diff --git a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
index 4b97545..10dbb3d 100644
--- a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
@@ -62,7 +62,7 @@ let
 '';
 };
 in
-lib.mkIf is-auth-enabled {
+{
 mailserver.ldap = {
 # note: in `ldapsearch` first comes filter, then attributes
 dovecot.userAttrs = "+"; # all operational attributes
diff --git a/sp-modules/simple-nixos-mailserver/auth-postfix.nix b/sp-modules/simple-nixos-mailserver/auth-postfix.nix
index ca6ca68..38b141c 100644
--- a/sp-modules/simple-nixos-mailserver/auth-postfix.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-postfix.nix
@@ -51,7 +51,7 @@ let
 destination = ldapVirtualMailboxMapFile;
 };
 in
-lib.mkIf is-auth-enabled {
+{
 mailserver.ldap = {
 postfix.mailAttribute = "mail";
 postfix.uidAttribute = "uid";
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index 2d830c0..6868666 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -1,8 +1,8 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }@nixos-args:
 let
 sp = config.selfprivacy;
- inherit (import ./common.nix {inherit config pkgs;})
+ inherit (import ./common.nix { inherit config pkgs; })
 auth-passthru
 domain
 is-auth-enabled
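Review bot: Dropping `lib.mkIf is-auth-enabled` at the top of the returned attrset leaves auth-dovecot.nix with no guard of its own, so its `mailserver.ldap.dovecot.*` settings apply whenever this file is evaluated as a module; the conditional now exists only in whichever caller imports it. That contract is invisible from inside the file, so a header comment should record it, e.g. `# Not a standalone NixOS module: consumed by config.nix as a function and wrapped there in lib.mkIf is-auth-enabled; do not list it in imports`. The enclosing `let … in` starts outside this hunk; if `is-auth-enabled` is still bound there it now appears unused in this file and can be dropped from the inherit list.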
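Review bot: With `lib.mkIf is-auth-enabled` replaced by a bare `{`, `mailserver.ldap.postfix.mailAttribute` and `uidAttribute` are now set unconditionally by auth-postfix.nix, and only the caller's wrapping `mkIf` keeps the LDAP-backed Postfix lookups off when external auth is disabled. Someone re-adding `./auth-postfix.nix` to a module `imports` list would silently enable those lookups, so state the intended use at the top of the file: `# Not self-guarding: only evaluated via (import ./auth-postfix.nix nixos-args) under lib.mkIf is-auth-enabled in config.nix`. The `let … in` that precedes the returned set begins outside this hunk; if it still inherits `is-auth-enabled`, that binding is now unused here.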
@@ -67,63 +67,49 @@ let fi ''; in -lib.mkIf sp.modules.simple-nixos-mailserver.enable -{ - fileSystems = lib.mkIf sp.useBinds - { - "/var/vmail" = { - device = - "/volumes/${sp.modules.simple-nixos-mailserver.location}/vmail"; - options = [ - "bind" - "x-systemd.required-by=postfix.service" - "x-systemd.before=postfix.service" - ]; +lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [ + { + fileSystems = lib.mkIf sp.useBinds + { + "/var/vmail" = { + device = + "/volumes/${sp.modules.simple-nixos-mailserver.location}/vmail"; + options = [ + "bind" + "x-systemd.required-by=postfix.service" + "x-systemd.before=postfix.service" + ]; + }; + "/var/sieve" = { + device = + "/volumes/${sp.modules.simple-nixos-mailserver.location}/sieve"; + options = [ + "bind" + "x-systemd.required-by=dovecot2.service" + "x-systemd.before=dovecot2.service" + ]; + }; }; - "/var/sieve" = { - device = - "/volumes/${sp.modules.simple-nixos-mailserver.location}/sieve"; - options = [ - "bind" - "x-systemd.required-by=dovecot2.service" - "x-systemd.before=dovecot2.service" - ]; + + users.users = { + virtualMail = { + isNormalUser = false; }; }; - users.users = { - virtualMail = { - isNormalUser = false; - }; - }; + users.groups.acmereceivers.members = [ "dovecot2" "postfix" "virtualMail" ]; - users.groups.acmereceivers.members = [ "dovecot2" "postfix" "virtualMail" ]; + mailserver = { + enable = true; + fqdn = sp.domain; + domains = [ sp.domain ]; + localDnsResolver = false; - mailserver = { - enable = true; - fqdn = sp.domain; - domains = [ sp.domain ]; - localDnsResolver = false; - - # A list of all login accounts. 
To create the password hashes, use - # mkpasswd -m sha-512 "super secret password" - loginAccounts = lib.mkIf (!is-auth-enabled) ({ - "${sp.username}@${sp.domain}" = { - hashedPassword = sp.hashedMasterPassword; - sieveScript = '' - require ["fileinto", "mailbox"]; - if header :contains "Chat-Version" "1.0" - { - fileinto :create "DeltaChat"; - stop; - } - ''; - }; - } // builtins.listToAttrs (builtins.map - (user: { - name = "${user.username}@${sp.domain}"; - value = { - hashedPassword = user.hashedPassword; + # A list of all login accounts. To create the password hashes, use + # mkpasswd -m sha-512 "super secret password" + loginAccounts = ({ + "${sp.username}@${sp.domain}" = { + hashedPassword = sp.hashedMasterPassword; sieveScript = '' require ["fileinto", "mailbox"]; if header :contains "Chat-Version" "1.0" 
@@ -133,70 +119,95 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable } ''; }; - }) - sp.users)); + } // builtins.listToAttrs (builtins.map + (user: { + name = "${user.username}@${sp.domain}"; + value = { + hashedPassword = user.hashedPassword; + sieveScript = '' + require ["fileinto", "mailbox"]; + if header :contains "Chat-Version" "1.0" + { + fileinto :create "DeltaChat"; + stop; + } + ''; + }; + }) + sp.users)); - extraVirtualAliases = lib.mkIf (!is-auth-enabled) { - "admin@${sp.domain}" = "${sp.username}@${sp.domain}"; + extraVirtualAliases = { + "admin@${sp.domain}" = "${sp.username}@${sp.domain}"; + }; + + certificateScheme = "manual"; + certificateFile = "/var/lib/acme/root-${sp.domain}/fullchain.pem"; + keyFile = "/var/lib/acme/root-${sp.domain}/key.pem"; + + # Enable IMAP and POP3 + enableImap = true; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = false; + dkimSelector = "selector"; + + # Enable the ManageSieve protocol + enableManageSieve = true; + + virusScanning = false; + + mailDirectory = "/var/vmail"; }; - certificateScheme = "manual"; - certificateFile = "/var/lib/acme/root-${sp.domain}/fullchain.pem"; - keyFile = "/var/lib/acme/root-${sp.domain}/key.pem"; - - # Enable IMAP and POP3 - enableImap = true; - enableImapSsl = true; - enablePop3 = false; - enablePop3Ssl = false; - dkimSelector = "selector"; - - # Enable the ManageSieve protocol - enableManageSieve = true; - - virusScanning = false; - - mailDirectory = "/var/vmail"; - - # LDAP is needed for Postfix to query Kanidm about email address ownership. - # LDAP is needed for Dovecot also. 
- ldap = lib.mkIf is-auth-enabled { - # false; otherwise, simple-nixos-mailserver enables auth via LDAP - enable = false; - - # bind.dn = "uid=mail,ou=persons," + ldap_base_dn; - bind.dn = "dn=token"; - # TODO change in this file should trigger system restart dovecot - bind.passwordFile = mailserver-service-account-token-fp; - - # searchBase = "ou=persons," + ldap_base_dn; - searchBase = auth-passthru.ldap-base-dn; # TODO refine this - - # NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS) - uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ]; + systemd = { + services = { + dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + }; + slices."simple_nixos_mailserver" = { + name = "simple_nixos_mailserver.slice"; + description = "Simple NixOS Mailserver service slice"; + }; }; - }; + } + # the following part is active only when "auth" module is enabled + (lib.attrsets.optionalAttrs + (options.selfprivacy.modules ? "auth") + (lib.mkIf is-auth-enabled { + mailserver = { + extraVirtualAliases = lib.mkForce { }; + loginAccounts = lib.mkForce { }; + # LDAP is needed for Postfix to query Kanidm about email address ownership. + # LDAP is needed for Dovecot also. 
+ ldap = { + # false; otherwise, simple-nixos-mailserver enables auth via LDAP + enable = false; - systemd = { - services = { - dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice"; - postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice"; - rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; - redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice"; - opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice"; + # bind.dn = "uid=mail,ou=persons," + ldap_base_dn; + bind.dn = "dn=token"; + # TODO change in this file should trigger system restart dovecot + bind.passwordFile = mailserver-service-account-token-fp; + + # searchBase = "ou=persons," + ldap_base_dn; + searchBase = auth-passthru.ldap-base-dn; # TODO refine this + + # NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS) + uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ]; + }; + }; # FIXME set auth module option instead - kanidm.serviceConfig.ExecStartPost = - lib.mkIf is-auth-enabled - (lib.mkAfter - [ - ("+" + kanidmExecStartPostScriptRoot) - kanidmExecStartPostScript - ] - ); - }; - slices."simple_nixos_mailserver" = { - name = "simple_nixos_mailserver.slice"; - description = "Simple NixOS Mailserver service slice"; - }; - }; -} + systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [ + ("+" + kanidmExecStartPostScriptRoot) + kanidmExecStartPostScript + ]; + })) + (lib.attrsets.optionalAttrs + (options.selfprivacy.modules ? "auth") + (lib.mkIf is-auth-enabled (import ./auth-dovecot.nix nixos-args))) + (lib.attrsets.optionalAttrs + (options.selfprivacy.modules ? "auth") + (lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args))) +]) diff --git a/sp-modules/simple-nixos-mailserver/flake.nix b/sp-modules/simple-nixos-mailserver/flake.nix index 333e097..abff9aa 100644 --- a/sp-modules/simple-nixos-mailserver/flake.nix +++ b/sp-modules/simple-nixos-mailserver/flake.nix 
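Review bot: The guard `options.selfprivacy.modules ? "auth"` is spelled out three times in the tail of the `mkMerge` list (after the systemd slice block), each entry re-wrapping its own `lib.mkIf is-auth-enabled`; binding the combined condition once as `auth-active = (options.selfprivacy.modules ? "auth") && is-auth-enabled;` in the file's `let` (which starts outside this hunk) lets the three entries collapse into one guarded merge, as sketched below. Nix's `&&` and the module system's `mkIf` both leave their second operand/content unevaluated when the condition is false, so `is-auth-enabled` should still never be forced when the auth option is absent — worth confirming against how common.nix defines it. Separately, `("+" + kanidmExecStartPostScriptRoot)` in the kanidm `ExecStartPost` runs that script with full root privileges outside the unit's sandbox; the retained `# FIXME set auth module option instead` should also say what in the script needs root, so the privilege boundary is reviewable the next time this is touched.
```nix
  # the following part is active only when "auth" module is enabled
  (lib.mkIf auth-active (lib.mkMerge [
    {
      mailserver = {
        extraVirtualAliases = lib.mkForce { };
        loginAccounts = lib.mkForce { };
        # … unchanged: ldap block …
      };
      # FIXME set auth module option instead
      systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
        ("+" + kanidmExecStartPostScriptRoot)
        kanidmExecStartPostScript
      ];
    }
    (import ./auth-dovecot.nix nixos-args)
    (import ./auth-postfix.nix nixos-args)
  ]))
```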
@@ -10,8 +10,6 @@
 mailserver.nixosModules.default
 ./options.nix
 ./config.nix
- ./auth-postfix.nix
- ./auth-dovecot.nix
 ];
 };
 configPathsNeeded =