1 files changed, 111 insertions, 0 deletions
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..bebf7980
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = false;
+    enableSubmission = false;
+    setSendmail = true;
+    # networksStyle = "host";
+    settings.main = {
+      recpipient_delimiter = "+";
+      mydestination = [];
+      myhostname = "sif.midgard.yggdrasil";
+      mydomain = "yggdrasil.li";
+      local_transport = "error:5.1.1 No local delivery";
+      alias_database = [];
+      alias_maps = [];
+      local_recipient_maps = [];
+      inet_interfaces = "loopback-only";
+      message_size_limit = 0;
+      authorized_submit_users = "inline:{ gkleen= }";
+      authorized_flush_users = "inline:{ gkleen= }";
+      authorized_mailq_users = "inline:{ gkleen= }";
+      smtp_generic_maps = "inline:{ root=root+sif }";
+      mynetworks = ["127.0.0.0/8" "[::1]/128"];
+      smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+      smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      relayhost = ["[surtr.yggdrasil.li]:465"];
+      default_transport = "relay";
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+    settings.master = {
+      submission = {
+        type = "inet";
+        private = false;
+        command = "smtpd";
+        args = [
+          "-o" "syslog_name=postfix/$service_name"
+        ];
+      };
+      smtp = { };
+      smtps = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "smtp";
+        args = [
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_security_level=encrypt"
+        ];
+      };
+      relay = {
+        command = "smtp";
+        args = [
+          "-o" "smtp_fallback_relay="
+          "-o" "smtp_tls_security_level=verify"
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_cert_file=${./relay.crt}"
+          "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
+        ];
+      };
+    };
+  };
+  systemd.services.postfix = {
+    serviceConfig.LoadCredential = [
+      "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
+      "relay.key:${config.sops.secrets."relay-key".path}"
+    ];
+  };
+  sops.secrets = {
+    postfix-sasl-passwd = {
+      key = "sasl-passwd";
+      sopsFile = ./secrets.yaml;
+    };
+    relay-key = {
+      format = "binary";
+      sopsFile = ./relay.key;
+    };
+  };
+}

diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix new file mode 100644 index 00000000..bebf7980 --- /dev/null +++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
	1	{ config, lib, pkgs, ... }:
	2	{
	3	services.postfix = {
	4	enable = true;
	5	enableSmtp = false;
	6	enableSubmission = false;
	7	setSendmail = true;
	8	# networksStyle = "host";
	9	settings.main = {
	10	recpipient_delimiter = "+";
	11	mydestination = [];
	12	myhostname = "sif.midgard.yggdrasil";
	13
	14	mydomain = "yggdrasil.li";
	15
	16	local_transport = "error:5.1.1 No local delivery";
	17	alias_database = [];
	18	alias_maps = [];
	19	local_recipient_maps = [];
	20
	21	inet_interfaces = "loopback-only";
	22
	23	message_size_limit = 0;
	24
	25	authorized_submit_users = "inline:{ gkleen= }";
	26	authorized_flush_users = "inline:{ gkleen= }";
	27	authorized_mailq_users = "inline:{ gkleen= }";
	28
	29	smtp_generic_maps = "inline:{ root=root+sif }";
	30
	31	mynetworks = ["127.0.0.0/8" "[::1]/128"];
	32	smtpd_client_restrictions = ["permit_mynetworks" "reject"];
	33	smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
	34
	35	sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
	36	/@(cip\|stud)\.ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
	37	/@ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
	38	/@math(ematik)?\.(lmu\|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
	39	/@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
	40	''}'';
	41	sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
	42	/^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
	43	/@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
	44	''}'';
	45	relayhost = ["[surtr.yggdrasil.li]:465"];
	46	default_transport = "relay";
	47
	48	smtp_sasl_auth_enable = true;
	49	smtp_sender_dependent_authentication = true;
	50	smtp_sasl_tls_security_options = "noanonymous";
	51	smtp_sasl_mechanism_filter = ["plain"];
	52	smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
	53	smtp_cname_overrides_servername = false;
	54	smtp_always_send_ehlo = true;
	55	smtp_tls_security_level = "dane";
	56
	57	smtp_tls_loglevel = "1";
	58	smtp_dns_support_level = "dnssec";
	59	};
	60	settings.master = {
	61	submission = {
	62	type = "inet";
	63	private = false;
	64	command = "smtpd";
	65	args = [
	66	"-o" "syslog_name=postfix/$service_name"
	67	];
	68	};
	69	smtp = { };
	70	smtps = {
	71	type = "unix";
	72	private = true;
	73	privileged = true;
	74	chroot = false;
	75	command = "smtp";
	76	args = [
	77	"-o" "smtp_tls_wrappermode=yes"
	78	"-o" "smtp_tls_security_level=encrypt"
	79	];
	80	};
	81	relay = {
	82	command = "smtp";
	83	args = [
	84	"-o" "smtp_fallback_relay="
	85	"-o" "smtp_tls_security_level=verify"
	86	"-o" "smtp_tls_wrappermode=yes"
	87	"-o" "smtp_tls_cert_file=${./relay.crt}"
	88	"-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
	89	];
	90	};
	91	};
	92	};
	93
	94	systemd.services.postfix = {
	95	serviceConfig.LoadCredential = [
	96	"sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
	97	"relay.key:${config.sops.secrets."relay-key".path}"
	98	];
	99	};
	100
	101	sops.secrets = {
	102	postfix-sasl-passwd = {
	103	key = "sasl-passwd";
	104	sopsFile = ./secrets.yaml;
	105	};
	106	relay-key = {
	107	format = "binary";
	108	sopsFile = ./relay.key;
	109	};
	110	};
	111	}