diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:54:58 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:54:58 +0100 |
commit | fa46d01d16aad10b28e2ad25957df7727dfc4854 (patch) | |
tree | 17ec177672290927556bda9ce0d1f05baae3febf | |
parent | 17d24a633e75592f8b0dd5346c919c261332c90c (diff) | |
download | nixos-fa46d01d16aad10b28e2ad25957df7727dfc4854.tar nixos-fa46d01d16aad10b28e2ad25957df7727dfc4854.tar.gz nixos-fa46d01d16aad10b28e2ad25957df7727dfc4854.tar.bz2 nixos-fa46d01d16aad10b28e2ad25957df7727dfc4854.tar.xz nixos-fa46d01d16aad10b28e2ad25957df7727dfc4854.zip |
generalize surtr email setup
-rw-r--r-- | hosts/surtr/email/default.nix | 107 |
1 files changed, 39 insertions, 68 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 22790fbb..a2e93e32 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -42,6 +42,7 @@ let | |||
42 | }; | 42 | }; |
43 | 43 | ||
44 | spmDomains = ["bouncy.email"]; | 44 | spmDomains = ["bouncy.email"]; |
45 | emailDomains = spmDomains ++ ["kleen.consulting"]; | ||
45 | in { | 46 | in { |
46 | config = { | 47 | config = { |
47 | nixpkgs.overlays = [ | 48 | nixpkgs.overlays = [ |
@@ -107,17 +108,12 @@ in { | |||
107 | 108 | ||
108 | smtp_tls_connection_reuse = true; | 109 | smtp_tls_connection_reuse = true; |
109 | 110 | ||
110 | tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" '' | 111 | tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ( |
111 | bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 112 | concatMapStringsSep "\n\n" (domain: |
112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem | 113 | concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${subdomain}.full.pem") |
113 | mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem | 114 | [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"] |
114 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 115 | ) emailDomains |
115 | 116 | )}''; | |
116 | kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
117 | mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem | ||
118 | mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem | ||
119 | .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
120 | ''}''; | ||
121 | 117 | ||
122 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; | 118 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; |
123 | 119 | ||
@@ -282,16 +278,14 @@ in { | |||
282 | domain = "surtr.yggdrasil.li"; | 278 | domain = "surtr.yggdrasil.li"; |
283 | separator = "+"; | 279 | separator = "+"; |
284 | excludeDomains = [ "surtr.yggdrasil.li" | 280 | excludeDomains = [ "surtr.yggdrasil.li" |
285 | ".bouncy.email" "bouncy.email" | 281 | ] ++ concatMap (domain: [".${domain}" domain]) emailDomains; |
286 | ".kleen.consulting" "kleen.consulting" | ||
287 | ]; | ||
288 | }; | 282 | }; |
289 | 283 | ||
290 | services.opendkim = { | 284 | services.opendkim = { |
291 | enable = true; | 285 | enable = true; |
292 | user = "postfix"; group = "postfix"; | 286 | user = "postfix"; group = "postfix"; |
293 | socket = "local:/run/opendkim/opendkim.sock"; | 287 | socket = "local:/run/opendkim/opendkim.sock"; |
294 | domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}''; | 288 | domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}''; |
295 | selector = "surtr"; | 289 | selector = "surtr"; |
296 | configFile = builtins.toFile "opendkim.conf" '' | 290 | configFile = builtins.toFile "opendkim.conf" '' |
297 | Syslog true | 291 | Syslog true |
@@ -429,23 +423,14 @@ in { | |||
429 | first_valid_gid = ${toString config.users.groups.dovecot2.gid} | 423 | first_valid_gid = ${toString config.users.groups.dovecot2.gid} |
430 | last_valid_gid = ${toString config.users.groups.dovecot2.gid} | 424 | last_valid_gid = ${toString config.users.groups.dovecot2.gid} |
431 | 425 | ||
432 | local_name imap.bouncy.email { | 426 | ${concatMapStringsSep "\n\n" (domain: |
433 | ssl_cert = </run/credentials/dovecot2.service/imap.bouncy.email.pem | 427 | concatMapStringsSep "\n" (subdomain: '' |
434 | ssl_key = </run/credentials/dovecot2.service/imap.bouncy.email.key.pem | 428 | local_name ${subdomain} { |
435 | } | 429 | ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem |
436 | local_name bouncy.email { | 430 | ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem |
437 | ssl_cert = </run/credentials/dovecot2.service/bouncy.email.pem | 431 | } |
438 | ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem | 432 | '') ["imap.${domain}" domain] |
439 | } | 433 | ) emailDomains} |
440 | |||
441 | local_name imap.kleen.consulting { | ||
442 | ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem | ||
443 | ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem | ||
444 | } | ||
445 | local_name kleen.consulting { | ||
446 | ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem | ||
447 | ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem | ||
448 | } | ||
449 | 434 | ||
450 | ssl_require_crl = no | 435 | ssl_require_crl = no |
451 | ssl_verify_client_cert = yes | 436 | ssl_verify_client_cert = yes |
@@ -667,29 +652,20 @@ in { | |||
667 | 652 | ||
668 | security.acme.domains = { | 653 | security.acme.domains = { |
669 | "surtr.yggdrasil.li" = {}; | 654 | "surtr.yggdrasil.li" = {}; |
670 | "bouncy.email" = {}; | 655 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains) |
671 | "mailin.bouncy.email" = {}; | 656 | // listToAttrs (concatMap (domain: |
672 | "mailsub.bouncy.email" = {}; | 657 | map (subdomain: nameValuePair subdomain {}) |
673 | "imap.bouncy.email" = {}; | 658 | [domain "mailin.${domain}" "mailsub.${domain}" "imap.${domain}" "mta-sts.${domain}"] |
674 | "mta-sts.bouncy.email" = {}; | 659 | ) emailDomains); |
675 | "kleen.consulting" = {}; | ||
676 | "mailin.kleen.consulting" = {}; | ||
677 | "mailsub.kleen.consulting" = {}; | ||
678 | "imap.kleen.consulting" = {}; | ||
679 | "mta-sts.kleen.consulting" = {}; | ||
680 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); | ||
681 | 660 | ||
682 | systemd.services.postfix = { | 661 | systemd.services.postfix = { |
683 | serviceConfig.LoadCredential = [ | 662 | serviceConfig.LoadCredential = [ |
684 | "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" | 663 | "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" |
685 | "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" | 664 | "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" |
686 | "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" | 665 | ] ++ concatMap (domain: |
687 | "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" | 666 | map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem") |
688 | "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" | 667 | [domain "mailin.${domain}" "mailsub.${domain}"] |
689 | "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem" | 668 | ) emailDomains; |
690 | "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem" | ||
691 | "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem" | ||
692 | ]; | ||
693 | }; | 669 | }; |
694 | 670 | ||
695 | systemd.services.dovecot2 = { | 671 | systemd.services.dovecot2 = { |
@@ -703,15 +679,13 @@ in { | |||
703 | LoadCredential = [ | 679 | LoadCredential = [ |
704 | "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" | 680 | "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem" |
705 | "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" | 681 | "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem" |
706 | "bouncy.email.key.pem:${config.security.acme.certs."bouncy.email".directory}/key.pem" | 682 | ] ++ concatMap (domain: |
707 | "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" | 683 | concatMap (subdomain: [ |
708 | "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" | 684 | "${subdomain}.key.pem:${config.security.acme.certs.${subdomain}.directory}/key.pem" |
709 | "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" | 685 | "${subdomain}.pem:${config.security.acme.certs.${subdomain}.directory}/fullchain.pem" |
710 | "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem" | 686 | ]) |
711 | "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem" | 687 | [domain "imap.${domain}"] |
712 | "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem" | 688 | ) emailDomains; |
713 | "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem" | ||
714 | ]; | ||
715 | }; | 689 | }; |
716 | }; | 690 | }; |
717 | 691 | ||
@@ -770,20 +744,17 @@ in { | |||
770 | ''} $out/.well-known/mta-sts.txt | 744 | ''} $out/.well-known/mta-sts.txt |
771 | ''; | 745 | ''; |
772 | }; | 746 | }; |
773 | }) ["bouncy.email" "kleen.consulting"]); | 747 | }) emailDomains); |
774 | }; | 748 | }; |
775 | 749 | ||
776 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ | 750 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ |
777 | "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem" | 751 | "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem" |
778 | "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem" | 752 | "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem" |
779 | ]) spmDomains ++ [ | 753 | ]) spmDomains ++ concatMap (domain: [ |
780 | "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" | 754 | "mta-sts.${domain}.key.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/key.pem" |
781 | "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" | 755 | "mta-sts.${domain}.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/fullchain.pem" |
782 | "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" | 756 | "mta-sts.${domain}.chain.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/chain.pem" |
783 | "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem" | 757 | ]) emailDomains; |
784 | "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem" | ||
785 | "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem" | ||
786 | ]; | ||
787 | 758 | ||
788 | systemd.services.spm = { | 759 | systemd.services.spm = { |
789 | serviceConfig = { | 760 | serviceConfig = { |