diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:28:59 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:28:59 +0100 |
| commit | 17d24a633e75592f8b0dd5346c919c261332c90c (patch) | |
| tree | 01eceef16b07fdb0e440e060bffb8ac38e222d93 /hosts/surtr/email/default.nix | |
| parent | 47c4a1e7f3074ca10412abe5efd3a01ed6ba099e (diff) | |
| download | nixos-17d24a633e75592f8b0dd5346c919c261332c90c.tar nixos-17d24a633e75592f8b0dd5346c919c261332c90c.tar.gz nixos-17d24a633e75592f8b0dd5346c919c261332c90c.tar.bz2 nixos-17d24a633e75592f8b0dd5346c919c261332c90c.tar.xz nixos-17d24a633e75592f8b0dd5346c919c261332c90c.zip | |
kleen.consulting
Diffstat (limited to 'hosts/surtr/email/default.nix')
| -rw-r--r-- | hosts/surtr/email/default.nix | 52 |
1 files changed, 40 insertions, 12 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 80611c3c..22790fbb 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
| @@ -112,6 +112,11 @@ in { | |||
| 112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem | 112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem |
| 113 | mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem | 113 | mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem |
| 114 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 114 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem |
| 115 | |||
| 116 | kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
| 117 | mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem | ||
| 118 | mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem | ||
| 119 | .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
| 115 | ''}''; | 120 | ''}''; |
| 116 | 121 | ||
| 117 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; | 122 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; |
| @@ -278,6 +283,7 @@ in { | |||
| 278 | separator = "+"; | 283 | separator = "+"; |
| 279 | excludeDomains = [ "surtr.yggdrasil.li" | 284 | excludeDomains = [ "surtr.yggdrasil.li" |
| 280 | ".bouncy.email" "bouncy.email" | 285 | ".bouncy.email" "bouncy.email" |
| 286 | ".kleen.consulting" "kleen.consulting" | ||
| 281 | ]; | 287 | ]; |
| 282 | }; | 288 | }; |
| 283 | 289 | ||
| @@ -285,7 +291,7 @@ in { | |||
| 285 | enable = true; | 291 | enable = true; |
| 286 | user = "postfix"; group = "postfix"; | 292 | user = "postfix"; group = "postfix"; |
| 287 | socket = "local:/run/opendkim/opendkim.sock"; | 293 | socket = "local:/run/opendkim/opendkim.sock"; |
| 288 | domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}''; | 294 | domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}''; |
| 289 | selector = "surtr"; | 295 | selector = "surtr"; |
| 290 | configFile = builtins.toFile "opendkim.conf" '' | 296 | configFile = builtins.toFile "opendkim.conf" '' |
| 291 | Syslog true | 297 | Syslog true |
| @@ -432,6 +438,15 @@ in { | |||
| 432 | ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem | 438 | ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem |
| 433 | } | 439 | } |
| 434 | 440 | ||
| 441 | local_name imap.kleen.consulting { | ||
| 442 | ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem | ||
| 443 | ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem | ||
| 444 | } | ||
| 445 | local_name kleen.consulting { | ||
| 446 | ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem | ||
| 447 | ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem | ||
| 448 | } | ||
| 449 | |||
| 435 | ssl_require_crl = no | 450 | ssl_require_crl = no |
| 436 | ssl_verify_client_cert = yes | 451 | ssl_verify_client_cert = yes |
| 437 | 452 | ||
| @@ -651,12 +666,17 @@ in { | |||
| 651 | }; | 666 | }; |
| 652 | 667 | ||
| 653 | security.acme.domains = { | 668 | security.acme.domains = { |
| 669 | "surtr.yggdrasil.li" = {}; | ||
| 654 | "bouncy.email" = {}; | 670 | "bouncy.email" = {}; |
| 655 | "mailin.bouncy.email" = {}; | 671 | "mailin.bouncy.email" = {}; |
| 656 | "mailsub.bouncy.email" = {}; | 672 | "mailsub.bouncy.email" = {}; |
| 657 | "imap.bouncy.email" = {}; | 673 | "imap.bouncy.email" = {}; |
| 658 | "mta-sts.bouncy.email" = {}; | 674 | "mta-sts.bouncy.email" = {}; |
| 659 | "surtr.yggdrasil.li" = {}; | 675 | "kleen.consulting" = {}; |
| 676 | "mailin.kleen.consulting" = {}; | ||
| 677 | "mailsub.kleen.consulting" = {}; | ||
| 678 | "imap.kleen.consulting" = {}; | ||
| 679 | "mta-sts.kleen.consulting" = {}; | ||
| 660 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); | 680 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); |
| 661 | 681 | ||
| 662 | systemd.services.postfix = { | 682 | systemd.services.postfix = { |
| @@ -666,6 +686,9 @@ in { | |||
| 666 | "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" | 686 | "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" |
| 667 | "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" | 687 | "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" |
| 668 | "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" | 688 | "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" |
| 689 | "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem" | ||
| 690 | "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem" | ||
| 691 | "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem" | ||
| 669 | ]; | 692 | ]; |
| 670 | }; | 693 | }; |
| 671 | 694 | ||
| @@ -684,6 +707,10 @@ in { | |||
| 684 | "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" | 707 | "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" |
| 685 | "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" | 708 | "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" |
| 686 | "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" | 709 | "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" |
| 710 | "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem" | ||
| 711 | "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem" | ||
| 712 | "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem" | ||
| 713 | "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem" | ||
| 687 | ]; | 714 | ]; |
| 688 | }; | 715 | }; |
| 689 | }; | 716 | }; |
| @@ -713,12 +740,11 @@ in { | |||
| 713 | proxy_set_header SPM-DOMAIN "${domain}"; | 740 | proxy_set_header SPM-DOMAIN "${domain}"; |
| 714 | ''; | 741 | ''; |
| 715 | }; | 742 | }; |
| 716 | }) spmDomains) // { | 743 | }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" { |
| 717 | "mta-sts.bouncy.email" = { | ||
| 718 | forceSSL = true; | 744 | forceSSL = true; |
| 719 | sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem"; | 745 | sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem"; |
| 720 | sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem"; | 746 | sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem"; |
| 721 | sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem"; | 747 | sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem"; |
| 722 | 748 | ||
| 723 | extraConfig = '' | 749 | extraConfig = '' |
| 724 | add_header Strict-Transport-Security "max-age=63072000" always; | 750 | add_header Strict-Transport-Security "max-age=63072000" always; |
| @@ -734,18 +760,17 @@ in { | |||
| 734 | charset utf-8; | 760 | charset utf-8; |
| 735 | source_charset utf-8; | 761 | source_charset utf-8; |
| 736 | ''; | 762 | ''; |
| 737 | root = pkgs.runCommand "mta-sts" {} '' | 763 | root = pkgs.runCommand "mta-sts.${domain}" {} '' |
| 738 | mkdir -p $out/.well-known | 764 | mkdir -p $out/.well-known |
| 739 | cp ${pkgs.writeText "mta-sts.txt" '' | 765 | cp ${pkgs.writeText "mta-sts.${domain}.txt" '' |
| 740 | version: STSv1 | 766 | version: STSv1 |
| 741 | mode: enforce | 767 | mode: enforce |
| 742 | max_age: 2419200 | 768 | max_age: 2419200 |
| 743 | mx: mailin.bouncy.email | 769 | mx: mailin.${domain} |
| 744 | ''} $out/.well-known/mta-sts.txt | 770 | ''} $out/.well-known/mta-sts.txt |
| 745 | ''; | 771 | ''; |
| 746 | }; | 772 | }; |
| 747 | }; | 773 | }) ["bouncy.email" "kleen.consulting"]); |
| 748 | }; | ||
| 749 | }; | 774 | }; |
| 750 | 775 | ||
| 751 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ | 776 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ |
| @@ -755,6 +780,9 @@ in { | |||
| 755 | "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" | 780 | "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" |
| 756 | "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" | 781 | "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" |
| 757 | "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" | 782 | "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" |
| 783 | "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem" | ||
| 784 | "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem" | ||
| 785 | "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem" | ||
| 758 | ]; | 786 | ]; |
| 759 | 787 | ||
| 760 | systemd.services.spm = { | 788 | systemd.services.spm = { |