Projekt

Allgemein

Profil

Herunterladen (13,2 KB)

Aufgabe #1613 » mail.nix

nek0, 18.05.2023 19:30

 
{config, pkgs, suffix, lib, ...}:
{
autoStart = false;
forwardPorts = [
{ hostPort = 25;
containerPort = 25;
protocol = "tcp";
}
{ hostPort = 587;
containerPort = 587;
protocol = "tcp";
}
{ hostPort = 143;
containerPort = 143;
protocol = "tcp";
}
{ hostPort = 4190;
containerPort = 4190;
protocol = "tcp";
}
];

hostAddress = "10.1.0.${suffix}";
hostAddress6 = "2a01:4f8:222:2b41:1::${suffix}";
localAddress = "10.0.0.${suffix}";
localAddress6 = "2a01:4f8:222:2b41::${suffix}";

privateNetwork = true;

timeoutStartSec = "5min";

config = {
boot.isContainer = true;

boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
};

system.stateVersion = "20.03";

networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
25 587 143
4190
80 443
];
allowedUDPPorts = [
];
};

users.users."mailowner" = {
createHome = false;
extraGroups = [];
group = "users";
home = "/vor/spool/mail";
isSystemUser = true;
openssh.authorizedKeys.keys = [
];
uid = 5000;
};

services = {
postfix = {
enable = true;
enableSmtp = true;
enableSubmission = true;
enableHeaderChecks = true;
domain = "nek0.eu";
hostname = "nek0.eu";
sslCert = "/var/lib/acme/mail.nek0.eu/fullchain.pem";
sslKey = "/var/lib/acme/mail.nek0.eu/key.pem";
networks = [
"127.0.0.1"
"88.198.20.152"
"10.0.0.0/8"
"[2a01:4f8:222:2b41::]/64"
];
virtual = ''
postmaster nek0
abuse nek0
root nek0
nek0 nek0
garbage nek0
amedeo.molnar@nek0.eu nek0
amedeo.molnar@nek0.de nek0
amedeo.molnar@nek0.dev nek0
amedeo.molnar@nek0.cat nek0
amedeo.molnar@nek0.space nek0

nek0@nek0.eu nek0
nek0@nek0.cat nek0
nek0@nek0.space nek0
nek0@nek0.dev nek0
nek0@nek0.de nek0
nek0@art.nek0.eu nek0
nek0@art.nek0.cat nek0
nek0@art.nek0.space nek0
nek0@art.nek0.dev nek0
nek0@art.nek0.de nek0
nek0@sleepalone.space nek0
nek0@alitheia-comic.eu nek0
nek0@xn--katzenpension-schrdinger-2oc.de nek0
nek0@chaoszone.cz nek0
'';
config = {
myorigin = "nek0.eu";
mydestination = [
"localhost"
];
mail_owner = "postfix";
smtp_use_tls = true;
smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
smtpd_tls_security_level = lib.mkForce "encrypt";
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_unauth_destination"
];
smtpd_sasl_auth_enable = true;
smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"
];
smtpd_tls_mandatory_ciphers = "high";
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
virtual_mailbox_domains = [
"nek0.eu"
"nek0.cat"
"nek0.space"
"nek0.dev"
"nek0.de"
"art.nek0.eu"
"art.nek0.cat"
"art.nek0.space"
"art.nek0.dev"
"art.nek0.de"
"sleepalone.space"
"alitheia-comic.eu"
"xn--katzenpension-schrdinger-2oc.de"
"chaoszone.cz"
"lynxworks.studio"
];
virtual_gid_maps = "static:5000";
virtual_uid_maps = "static:5000";
virtual_minimum_uid = "1000";
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
virtual_mailbox_base = "/var/spool/mail";
message_size_limit = "40960000";
};
};

dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
enablePop3 = false;
enablePAM = false;
enableQuota = true;
createMailUser = true;
mailLocation = "maildir:~/maildir";
mailboxes = {
Spam = {
auto = "create";
specialUse = "Junk";
};
Sent = {
auto = "create";
specialUse = "Sent";
};
Drafts = {
auto = "create";
specialUse = "Drafts";
};
Trash = {
auto = "create";
specialUse = "Trash";
};
};
modules = [
pkgs.dovecot_pigeonhole
];
quotaGlobalPerUser = "1G";
sslServerCert = "/var/lib/acme/mail.nek0.eu/fullchain.pem";
sslServerKey = "/var/lib/acme/mail.nek0.eu/key.pem";
protocols = [
"sieve"
];
mailPlugins = {
perProtocol = {
imap = {
enable = [
"imap_sieve"
];
};
lmtp = {
enable = [
"sieve"
];
};
};
};
extraConfig = ''
passdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/auth.d/passwd
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/auth.d/passwd
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service auth {
unix_listener /var/lib/postfix/auth {
group = postfix
mode = 0660
user = postfix
}
user = dovecot2
}

service managesieve-login {
}

service managesieve {
}

protocol sieve {
}

protocol lmtp {
postmaster_address = postmaster@nek0.eu
}

protocol imap {
mail_max_userip_connections = 100
}

plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
'';
};

fail2ban = {
enable = true;
ignoreIP = [
"10.0.0.0/8"
"2a01:4f8:222:2b41::/64"
];
jails = {
"postfix" = ''
enabled = true
'';
"dovecot-imap" = ''
enabled = true
port = imap,imaps
filter = dovecot-imap
#logpath = /var/log/dovecot.log
'';
};
};

nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."mail.nek0.eu" = {
serverAliases = [
"mail.nek0.cat"
"mail.nek0.space"
"mail.nek0.dev"
"mail.nek0.de"
"mail.sleepalone.space"
"mail.alitheia-comic.eu"
"mail.xn--katzenpension-schrdinger-2oc.de"
];
forceSSL = true;
enableACME = true;
http2 = true;
locations."/rspamd/" = {
proxyPass = "http://127.0.0.1:11334/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};

rspamd = {
enable = true;
user = "rspamd";
group = "rspamd";
postfix = {
enable = true;
config = {
non_smtpd_milters = [ "inet:127.0.0.1:11332" ];
smtpd_milters = [ "inet:127.0.0.1:11332" ];
milter_protocol = "6";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
milter_default_action = "accept";
};
};
workers = {
"normal" = {
enable = true;
type = "normal";
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "rspamd";
group = "rspamd";
}];
};
"controller" = {
enable = true;
count = 1;
type = "controller";
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:11334" ];
};
"rspamd_proxy" = {
enable = true;
type = "rspamd_proxy";
includes = [ "$CONFDIR/worker-proxy.inc" ];
extraConfig = ''
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
'';
};
};
locals = {
"options.inc" = {
enable = true;
text = ''
local_addrs = "127.0.0.0/8, ::1, 10.0.0.0/8, 2a01:4f8:222:2b41::/64";
dns {
nameserver = ["10.0.0.53:53:10"];
}
'';
};
"worker-normal.inc" = {
enable = true;
text = ''
bind_socket = "127.0.0.1:11333";
count = 2;
'';
};
"worker-controller.inc" = {
enable = true;
text = ''
# create with "rspamadm pw"
password = "<redacted>";
'';
};
"worker-proxy.inc" = {
enable = true;
text = ''
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
'';
};
"logging.inc" = {
enable = true;
text = ''
type = "file";
filename = "/var/lib/rspamd/rspamd.log";
level = "error";
debug_modules = [];
'';
};
"milter_headers.conf" = {
enable = true;
text = ''
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
'';
};
"classifier-bayes.conf" = {
enable = true;
text = ''
backend = "redis";
servers = "127.0.0.1:6378";
'';
};
};
};
redis.servers.rspamd = {
enable = true;
bind = "127.0.0.1";
port = 6378;
settings = {
supervised = "systemd";
maxmemory = "1GB";
maxmemory-policy = "volatile-lru";
};
};

restic.backups.mail-dump = {
paths = [
"/var/spool/mail/"
];
extraBackupArgs = [
];
repository = "rest:https://vault.nek0.eu:8080/yuggoth-mail-dump";
initialize = true;
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "10m";
Persistent = true;
};
user = "mailowner";
passwordFile = "/etc/restic/.dumppasswd";
};
};

security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
defaults.renewInterval = "*-01,03,05,07,09,11-01 00:00:00";
certs = {
"mail.nek0.eu" = {
email = "nek0@nek0.eu";
extraDomainNames = [
"mail.nek0.cat"
"mail.nek0.space"
"mail.nek0.dev"
"mail.nek0.de"
"mail.sleepalone.space"
"mail.alitheia-comic.eu"
"mail.xn--katzenpension-schrdinger-2oc.de"
];
postRun = "systemctl restart postfix.service dovecot2.service";
};
};
};

environment.etc = {
"dovecot/auth.d/passwd" = {
enable = true;
text = ''
# generate passwords with 'mkpasswd -m SHA-512'
<redacted>
'';
};

"fail2ban/filter.d/dovecot-imap.conf" = {
enable = true;
text = ''
[Definition]
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
ignoreregex =
'';
};

"restic/.dumppasswd" = {
enable = true;
text = ''
<redacted>
'';
};
};
};
}
    (1-1/1)