2025-06-18 19:53:44 +03:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}@nixos-args:
|
2023-11-10 07:10:06 +04:00
|
|
|
let
|
2023-11-16 04:00:11 +04:00
|
|
|
sp = config.selfprivacy;
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-01-25 01:08:41 +04:00
|
|
|
inherit (import ./common.nix { inherit config pkgs; })
|
2024-12-26 18:27:25 +04:00
|
|
|
auth-passthru
|
2025-01-31 14:31:09 +04:00
|
|
|
group
|
2024-12-26 18:27:25 +04:00
|
|
|
is-auth-enabled
|
|
|
|
|
;
|
2025-03-29 03:53:09 +04:00
|
|
|
mailserver-service-account = {
|
|
|
|
|
mailserver-service-account-name = "sp.mailserver.service-account";
|
|
|
|
|
mailserver-service-account-token-name = "mailserver-service-account-token";
|
2025-06-18 19:53:44 +03:00
|
|
|
mailserver-service-account-token-fp = "/run/keys/${group}/kanidm-service-account-token"; # FIXME sync with auth module
|
2025-03-29 03:53:09 +04:00
|
|
|
};
|
2025-09-13 15:44:04 +03:00
|
|
|
|
|
|
|
|
modulesConfig = builtins.mapAttrs (
|
|
|
|
|
_: value: {
|
|
|
|
|
inherit (value) hashedPasswordFile sendOnly;
|
|
|
|
|
}
|
2025-09-13 16:36:41 +03:00
|
|
|
) sp.email;
|
2025-09-16 19:08:15 +03:00
|
|
|
extraDomains = lib.mapAttrsToList (_: value: "${value.subdomain}.${sp.domain}") sp.email;
|
2025-09-13 16:36:41 +03:00
|
|
|
extraTargets = lib.mapAttrsToList (_: value: value.systemdTargets) sp.email;
|
2023-11-10 07:10:06 +04:00
|
|
|
in
|
2025-06-18 19:53:44 +03:00
|
|
|
lib.mkIf sp.modules.simple-nixos-mailserver.enable (
|
|
|
|
|
lib.mkMerge [
|
|
|
|
|
{
|
|
|
|
|
assertions = [
|
|
|
|
|
{
|
|
|
|
|
assertion =
|
|
|
|
|
config.selfprivacy.modules.simple-nixos-mailserver.enableSso -> config.selfprivacy.sso.enable;
|
|
|
|
|
message = "SSO cannot be enabled for Mailserver when SSO is disabled globally.";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
fileSystems = lib.mkIf sp.useBinds {
|
2025-01-25 01:08:41 +04:00
|
|
|
"/var/vmail" = {
|
2025-06-18 19:53:44 +03:00
|
|
|
device = "/volumes/${sp.modules.simple-nixos-mailserver.location}/vmail";
|
2025-01-25 01:08:41 +04:00
|
|
|
options = [
|
|
|
|
|
"bind"
|
|
|
|
|
"x-systemd.required-by=postfix.service"
|
|
|
|
|
"x-systemd.before=postfix.service"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
"/var/sieve" = {
|
2025-06-18 19:53:44 +03:00
|
|
|
device = "/volumes/${sp.modules.simple-nixos-mailserver.location}/sieve";
|
2025-01-25 01:08:41 +04:00
|
|
|
options = [
|
|
|
|
|
"bind"
|
|
|
|
|
"x-systemd.required-by=dovecot2.service"
|
|
|
|
|
"x-systemd.before=dovecot2.service"
|
|
|
|
|
];
|
|
|
|
|
};
|
2023-12-12 08:25:06 +04:00
|
|
|
};
|
2025-01-25 01:08:41 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
users.users = {
|
|
|
|
|
virtualMail = {
|
|
|
|
|
isNormalUser = false;
|
|
|
|
|
};
|
2023-11-10 07:10:06 +04:00
|
|
|
};
|
|
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
users.groups.acmereceivers.members = [
|
|
|
|
|
"dovecot2"
|
|
|
|
|
"postfix"
|
|
|
|
|
"virtualMail"
|
|
|
|
|
];
|
2025-01-25 01:08:41 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
mailserver = {
|
|
|
|
|
enable = true;
|
|
|
|
|
fqdn = sp.domain;
|
2025-09-13 15:44:04 +03:00
|
|
|
domains = [ sp.domain ] ++ extraDomains;
|
2025-06-18 19:53:44 +03:00
|
|
|
localDnsResolver = false;
|
2025-01-25 01:08:41 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# A list of all login accounts. To create the password hashes, use
|
|
|
|
|
# mkpasswd -m sha-512 "super secret password"
|
|
|
|
|
loginAccounts = (
|
|
|
|
|
{
|
|
|
|
|
"${sp.username}@${sp.domain}" = {
|
|
|
|
|
hashedPassword = sp.hashedMasterPassword;
|
|
|
|
|
sieveScript = ''
|
|
|
|
|
require ["fileinto", "mailbox"];
|
|
|
|
|
if header :contains "Chat-Version" "1.0"
|
|
|
|
|
{
|
|
|
|
|
fileinto :create "DeltaChat";
|
|
|
|
|
stop;
|
|
|
|
|
}
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
// builtins.listToAttrs (
|
|
|
|
|
builtins.map (user: {
|
|
|
|
|
name = "${user.username}@${sp.domain}";
|
|
|
|
|
value = {
|
|
|
|
|
hashedPassword = user.hashedPassword;
|
|
|
|
|
sieveScript = ''
|
|
|
|
|
require ["fileinto", "mailbox"];
|
|
|
|
|
if header :contains "Chat-Version" "1.0"
|
|
|
|
|
{
|
|
|
|
|
fileinto :create "DeltaChat";
|
|
|
|
|
stop;
|
|
|
|
|
}
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}) sp.users
|
|
|
|
|
)
|
2025-09-13 15:44:04 +03:00
|
|
|
// modulesConfig
|
2025-06-18 19:53:44 +03:00
|
|
|
);
|
2025-01-25 01:08:41 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
extraVirtualAliases = {
|
|
|
|
|
"admin@${sp.domain}" = "${sp.username}@${sp.domain}";
|
|
|
|
|
};
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
certificateScheme = "manual";
|
|
|
|
|
certificateFile = "/var/lib/acme/root-${sp.domain}/fullchain.pem";
|
|
|
|
|
keyFile = "/var/lib/acme/root-${sp.domain}/key.pem";
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# Enable IMAP and POP3
|
|
|
|
|
enableImap = true;
|
|
|
|
|
enableImapSsl = true;
|
|
|
|
|
enablePop3 = false;
|
|
|
|
|
enablePop3Ssl = false;
|
|
|
|
|
dkimSelector = "selector";
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# Enable the ManageSieve protocol
|
|
|
|
|
enableManageSieve = true;
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
virusScanning = false;
|
2024-12-26 18:27:25 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
mailDirectory = "/var/vmail";
|
2025-01-25 01:08:41 +04:00
|
|
|
};
|
2025-06-18 19:53:44 +03:00
|
|
|
|
|
|
|
|
systemd = {
|
|
|
|
|
services = {
|
|
|
|
|
dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
|
|
|
|
postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
|
|
|
|
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
|
|
|
|
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
2025-09-13 15:44:04 +03:00
|
|
|
|
|
|
|
|
dovecot.wants = extraTargets;
|
|
|
|
|
dovecot2.wants = extraTargets;
|
2025-06-18 19:53:44 +03:00
|
|
|
};
|
|
|
|
|
slices."simple_nixos_mailserver" = {
|
|
|
|
|
name = "simple_nixos_mailserver.slice";
|
|
|
|
|
description = "Simple NixOS Mailserver service slice";
|
|
|
|
|
};
|
2025-01-25 01:08:41 +04:00
|
|
|
};
|
2025-06-18 19:53:44 +03:00
|
|
|
}
|
|
|
|
|
# the following parts are active only when "auth" module is enabled
|
|
|
|
|
(lib.mkIf is-auth-enabled {
|
|
|
|
|
mailserver = {
|
|
|
|
|
extraVirtualAliases = lib.mkForce { };
|
2025-09-13 15:44:04 +03:00
|
|
|
loginAccounts = lib.mkForce modulesConfig;
|
2025-06-18 19:53:44 +03:00
|
|
|
# LDAP is needed for Postfix to query Kanidm about email address ownership.
|
|
|
|
|
# LDAP is needed for Dovecot also.
|
|
|
|
|
ldap = {
|
|
|
|
|
# false; otherwise, simple-nixos-mailserver enables auth via LDAP
|
|
|
|
|
enable = false;
|
2025-02-03 02:03:20 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
|
|
|
|
|
bind.dn = "dn=token";
|
|
|
|
|
# TODO change in this file should trigger system restart dovecot
|
|
|
|
|
bind.passwordFile = mailserver-service-account.mailserver-service-account-token-fp;
|
2025-02-03 02:03:20 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# searchBase = "ou=persons," + ldap_base_dn;
|
|
|
|
|
searchBase = auth-passthru.ldap-base-dn; # TODO refine this
|
2025-02-03 02:03:20 +04:00
|
|
|
|
2025-06-18 19:53:44 +03:00
|
|
|
# NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS)
|
|
|
|
|
uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
|
|
|
|
|
};
|
2025-01-25 01:08:41 +04:00
|
|
|
};
|
2025-06-18 19:53:44 +03:00
|
|
|
})
|
|
|
|
|
(lib.mkIf is-auth-enabled (import ./auth-dovecot.nix mailserver-service-account nixos-args))
|
|
|
|
|
(lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args))
|
|
|
|
|
]
|
|
|
|
|
)
|
