commit eb8d2fc447e3ce5d93e3dc3635bfc9a9078acddc
parent 2869ecd7e05a0397dac728b79a1f27969c54f734
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 14 Nov 2022 13:08:09 +0100
parent 2869ecd7e05a0397dac728b79a1f27969c54f734
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 14 Nov 2022 13:08:09 +0100
machines/osterei: use SNM instead of maddy for mail
9 files changed, 273 insertions(+), 22 deletions(-)
A
|
129
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/flake.lock b/flake.lock @@ -21,6 +21,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -226,6 +242,21 @@ "type": "github" } }, + "nixpkgs-22_05": { + "locked": { + "lastModified": 1654936503, + "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dab6df51387c3878cdea09f43589a15729cae9f4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.05", + "type": "indirect" + } + }, "nixpkgsUnstable": { "locked": { "lastModified": 1668086072, @@ -252,7 +283,32 @@ "local-secrets": "local-secrets", "nix-std": "nix-std", "nixpkgs": "nixpkgs", - "nixpkgsUnstable": "nixpkgsUnstable" + "nixpkgsUnstable": "nixpkgsUnstable", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_05": "nixpkgs-22_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1655930346, + "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-22.05", + "repo": "nixos-mailserver", + "type": "gitlab" } }, "stable": { 
@@ -270,6 +326,21 @@ "repo": "nixpkgs", "type": "github" } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix @@ -1,42 +1,51 @@ { + description = "A flake for building Hello World"; inputs = { nixpkgs = { - type = "github"; + type = "github"; owner = "NixOS"; - repo = "nixpkgs"; - ref = "nixos-22.05"; + repo = "nixpkgs"; + ref = "nixos-22.05"; }; nixpkgsUnstable = { - type = "github"; + type = "github"; owner = "NixOS"; - repo = "nixpkgs"; - ref = "nixpkgs-unstable"; + repo = "nixpkgs"; + ref = "nixpkgs-unstable"; }; home-manager = { - type = "github"; + type = "github"; owner = "nix-community"; - repo = "home-manager"; - ref = "release-22.05"; + repo = "home-manager"; + ref = "release-22.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + simple-nixos-mailserver = { + type = "gitlab"; + owner = "simple-nixos-mailserver"; + repo = "nixos-mailserver"; + ref = "nixos-22.05"; inputs.nixpkgs.follows = "nixpkgs"; }; darwin = { - type = "github"; + type = "github"; owner = "lnl7"; - repo = "nix-darwin"; - ref = "master"; + repo = "nix-darwin"; + ref = "master"; inputs.nixpkgs.follows = "nixpkgs"; }; nix-std = { - type = "github"; + type = "github"; owner = "chessai"; - repo = "nix-std"; - ref = "master"; + repo = "nix-std"; + ref = "master"; }; dns = { @@ -55,10 +64,10 @@ }; colmena = { - type = "github"; + type = "github"; owner = "zhaofengli"; - repo = "colmena"; - ref = "main"; + repo = "colmena"; + ref = "main"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -68,6 +77,7 @@ outputs = inputs: { darwinConfigurations = { + blechkasten = inputs.darwin.lib.darwinSystem rec { system = "aarch64-darwin"; specialArgs = { @@ -76,6 +86,7 @@ }; modules = [ ./machines/blechkasten/darwin-configuration.nix ]; }; + blechbuechse = inputs.darwin.lib.darwinSystem rec { system = "aarch64-darwin"; specialArgs = { @@ -84,6 +95,7 @@ }; modules = [ ./machines/blechbuechse/darwin-configuration.nix ]; }; + }; colmena = import ./hive.nix inputs;
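Review bot: `description = "A flake for building Hello World";` is a template placeholder being added to the deployment flake that now also wires in a mail server; replace it with something that describes the repository, e.g. `description = "NixOS and nix-darwin machine configurations";`. The new `simple-nixos-mailserver` input correctly follows the root `nixpkgs`, but the lock shows its own `nixpkgs-22_05` and `utils` inputs pinned separately; adding `inputs.nixpkgs-22_05.follows = "nixpkgs";` keeps the host evaluating against a single nixpkgs revision (the extra input is, as far as I can tell, only used by the module's own tests, so this is hygiene rather than a correctness issue). The `inputs` attribute set continues outside the hunk.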
diff --git a/machines/osterei/configuration.nix b/machines/osterei/configuration.nix
@@ -25,7 +25,8 @@
 # communication
 ./matrix-synapse.nix
 ./pleroma
- ./maddy.nix
+ ./mail.nix
+# ./maddy.nix
 # websites
 ./websites
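Review bot: The commented-out `# ./maddy.nix` is dead configuration left beside its replacement; git history already preserves the old import, so drop the line rather than keep a disabled one (the matching `osterei/restic/maddy.age` entry in secrets.nix is likewise left behind by this commit). If maddy.nix is kept in the tree for a planned rollback, say so where the next reader will look, e.g. `# ./maddy.nix  # replaced by mail.nix; delete once the old maddy mailboxes are confirmed migrated into /var/vmail`. Nothing in the commit shows how existing mailbox data from maddy reaches the new Dovecot store, so that migration is worth verifying before the old module is removed. The imports list continues outside the hunk.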
diff --git a/machines/osterei/mail.nix b/machines/osterei/mail.nix 
@@ -0,0 +1,129 @@
+{ inputs, pkgs, config, ... }:
+
+{
+
+ imports = [
+ inputs.simple-nixos-mailserver.nixosModule
+ ];
+
+ age.secrets.restic-mail.file = ../../secrets/osterei/restic/mail.age;
+ age.secrets.mail-password-leah.file = ../../secrets/osterei/mail/password-leah-ctu.cx.age;
+ age.secrets.mail-password-zugnetwork.file = ../../secrets/osterei/mail/password-mail-zug.network.age;
+
+ dns.zones = with pkgs.dns.lib.combinators; let
+ TXT = [ "v=spf1 a mx ip4:185.232.70.80 +ip6:2a03:4000:4e:af1::1 ~all" ];
+ DMARC = "v=DMARC1; p=none";
+ MX = with mx; [ (mx 10 "osterei.ctu.cx.") ];
+ in {
+ "ctu.cx" = {
+ inherit MX TXT;
+
+ SRV = [
+ { proto = "tcp"; service = "imaps"; priority = 0; weight = 1; port = 993; target = "osterei.ctu.cx."; }
+ { proto = "tcp"; service = "imap"; priority = 0; weight = 1; port = 143; target = "osterei.ctu.cx."; }
+ { proto = "tcp"; service = "submission"; priority = 0; weight = 1; port = 587; target = "osterei.ctu.cx."; }
+ ];
+
+ subdomains = {
+ _dmarc.TXT = [ DMARC ];
+ "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKryfX99NkcU5Xe4AmG+kO/sfuYSXk5RqJhzxS4uMqERE8UszgEGdteXcD8pqON2MfDmA3G6cA+Oa+N4tIWdIYNwTISVXXMGdHvjFIsVUEW0turM104tXESELaPRntkCvDBk/yOgsBDRZQHSx5MdGwpzeRC8TLdCbalh3W0jp5PQIDAQA" ];
+ };
+ };
+
+ "ctucx.de" = {
+ inherit MX TXT;
+
+ subdomains = {
+ _dmarc.TXT = [ DMARC ];
+ "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5fu690bKYCZLPAFfQQK+nl+aAmtetaWBKCWzGj6pt7HjpFjystgtgnQ6+DZLFXWUp8GRfMEycySB5kQULtYtSMUmx0gQBnTTLsRj+e55/CYUllLV6YXb5uca7LuVhlWPpH3sCr6TvC2VFWe4t0UC3uIXhYPrCm6p8OE7g+TdHHwIDAQAB" ];
+ };
+ };
+
+ "thein.ovh" = {
+ inherit MX TXT;
+
+ subdomains = {
+ _dmarc.TXT = [ DMARC ];
+ "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8oumqNkHboF/S4dnKue+hEC3V226ToMmL/fmXqbAhsW88m+jUuLgZE8Nl7kc/lzD9yY7JmCXcWFzoLJWE8xusfmT1yMOW9sQmee7g0tHsm1fVqFMUetmC4+QuqAdvjIGU5QndjdWHP/gssIoLPT7lCNUL4/lkaPmFiiDyvaMpkQIDAQAB" ];
+ };
+ };
+
+ "zug.network" = {
+ inherit MX TXT;
+
+ subdomains = {
+ _dmarc.TXT = [ DMARC ];
+ "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl+VU9Bx/MAxyiYttChdXIlvEMUT5jY4k7n/g5d2ISHBqsH6is8fttOZlBv+N8vEQ1pD+DKNdFKqb2ZXfXPwln4rL5FbzN6O0BRXuATxRpI5WA1Fi3N+us17I8b0YaGK+Se5eQKcqpxZ6x8Ao2f7cRCW7xa6aqGtyDwexsmuw+4QIDAQAB" ];
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${config.networking.fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = config.networking.fqdn;
+
+ openFirewall = true;
+ localDnsResolver = false;
+ virusScanning = false;
+
+ certificateScheme = 1;
+ certificateFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/fullchain.pem";
+ keyFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/key.pem";
+
+ enableManageSieve = true;
+ enableSubmission = true;
+ enableSubmissionSsl = true;
+ enableImap = true;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = false;
+
+ sieveDirectory = "/var/lib/sieve";
+
+ domains = [
+ "ctu.cx"
+ "ctucx.de"
+ "thein.ovh"
+ "zug.network"
+ ];
+
+ forwards = {
+ "mail@zug.network" = "isabelle.kleinheuer@gmail.com";
+ };
+
+ loginAccounts = {
+ "leah@ctu.cx" = {
+ hashedPasswordFile = config.age.secrets.mail-password-leah.path;
+ aliases = [
+ "@ctu.cx"
+ "@ctucx.de"
+ "leah@thein.ovh"
+ "leon@thein.ovh"
+ ];
+ };
+
+ "mail@zug.network" = {
+ hashedPasswordFile = config.age.secrets.mail-password-zugnetwork.path;
+ };
+ };
+ };
+
+ restic-backups.mail = {
+ passwordFile = config.age.secrets.restic-mail.path;
+ paths = [
+ "/var/vmail"
+ "/var/lib/sieve"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+}
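Review bot: `certificateScheme = 1` hands Postfix and Dovecot the nginx ACME certificate, but nothing in this file reloads them when that certificate is renewed, so unless `reloadServices` is set elsewhere the mail daemons keep serving the old chain until restarted and will present an expired certificate some weeks after the first renewal; add `security.acme.certs."${config.networking.fqdn}".reloadServices = [ "postfix.service" "dovecot2.service" ];` next to the nginx vhost. The `mail._domainkey` record for ctu.cx ends in `PQIDAQA` while the other three keys end in `IDAQAB`, which looks like the final base64 character was lost — compare it with the generated public key before publishing, since a truncated `p=` makes every ctu.cx DKIM signature fail verification. The restic job backs up `/var/vmail` and `/var/lib/sieve` but not the DKIM signing keys (by default under `/var/dkim` with this module, as far as I can tell), so a host rebuild would silently invalidate the published `p=` records; add that directory to `paths`. `DMARC = "v=DMARC1; p=none"` without a `rua=` tag yields no reports at all, so a `rua=mailto:` address on one of the hosted domains is the minimum needed to ever move beyond `p=none`.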
diff --git a/modules/linux/email-notify.nix b/modules/linux/email-notify.nix
@@ -8,8 +8,9 @@
 age.secrets.password-leah-at-f2k1-de.file = ../../secrets/passwords/leah-at-f2k1-de.age;
 programs.msmtp = {
- enable = true;
- accounts = {
+ enable = true;
+ setSendmail = false;
+ accounts = {
 default = {
 auth = true;
 tls = true;
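Review bot: `setSendmail = false` lands in a shared module under modules/linux, so it removes msmtp's `sendmail` wrapper on every host that imports email-notify.nix, not only on osterei where Postfix from the new mail module now provides one. Any other machine whose cron jobs or units rely on `/run/wrappers/bin/sendmail` from msmtp will stop sending notifications without an evaluation error. Tie the switch to the actual conflict instead: `setSendmail = !config.services.postfix.enable;` keeps the wrapper on hosts without Postfix and yields it on osterei. If dropping the wrapper everywhere is the intent, a one-line comment stating that would spare the next reader the guess. The `programs.msmtp` block continues past the end of the hunk.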
diff --git a/secrets/osterei/mail/password-leah-ctu.cx.age b/secrets/osterei/mail/password-leah-ctu.cx.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 FO3OdOxS0r3BjdAbaW6bG9/PY2XnpMUJFykZ4EwRnEU +52gk0WMZ7kWiLNWe8cc5D05xmwIY3r8H6M7+fBxv7V0 +-> ssh-ed25519 YtLkIw CDq8sMvxkTQw1mL+LSit0qzM4mfcXiAByFwIFjY2YA4 +tW2j6Ndh+oMeKXeVVT6BMj52xI1qT+/lBph+yKFrScA +-> ':6:46c-grease 4tr\-3+( ?XW8 +Dk1wNczSfkEnyo+/ZkoS6Q13+rqc+4toHisQJio +--- cMuExgPkB0lVkq1NrV1e7TVEX8R8Fm0HJspvC9UqhJc +e +>q4Nzѹ`;O|ZDU}fZ2`G#{ `D=沙*(X>+}ww+ \ No newline at end of file
diff --git a/secrets/osterei/mail/password-mail-zug.network.age b/secrets/osterei/mail/password-mail-zug.network.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 jM6TcdXhxBQwwuCFoRbluBB3zpKF3eKcACCNzGogcgk +B5i51+0LZET7TMhCLV9ieBbmAplobRZo7rroXwGfnFc +-> ssh-ed25519 YtLkIw OUm9LIlbU2K5uh1EB2mT03qj8SA6XV0P9SuvKD3rsVg +cXsO9X06aOkJvEEhivG/3VrBRnuOu6hcPiKZ+0prGgQ +-> N-grease 83( Dzlt %Y%P4Nfr @x\9Q` +dicuHfdWYbh6DWWbZ4jKdEIRj18phFbhlJF5IhvwIMRy2Dtc0qTFrT0Y2+ApADKr +bw3dsKu9BDbvVbMBgU/DPE5EpgGQkG9Zd+roZvfUCxAVncZx7AEDqQyvDJdq +--- HHF5yKveFP0SkQhMnTtioGLsZH3OnqobqSFNGxGBUXE +0q?rILtw)CJO ;w~=g1h,|c<=;~2+-1״JQ|$< O7]0j+ \ No newline at end of file
diff --git a/secrets/osterei/restic/mail.age b/secrets/osterei/restic/mail.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 cCSDbJ7zu5HtOlzpRywyHXgwA4eiSU8xNe03E8PZGA8 +BIgMg2l0Q2Nu33DSQWjwNCG7z3yjzanykRnetTpKEQA +-> ssh-ed25519 YtLkIw zxiLHeUfKpYtJ87W0zTKpLVqPNDDkU0WxZa5HY42eDo +SZ0zRqtMlPoUTavjV1L22chFLpua4B9g0JcU0Z3Rdc8 +-> 3q_#-grease 7{nBL L:c($" LqM1l +Wj8i8sG2iXUyzZQ1+LT2bQNTRKljscxo7Vezs6zV5XnYBc8zqffzg2erM1bQ +--- 32iEWmy2KzWLbiBKYJgbVKCovbQTi4xEkPWoZE6Qp9c +w =3 +.Tz8!yx>r\ONov;'_QfFOޜl>+ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -74,10 +74,14 @@ in { "osterei/syncthing/key.age".publicKeys = [ leah osterei ]; "osterei/syncthing/cert.age".publicKeys = [ leah osterei ]; + "osterei/mail/password-leah-ctu.cx.age".publicKeys = [ leah osterei ]; + "osterei/mail/password-mail-zug.network.age".publicKeys = [ leah osterei ]; + "osterei/restic/gitolite.age".publicKeys = [ leah osterei ]; "osterei/restic/pleroma.age".publicKeys = [ leah osterei ]; "osterei/restic/matrix-synapse.age".publicKeys = [ leah osterei ]; "osterei/restic/maddy.age".publicKeys = [ leah osterei ]; + "osterei/restic/mail.age".publicKeys = [ leah osterei ]; "taurus/syncthing/key.age".publicKeys = [ leah taurus ];