authorGregor Kleen <gkleen@yggdrasil.li>2022-12-27 15:54:58 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-12-27 15:54:58 +0100
commitfa46d01d16aad10b28e2ad25957df7727dfc4854 (patch)
tree17ec177672290927556bda9ce0d1f05baae3febf
parent17d24a633e75592f8b0dd5346c919c261332c90c (diff)
generalize surtr email setup
-rw-r--r--hosts/surtr/email/default.nix107
1 files changed, 39 insertions, 68 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 22790fbb..a2e93e32 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -42,6 +42,7 @@ let
42 }; 42 };
43 43
44 spmDomains = ["bouncy.email"]; 44 spmDomains = ["bouncy.email"];
45 emailDomains = spmDomains ++ ["kleen.consulting"];
45in { 46in {
46 config = { 47 config = {
47 nixpkgs.overlays = [ 48 nixpkgs.overlays = [
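Review bot: The new `emailDomains` binding is the single list that now drives ACME issuance, the Postfix and Dovecot LoadCredential sets, SNI, DKIM signing and the MTA-STS policy sites in the later hunks, but nothing at the definition says so, and the next person adding a domain has to discover that by reading the whole file. A one-line comment above it would make the contract visible, e.g. `# every entry gets ACME certs for {,mailin.,mailsub.,imap.,mta-sts.}<domain>, is DKIM-signed and gets an MTA-STS policy; spmDomains is always a subset`. The `let` block this line belongs to starts outside the hunk.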
@@ -107,17 +108,12 @@ in {
107 108
108 smtp_tls_connection_reuse = true; 109 smtp_tls_connection_reuse = true;
109 110
110 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' 111 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
111 bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem 112 concatMapStringsSep "\n\n" (domain:
112 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem 113 concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${subdomain}.full.pem")
113 mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem 114 [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
114 .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem 115 ) emailDomains
115 116 )}'';
116 kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
117 mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem
118 mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem
119 .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
120 ''}'';
121 117
122 smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; 118 smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
123 119
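Review bot: The generated SNI table changes what the dot-prefixed wildcard entry points at: the old table mapped `.bouncy.email` to `bouncy.email.full.pem`, while the new `concatMapStringsSep` emits `.${domain} /run/credentials/postfix.service/.${domain}.full.pem`, and no credential with a leading dot is ever loaded (the Postfix LoadCredential hunk further down only loads `<domain>`, `mailin.` and `mailsub.` names). Any client whose SNI falls through to the parent-domain entry will therefore hit a missing file instead of the bare-domain certificate; whether Postfix then fails the handshake or falls back to the default certificate depends on the version, but either way the wildcard rule no longer does what it did before. The fix is to emit the wildcard line separately from the per-name lines, e.g. replace the list with `[domain "mailin.${domain}" "mailsub.${domain}"]` and append `+ "\n.${domain} /run/credentials/postfix.service/${domain}.full.pem"` to the inner `concatMapStringsSep` call. The enclosing Postfix settings attribute set starts and ends outside the hunk.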
@@ -282,16 +278,14 @@ in {
282 domain = "surtr.yggdrasil.li"; 278 domain = "surtr.yggdrasil.li";
283 separator = "+"; 279 separator = "+";
284 excludeDomains = [ "surtr.yggdrasil.li" 280 excludeDomains = [ "surtr.yggdrasil.li"
285 ".bouncy.email" "bouncy.email" 281 ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
286 ".kleen.consulting" "kleen.consulting"
287 ];
288 }; 282 };
289 283
290 services.opendkim = { 284 services.opendkim = {
291 enable = true; 285 enable = true;
292 user = "postfix"; group = "postfix"; 286 user = "postfix"; group = "postfix";
293 socket = "local:/run/opendkim/opendkim.sock"; 287 socket = "local:/run/opendkim/opendkim.sock";
294 domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}''; 288 domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
295 selector = "surtr"; 289 selector = "surtr";
296 configFile = builtins.toFile "opendkim.conf" '' 290 configFile = builtins.toFile "opendkim.conf" ''
297 Syslog true 291 Syslog true
@@ -429,23 +423,14 @@ in {
429 first_valid_gid = ${toString config.users.groups.dovecot2.gid} 423 first_valid_gid = ${toString config.users.groups.dovecot2.gid}
430 last_valid_gid = ${toString config.users.groups.dovecot2.gid} 424 last_valid_gid = ${toString config.users.groups.dovecot2.gid}
431 425
432 local_name imap.bouncy.email { 426 ${concatMapStringsSep "\n\n" (domain:
433 ssl_cert = </run/credentials/dovecot2.service/imap.bouncy.email.pem 427 concatMapStringsSep "\n" (subdomain: ''
434 ssl_key = </run/credentials/dovecot2.service/imap.bouncy.email.key.pem 428 local_name ${subdomain} {
435 } 429 ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
436 local_name bouncy.email { 430 ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
437 ssl_cert = </run/credentials/dovecot2.service/bouncy.email.pem 431 }
438 ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem 432 '') ["imap.${domain}" domain]
439 } 433 ) emailDomains}
440
441 local_name imap.kleen.consulting {
442 ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem
443 ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem
444 }
445 local_name kleen.consulting {
446 ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem
447 ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem
448 }
449 434
450 ssl_require_crl = no 435 ssl_require_crl = no
451 ssl_verify_client_cert = yes 436 ssl_verify_client_cert = yes
@@ -667,29 +652,20 @@ in {
667 652
668 security.acme.domains = { 653 security.acme.domains = {
669 "surtr.yggdrasil.li" = {}; 654 "surtr.yggdrasil.li" = {};
670 "bouncy.email" = {}; 655 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains)
671 "mailin.bouncy.email" = {}; 656 // listToAttrs (concatMap (domain:
672 "mailsub.bouncy.email" = {}; 657 map (subdomain: nameValuePair subdomain {})
673 "imap.bouncy.email" = {}; 658 [domain "mailin.${domain}" "mailsub.${domain}" "imap.${domain}" "mta-sts.${domain}"]
674 "mta-sts.bouncy.email" = {}; 659 ) emailDomains);
675 "kleen.consulting" = {};
676 "mailin.kleen.consulting" = {};
677 "mailsub.kleen.consulting" = {};
678 "imap.kleen.consulting" = {};
679 "mta-sts.kleen.consulting" = {};
680 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
681 660
682 systemd.services.postfix = { 661 systemd.services.postfix = {
683 serviceConfig.LoadCredential = [ 662 serviceConfig.LoadCredential = [
684 "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" 663 "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
685 "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" 664 "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
686 "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" 665 ] ++ concatMap (domain:
687 "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" 666 map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
688 "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" 667 [domain "mailin.${domain}" "mailsub.${domain}"]
689 "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem" 668 ) emailDomains;
690 "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem"
691 "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem"
692 ];
693 }; 669 };
694 670
695 systemd.services.dovecot2 = { 671 systemd.services.dovecot2 = {
@@ -703,15 +679,13 @@ in {
703 LoadCredential = [ 679 LoadCredential = [
704 "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" 680 "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
705 "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" 681 "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
706 "bouncy.email.key.pem:${config.security.acme.certs."bouncy.email".directory}/key.pem" 682 ] ++ concatMap (domain:
707 "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" 683 concatMap (subdomain: [
708 "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" 684 "${subdomain}.key.pem:${config.security.acme.certs.${subdomain}.directory}/key.pem"
709 "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" 685 "${subdomain}.pem:${config.security.acme.certs.${subdomain}.directory}/fullchain.pem"
710 "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem" 686 ])
711 "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem" 687 [domain "imap.${domain}"]
712 "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem" 688 ) emailDomains;
713 "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem"
714 ];
715 }; 689 };
716 }; 690 };
717 691
@@ -770,20 +744,17 @@ in {
770 ''} $out/.well-known/mta-sts.txt 744 ''} $out/.well-known/mta-sts.txt
771 ''; 745 '';
772 }; 746 };
773 }) ["bouncy.email" "kleen.consulting"]); 747 }) emailDomains);
774 }; 748 };
775 749
776 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ 750 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
777 "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem" 751 "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
778 "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem" 752 "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
779 ]) spmDomains ++ [ 753 ]) spmDomains ++ concatMap (domain: [
780 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" 754 "mta-sts.${domain}.key.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/key.pem"
781 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" 755 "mta-sts.${domain}.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/fullchain.pem"
782 "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" 756 "mta-sts.${domain}.chain.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/chain.pem"
783 "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem" 757 ]) emailDomains;
784 "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem"
785 "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem"
786 ];
787 758
788 systemd.services.spm = { 759 systemd.services.spm = {
789 serviceConfig = { 760 serviceConfig = {