commit ab166eb3f628bcc4a2156d4b9daa0370df6f241b · pyrox.dev/nix

lib/data/default.nix

···

       1
        
       {

     

       2
        
         data.hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);

     

       3
        
         data.services = builtins.fromTOML (builtins.readFile ./services.toml);

     

       0
        
       
     

       4
        
         data.tsNet = "coelacanth-dragon.ts.net";

     

       5
        
       }

···

       1
        
       {

     

       2
        
         data.hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);

     

       3
        
         data.services = builtins.fromTOML (builtins.readFile ./services.toml);

     

       4
       +
         data.mail = builtins.fromTOML (builtins.readFile ./mail.toml);

     

       5
        
         data.tsNet = "coelacanth-dragon.ts.net";

     

       6
        
       }

+10

lib/data/mail.toml

···

       1
       +
       extUrl = "mail.pyrox.dev"

     

       2
       +
       extIPs = ["5.161.140.5", "2a01:4ff:f0:98bf:0:0:0:1"]

     

       3
       +
       # internal port is 40k+real mail port

     

       4
       +
       intSMTP = 40587

     

       5
       +
       intSMTPS = 40465

     

       6
       +
       intIMAP = 40143

     

       7
       +
       intIMAPS = 40993

     

       8
       +
       intManageSieve = 44190

     

       9
       +
       intHTTPS = 40443

     

       10
       +
       intHTTP = 40080

systems/x86_64-linux/prefect/default.nix

···

       19
        
           ./services/fail2ban.nix

     

       20
        
           # ./services/headscale.nix

     

       21
        
           ./services/mailserver

     

       0
        
       
     

       22
        
           # ./services/netdata.nix

     

       23
        
           ./services/nginx

     

       24
        
           ./services/prometheus.nix

···

       19
        
           ./services/fail2ban.nix

     

       20
        
           # ./services/headscale.nix

     

       21
        
           ./services/mailserver

     

       22
       +
           ./services/mailserver/stalwart

     

       23
        
           # ./services/netdata.nix

     

       24
        
           ./services/nginx

     

       25
        
           ./services/prometheus.nix

systems/x86_64-linux/prefect/firewall.nix

···

       14
        
             636

     

       15
        
             993

     

       16
        
             4130

     

       0
        
       
     

       17
        
             6900

     

       18
        
             8000

     

       19
        
           ];

     

       20
        
           allowedUDPPorts = [

     

       0
        
       
     

       21
        
             636

     

       22
        
             4367

     

       23
        
             6900

···

       14
        
             636

     

       15
        
             993

     

       16
        
             4130

     

       17
       +
             4190

     

       18
        
             6900

     

       19
        
             8000

     

       20
        
           ];

     

       21
        
           allowedUDPPorts = [

     

       22
       +
             80

     

       23
        
             636

     

       24
        
             4367

     

       25
        
             6900

+10

systems/x86_64-linux/prefect/secrets/secrets.nix

···

       32
        
           yubi-main

     

       33
        
           yubi-back

     

       34
        
         ];

     

       35
       +
         "stalwart-secret-rsa.age".publicKeys = [

     

       36
       +
           prefect

     

       37
       +
           yubi-main

     

       38
       +
           yubi-back

     

       39
       +
         ];

     

       40
       +
         "stalwart-secret-ed25519.age".publicKeys = [

     

       41
       +
           prefect

     

       42
       +
           yubi-main

     

       43
       +
           yubi-back

     

       44
       +
         ];

     

       45
        
       }

+19

systems/x86_64-linux/prefect/secrets/stalwart-secret-ed25519.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 LcWOqQ iqNMs1zctbP+bDdN4c3RGhckhCvrTPJbcTHUQnu88ko

     

       3
       +
       x5T5SxnBpMRgAHbYY1YU0Yy7XVlGRZ2WnM7ICDFmjbE

     

       4
       +
       -> ssh-ed25519 ihSg8g g0enzjgGoNx7kHNuq7lSys3G3MeQeusWuRZ0oIrP0UE

     

       5
       +
       V6mXoy2LFKubv4f1Fwa0Wx15D7OI3FWeBovhDcuGaMQ

     

       6
       +
       -> ssh-rsa fFaiTA

     

       7
       +
       b9TNMiCUmYELGyGF5YzGR6KOA1w6dUteVArMlg1ZPn1HW2W/wrhhAEmTN/hAnEPR

     

       8
       +
       9AFTDJupQ/6aacyIUnQlkXjI7QZeVbKXJ39VHva1rTXCamAKAAjVBdzcLtEbl4Z5

     

       9
       +
       iZuv6bEDcggZ1/4PmvmMtH5ljkGZWmbRSXwSqn0xF2P9VY4QMVK86WWpobk+St1X

     

       10
       +
       EQqEDiGrPtgwHMCOfL1wb7lZD6t2wwMlRfnTee/5qDWTSDme6QYPsAFmJOpQGCYT

     

       11
       +
       BOQOlZegH/KCl7qai8qBOKwEWTVMbyblihCp4vaVTgpkOiHO6PM1HS4JrXMZJeDr

     

       12
       +
       30m8oeGT7/PoO14tWZvU2jCWGO/M6tiiif5I+cOymFnGCxmHPpuO/+GPOQ+f4bKb

     

       13
       +
       zw5hh6Bqpj9bp6QoTLfzzKnrpSk/n26e89nejha0iLDwP+QQyZZos9vss3B6Fkmu

     

       14
       +
       bZUuifW7eSuI7Y7l4RkuvCOEIJf+vkW7bF0e1BDpd6n5B9Jp/c5ghvWzgoyCyDud

     

       15
       +
       1Xf0UxiFM90AUR8ml3QtclaRewfMr/b69qgR2olwBVrctjC/CSXAJC3bih6LZLdA

     

       16
       +
       nKHWyqWjWfsxCPWZUmFHMcu1ogFVsnlEdr+UoYCN1oXMwZfgxQnkfLFfcLZFW3+a

     

       17
       +
       JeXgm10wb2+DpmltSi7fLgQOB5462VQ+SvnFFwWFRN8

     

       18
       +
       --- xB0nATcSCPeSRGpbNMeSuUCJ3rxQhruXmqczOcTvMj0

     

       19
       +
       �EՊ�[�7]COII�IU[1�:?�wfq��;m�+%9�������d}ՈQ!y
�����IVz;`�᭹�33L ;�Z� �����J�kҕW<W,f2������"V�������G<�q'0*���~!�7��&��-��i�e�e�'�^

systems/x86_64-linux/prefect/secrets/stalwart-secret-rsa.age

This is a binary file and will not be displayed.

+101 -50

systems/x86_64-linux/prefect/services/caddy.nix

···

       1
        
       { pkgs, lib, ... }:

     

       2
        
       let

     

       3
        
         pns = lib.py.data.services;

     

       4
       -
         # mail = lib.py.data.mail;

     

       5
        
         marvin = "http://${lib.py.data.hosts.marvin.ts.ip4}";

     

       6
        
         marvinIP = lib.py.data.hosts.marvin.ts.ip4;

     

       7
        
         tsNet = lib.py.data.tsNet;

     
···

       115
        
                 handle /metrics* {

     

       116
        
                   respond @blocked "Access Denied" 403

     

       117
        
                 }

     

       118
       -
               '';

     

       119
       -
             };

     

       120
       -
       

     

       121
       -
             # MTA-STS Setup for mailserver

     

       122
       -
             "mta-sts.pyrox.dev" = {

     

       123
       -
               extraConfig = ''

     

       124
       -
                 header Content-Type text/plain; charset=utf-8

     

       125
       -
                 respond /.well-known/mta-sts.txt <<END

     

       126
       -
                     version: STSv1

     

       127
       -
                     mode: enforce

     

       128
       -
                     mx: mail.pyrox.dev

     

       129
       -
                     mx:mail2.pyrox.dev

     

       130
       -
                     max_age: 2419200

     

       131
       -
                     END 200

     

       132
        
               '';

     

       133
        
             };

     

       134
        
       

     
···

       271
        
                 reverse_proxy ${marvin}:${toString pns.pinchflat.port}

     

       272
        
               '';

     

       273
        
             };

     

       274
       -
             # "mail.pyrox.dev:80" = {

     

       275
       -
             #   extraConfig = ''

     

       276
       -
             #     reverse_proxy ${marvin}:${mail.intHTTP}

     

       277
       -
             #   '';

     

       278
       -
             # };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       279
        
           };

     

       280
        
           # Mail Config

     

       281
        
           globalConfig = ''

     
···

       283
        
               ref refs/heads/pages

     

       284
        
               refresh_period 10m

     

       285
        
             }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       286
        
             layer4 {

     

       287
        
               :22 {

     

       288
        
                 @a ssh

     

       289
        
                 route @a {

     

       290
       -
                   proxy ${marvinIP}:2222

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       291
        
                 }

     

       292
        
               }

     

       293
        
             }

     

       294
        
           '';

     

       295
       -
           # TODO: Move the below section to global options once stalwart is working

     

       296
       -
           # extraConfig = ''

     

       297
       -
           #   layer4 {

     

       298
       -
           #     0.0.0.0:465 {

     

       299
       -
           #       route {

     

       300
       -
           #         proxy {

     

       301
       -
           #           proxy_protocol v2

     

       302
       -
           #           upstream ${marvinIP}:mail.intSMTPS}

     

       303
       -
           #         }

     

       304
       -
           #       }

     

       305
       -
           #     }

     

       306
       -
           #     0.0.0.0:993 {

     

       307
       -
           #       route {

     

       308
       -
           #         proxy {

     

       309
       -
           #           proxy_protocol v2

     

       310
       -
           #           upstream ${marvinIP}:mail.intIMAPS}

     

       311
       -
           #         }

     

       312
       -
           #       }

     

       313
       -
           #     }

     

       314
       -
           #     0.0.0.0:4190 {

     

       315
       -
           #       route {

     

       316
       -
           #         proxy {

     

       317
       -
           #           proxy_protocol v2

     

       318
       -
           #           upstream ${marvinIP}:mail.intManageSieve}

     

       319
       -
           #         }

     

       320
       -
           #       }

     

       321
       -
           #     }

     

       322
       -
           #   }

     

       323
       -
           # '';

     

       324
        
         };

     

       325
        
         systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       326
        
         systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";

···

       1
        
       { pkgs, lib, ... }:

     

       2
        
       let

     

       3
        
         pns = lib.py.data.services;

     

       4
       +
         mail = lib.py.data.mail;

     

       5
        
         marvin = "http://${lib.py.data.hosts.marvin.ts.ip4}";

     

       6
        
         marvinIP = lib.py.data.hosts.marvin.ts.ip4;

     

       7
        
         tsNet = lib.py.data.tsNet;

     
···

       115
        
                 handle /metrics* {

     

       116
        
                   respond @blocked "Access Denied" 403

     

       117
        
                 }

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       118
        
               '';

     

       119
        
             };

     

       120
        
       

     
···

       257
        
                 reverse_proxy ${marvin}:${toString pns.pinchflat.port}

     

       258
        
               '';

     

       259
        
             };

     

       260
       +
       

     

       261
       +
             "http://mail.pyrox.dev" = {

     

       262
       +
               serverAliases = [

     

       263
       +
                 "http://mta-sts.pyrox.dev"

     

       264
       +
                 "http://autodiscover.pyrox.dev"

     

       265
       +
                 "http://autoconfig.pyrox.dev"

     

       266
       +
               ];

     

       267
       +
               extraConfig = ''

     

       268
       +
                 reverse_proxy 127.0.0.1:${toString mail.intHTTP} {

     

       269
       +
                   transport http {

     

       270
       +
                     proxy_protocol v2

     

       271
       +
                   }

     

       272
       +
                 }

     

       273
       +
       

     

       274
       +
               '';

     

       275
       +
             };

     

       276
        
           };

     

       277
        
           # Mail Config

     

       278
        
           globalConfig = ''

     
···

       280
        
               ref refs/heads/pages

     

       281
        
               refresh_period 10m

     

       282
        
             }

     

       283
       +
             servers :80 {

     

       284
       +
               listener_wrappers {

     

       285
       +
                 layer4 {

     

       286
       +
                   @maildomains http host mail.pyrox.dev mta-sts.pyrox.dev autoconfig.pyrox.dev autodiscover.pyrox.dev

     

       287
       +
                   route @maildomains {

     

       288
       +
                     subroute {

     

       289
       +
                       @a http

     

       290
       +
                       route @a {

     

       291
       +
                         proxy {

     

       292
       +
                           proxy_protocol v2

     

       293
       +
                           upstream 127.0.0.1:${toString mail.intHTTP}

     

       294
       +
                         }

     

       295
       +
                       }

     

       296
       +
                     }

     

       297
       +
                   }

     

       298
       +
                 }

     

       299
       +
                 http_redirect

     

       300
       +
               }

     

       301
       +
             }

     

       302
       +
             servers :443 {

     

       303
       +
               listener_wrappers {

     

       304
       +
                 layer4 {

     

       305
       +
                   @maildomains tls sni mail.pyrox.dev mta-sts.pyrox.dev autoconfig.pyrox.dev autodiscover.pyrox.dev

     

       306
       +
                   route @maildomains {

     

       307
       +
                     proxy {

     

       308
       +
                       proxy_protocol v2

     

       309
       +
                       upstream 127.0.0.1:${toString mail.intHTTPS}

     

       310
       +
                     }

     

       311
       +
                   }

     

       312
       +
                 }

     

       313
       +
                 tls

     

       314
       +
               }

     

       315
       +
             }

     

       316
        
             layer4 {

     

       317
        
               :22 {

     

       318
        
                 @a ssh

     

       319
        
                 route @a {

     

       320
       +
                   proxy {

     

       321
       +
                     upstream ${marvinIP}:2222

     

       322
       +
                   }

     

       323
       +
                 }

     

       324
       +
               }

     

       325
       +
               :2025 {

     

       326
       +
                 route {

     

       327
       +
                   proxy {

     

       328
       +
                     proxy_protocol v2

     

       329
       +
                     upstream 127.0.0.1:40025

     

       330
       +
                   }

     

       331
       +
                 }

     

       332
       +
               }

     

       333
       +
               :2143 {

     

       334
       +
                 route {

     

       335
       +
                   proxy {

     

       336
       +
                     proxy_protocol v2

     

       337
       +
                     upstream 127.0.0.1:${toString mail.intIMAP}

     

       338
       +
                   }

     

       339
       +
                 }

     

       340
       +
               }

     

       341
       +
               :2465 {

     

       342
       +
                 route {

     

       343
       +
                   proxy {

     

       344
       +
                     proxy_protocol v2

     

       345
       +
                     upstream 127.0.0.1:${toString mail.intSMTPS}

     

       346
       +
                   }

     

       347
       +
                 }

     

       348
       +
               }

     

       349
       +
               :2587 {

     

       350
       +
                 route {

     

       351
       +
                   proxy {

     

       352
       +
                     proxy_protocol v2

     

       353
       +
                     upstream 127.0.0.1:${toString mail.intSMTP}

     

       354
       +
                   }

     

       355
       +
                 }

     

       356
       +
               }

     

       357
       +
               :2993 {

     

       358
       +
                 route {

     

       359
       +
                   proxy {

     

       360
       +
                     proxy_protocol v2

     

       361
       +
                     upstream 127.0.0.1:${toString mail.intIMAPS}

     

       362
       +
                   }

     

       363
       +
                 }

     

       364
       +
               }

     

       365
       +
               :24190 {

     

       366
       +
                 route {

     

       367
       +
                   proxy {

     

       368
       +
                     proxy_protocol v2

     

       369
       +
                     upstream 127.0.0.1:${toString mail.intManageSieve}

     

       370
       +
                   }

     

       371
        
                 }

     

       372
        
               }

     

       373
        
             }

     

       374
        
           '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       375
        
         };

     

       376
        
         systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       377
        
         systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";

+17

systems/x86_64-linux/prefect/services/mailserver/stalwart/acme.nix

···

       1
       +
       { cfg }:

     

       2
       +
       {

     

       3
       +
         letsencrypt = {

     

       4
       +
           directory = "https://acme-staging-v02.api.letsencrypt.org/directory";

     

       5
       +
           challenge = "http-01";

     

       6
       +
           contact = [ "pyrox@pyrox.dev" ];

     

       7
       +
           domains = [

     

       8
       +
             "mail.pyrox.dev"

     

       9
       +
             "mta-sts.pyrox.dev"

     

       10
       +
             "autoconfig.pyrox.dev"

     

       11
       +
             "autodiscover.pyrox.dev"

     

       12
       +
           ];

     

       13
       +
           cache = "${cfg.dataDir}/acme/certs";

     

       14
       +
           renew-before = "30d";

     

       15
       +
           default = true;

     

       16
       +
         };

     

       17
       +
       }

+22

systems/x86_64-linux/prefect/services/mailserver/stalwart/auth.nix

···

       1
       +
       { ifThen, otherwise }:

     

       2
       +
       let

     

       3
       +
         relVer = [

     

       4
       +
           (ifThen "listener = 'smtp'" "relaxed")

     

       5
       +
           (otherwise "disable")

     

       6
       +
         ];

     

       7
       +
       in

     

       8
       +
       {

     

       9
       +
         dkim = {

     

       10
       +
           sign = [

     

       11
       +
             (ifThen "sender_domain = 'pyrox.dev'" "'rsa'")

     

       12
       +
             (ifThen "sender_domain = 'pyrox.dev'" "'ed25519'")

     

       13
       +
             (otherwise false)

     

       14
       +
           ];

     

       15
       +
         };

     

       16
       +
         spf.verify.ehlo = relVer;

     

       17
       +
         spf.verify.mail-from = relVer;

     

       18
       +
         dmarc.verify = relVer;

     

       19
       +
         iprev.verify = relVer;

     

       20
       +
         arc.seal = "'ed25519'";

     

       21
       +
         arc.verify = "relaxed";

     

       22
       +
       }

+25

systems/x86_64-linux/prefect/services/mailserver/stalwart/auto-ban.nix

···

       1
       +
       # Strict Auto-ban

     

       2
       +
       # https://stalw.art/docs/server/auto-ban

     

       3
       +
       {

     

       4
       +
         auth.rate = "15/1d";

     

       5
       +
         abuse.rate = "15/1d";

     

       6
       +
         loiter.rate = "15/1d";

     

       7
       +
         scan = {

     

       8
       +
           rate = "20/1d";

     

       9
       +
           paths = [

     

       10
       +
             "*.php*"

     

       11
       +
             "*.cgi*"

     

       12
       +
             "*.asp*"

     

       13
       +
             "*/wp-*"

     

       14
       +
             "*/php*"

     

       15
       +
             "*/cgi-bin*"

     

       16
       +
             "*xmlrpc*"

     

       17
       +
             "*../*"

     

       18
       +
             "*/..*"

     

       19
       +
             "*joomla*"

     

       20
       +
             "*wordpress*"

     

       21
       +
             "*drupal*"

     

       22
       +
             "/.git*"

     

       23
       +
           ];

     

       24
       +
         };

     

       25
       +
       }

+25

systems/x86_64-linux/prefect/services/mailserver/stalwart/calendar.nix

···

       1
       +
       # Calendar settings

     

       2
       +
       # https://stalw.art/docs/collaboration/calendar

     

       3
       +
       {

     

       4
       +
         max-recurrence-expansions = 2048;

     

       5
       +
         # 512 KiB

     

       6
       +
         max-size = 524288;

     

       7
       +
         max-attendees-per-instance = 20;

     

       8
       +
         default.href-name = "default";

     

       9
       +
         default.display-name = "Personal";

     

       10
       +
         # Scheduling

     

       11
       +
         # https://stalw.art/docs/collaboration/scheduling

     

       12
       +
         scheduling.enable = true;

     

       13
       +
         # 1 MiB

     

       14
       +
         scheduling.inbound.max-size = 1048576;

     

       15
       +
         scheduling.outbound.max-recipients = 100;

     

       16
       +
         scheduling.inbox.auto-expunge = "30d";

     

       17
       +
         scheduling.http-rsvp.enable = true;

     

       18
       +
         scheduling.http-rsvp.expiration = "7d";

     

       19
       +
         # Notifications

     

       20
       +
         # https://stalw.art/docs/collaboration/notifications

     

       21
       +
         alarms.enable = true;

     

       22
       +
         alarms.minimum-interval = "1h";

     

       23
       +
         alarms.from.name = "PyroNet Calendars";

     

       24
       +
         alarms.from.email = "calendar-notifs@pyrox.dev";

     

       25
       +
       }

+181

systems/x86_64-linux/prefect/services/mailserver/stalwart/default.nix

···

       1
       +
       {

     

       2
       +
         config,

     

       3
       +
         lib,

     

       4
       +
         ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
       +
         d = lib.py.data.mail;

     

       8
       +
         cfg = config.services.stalwart-mail;

     

       9
       +
         sec = config.age.secrets;

     

       10
       +
         creds = config.services.stalwart-mail.credentials;

     

       11
       +
         isAuthenticated = d: {

     

       12
       +
           "if" = "!is_empty(authenticated_as)";

     

       13
       +
           "then" = d;

     

       14
       +
         };

     

       15
       +
         otherwise = d: {

     

       16
       +
           "else" = d;

     

       17
       +
         };

     

       18
       +
         ifThen = f: d: {

     

       19
       +
           "if" = f;

     

       20
       +
           "then" = d;

     

       21
       +
         };

     

       22
       +
         smSecret = {

     

       23
       +
           owner = "stalwart-mail";

     

       24
       +
           group = "stalwart-mail";

     

       25
       +
         };

     

       26
       +
       in

     

       27
       +
       {

     

       28
       +
         services.stalwart-mail = {

     

       29
       +
           enable = true;

     

       30
       +
           dataDir = "/var/lib/stalwart";

     

       31
       +
           credentials = {

     

       32
       +
             rsa_private_key = sec.stalwart-secret-rsa.path;

     

       33
       +
             ed25519_private_key = sec.stalwart-secret-ed25519.path;

     

       34
       +
           };

     

       35
       +
           settings = {

     

       36
       +
             tracer.stdout.level = "debug";

     

       37
       +
             config = {

     

       38
       +
               local-keys = [

     

       39
       +
                 "acme.*"

     

       40
       +
                 "asn.*"

     

       41
       +
                 "auth.*"

     

       42
       +
                 "authentication.*"

     

       43
       +
                 "auto-ban.*"

     

       44
       +
                 "calendar.*"

     

       45
       +
                 "certificate.*"

     

       46
       +
                 "changes.*"

     

       47
       +
                 "cluster.*"

     

       48
       +
                 "config.*"

     

       49
       +
                 "contacts.*"

     

       50
       +
                 "directory.*"

     

       51
       +
                 "http.*"

     

       52
       +
                 "imap.*"

     

       53
       +
                 "jmap.*"

     

       54
       +
                 "queue.*"

     

       55
       +
                 "report.*"

     

       56
       +
                 "resolver.*"

     

       57
       +
                 "server.*"

     

       58
       +
                 "session.*"

     

       59
       +
                 "storage.*"

     

       60
       +
                 "store.*"

     

       61
       +
                 "tracer.*"

     

       62
       +
                 "webadmin.*"

     

       63
       +
                 "form.*"

     

       64
       +
                 "email.*"

     

       65
       +
                 "spam-filter.*"

     

       66
       +
               ];

     

       67
       +
             };

     

       68
       +
             server = import ./server.nix { inherit d; };

     

       69
       +
             # ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)

     

       70
       +
             # https://stalw.art/docs/server/tls/acme/configuration

     

       71
       +
             acme = import ./acme.nix { inherit cfg; };

     

       72
       +
             # HTTP Configuration

     

       73
       +
             # https://stalw.art/docs/http/overview

     

       74
       +
             http = {

     

       75
       +
               url = "'https://${d.extUrl}'";

     

       76
       +
               hsts = true;

     

       77
       +
             };

     

       78
       +
             # Disable HTTP Forms submission

     

       79
       +
             # https://stalw.art/docs/http/form-submission

     

       80
       +
             form.enable = false;

     

       81
       +
             # Storage Settings

     

       82
       +
             # https://stalw.art/docs/storage/overview

     

       83
       +
             store = {

     

       84
       +
               data = {

     

       85
       +
                 type = "rocksdb";

     

       86
       +
                 path = "${cfg.dataDir}/db";

     

       87
       +
                 purge.frequency = "0 3 *";

     

       88
       +
               };

     

       89
       +
               blob = {

     

       90
       +
                 type = "fs";

     

       91
       +
                 path = "${cfg.dataDir}/blobs";

     

       92
       +
                 depth = 2;

     

       93
       +
                 compression = "lz4";

     

       94
       +
                 purge.frequency = "0 4 *";

     

       95
       +
               };

     

       96
       +
               db.path = "${cfg.dataDir}/db2";

     

       97
       +
             };

     

       98
       +
             storage = {

     

       99
       +
               data = "data";

     

       100
       +
               blob = "blob";

     

       101
       +
               fts = "data";

     

       102
       +
               lookup = "data";

     

       103
       +
               directory = "default";

     

       104
       +
             };

     

       105
       +
             directory = {

     

       106
       +
               default = {

     

       107
       +
                 type = "internal";

     

       108
       +
                 store = "data";

     

       109
       +
               };

     

       110
       +
             };

     

       111
       +
             # ASN/GeoIP Lookups

     

       112
       +
             # https://stalw.art/docs/server/asn

     

       113
       +
             asn = {

     

       114
       +
               type = "dns";

     

       115
       +
               separator = "|";

     

       116
       +
               zone.ipv4 = "origin.asn.cymru.com";

     

       117
       +
               zone.ipv6 = "origin6.asn.cymru.com";

     

       118
       +
               index.asn = 0;

     

       119
       +
               index.asn-name = 1;

     

       120
       +
               index.country = 2;

     

       121
       +
             };

     

       122
       +
             auto-ban = import ./auto-ban.nix;

     

       123
       +
             # JMAP Settings

     

       124
       +
             # https://stalw.art/docs/email/jmap

     

       125
       +
             jmap = {

     

       126
       +
               mailbox.max-depth = 10;

     

       127
       +
               mailbox.max-name-length = 255;

     

       128
       +
               # 50 MB

     

       129
       +
               email.max-attachment-size = 50 * 1000 * 1000;

     

       130
       +
               # 75 MB

     

       131
       +
               email.max-size = 75 * 1000 * 1000;

     

       132
       +
               email.parse.max-items = 10;

     

       133
       +
             };

     

       134
       +
             imap = import ./imap.nix;

     

       135
       +
             # Maintainance

     

       136
       +
             # https://stalw.art/docs/email/maintenance

     

       137
       +
             email.auto-expunge = "180d";

     

       138
       +
             changes.max-history = 10000;

     

       139
       +
             session = import ./session.nix { inherit isAuthenticated otherwise; };

     

       140
       +
             queue = import ./queue.nix { inherit d ifThen otherwise; };

     

       141
       +
             # DNS Settings

     

       142
       +
             # https://stalw.art/docs/mta/outbound/dns

     

       143
       +
             resolver = {

     

       144
       +
               custom = [

     

       145
       +
                 "tls://dns11.quad9.net"

     

       146
       +
                 "tcp://1.1.1.1"

     

       147
       +
               ];

     

       148
       +
               concurrency = 2;

     

       149
       +
               preserve-intermediates = true;

     

       150
       +
               timeout = "5s";

     

       151
       +
               attempts = 3;

     

       152
       +
               edns = true;

     

       153
       +
             };

     

       154
       +
             report = import ./report.nix { inherit d; };

     

       155
       +
             calendar = import ./calendar.nix;

     

       156
       +
             # Authentication

     

       157
       +
             auth = import ./auth.nix { inherit ifThen otherwise; };

     

       158
       +
             # Contacts

     

       159
       +
             # https://stalw.art/docs/collaboration/contact

     

       160
       +
             contacts = {

     

       161
       +
               # 512 KiB

     

       162
       +
               max-size = 524288;

     

       163
       +
               default.href-name = "default";

     

       164
       +
               default.display-name = "Contacts";

     

       165
       +
             };

     

       166
       +
             # Spam Filtering

     

       167
       +
             # https://stalw.art/docs/spamfilter/overview

     

       168
       +
             spam-filter = {

     

       169
       +
               card-is-ham = true;

     

       170
       +
             };

     

       171
       +
           };

     

       172
       +
         };

     

       173
       +
         age.secrets = {

     

       174
       +
           stalwart-secret-rsa = smSecret // {

     

       175
       +
             file = ../../../secrets/stalwart-secret-rsa.age;

     

       176
       +
           };

     

       177
       +
           stalwart-secret-ed25519 = smSecret // {

     

       178
       +
             file = ../../../secrets/stalwart-secret-ed25519.age;

     

       179
       +
           };

     

       180
       +
         };

     

       181
       +
       }

+42

systems/x86_64-linux/prefect/services/mailserver/stalwart/imap.nix

···

       1
       +
       # https://stalw.art/docs/email/imap

     

       2
       +
       {

     

       3
       +
         # 50 MiB

     

       4
       +
         request.max-size = 52428800;

     

       5
       +
         auth.max-failures = 3;

     

       6
       +
         auth.allow-plain-text = false;

     

       7
       +
         folders =

     

       8
       +
           let

     

       9
       +
             folder = {

     

       10
       +
               create = true;

     

       11
       +
               subscribe = true;

     

       12
       +
             };

     

       13
       +
           in

     

       14
       +
           {

     

       15
       +
             inbox = folder // {

     

       16
       +
               name = "Inbox";

     

       17
       +
             };

     

       18
       +
             drafts = folder // {

     

       19
       +
               name = "Drafts";

     

       20
       +
             };

     

       21
       +
             sent = folder // {

     

       22
       +
               name = "Sent";

     

       23
       +
             };

     

       24
       +
             trash = folder // {

     

       25
       +
               name = "Trash";

     

       26
       +
             };

     

       27
       +
             archive = folder // {

     

       28
       +
               name = "Archive";

     

       29
       +
             };

     

       30
       +
             junk = folder // {

     

       31
       +
               name = "Junk";

     

       32
       +
             };

     

       33
       +
             shared = {

     

       34
       +
               name = "Shared Folders";

     

       35
       +
               create = true;

     

       36
       +
               subscribe = false;

     

       37
       +
             };

     

       38
       +
           };

     

       39
       +
         timeout.authenticated = "30m";

     

       40
       +
         timeout.anonymous = "1m";

     

       41
       +
         timeout.idle = "30m";

     

       42
       +
       }

+97

systems/x86_64-linux/prefect/services/mailserver/stalwart/queue.nix

···

       1
       +
       {

     

       2
       +
         d,

     

       3
       +
         ifThen,

     

       4
       +
         otherwise,

     

       5
       +
       }:

     

       6
       +
       # Queue Management

     

       7
       +
       # https://stalw.art/docs/mta/outbound/overview

     

       8
       +
       {

     

       9
       +
         # Virtual Queues

     

       10
       +
         # https://stalw.art/docs/mta/outbound/queue

     

       11
       +
         virtual.default.threads-per-node = 100;

     

       12
       +
         virtual.admin.threads-per-node = 10;

     

       13
       +
         virtual.local.threads-per-node = 100;

     

       14
       +
         # Schedules

     

       15
       +
         # https://stalw.art/docs/mta/outbound/schedule

     

       16
       +
         schedule =

     

       17
       +
           let

     

       18
       +
             queue = {

     

       19
       +
               retry = [

     

       20
       +
                 "1m"

     

       21
       +
                 "2m"

     

       22
       +
                 "5m"

     

       23
       +
                 "10m"

     

       24
       +
                 "15m"

     

       25
       +
                 "30m"

     

       26
       +
                 "1h"

     

       27
       +
                 "2h"

     

       28
       +
               ];

     

       29
       +
               notify = [

     

       30
       +
                 "1d"

     

       31
       +
                 "3d"

     

       32
       +
               ];

     

       33
       +
               max-attempts = 15;

     

       34
       +
             };

     

       35
       +
           in

     

       36
       +
           {

     

       37
       +
             default = queue // {

     

       38
       +
               queue-name = "default";

     

       39
       +
             };

     

       40
       +
             admin = queue // {

     

       41
       +
               queue-name = "admin";

     

       42
       +
             };

     

       43
       +
             local = queue // {

     

       44
       +
               queue-name = "local";

     

       45
       +
             };

     

       46
       +
           };

     

       47
       +
         # Routes

     

       48
       +
         # https://stalw.art/docs/mta/outbound/routing

     

       49
       +
         route = {

     

       50
       +
           local.type = "local";

     

       51
       +
           remote = {

     

       52
       +
             type = "mx";

     

       53
       +
             ip-lookup = "ipv6_then_ipv4";

     

       54
       +
             tls.implicit = false;

     

       55
       +
             tls.allow-invalid-certs = false;

     

       56
       +
           };

     

       57
       +
         };

     

       58
       +
         # Strategies

     

       59
       +
         # https://stalw.art/docs/mta/outbound/strategy

     

       60
       +
         strategy = {

     

       61
       +
           schedule = [

     

       62
       +
             (ifThen "is_local_domain('', rcpt_domain)" "'local'")

     

       63
       +
             (ifThen "source = 'dsn'" "'admin'")

     

       64
       +
             (ifThen "source = 'report'" "'admin'")

     

       65
       +
             (ifThen "source = 'autogenerated'" "'admin'")

     

       66
       +
             (otherwise "'default'")

     

       67
       +
           ];

     

       68
       +
           route = [

     

       69
       +
             (ifThen "is_local_domain('', rcpt_domain)" "'local'")

     

       70
       +
             (otherwise "'remote'")

     

       71
       +
           ];

     

       72
       +
           connection = "'default'";

     

       73
       +
           tls = "'default'";

     

       74
       +
         };

     

       75
       +
         # Remote Connection

     

       76
       +
         # https://stalw.art/docs/mta/outbound/connection

     

       77
       +
         connection.default = {

     

       78
       +
           ehlo-hostname = d.extUrl;

     

       79
       +
           source-ips = d.extIPs;

     

       80
       +
           timeout = {

     

       81
       +
             connect = "3m";

     

       82
       +
             greeting = "3m";

     

       83
       +
             ehlo = "3m";

     

       84
       +
             mail-from = "3m";

     

       85
       +
             rcpt-to = "3m";

     

       86
       +
             data = "10m";

     

       87
       +
           };

     

       88
       +
         };

     

       89
       +
         tls.default = {

     

       90
       +
           dane = "optional";

     

       91
       +
           mta-sts = "optional";

     

       92
       +
           starttls = "optional";

     

       93
       +
           allow-invalid-certs = false;

     

       94
       +
           timeout.tls = "3m";

     

       95
       +
           timeout.mta-sts = "3m";

     

       96
       +
         };

     

       97
       +
       }

+64

systems/x86_64-linux/prefect/services/mailserver/stalwart/report.nix

···

       1
       +
       { d }:

     

       2
       +
       # Reports

     

       3
       +
       # https://stalw.art/docs/mta/reports/overview

     

       4
       +
       {

     

       5
       +
         domain = "pyrox.dev";

     

       6
       +
         submitter = "'${d.extUrl}'";

     

       7
       +
         analysis = {

     

       8
       +
           addresses = [

     

       9
       +
             "dmarc@"

     

       10
       +
             "reports@"

     

       11
       +
             "spf@"

     

       12
       +
             "dkim@"

     

       13
       +
             "abuse@"

     

       14
       +
           ];

     

       15
       +
           forward = true;

     

       16
       +
           store = "30d";

     

       17
       +
         };

     

       18
       +
         dsn = {

     

       19
       +
           from-name = "'PyroNet Mail'";

     

       20
       +
           from-address = "'mail@pyrox.dev'";

     

       21
       +
           sign = "['rsa', 'ed25519']";

     

       22
       +
         };

     

       23
       +
         dkim = {

     

       24
       +
           from-name = "'PyroNet Mail Reports'";

     

       25
       +
           from-address = "'noreply-dkim@pyrox.dev'";

     

       26
       +
           subject = "'DKIM Authentication Failure Report'";

     

       27
       +
           sign = "['rsa', 'ed25519']";

     

       28
       +
           send = "1/1d";

     

       29
       +
         };

     

       30
       +
         spf = {

     

       31
       +
           from-name = "'PyroNet Mail Reports'";

     

       32
       +
           from-address = "'noreply-spf@pyrox.dev'";

     

       33
       +
           subject = "'SPF Authentication Failure Report'";

     

       34
       +
           sign = "['rsa', 'ed25519']";

     

       35
       +
           send = "1/1d";

     

       36
       +
         };

     

       37
       +
         dmarc = {

     

       38
       +
           from-name = "'PyroNet Mail Reports'";

     

       39
       +
           from-address = "'noreply-dmarc@pyrox.dev'";

     

       40
       +
           subject = "'DMARC Authentication Failure Report'";

     

       41
       +
           sign = "['rsa', 'ed25519']";

     

       42
       +
           send = "1/1d";

     

       43
       +
           aggregate = {

     

       44
       +
             from-name = "'DMARC Report'";

     

       45
       +
             from-address = "'noreply-dmarc@pyrox.dev'";

     

       46
       +
             org-name = "'PyroNet Mail'";

     

       47
       +
             contact-info = "'pyrox@pyrox.dev'";

     

       48
       +
             send = "daily";

     

       49
       +
             # 25 MiB

     

       50
       +
             max-size = 26214400;

     

       51
       +
             sign = "['rsa', 'ed25519']";

     

       52
       +
           };

     

       53
       +
         };

     

       54
       +
         tls.aggregate = {

     

       55
       +
           from-name = "'PyroNet Mail Reports'";

     

       56
       +
           from-address = "'noreply-tls@pyrox.dev'";

     

       57
       +
           org-name = "'PyroNet Mail'";

     

       58
       +
           contact-info = "'pyrox@pyrox.dev'";

     

       59
       +
           send = "daily";

     

       60
       +
           # 25 MiB

     

       61
       +
           max-size = 26214400;

     

       62
       +
           sign = "['rsa', 'ed25519']";

     

       63
       +
         };

     

       64
       +
       }

+68

systems/x86_64-linux/prefect/services/mailserver/stalwart/server.nix

···

       1
       +
       { d }:

     

       2
       +
       {

     

       3
       +
         hostname = d.extUrl;

     

       4
       +
         # TLS

     

       5
       +
         # https://stalw.art/docs/server/tls/overview

     

       6
       +
         tls = {

     

       7
       +
           enable = true;

     

       8
       +
           implicit = false;

     

       9
       +
           ignore-client-order = true;

     

       10
       +
         };

     

       11
       +
         # Listeners

     

       12
       +
         # https://stalw.art/docs/server/listener

     

       13
       +
         listener = {

     

       14
       +
           smtp = {

     

       15
       +
             bind = [

     

       16
       +
               "[::]:${toString d.intSMTP}"

     

       17
       +
               "[::]:40025"

     

       18
       +
             ];

     

       19
       +
             protocol = "smtp";

     

       20
       +
             # Explicit TLS

     

       21
       +
             tls.implicit = false;

     

       22
       +
           };

     

       23
       +
           smtps = {

     

       24
       +
             bind = "[::]:${toString d.intSMTPS}";

     

       25
       +
             protocol = "smtp";

     

       26
       +
             # Implicit TLS

     

       27
       +
             tls.implicit = true;

     

       28
       +
           };

     

       29
       +
           imap = {

     

       30
       +
             bind = "[::]:${toString d.intIMAP}";

     

       31
       +
             protocol = "imap";

     

       32
       +
             # Explicit TLS

     

       33
       +
             tls.implicit = false;

     

       34
       +
           };

     

       35
       +
           imaps = {

     

       36
       +
             bind = "[::]:${toString d.intIMAPS}";

     

       37
       +
             protocol = "imap";

     

       38
       +
             # Implicit TLS

     

       39
       +
             tls.implicit = true;

     

       40
       +
           };

     

       41
       +
           managesieve = {

     

       42
       +
             bind = "[::]:${toString d.intManageSieve}";

     

       43
       +
             protocol = "managesieve";

     

       44
       +
             # Explicit TLS

     

       45
       +
             tls.implicit = false;

     

       46
       +
           };

     

       47
       +
           https = {

     

       48
       +
             bind = "[::]:${toString d.intHTTPS}";

     

       49
       +
             protocol = "http";

     

       50
       +
             # Implicit TLS

     

       51
       +
             tls.implicit = true;

     

       52
       +
           };

     

       53
       +
           http = {

     

       54
       +
             bind = "[::]:${toString d.intHTTP}";

     

       55
       +
             protocol = "http";

     

       56
       +
             # Implicit TLS

     

       57
       +
             tls.implicit = false;

     

       58
       +
           };

     

       59
       +
         };

     

       60
       +
         # Proxy Protocol from Caddy

     

       61
       +
         # Only accepts proxy protocol from Tailscale IP Ranges

     

       62
       +
         # https://tailscale.com/kb/1015/100.x-addresses

     

       63
       +
         # https://tailscale.com/kb/1033/ip-and-dns-addresses

     

       64
       +
         proxy.trusted-networks = [

     

       65
       +
           "fd7a:115c:a1e0::/48"

     

       66
       +
           "100.64.0.0/10"

     

       67
       +
         ];

     

       68
       +
       }

+42

systems/x86_64-linux/prefect/services/mailserver/stalwart/session.nix

···

       1
       +
       { isAuthenticated, otherwise }:

     

       2
       +
       # MTA Settings

     

       3
       +
       # https://stalw.art/docs/mta/overview

     

       4
       +
       {

     

       5
       +
         # Inbound

     

       6
       +
         # https://stalw.art/docs/mta/inbound/overview

     

       7
       +
         # # EHLO Stage

     

       8
       +
         # # https://stalw.art/docs/mta/inbound/ehlo

     

       9
       +
         ehlo = {

     

       10
       +
           require = true;

     

       11
       +
         };

     

       12
       +
         # # RCPT Stage

     

       13
       +
         # # https://stalw.art/docs/mta/inbound/rcpt

     

       14
       +
         rcpt = {

     

       15
       +
           relay = [

     

       16
       +
             (isAuthenticated true)

     

       17
       +
             (otherwise false)

     

       18
       +
           ];

     

       19
       +
           subaddressing = true;

     

       20
       +
         };

     

       21
       +
         extensions =

     

       22
       +
           let

     

       23
       +
             ifAuthed = [

     

       24
       +
               (isAuthenticated true)

     

       25
       +
               (otherwise false)

     

       26
       +
             ];

     

       27
       +
           in

     

       28
       +
           {

     

       29
       +
             pipelining = true;

     

       30
       +
             chunking = true;

     

       31
       +
             requiretls = true;

     

       32
       +
             no-soliciting = "";

     

       33
       +
             dsn = ifAuthed;

     

       34
       +
             deliver-by = [

     

       35
       +
               (isAuthenticated "15d")

     

       36
       +
               (otherwise false)

     

       37
       +
             ];

     

       38
       +
             mt-priority = false;

     

       39
       +
             vrfy = ifAuthed;

     

       40
       +
             expn = ifAuthed;

     

       41
       +
           };

     

       42
       +
       }

+41

systems/x86_64-linux/prefect/services/mailserver/stalwart/signature.nix

···

       1
       +
       let

     

       2
       +
         headers = [

     

       3
       +
           "From"

     

       4
       +
           "To"

     

       5
       +
           "Cc"

     

       6
       +
           "Date"

     

       7
       +
           "Subject"

     

       8
       +
           "Message-ID"

     

       9
       +
           "Organization"

     

       10
       +
           "MIME-Version"

     

       11
       +
           "Content-Type"

     

       12
       +
           "In-Reply-To"

     

       13
       +
           "References"

     

       14
       +
           "List-Id"

     

       15
       +
           "User-Agent"

     

       16
       +
           "Thread-Topic"

     

       17
       +
           "Thread-Index"

     

       18
       +
         ];

     

       19
       +
       in

     

       20
       +
       {

     

       21
       +
         rsa = {

     

       22
       +
           inherit headers;

     

       23
       +
           private-key = "%{file:/run/credentials/stalwart-mail.service/rsa_private_key}";

     

       24
       +
           domain = "pyrox.dev";

     

       25
       +
           selector = "rsa-default";

     

       26
       +
           algorithm = "rsa-sha256";

     

       27
       +
           canonicalization = "relaxed/relaxed";

     

       28
       +
           expire = "10d";

     

       29
       +
           report = true;

     

       30
       +
         };

     

       31
       +
         ed25519 = {

     

       32
       +
           inherit headers;

     

       33
       +
           private-key = "%{file:/run/credentials/stalwart-mail.service/ed25519_private_key}";

     

       34
       +
           domain = "pyrox.dev";

     

       35
       +
           selector = "default";

     

       36
       +
           algorithm = "ed25519-sha256";

     

       37
       +
           canonicalization = "relaxed/relaxed";

     

       38
       +
           expire = "10d";

     

       39
       +
           report = true;

     

       40
       +
         };

     

       41
       +
       }