depth = 2;

     

       119
       119
       +
                 compression = "lz4";

     

       120
       120
       +
                 purge.frequency = "0 4 *";

     

       121
       121
       +
               };

     

       122
       122
       +
               db.path = "${cfg.dataDir}/db2";

     

       123
       123
       +
             };

     

       124
       124
       +
             storage = {

     

       125
       125
       +
               data = "data";

     

       126
       126
       +
               blob = "blob";

     

       127
       127
       +
               fts = "data";

     

       128
       128
       +
               lookup = "data";

     

       129
       129
       +
               directory = "default";

     

       57
       130
        
             };

     

       58
       58
       -
             Junk = {

     

       59
       59
       -
               auto = "subscribe";

     

       60
       60
       -
               specialUse = "Junk";

     

       131
       131
       +
             directory = {

     

       132
       132
       +
               default = {

     

       133
       133
       +
                 type = "internal";

     

       134
       134
       +
                 store = "data";

     

       135
       135
       +
               };

     

       61
       136
        
             };

     

       62
       62
       -
             Sent = {

     

       63
       63
       -
               auto = "subscribe";

     

       64
       64
       -
               specialUse = "Sent";

     

       137
       137
       +
             # ASN/GeoIP Lookups

     

       138
       138
       +
             # https://stalw.art/docs/server/asn

     

       139
       139
       +
             asn = {

     

       140
       140
       +
               type = "dns";

     

       141
       141
       +
               separator = "|";

     

       142
       142
       +
               zone.ipv4 = "origin.asn.cymru.com";

     

       143
       143
       +
               zone.ipv6 = "origin6.asn.cymru.com";

     

       144
       144
       +
               index.asn = 0;

     

       145
       145
       +
               index.asn-name = 1;

     

       146
       146
       +
               index.country = 2;

     

       65
       147
        
             };

     

       66
       66
       -
             Trash = {

     

       67
       67
       -
               auto = "subscribe";

     

       68
       68
       -
               specialUse = "Trash";

     

       148
       148
       +
             auto-ban = import ./auto-ban.nix;

     

       149
       149
       +
             # JMAP Settings

     

       150
       150
       +
             # https://stalw.art/docs/email/jmap

     

       151
       151
       +
             jmap = {

     

       152
       152
       +
               mailbox.max-depth = 10;

     

       153
       153
       +
               mailbox.max-name-length = 255;

     

       154
       154
       +
               # 50 MB

     

       155
       155
       +
               email.max-attachment-size = 50 * 1000 * 1000;

     

       156
       156
       +
               # 75 MB

     

       157
       157
       +
               email.max-size = 75 * 1000 * 1000;

     

       158
       158
       +
               email.parse.max-items = 10;

     

       69
       159
        
             };

     

       70
       70
       -
           };

     

       71
       71
       -
       

     

       72
       72
       -
           # Full-Text-Search Settings

     

       73
       73
       -
           fullTextSearch = {

     

       74
       74
       -
             enable = true;

     

       75
       75
       -
             autoIndex = true;

     

       76
       76
       -
             enforced = "body";

     

       77
       77
       -
             memoryLimit = 2048;

     

       160
       160
       +
             imap = import ./imap.nix;

     

       161
       161
       +
             # Maintainance

     

       162
       162
       +
             # https://stalw.art/docs/email/maintenance

     

       163
       163
       +
             email.auto-expunge = "180d";

     

       164
       164
       +
             changes.max-history = 10000;

     

       165
       165
       +
             session = import ./session.nix { inherit isAuthenticated otherwise ifThen; };

     

       166
       166
       +
             queue = import ./queue.nix { inherit d ifThen otherwise; };

     

       167
       167
       +
             # DNS Settings

     

       168
       168
       +
             # https://stalw.art/docs/mta/outbound/dns

     

       169
       169
       +
             resolver = {

     

       170
       170
       +
               custom = [

     

       171
       171
       +
                 "tls://dns11.quad9.net"

     

       172
       172
       +
                 "tcp://1.1.1.1"

     

       173
       173
       +
               ];

     

       174
       174
       +
               concurrency = 2;

     

       175
       175
       +
               preserve-intermediates = true;

     

       176
       176
       +
               timeout = "5s";

     

       177
       177
       +
               attempts = 3;

     

       178
       178
       +
               edns = true;

     

       179
       179
       +
             };

     

       180
       180
       +
             report = import ./report.nix { inherit d; };

     

       181
       181
       +
             calendar = import ./calendar.nix;

     

       182
       182
       +
             # Authentication

     

       183
       183
       +
             auth = import ./auth.nix { inherit ifThen otherwise; };

     

       184
       184
       +
             # Contacts

     

       185
       185
       +
             # https://stalw.art/docs/collaboration/contact

     

       186
       186
       +
             contacts = {

     

       187
       187
       +
               # 512 KiB

     

       188
       188
       +
               max-size = 524288;

     

       189
       189
       +
               default.href-name = "default";

     

       190
       190
       +
               default.display-name = "Contacts";

     

       191
       191
       +
             };

     

       192
       192
       +
             # Spam Filtering

     

       193
       193
       +
             # https://stalw.art/docs/spamfilter/overview

     

       194
       194
       +
             spam-filter = {

     

       195
       195
       +
               card-is-ham = true;

     

       196
       196
       +
             };

     

       78
       197
        
           };

     

       79
       79
       -
       

     

       80
       80
       -
           # Certificate Settings

     

       81
       81
       -
           certificateScheme = "manual";

     

       82
       82
       -
           certificateFile = "/var/lib/mail/mail.crt";

     

       83
       83
       -
           keyFile = "/var/lib/mail/mail.key";

     

       84
       198
        
         };

     

       85
       85
       -
       

     

       86
       86
       -
         services.opendkim = {

     

       87
       87
       -
           user = lib.mkForce "virtualMail";

     

       88
       88
       -
           group = lib.mkForce "virtualMail";

     

       199
       199
       +
         systemd.services.stalwart-mail.serviceConfig = {

     

       200
       200
       +
           Restart = lib.mkForce "always";

     

       201
       201
       +
           RestartSec = lib.mkForce 1;

     

       89
       202
        
         };

     

       90
       90
       -
       

     

       91
       91
       -
         # Copy mail certs every month so that they don't expire

     

       92
       92
       -
         systemd = {

     

       93
       93
       -
           timers."copy-mail-certs" = {

     

       94
       94
       -
             wantedBy = [ "timers.target" ];

     

       95
       95
       -
             timerConfig = {

     

       96
       96
       -
               OnBootSec = "5m";

     

       97
       97
       -
               OnCalendar = "daily";

     

       98
       98
       -
               Unit = "copy-mail-certs.service";

     

       99
       99
       -
             };

     

       203
       203
       +
         age.secrets = {

     

       204
       204
       +
           stalwart-secret-rsa = smSecret // {

     

       205
       205
       +
             file = ../../secrets/stalwart-secret-rsa.age;

     

       100
       206
        
           };

     

       101
       101
       -
       

     

       102
       102
       -
           services."copy-mail-certs" = {

     

       103
       103
       -
             script = ''

     

       104
       104
       -
               set -eu

     

       105
       105
       -
               cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.crt /var/lib/mail/mail.crt

     

       106
       106
       -
               chmod a+r /var/lib/mail/mail.crt

     

       107
       107
       -
               cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.key /var/lib/mail/mail.key

     

       108
       108
       -
               chmod a+r /var/lib/mail/mail.key

     

       109
       109
       -
               chown -hR virtualMail:virtualMail /var/lib/mail/

     

       110
       110
       -
             '';

     

       111
       111
       -
             serviceConfig = {

     

       112
       112
       -
               Type = "oneshot";

     

       113
       113
       -
               User = "root";

     

       114
       114
       -
             };

     

       207
       207
       +
           stalwart-secret-ed25519 = smSecret // {

     

       208
       208
       +
             file = ../../secrets/stalwart-secret-ed25519.age;

     

       209
       209
       +
           };

     

       210
       210
       +
           stalwart-desec-token = smSecret // {

     

       211
       211
       +
             file = ../../secrets/stalwart-desec-token.age;

     

       212
       212
       +
           };

     

       213
       213
       +
           stalwart-fallback-admin-pw = smSecret // {

     

       214
       214
       +
             file = ../../secrets/stalwart-fallback-admin-pw.age;

     

       115
       215
        
           };

     

       116
       216
        
         };

     

       117
       117
       -
       

     

       118
       217
        
       }

-41

hosts/prefect/services/mailserver/logins.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         mailserver.loginAccounts = {

     

       3
       3
       -
           "pyrox@pyrox.dev" = {

     

       4
       4
       -
             hashedPassword = "$2b$05$8k04quBe6adg8d1yznEp3uNYM54MOVJTwDGIWvzocQFoWbmcCvebC";

     

       5
       5
       -
             aliases = [

     

       6
       6
       -
               "pyrox"

     

       7
       7
       -
               "postmaster@pyrox.dev"

     

       8
       8
       -
               "abuse@pyrox.dev"

     

       9
       9
       -
               "domains@pyrox.dev"

     

       10
       10
       -
             ];

     

       11
       11
       -
           };

     

       12
       12
       -
           "social@pyrox.dev" = {

     

       13
       13
       -
             hashedPassword = "$2b$05$kFDeXvSKU9oXuQXlitA7v.kkbzgCDTrm4O3Nb1kifPe7yAR7.KimO";

     

       14
       14
       -
             sendOnly = true;

     

       15
       15
       -
           };

     

       16
       16
       -
           "auth@pyrox.dev" = {

     

       17
       17
       -
             hashedPassword = "$2b$05$O049hbSwRJ5VYeAA8lLR4e6.fqVWf4PotgIUAO356j5K.OoGH5PF.";

     

       18
       18
       -
             sendOnly = true;

     

       19
       19
       -
           };

     

       20
       20
       -
           "vault@pyrox.dev" = {

     

       21
       21
       -
             hashedPassword = "$2b$05$MHo03BG3AVpBh4NE97zQ8.gTPx2sCoa6Jsw.DRxHBOBaKZ8DbfPrS";

     

       22
       22
       -
             sendOnly = true;

     

       23
       23
       -
           };

     

       24
       24
       -
           "library@pyrox.dev" = {

     

       25
       25
       -
             hashedPassword = "$2b$05$IHsSbEla8KL4gwExvFECFuuoP0ESk66K29R.vawTpbxEpuw1ahii.";

     

       26
       26
       -
             sendOnly = true;

     

       27
       27
       -
           };

     

       28
       28
       -
           "cloud@pyrox.dev" = {

     

       29
       29
       -
             hashedPassword = "$2b$05$kmbsJ2X3Y2l0KYO8jjy1SOJP29coEeKFaMqU6qvRzz/dLJp78CAk6";

     

       30
       30
       -
             sendOnly = true;

     

       31
       31
       -
           };

     

       32
       32
       -
           "git@pyrox.dev" = {

     

       33
       33
       -
             hashedPassword = "$2b$05$uZoLVdCo48rLVBFdG0.UXua8a.84w1PzmLYOpJ1qTNo25KCdQlflm";

     

       34
       34
       -
             sendOnly = true;

     

       35
       35
       -
           };

     

       36
       36
       -
           "share@pyrox.dev" = {

     

       37
       37
       -
             hashedPassword = "$2b$05$LDvYYmxYcTgqPMDvvhA.uO8UFh8yLqPzVuOdeYBq0x/WJ/85X3DEC";

     

       38
       38
       -
             sendOnly = true;

     

       39
       39
       -
           };

     

       40
       40
       -
         };

     

       41
       41
       -
       }

-46

hosts/prefect/services/mailserver/monitoring.nix

···

       1
       1
       -
       { config, pkgs, ... }:

     

       2
       2
       -
       # let

     

       3
       3
       -
       #   cfg = config.mailserver;

     

       4
       4
       -
       # in

     

       5
       5
       -
       {

     

       6
       6
       -
         mailserver.monitoring = {

     

       7
       7
       -
           enable = true;

     

       8
       8
       -
           alertAddress = "pyrox@pyrox.dev";

     

       9
       9
       -
           config = ''

     

       10
       10
       -
             set daemon 120 with start delay 60

     

       11
       11
       -
             set mailserver

     

       12
       12
       -
               localhost

     

       13
       13
       -
             set alert ${config.mailserver.monitoring.alertAddress}

     

       14
       14
       -
       

     

       15
       15
       -
             set httpd port 2812 and use address localhost

     

       16
       16
       -
               allow localhost

     

       17
       17
       -
               allow admin:obwjoawijerfoijsiwfj29jf2f2jd

     

       18
       18
       -
       

     

       19
       19
       -
             check filesystem root with path /

     

       20
       20
       -
                 if space usage > 80% then alert

     

       21
       21
       -
                 if inode usage > 80% then alert

     

       22
       22
       -
       

     

       23
       23
       -
             check system $HOST

     

       24
       24
       -
                 if cpu usage > 95% for 10 cycles then alert

     

       25
       25
       -
                 if memory usage > 75% for 5 cycles then alert

     

       26
       26
       -
                 if swap usage > 20% for 10 cycles then alert

     

       27
       27
       -
                 if loadavg (1min) > 90 for 15 cycles then alert

     

       28
       28
       -
                 if loadavg (5min) > 80 for 10 cycles then alert

     

       29
       29
       -
                 if loadavg (15min) > 70 for 8 cycles then alert

     

       30
       30
       -
       

     

       31
       31
       -
             check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid

     

       32
       32
       -
                 start program = "${pkgs.systemd}/bin/systemctl start postfix"

     

       33
       33
       -
                 stop program = "${pkgs.systemd}/bin/systemctl stop postfix"

     

       34
       34
       -
                 if failed port 25 protocol smtp for 5 cycles then restart

     

       35
       35
       -
       

     

       36
       36
       -
             check process dovecot with pidfile /var/run/dovecot2/master.pid

     

       37
       37
       -
                 start program = "${pkgs.systemd}/bin/systemctl start dovecot2"

     

       38
       38
       -
                 stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"

     

       39
       39
       -
                 if failed host ${config.mailserver.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart

     

       40
       40
       -
       

     

       41
       41
       -
             check process rspamd with matching "rspamd: main process"

     

       42
       42
       -
                 start program = "${pkgs.systemd}/bin/systemctl start rspamd"

     

       43
       43
       -
                 stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"

     

       44
       44
       -
           '';

     

       45
       45
       -
         };

     

       46
       46
       -
       }

-21

hosts/prefect/services/mailserver/overrides.nix

···

       1
       1
       -
       { lib, ... }:

     

       2
       2
       -
       let

     

       3
       3
       -
         inherit (lib) mkForce;

     

       4
       4
       -
         tlsProtocols = ">=TLSv1.2";

     

       5
       5
       -
         excludeCiphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, AES128-SHA, AES256-SHA";

     

       6
       6
       -
       in

     

       7
       7
       -
       {

     

       8
       8
       -
         services.postfix.config = {

     

       9
       9
       -
           # only support TLS 1.3/1.2

     

       10
       10
       -
           smtpd_tls_protocols = mkForce tlsProtocols;

     

       11
       11
       -
           smtp_tls_protocols = mkForce tlsProtocols;

     

       12
       12
       -
           smtpd_tls_mandatory_protocols = mkForce tlsProtocols;

     

       13
       13
       -
           smtp_tls_mandatory_protocols = mkForce tlsProtocols;

     

       14
       14
       -
       

     

       15
       15
       -
           # Exclude insecure ciphers

     

       16
       16
       -
           smtpd_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;

     

       17
       17
       -
           smtpd_tls_exclude_ciphers = mkForce excludeCiphers;

     

       18
       18
       -
           smtp_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;

     

       19
       19
       -
           smtp_tls_exclude_ciphers = mkForce excludeCiphers;

     

       20
       20
       -
         };

     

       21
       21
       -
       }

hosts/prefect/services/mailserver/stalwart/acme.nix hosts/prefect/services/mailserver/acme.nix

hosts/prefect/services/mailserver/stalwart/auth.nix hosts/prefect/services/mailserver/auth.nix

hosts/prefect/services/mailserver/stalwart/auto-ban.nix hosts/prefect/services/mailserver/auto-ban.nix

hosts/prefect/services/mailserver/stalwart/calendar.nix hosts/prefect/services/mailserver/calendar.nix

-217

hosts/prefect/services/mailserver/stalwart/default.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         config,

     

       3
       3
       -
         lib,

     

       4
       4
       -
         self,

     

       5
       5
       -
         ...

     

       6
       6
       -
       }:

     

       7
       7
       -
       let

     

       8
       8
       -
         d = self.lib.data.mail;

     

       9
       9
       -
         cfg = config.services.stalwart-mail;

     

       10
       10
       -
         sec = config.age.secrets;

     

       11
       11
       -
         creds = config.services.stalwart-mail.credentials;

     

       12
       12
       -
         credsDir = "/run/credentials/stalwart-mail.service";

     

       13
       13
       -
         certDir = config.security.acme.certs."pyroxdev-mail".directory;

     

       14
       14
       -
         isAuthenticated = d: {

     

       15
       15
       -
           "if" = "!is_empty(authenticated_as)";

     

       16
       16
       -
           "then" = d;

     

       17
       17
       -
         };

     

       18
       18
       -
         otherwise = d: {

     

       19
       19
       -
           "else" = d;

     

       20
       20
       -
         };

     

       21
       21
       -
         ifThen = f: d: {

     

       22
       22
       -
           "if" = f;

     

       23
       23
       -
           "then" = d;

     

       24
       24
       -
         };

     

       25
       25
       -
         smSecret = {

     

       26
       26
       -
           owner = "stalwart-mail";

     

       27
       27
       -
           group = "stalwart-mail";

     

       28
       28
       -
         };

     

       29
       29
       -
       in

     

       30
       30
       -
       {

     

       31
       31
       -
         services.stalwart-mail = {

     

       32
       32
       -
           credentials = {

     

       33
       33
       -
             cert = "${certDir}/cert.pem";

     

       34
       34
       -
             key = "${certDir}/key.pem";

     

       35
       35
       -
           };

     

       36
       36
       -
           enable = true;

     

       37
       37
       -
           dataDir = "/var/lib/stalwart";

     

       38
       38
       -
           settings = {

     

       39
       39
       -
             tracer.stdout.level = "info";

     

       40
       40
       -
             authentication.fallback-admin = {

     

       41
       41
       -
               user = "fallback";

     

       42
       42
       -
               secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";

     

       43
       43
       -
             };

     

       44
       44
       -
             config = {

     

       45
       45
       -
               local-keys = [

     

       46
       46
       -
                 "asn.*"

     

       47
       47
       -
                 "auth.*"

     

       48
       48
       -
                 "authentication.*"

     

       49
       49
       -
                 "auto-ban.*"

     

       50
       50
       -
                 "calendar.*"

     

       51
       51
       -
                 "certificate.*"

     

       52
       52
       -
                 "changes.*"

     

       53
       53
       -
                 "cluster.*"

     

       54
       54
       -
                 "config.*"

     

       55
       55
       -
                 "contacts.*"

     

       56
       56
       -
                 "directory.*"

     

       57
       57
       -
                 "http.*"

     

       58
       58
       -
                 "imap.*"

     

       59
       59
       -
                 "jmap.*"

     

       60
       60
       -
                 "queue.*"

     

       61
       61
       -
                 "report.*"

     

       62
       62
       -
                 "resolver.*"

     

       63
       63
       -
                 "server.*"

     

       64
       64
       -
                 "session.*"

     

       65
       65
       -
                 "signature.*"

     

       66
       66
       -
                 "storage.*"

     

       67
       67
       -
                 "store.*"

     

       68
       68
       -
                 "tracer.*"

     

       69
       69
       -
                 "webadmin.*"

     

       70
       70
       -
                 "form.*"

     

       71
       71
       -
                 "email.*"

     

       72
       72
       -
                 "spam-filter.*"

     

       73
       73
       -
               ];

     

       74
       74
       -
             };

     

       75
       75
       -
             certificate = {

     

       76
       76
       -
               default = {

     

       77
       77
       -
                 default = true;

     

       78
       78
       -
                 cert = "%{file:${credsDir}/cert}%";

     

       79
       79
       -
                 private-key = "%{file:${credsDir}/key}%";

     

       80
       80
       -
                 subjects = [

     

       81
       81
       -
                   "dav.pyrox.dev"

     

       82
       82
       -
                   "mail.pyrox.dev"

     

       83
       83
       -
                   "mta-sts.pyrox.dev"

     

       84
       84
       -
                   "autoconfig.pyrox.dev"

     

       85
       85
       -
                   "autodiscover.pyrox.dev"

     

       86
       86
       -
                 ];

     

       87
       87
       -
               };

     

       88
       88
       -
             };

     

       89
       89
       -
             server = import ./server.nix { inherit d; };

     

       90
       90
       -
             # Use NixOS-generated certs now, since stalwart can't do it on its own

     

       91
       91
       -
             # (DeSec API Errors abound)

     

       92
       92
       -
             # acme = import ./acme.nix { inherit cfg sec; };

     

       93
       93
       -
             # HTTP Configuration

     

       94
       94
       -
             # https://stalw.art/docs/http/overview

     

       95
       95
       -
             http = {

     

       96
       96
       -
               url = "'https://${d.extUrl}'";

     

       97
       97
       -
               hsts = true;

     

       98
       98
       -
               rate-limit = {

     

       99
       99
       -
                 account = "10000/1m";

     

       100
       100
       -
               };

     

       101
       101
       -
             };

     

       102
       102
       -
             # Disable HTTP Forms submission

     

       103
       103
       -
             # https://stalw.art/docs/http/form-submission

     

       104
       104
       -
             form.enable = false;

     

       105
       105
       -
             # DKIM Signatures

     

       106
       106
       -
             signature = import ./signature.nix { inherit sec; };

     

       107
       107
       -
             # Storage Settings

     

       108
       108
       -
             # https://stalw.art/docs/storage/overview

     

       109
       109
       -
             store = {

     

       110
       110
       -
               data = {

     

       111
       111
       -
                 type = "rocksdb";

     

       112
       112
       -
                 path = "${cfg.dataDir}/db";

     

       113
       113
       -
                 purge.frequency = "0 3 *";

     

       114
       114
       -
               };

     

       115
       115
       -
               blob = {

     

       116
       116
       -
                 type = "fs";

     

       117
       117
       -
                 path = "${cfg.dataDir}/blobs";

     

       118
       118
       -
                 depth = 2;

     

       119
       119
       -
                 compression = "lz4";

     

       120
       120
       -
                 purge.frequency = "0 4 *";

     

       121
       121
       -
               };

     

       122
       122
       -
               db.path = "${cfg.dataDir}/db2";

     

       123
       123
       -
             };

     

       124
       124
       -
             storage = {

     

       125
       125
       -
               data = "data";

     

       126
       126
       -
               blob = "blob";

     

       127
       127
       -
               fts = "data";

     

       128
       128
       -
               lookup = "data";

     

       129
       129
       -
               directory = "default";

     

       130
       130
       -
             };

     

       131
       131
       -
             directory = {

     

       132
       132
       -
               default = {

     

       133
       133
       -
                 type = "internal";

     

       134
       134
       -
                 store = "data";

     

       135
       135
       -
               };

     

       136
       136
       -
             };

     

       137
       137
       -
             # ASN/GeoIP Lookups

     

       138
       138
       -
             # https://stalw.art/docs/server/asn

     

       139
       139
       -
             asn = {

     

       140
       140
       -
               type = "dns";

     

       141
       141
       -
               separator = "|";

     

       142
       142
       -
               zone.ipv4 = "origin.asn.cymru.com";

     

       143
       143
       -
               zone.ipv6 = "origin6.asn.cymru.com";

     

       144
       144
       -
               index.asn = 0;

     

       145
       145
       -
               index.asn-name = 1;

     

       146
       146
       -
               index.country = 2;

     

       147
       147
       -
             };

     

       148
       148
       -
             auto-ban = import ./auto-ban.nix;

     

       149
       149
       -
             # JMAP Settings

     

       150
       150
       -
             # https://stalw.art/docs/email/jmap

     

       151
       151
       -
             jmap = {

     

       152
       152
       -
               mailbox.max-depth = 10;

     

       153
       153
       -
               mailbox.max-name-length = 255;

     

       154
       154
       -
               # 50 MB

     

       155
       155
       -
               email.max-attachment-size = 50 * 1000 * 1000;

     

       156
       156
       -
               # 75 MB

     

       157
       157
       -
               email.max-size = 75 * 1000 * 1000;

     

       158
       158
       -
               email.parse.max-items = 10;

     

       159
       159
       -
             };

     

       160
       160
       -
             imap = import ./imap.nix;

     

       161
       161
       -
             # Maintainance

     

       162
       162
       -
             # https://stalw.art/docs/email/maintenance

     

       163
       163
       -
             email.auto-expunge = "180d";

     

       164
       164
       -
             changes.max-history = 10000;

     

       165
       165
       -
             session = import ./session.nix { inherit isAuthenticated otherwise ifThen; };

     

       166
       166
       -
             queue = import ./queue.nix { inherit d ifThen otherwise; };

     

       167
       167
       -
             # DNS Settings

     

       168
       168
       -
             # https://stalw.art/docs/mta/outbound/dns

     

       169
       169
       -
             resolver = {

     

       170
       170
       -
               custom = [

     

       171
       171
       -
                 "tls://dns11.quad9.net"

     

       172
       172
       -
                 "tcp://1.1.1.1"

     

       173
       173
       -
               ];

     

       174
       174
       -
               concurrency = 2;

     

       175
       175
       -
               preserve-intermediates = true;

     

       176
       176
       -
               timeout = "5s";

     

       177
       177
       -
               attempts = 3;

     

       178
       178
       -
               edns = true;

     

       179
       179
       -
             };

     

       180
       180
       -
             report = import ./report.nix { inherit d; };

     

       181
       181
       -
             calendar = import ./calendar.nix;

     

       182
       182
       -
             # Authentication

     

       183
       183
       -
             auth = import ./auth.nix { inherit ifThen otherwise; };

     

       184
       184
       -
             # Contacts

     

       185
       185
       -
             # https://stalw.art/docs/collaboration/contact

     

       186
       186
       -
             contacts = {

     

       187
       187
       -
               # 512 KiB

     

       188
       188
       -
               max-size = 524288;

     

       189
       189
       -
               default.href-name = "default";

     

       190
       190
       -
               default.display-name = "Contacts";

     

       191
       191
       -
             };

     

       192
       192
       -
             # Spam Filtering

     

       193
       193
       -
             # https://stalw.art/docs/spamfilter/overview

     

       194
       194
       -
             spam-filter = {

     

       195
       195
       -
               card-is-ham = true;

     

       196
       196
       -
             };

     

       197
       197
       -
           };

     

       198
       198
       -
         };

     

       199
       199
       -
         systemd.services.stalwart-mail.serviceConfig = {

     

       200
       200
       -
           Restart = lib.mkForce "always";

     

       201
       201
       -
           RestartSec = lib.mkForce 1;

     

       202
       202
       -
         };

     

       203
       203
       -
         age.secrets = {

     

       204
       204
       -
           stalwart-secret-rsa = smSecret // {

     

       205
       205
       -
             file = ../../../secrets/stalwart-secret-rsa.age;

     

       206
       206
       -
           };

     

       207
       207
       -
           stalwart-secret-ed25519 = smSecret // {

     

       208
       208
       -
             file = ../../../secrets/stalwart-secret-ed25519.age;

     

       209
       209
       -
           };

     

       210
       210
       -
           stalwart-desec-token = smSecret // {

     

       211
       211
       -
             file = ../../../secrets/stalwart-desec-token.age;

     

       212
       212
       -
           };

     

       213
       213
       -
           stalwart-fallback-admin-pw = smSecret // {

     

       214
       214
       -
             file = ../../../secrets/stalwart-fallback-admin-pw.age;

     

       215
       215
       -
           };

     

       216
       216
       -
         };

     

       217
       217
       -
       }

hosts/prefect/services/mailserver/stalwart/imap.nix hosts/prefect/services/mailserver/imap.nix

hosts/prefect/services/mailserver/stalwart/queue.nix hosts/prefect/services/mailserver/queue.nix

hosts/prefect/services/mailserver/stalwart/report.nix hosts/prefect/services/mailserver/report.nix

hosts/prefect/services/mailserver/stalwart/server.nix hosts/prefect/services/mailserver/server.nix

hosts/prefect/services/mailserver/stalwart/session.nix hosts/prefect/services/mailserver/session.nix

hosts/prefect/services/mailserver/stalwart/signature.nix hosts/prefect/services/mailserver/signature.nix