summaryrefslogtreecommitdiff
path: root/hosts/surtr/email
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr/email')
-rw-r--r--hosts/surtr/email/default.nix52
1 files changed, 40 insertions, 12 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 80611c3c..22790fbb 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -112,6 +112,11 @@ in {
112 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem 112 mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
113 mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem 113 mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem
114 .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem 114 .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
115
116 kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
117 mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem
118 mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem
119 .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
115 ''}''; 120 ''}'';
116 121
117 smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; 122 smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
@@ -278,6 +283,7 @@ in {
278 separator = "+"; 283 separator = "+";
279 excludeDomains = [ "surtr.yggdrasil.li" 284 excludeDomains = [ "surtr.yggdrasil.li"
280 ".bouncy.email" "bouncy.email" 285 ".bouncy.email" "bouncy.email"
286 ".kleen.consulting" "kleen.consulting"
281 ]; 287 ];
282 }; 288 };
283 289
@@ -285,7 +291,7 @@ in {
285 enable = true; 291 enable = true;
286 user = "postfix"; group = "postfix"; 292 user = "postfix"; group = "postfix";
287 socket = "local:/run/opendkim/opendkim.sock"; 293 socket = "local:/run/opendkim/opendkim.sock";
288 domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}''; 294 domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}'';
289 selector = "surtr"; 295 selector = "surtr";
290 configFile = builtins.toFile "opendkim.conf" '' 296 configFile = builtins.toFile "opendkim.conf" ''
291 Syslog true 297 Syslog true
@@ -432,6 +438,15 @@ in {
432 ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem 438 ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem
433 } 439 }
434 440
441 local_name imap.kleen.consulting {
442 ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem
443 ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem
444 }
445 local_name kleen.consulting {
446 ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem
447 ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem
448 }
449
435 ssl_require_crl = no 450 ssl_require_crl = no
436 ssl_verify_client_cert = yes 451 ssl_verify_client_cert = yes
437 452
@@ -651,12 +666,17 @@ in {
651 }; 666 };
652 667
653 security.acme.domains = { 668 security.acme.domains = {
669 "surtr.yggdrasil.li" = {};
654 "bouncy.email" = {}; 670 "bouncy.email" = {};
655 "mailin.bouncy.email" = {}; 671 "mailin.bouncy.email" = {};
656 "mailsub.bouncy.email" = {}; 672 "mailsub.bouncy.email" = {};
657 "imap.bouncy.email" = {}; 673 "imap.bouncy.email" = {};
658 "mta-sts.bouncy.email" = {}; 674 "mta-sts.bouncy.email" = {};
659 "surtr.yggdrasil.li" = {}; 675 "kleen.consulting" = {};
676 "mailin.kleen.consulting" = {};
677 "mailsub.kleen.consulting" = {};
678 "imap.kleen.consulting" = {};
679 "mta-sts.kleen.consulting" = {};
660 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); 680 } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
661 681
662 systemd.services.postfix = { 682 systemd.services.postfix = {
@@ -666,6 +686,9 @@ in {
666 "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" 686 "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"
667 "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" 687 "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem"
668 "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" 688 "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem"
689 "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem"
690 "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem"
691 "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem"
669 ]; 692 ];
670 }; 693 };
671 694
@@ -684,6 +707,10 @@ in {
684 "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" 707 "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem"
685 "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" 708 "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem"
686 "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" 709 "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem"
710 "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem"
711 "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem"
712 "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem"
713 "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem"
687 ]; 714 ];
688 }; 715 };
689 }; 716 };
@@ -713,12 +740,11 @@ in {
713 proxy_set_header SPM-DOMAIN "${domain}"; 740 proxy_set_header SPM-DOMAIN "${domain}";
714 ''; 741 '';
715 }; 742 };
716 }) spmDomains) // { 743 }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
717 "mta-sts.bouncy.email" = {
718 forceSSL = true; 744 forceSSL = true;
719 sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem"; 745 sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
720 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem"; 746 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
721 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem"; 747 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";
722 748
723 extraConfig = '' 749 extraConfig = ''
724 add_header Strict-Transport-Security "max-age=63072000" always; 750 add_header Strict-Transport-Security "max-age=63072000" always;
@@ -734,18 +760,17 @@ in {
734 charset utf-8; 760 charset utf-8;
735 source_charset utf-8; 761 source_charset utf-8;
736 ''; 762 '';
737 root = pkgs.runCommand "mta-sts" {} '' 763 root = pkgs.runCommand "mta-sts.${domain}" {} ''
738 mkdir -p $out/.well-known 764 mkdir -p $out/.well-known
739 cp ${pkgs.writeText "mta-sts.txt" '' 765 cp ${pkgs.writeText "mta-sts.${domain}.txt" ''
740 version: STSv1 766 version: STSv1
741 mode: enforce 767 mode: enforce
742 max_age: 2419200 768 max_age: 2419200
743 mx: mailin.bouncy.email 769 mx: mailin.${domain}
744 ''} $out/.well-known/mta-sts.txt 770 ''} $out/.well-known/mta-sts.txt
745 ''; 771 '';
746 }; 772 };
747 }; 773 }) ["bouncy.email" "kleen.consulting"]);
748 };
749 }; 774 };
750 775
751 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ 776 systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
@@ -755,6 +780,9 @@ in {
755 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" 780 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
756 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" 781 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
757 "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" 782 "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
783 "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem"
784 "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem"
785 "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem"
758 ]; 786 ];
759 787
760 systemd.services.spm = { 788 systemd.services.spm = {
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-25 23:54:35 +0000