dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: mailserver

Browse source
This commit is contained in:
DACHXY 2025-08-14 12:27:49 +08:00
parent 0ebf0d7a29
commit b8a31b6264
28 changed files with 2446 additions and 1350 deletions
Download patch file Download diff file Expand all files Collapse all files

36
system/modules/actual.nix Normal file
View file

@ -0,0 +1,36 @@
{
fqdn ? null,
}:
{ config, ... }:
let
inherit (builtins) toString;
finalFqdn = if fqdn != null then fqdn else config.networking.fqdn;
in
{
services.actual = {
enable = true;
settings = {
port = 31000;
hostname = "127.0.0.1";
serverFiles = "/var/lib/actual/server-files";
userFiles = "/var/lib/actual/user-files";
loginMethod = "openid";
};
};
services.actual-budget-api = {
enable = true;
listenPort = 31001;
listenHost = "127.0.0.1";
serverURL = "https://${finalFqdn}";
};
services.nginx.virtualHosts."${finalFqdn}" = {
enableACME = true;
forceSSL = true;
locations."/api/".proxyPass =
"http://localhost:${toString config.services.actual-budget-api.listenPort}/";
locations."/".proxyPass = "http://localhost:${toString config.services.actual.settings.port}";
};
}

52
system/modules/certbot.nix
View file

@ -1,52 +0,0 @@
{
pkgs,
lib,
config,
...
}:
{
systemd.timers."certbot-renew" = {
enable = true;
description = "certbot renew";
timerConfig = {
Persistent = true;
OnCalendar = "*-*-* 16:30:00";
Unit = "certbot-renew.service";
};
wantedBy = [ "timers.target" ];
};
systemd.timers."certbot-nginx-reload" = lib.mkIf config.services.nginx.enable {
enable = true;
description = "certbot renew";
timerConfig = {
Persistent = true;
OnCalendar = "*-*-* 16:32:00";
Unit = "nginx-config-reload.service";
};
wantedBy = [ "timers.target" ];
};
systemd.services."certbot-renew" = {
enable = true;
after = (if config.services.nginx.enable then [ "nginx.service" ] else [ ]) ++ [
"network.target"
];
environment = {
"REQUESTS_CA_BUNDLE" = ../extra/ca.crt;
};
serviceConfig = {
ExecStart = ''${pkgs.certbot}/bin/certbot renew --no-random-sleep-on-renew --force-renewal'';
ExecStartPost = lib.mkIf config.services.nginx.enable "${pkgs.busybox}/bin/chown nginx:nginx -R /etc/letsencrypt";
};
};
systemd.services."nginx-config-reload" = lib.mkIf config.services.nginx.enable {
after = [ "certbot-renew.service" ];
wantedBy = [ "certbot-renew.service" ];
serviceConfig = {
User = "root";
ExecStartPre = "${pkgs.busybox}/bin/chown -R nginx:nginx /etc/letsencrypt/";
};
};
}

100
system/modules/dns-server/default.nix Normal file
View file

@ -0,0 +1,100 @@
{
config,
lib,
...
}:
let
cfg = config.dns-server;
in
with lib;
{
options.dns-server = {
enable = mkEnableOption "PowerDNS server and PowerDNS Recursor";
openFirewall = mkOption {
type = types.bool;
default = true;
description = ''
Open 53 port in firewall
'';
};
webAdmin = {
enable = mkEnableOption "Enable PowerDNS Admin";
saltFile = mkOption {
type = types.path;
description = ''
Slat value for serialization, can be generated with `openssl rand -hex 16`
'';
};
apiSecretFile = mkOption {
type = types.path;
description = ''
The file content should be
```
YOUR_PASSWORD
```
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services = {
powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
webserver=yes
local-port=5359
'';
secretFile = config.sops.secrets.powerdns.path;
};
pdns-recursor = {
enable = true;
forwardZones = {
"net.dn" = "127.0.0.1:5359";
};
forwardZonesRecurse = {
"" = "8.8.8.8;8.8.4.4";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
"::1/128"
"fc00::/7"
"fe80::/10"
];
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
};
};
}

50
system/modules/grafana.nix Normal file
View file

@ -0,0 +1,50 @@
{
passFile,
smtpHost,
smtpDomain,
domain,
extraSettings ? { },
}:
{ config, ... }:
let
email = "grafana@${smtpDomain}";
in
{
services.grafana = {
enable = true;
settings = (
{
server = {
http_addr = "127.0.0.1";
http_port = 31003;
root_url = "https://${domain}";
domain = domain;
};
smtp = {
enabled = true;
user = "grafana";
password = "$__file{${passFile}}";
host = smtpHost;
from_address = email;
cert_file = config.security.pki.caBundle;
};
security = {
admin_email = email;
admin_password = "$__file{${passFile}}";
};
}
// extraSettings
);
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}

322
system/modules/mail-server.nix
View file

@ -1,322 +0,0 @@
{
fqdn ? null,
origin ? null,
destination ? null,
networks ? null,
rootAlias ? "root",
extraAliases ? "",
enableOpenldap ? true,
dovecotLdapSecretFile,
openldapAdmPassPath,
sslKeyPath,
sslCertPath,
}:
{
config,
lib,
pkgs,
...
}:
let
postfixFqdn = if fqdn != null then fqdn else config.networking.fqdn;
postfixOrigin = if origin != null then origin else postfixFqdn;
postfixDest =
if destination != null then
destination
else
[
"localhost"
"localhost.${postfixFqdn}"
];
postfixNet =
if networks != null then
networks
else
[
"127.0.0.0/8"
"[::1]/128"
];
postfixMailDir = "~/Maildir";
mailLocationPrefix = "/var/mail/vhosts";
mailLocation = "${mailLocationPrefix}/%d/%n/";
dcList = lib.strings.splitString "." postfixFqdn;
domain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
dovecotSecretPath = "/run/dovecot2-secret";
ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
ldap_version = 3
auth_bind_userdn = uid=%u,ou=mail,${domain}
auth_bind = yes
hosts = ${postfixFqdn}
dn = cn=admin,${domain}
base = ou=mail,${domain}
pass_filter = (&(objectClass=inetorgperson)(uid=%u))
user_filter = (&(objectClass=inetorgperson)(uid=%u))
'';
mailUser = "vmail";
in
with builtins;
{
environment.sessionVariables = {
MAILDIR = postfixMailDir;
};
networking.firewall.allowedTCPPorts = [
25 # SMTP
465 # SMTPS
587 # STARTTLS
80
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
];
users.groups.${mailUser} = {
gid = 5000;
};
users.users.${mailUser} = {
isSystemUser = true;
uid = 5000;
group = mailUser;
};
services.postfix = {
inherit rootAlias;
enable = lib.mkDefault true;
hostname = postfixFqdn;
origin = postfixOrigin;
destination = postfixDest;
networks = postfixNet;
sslKey = sslKeyPath;
sslCert = sslCertPath;
config = {
virtual_uid_maps = [
"static:${toString config.users.users.vmail.uid}"
];
virtual_gid_maps = [
"static:${toString config.users.groups.vmail.gid}"
];
virtual_mailbox_domains = [ postfixFqdn ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
tls_preempt_cipherlist = "yes";
smtpd_use_tls = "yes";
smtpd_tls_security_level = "may";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
home_mailbox = postfixMailDir;
};
postmasterAlias = "root";
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ extraAliases;
};
services.dovecot2 = {
enable = lib.mkDefault true;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
mailLocation = lib.mkDefault "maildir:${mailLocation}";
mailUser = mailUser;
mailGroup = mailUser;
sslServerKey = sslKeyPath;
sslServerCert = sslCertPath;
sslCACert = config.security.pki.caBundle;
extraConfig = ''
log_path = /var/log/dovecot.log
auth_debug = yes
mail_debug = yes
auth_mechanisms = plain login
ssl = yes
ssl_dh_parameters_length = 2048
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0600
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
passdb ldap {
driver = ldap
args = ${ldapSecretConf}
}
userdb {
driver = static
args = uid=${mailUser} gid=${mailUser} home=${mailLocation}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
'';
};
systemd.services.dovecot2 = {
serviceConfig = {
RuntimeDirectory = [ "dovecot2-secret" ];
RuntimeDirectoryMode = "0640";
ExecStartPre = [
''${pkgs.busybox.out}/bin/mkdir -p ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/chown -R ${mailUser}:${mailUser} ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/chmod 770 ${mailLocationPrefix}''
''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${dovecotLdapSecretFile} > ${ldapSecretConf}"''
];
};
};
services.openldap = lib.mkIf enableOpenldap {
enable = true;
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "${domain}";
olcRootDN = "cn=admin,${domain}";
olcRootPW.path = openldapAdmPassPath;
olcAccess = [
''
{0}to attrs=userPassword
by dn="cn=admin,${domain}" read
by self write
by anonymous auth
by * none
''
''
{1}to *
by * read
''
];
};
};
};
};
environment.etc."openldap/base.ldif" = {
mode = "0770";
user = config.services.openldap.user;
group = config.services.openldap.group;
text = ''
dn: ${domain}
objectClass: top
objectClass: domain
dc: ${elemAt dcList 0}
'';
};
systemd.services.openldap-init-base = {
wantedBy = [ "openldap.service" ];
requires = [ "openldap.service" ];
after = [ "openldap.service" ];
serviceConfig = {
User = config.services.openldap.user;
Group = config.services.openldap.group;
Type = "oneshot";
ExecStart =
let
dcScript = pkgs.writeShellScriptBin "openldap-init" ''
BASE_DN="${domain}"
LDIF_FILE="/etc/openldap/base.ldif"
ADMIN_DN="cn=admin,${domain}"
${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${openldapAdmPassPath} -W -f "$LDIF_FILE"
else
echo "Base DN $BASE_DN exists, skip"
fi
'';
in
"${dcScript}/bin/openldap-init";
};
};
virtualisation = {
docker = {
enable = lib.mkDefault true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
oci-containers = {
backend = "docker";
containers = {
lam = {
image = "ghcr.io/ldapaccountmanager/lam:9.2";
extraOptions = [ "--network=host" ];
autoStart = true;
environment = {
LDAP_DOMAIN = postfixFqdn;
LDAP_SERVER = "ldap://${postfixFqdn}";
LDAP_USERS_DN = "ou=mail,${domain}";
};
};
};
};
};
}

81
system/modules/mail-server/default.nix
View file

@ -7,6 +7,13 @@ with lib;
{
options.mail-server = {
enable = mkEnableOption "mail-server";
caFile = mkOption {
type = types.path;
default = config.security.pki.caBundle;
description = ''
Extra CA certification to trust;
'';
};
openFirewall = mkOption {
type = types.bool;
@ -26,6 +33,23 @@ with lib;
'';
};
rootAlias = mkOption {
type = with types; uniq str;
default = "";
description = "Root alias";
example = ''
<your username>
'';
};
virtual = mkOption {
type = lib.types.lines;
default = "";
description = ''
Entries for the virtual alias map, cf. man-page {manpage}`virtual(5)`.
'';
};
extraAliases = mkOption {
type = with types; str;
default = "";
@ -86,37 +110,44 @@ with lib;
description = "Postfix networks";
};
sslKey = mkOption {
type = with types; path;
description = "Path to the SSL key";
example = "/etc/ssl/private/key.pem";
};
sslCert = mkOption {
type = with types; path;
description = "Path to the SSL Certification";
example = "/etc/ssl/private/cert.pem";
};
dovecot = {
ldapFile = mkOption {
type = with types; path;
description = "Path to the dovecot openldap config file";
example = "/run/secrets/dovecot/ldap";
oauth = {
username = mkOption {
type = with types; uniq str;
default = "keycloak";
description = "Keycloak username";
};
};
openldap = {
passwordFile = mkOption {
type = with types; path;
description = "Path to the openldap admin password file";
example = "/run/secrets/openldap/passwd";
description = "Path to the keycloak password file";
example = "/run/secrets/keycloak/password";
};
};
ldap = {
passwordFile = mkOption {
type = with types; path;
description = "Path to the openldap password file";
example = "/run/secrets/ldap/password";
};
enableWebUI = mkOption {
type = types.bool;
default = false;
description = "Use docker to run Ldap Account Manager for using web ui.";
webEnv = mkOption {
type = with types; path;
description = "Path to phpLDAPadmin env file";
example = "/run/secrets/ldap/env";
};
};
rspamd = {
trainerSecret = mkOption {
type = with types; path;
description = "Path to rspamd trainer secret";
example = "/run/secrets/rspamd-trainer/secret";
};
port = mkOption {
type = with types; int;
default = 11334;
description = "Port for rspamd webUI";
};
};
};

749
system/modules/mail-server/server.nix
View file

@ -4,155 +4,452 @@
pkgs,
...
}:
with lib;
let
cfg = config.mail-server;
dcList = strings.splitString "." cfg.domain;
ldapDomain = strings.concatStringsSep "," (lists.forEach dcList (dc: "dc=" + dc));
dcList = lib.strings.splitString "." cfg.domain;
ldapDomain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
dovecotSecretPath = "/run/dovecot-secret";
authBaseConf = pkgs.writeText "dovecot-auth.conf.ext" ''
passdb ldap {
auth_username_format = %{user | lower}
ldap_bind = no
ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username}))
use_worker = no
dovecotSecretPath = "/run/dovecot2-secret";
ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
ldap_version = 3
auth_bind_userdn = uid=%u,ou=mail,${ldapDomain}
auth_bind = yes
hosts = ${cfg.domain}
dn = cn=admin,${ldapDomain}
base = ou=mail,${ldapDomain}
pass_filter = (&(objectClass=inetorgperson)(uid=%u))
user_filter = (&(objectClass=inetorgperson)(uid=%u))
fields {
user = %{ldap:mail}
password = %{ldap:userPassword}
}
}
ldap_auth_dn = cn=admin,${ldapDomain}
ldap_auth_dn_password = $LDAP_PASSWORD
ldap_uris = ldap://localhost
ldap_base = ${ldapDomain}
'';
ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
authConf = "${dovecotSecretPath}/dovecot-auth.conf.ext";
oauthConf = pkgs.writeText "dovecot-oauth.conf.ext" ''
oauth2 {
client_id = dovecot
client_secret = 1l9EyvmaDQBMUHXgPkH69RwNcm7gDFbB
introspection_mode = post
introspection_url = https://keycloak.net.dn/realms/master/protocol/openid-connect/token/introspect
username_attribute = email
}
'';
dovecotDomain = config.services.postfix.hostname;
in
with builtins;
with lib;
{
config = mkIf cfg.enable {
security.acme.certs = {
"${config.services.postfix.hostname}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
postRun = ''
systemctl restart postfix.service
systemctl restart dovecot.service
systemctl restart rspamd-trainer.service
'';
};
"${cfg.domain}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
};
};
# ===== opendkim ===== #
services.opendkim = {
enable = true;
domains = "csl:${cfg.domain}";
selector = "mail";
};
# ===== Postfix ===== #
environment.sessionVariables = {
MAILDIR = cfg.mailDir;
};
systemd.services.postfix = {
requires = [
"acme-finished-${config.services.postfix.hostname}.target"
];
serviceConfig.LoadCredential =
let
certDir = config.security.acme.certs."${config.services.postfix.hostname}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
services.postfix = {
enable = true;
hostname = cfg.domain;
hostname = "mail.${cfg.domain}";
origin = cfg.origin;
destination = cfg.destination;
networks = cfg.networks;
config = {
virtual_uid_maps = [
"static:${toString cfg.uid}"
];
virtual_gid_maps = [
"static:${toString cfg.gid}"
];
virtual_mailbox_domains = [ cfg.domain ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
tls_preempt_cipherlist = "yes";
smtpd_use_tls = "yes";
smtpd_tls_security_level = "may";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
virtual = cfg.virtual;
enableSubmissions = true;
relayPort = 465;
submissionOptions = {
milter_macro_daemon_name = "ORIGINATING";
smtpd_client_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject";
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
home_mailbox = cfg.mailDir;
smtpd_tls_security_level = "encrypt";
smtpd_tls_loglevel = "10";
};
config =
let
credsDir = "/run/credentials/postfix.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
virtual_uid_maps = [
"static:${toString cfg.uid}"
];
virtual_gid_maps = [
"static:${toString cfg.gid}"
];
virtual_mailbox_domains = [ cfg.domain ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
tls_random_source = "dev:/dev/urandom";
smtp_tls_security_level = "may";
smtp_tls_chain_files = [
keyDir
certDir
];
smtpd_tls_chain_files = [
keyDir
certDir
];
home_mailbox = cfg.mailDir;
}
// optionalAttrs config.services.opendkim.enable (
let
opendkimSocket = strings.removePrefix "local:" config.services.opendkim.socket;
in
{
smtpd_milters = [ "unix:${opendkimSocket}" ];
non_smtpd_milters = [ "unix:${opendkimSocket}" ];
milter_default_action = "accept";
}
);
rootAlias = cfg.rootAlias;
postmasterAlias = "root";
extraAliases =
''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ cfg.extraAliases;
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ cfg.extraAliases;
};
services.rspamd = {
enable = true;
postfix.enable = true;
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [
{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "${config.services.rspamd.user}";
group = "${config.services.rspamd.group}";
}
];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:${toString cfg.rspamd.port}" ];
extraConfig = ''
password=$2$w3asngzxwp3hoa67gimtrgmdxzmpq1n1$knfe5cyb1f769zro4rsi3j8ipc1p7ewh3u4cz63ngidmpjs8955y
'';
};
};
};
# ===== rspamd trainer ===== #
services.rspamd-trainer = {
enable = true;
settings = {
HOST = dovecotDomain;
USERNAME = "spam@${cfg.domain}";
INBOXPREFIX = "INBOX.";
};
secrets = [
cfg.rspamd.trainerSecret
];
};
systemd.services.rspamd-trainer = lib.mkIf config.services.rspamd-trainer.enable {
after = [
"postfix.service"
"dovecot.service"
"rspamd-trainer-pre.service"
];
requires = [ "rspamd-trainer-pre.service" ];
};
# ===== Create Mailbox for rspamd trainer ===== #
systemd.services.rspamd-trainer-pre = lib.mkIf config.services.rspamd-trainer.enable {
serviceConfig = {
ExecStart =
let
script = pkgs.writeShellScript "rspamd-trainer-pre.sh" ''
set -euo pipefail
username=${config.services.rspamd-trainer.settings.USERNAME}
domain="${cfg.domain}"
mailbox_list=("report_spam" "report_ham" "report_spam_reply")
for mailbox in ''\${mailbox_list[@]}; do
echo "Creating $mailbox..."
${pkgs.dovecot}/bin/doveadm mailbox create -u "$username@$domain" "INBOX.$mailbox" 2>/dev/null || true
done
'';
in
"${pkgs.bash}/bin/bash ${script}";
Type = "oneshot";
};
};
# ===== Dovecot ===== #
services.dovecot2 = {
enable = lib.mkDefault true;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
mailLocation = lib.mkDefault "maildir:${cfg.virtualMailDir}";
mailUser = "vmail";
mailGroup = "vmail";
sslServerKey = cfg.sslKey;
sslServerCert = cfg.sslCert;
sslCACert = config.security.pki.caBundle;
extraConfig = ''
log_path = /var/log/dovecot.log
auth_debug = yes
mail_debug = yes
auth_mechanisms = plain login
ssl = yes
ssl_dh_parameters_length = 2048
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0600
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
}
}
passdb ldap {
driver = ldap
args = ${ldapSecretConf}
}
userdb {
driver = static
args = uid=${toString cfg.uid} gid=${toString cfg.gid} home=${cfg.virtualMailDir}/%d/%n/
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
'';
};
systemd.services.dovecot2 = {
systemd.services.dovecot = {
requires = [ "acme-finished-${dovecotDomain}.target" ];
serviceConfig = {
RuntimeDirectory = [ "dovecot2-secret" ];
RuntimeDirectory = [ "dovecot-secret" ];
RuntimeDirectoryMode = "0640";
ExecStartPre = [
''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${cfg.dovecot.ldapFile} > ${ldapSecretConf}"''
''${pkgs.bash}/bin/bash -c "LDAP_PASSWORD=$(cat ${cfg.ldap.passwordFile}) ${pkgs.gettext.out}/bin/envsubst < ${authBaseConf} > ${authConf}"''
''${pkgs.busybox.out}/bin/chown ${config.services.dovecot.user}:${config.services.dovecot.group} ${authConf}''
''${pkgs.busybox.out}/bin/chmod 660 ${authConf}''
];
LoadCredential =
let
certDir = config.security.acme.certs."${dovecotDomain}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
};
services.dovecot =
let
credsDir = "/run/credentials/dovecot.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
enable = true;
enablePAM = false;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
enableHealthCheck = true;
mailLocation = lib.mkDefault "${cfg.mailDir}";
mailUser = "vmail";
mailGroup = "vmail";
sslServerKey = keyDir;
sslServerCert = certDir;
mailboxes = {
Junk = {
specialUse = "Junk";
auto = "subscribe";
};
Drafts = {
specialUse = "Drafts";
auto = "subscribe";
};
Archive = {
specialUse = "Archive";
auto = "subscribe";
};
Sent = {
specialUse = "Sent";
auto = "subscribe";
};
};
extraConfig = ''
# authentication debug logging
log_path = /dev/stderr
log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
auth_mechanisms = plain login oauthbearer
ssl = required
service auth {
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
service lmtp {
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
userdb static {
fields {
uid = ${toString cfg.uid}
gid = ${toString cfg.gid}
home = ${cfg.virtualMailDir}/%{user | domain}/%{user | username}
}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
!include ${authConf}
!include ${oauthConf}
'';
};
systemd.services.dovecot-healthcheck = mkIf config.services.dovecot.enableHealthCheck (
let
pythonServer =
pkgs.writeScript "dovecot-healthcheck"
# python
''
#!${pkgs.python3}/bin/python3
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
DOVECOT_HOST = '127.0.0.1'
DOVECOT_PORT = ${toString config.services.dovecot.healthCheckPort}
class HealthCheckHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path != '/ping':
self.send_response(404)
self.end_headers()
return
try:
with socket.create_connection((DOVECOT_HOST, DOVECOT_PORT), timeout=5) as sock:
sock.sendall(b"PING\n")
data = sock.recv(1024).strip()
except Exception as e:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Error connecting to healthcheck service")
return
if data == b"PONG":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"PONG")
else:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Unexpected response")
if __name__ == '__main__':
server = HTTPServer(('0.0.0.0', 5002), HealthCheckHandler)
print("HTTP healthcheck proxy running on port 5002")
server.serve_forever()
'';
in
{
requires = [ "dovecot.service" ];
wantedBy = [ "multi-user.target" ];
after = [ "dovecot.service" ];
serviceConfig = {
Type = "simple";
ExecStart = pythonServer;
};
}
);
# ===== Firewall ===== #
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
80 # HTTP
443 # HTTPS
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
389 # LDAP
];
services.postgresql = {
enable = true;
ensureDatabases = [ "keycloak" ];
ensureUsers = [
{
name = "keycloak";
ensureDBOwnership = true;
}
];
};
# ===== OAuth keycloak ===== #
services.keycloak = {
enable = true;
database = {
type = "postgresql";
host = "localhost";
name = "keycloak";
createLocally = false;
passwordFile = cfg.oauth.passwordFile;
};
settings = {
hostname = "keycloak.${cfg.domain}";
proxy-headers = "xforwarded";
http-port = 38080;
http-enabled = true;
health-enabled = true;
http-management-port = 38081;
truststore-paths = cfg.caFile;
};
};
# ==== LDAP ===== #
services.openldap = {
enable = true;
urlList = [ "ldap:///" ];
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
@ -163,91 +460,127 @@ with lib;
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "${ldapDomain}";
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcRootDN = "cn=admin,${ldapDomain}";
olcRootPW.path = cfg.openldap.passwordFile;
olcSuffix = ldapDomain;
olcAccess = [
''
{0}to attrs=userPassword
by dn="cn=admin,${ldapDomain}" read
by self write
by anonymous auth
by * none
''
''
{1}to *
by * read
''
];
olcRootDN = "cn=admin,${ldapDomain}";
olcRootPW.path = cfg.ldap.passwordFile;
olcAccess = [
''
{0}to attrs=userPassword
by dn.exact="cn=admin,${ldapDomain}" read
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by self write
by anonymous auth
by * none
''
''
{1}to *
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by * read
''
];
};
children = {
"olcOverlay={2}ppolicy".attrs = {
objectClass = [
"olcOverlayConfig"
"olcPPolicyConfig"
"top"
];
olcOverlay = "{2}ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcOverlay={3}memberof".attrs = {
objectClass = [
"olcOverlayConfig"
"olcMemberOf"
"top"
];
olcOverlay = "{3}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
"olcOverlay={4}refint".attrs = {
objectClass = [
"olcOverlayConfig"
"olcRefintConfig"
"top"
];
olcOverlay = "{4}refint";
olcRefintAttribute = "memberof member manager owner";
};
};
};
};
};
};
# Openldap auto create baseDN
environment.etc."openldap/base.ldif" = {
mode = "0770";
user = config.services.openldap.user;
group = config.services.openldap.group;
text = ''
dn: ${ldapDomain}
objectClass: top
objectClass: domain
dc: ${elemAt dcList 0}
'';
};
systemd.services.openldap-init-base = {
wantedBy = [ "openldap.service" ];
requires = [ "openldap.service" ];
after = [ "openldap.service" ];
serviceConfig = {
User = config.services.openldap.user;
Group = config.services.openldap.group;
Type = "oneshot";
ExecStart =
let
dcScript = pkgs.writeShellScriptBin "openldap-init" ''
BASE_DN="${ldapDomain}"
LDIF_FILE="/etc/openldap/base.ldif"
ADMIN_DN="cn=admin,${ldapDomain}"
${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${cfg.openldap.passwordFile} -W -f "$LDIF_FILE"
else
echo "Base DN $BASE_DN exists, skip"
fi
'';
in
"${dcScript}/bin/openldap-init";
# ==== postsrsd ==== #
services.postsrsd = {
enable = true;
configurePostfix = true;
secretsFile = config.sops.secrets."postsrsd/secret".path;
settings = {
srs-domain = cfg.domain;
domains = [ cfg.domain ];
};
};
# ===== Firewall ===== #
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
];
virtualisation = {
docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
oci-containers = {
backend = "docker";
containers = {
phpLDAPadmin = {
extraOptions = [ "--network=host" ];
image = "phpldapadmin/phpldapadmin";
volumes = [
"/var/lib/pla/logs:/app/storage/logs"
"/var/lib/pla/sessions:/app/storage/framework/sessions"
];
environment = {
APP_URL = "https://ldap.${cfg.domain}";
ASSET_URL = "https://ldap.${cfg.domain}";
APP_TIMEZONE = "Asia/Taipei";
LDAP_HOST = "127.0.0.1";
SERVER_NAME = ":8080";
LDAP_LOGIN_OBJECTCLASS = "inetOrgPerson";
LDAP_BASE_DN = "${ldapDomain}";
LDAP_LOGIN_ATTR = "dn";
LDAP_LOGIN_ATTR_DESC = "Username";
};
environmentFiles = [
cfg.ldap.webEnv
];
};
};
};
};
# ===== Virtual Mail User ===== #
users.groups.vmail = {
@ -259,28 +592,36 @@ with lib;
group = "vmail";
};
virtualisation = mkIf cfg.openldap.enableWebUI {
docker = {
enable = lib.mkDefault true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
services.nginx = {
enable = mkDefault true;
recommendedGzipSettings = mkDefault true;
recommendedOptimisation = mkDefault true;
recommendedTlsSettings = mkDefault true;
recommendedProxySettings = mkDefault true;
oci-containers = {
backend = "docker";
containers = {
lam = {
image = "ghcr.io/ldapaccountmanager/lam:9.2";
extraOptions = [ "--network=host" ];
autoStart = true;
environment = {
LDAP_DOMAIN = cfg.domain;
LDAP_SERVER = "ldap://${cfg.domain}";
LDAP_USERS_DN = "ou=mail,${ldapDomain}";
};
};
virtualHosts = {
"${config.services.postfix.hostname}" = {
enableACME = true;
forceSSL = true;
locations."/dovecot/ping".proxyPass = "http://localhost:${toString 5002}/ping";
};
"ldap.${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString 8080}/";
};
"rspamd.${cfg.domain}" = mkIf config.services.rspamd.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.rspamd.port}/";
};
"${config.services.keycloak.settings.hostname}" = mkIf config.services.keycloak.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-port}";
locations."/health".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-management-port}/health";
};
};
};

128
system/modules/nextcloud.nix
View file

@ -11,6 +11,14 @@
lib,
...
}:
let
nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
caBundle = config.security.pki.caBundle;
postPatch = ''
cp ${caBundle} resources/config/ca-bundle.crt
'';
});
in
{
imports = [
"${
@ -23,10 +31,6 @@
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
@ -40,7 +44,7 @@
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
package = nextcloudPkg;
configureRedis = true;
hostName = hostname;
https = if https then true else false;
@ -50,8 +54,6 @@
imagick
];
maxUploadSize = "10240M";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
contacts
@ -64,6 +66,12 @@
sha256 = "sha256-aiMUSJQVbr3xlJkqOaE3cNhdZu3CnPEIWTNVOoG4HSo=";
license = "agpl3Plus";
};
user_oidc = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v7.2.0/user_oidc-v7.2.0.tar.gz";
sha256 = "sha256-nXDWfRP9n9eH+JGg1a++kD5uLMsXh5BHAaTAOgLI9W4=";
license = "agpl3Plus";
};
};
extraAppsEnable = true;
@ -74,7 +82,8 @@
};
settings = {
log_type = "file";
allow_local_remote_servers = true;
log_type = "syslog";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
@ -89,12 +98,15 @@
"OC\\Preview\\HEIC"
"OC\\Preview\\SVG"
"OC\\Preview\\FONT"
"OC\\Preview\\Imaginary"
"OC\\Preview\\ImaginaryPDF"
];
};
};
services.nginx.virtualHosts.${hostname} = {
enableACME = true;
forceSSL = true;
};
environment.systemPackages = with pkgs; [
exiftool
];
@ -115,59 +127,57 @@
};
};
services = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
"nextcloud-backup" = {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" (
''
nextcloudPath="${config.services.nextcloud.datadir}"
services."nextcloud-backup" = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" (
''
nextcloudPath="${config.services.nextcloud.datadir}"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
''
+ (
if dataBackupPath != null then
''
backupPath="${dataBackupPath}"
nextcloudBakPath="$backupPath"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
''
+ (
if dataBackupPath != null then
''
backupPath="${dataBackupPath}"
nextcloudBakPath="$backupPath"
if [ ! -d "$backupPath" ]; then
echo "Backup device is not mounted: $backupPath"
exit 1
fi
if [ ! -d "$backupPath" ]; then
echo "Backup device is not mounted: $backupPath"
exit 1
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
''
else
""
)
+ (
if dbBackupPath != null then
''
nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
''
else
""
)
+ (
if dbBackupPath != null then
''
nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
''
else
""
)
);
in
"${script}/bin/backup";
};
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
''
else
""
)
);
in
"${script}/bin/backup";
};
};
};

10
system/modules/postgresql.nix Normal file
View file

@ -0,0 +1,10 @@
{ lib, ... }:
{
services.postgresql = {
enable = lib.mkDefault true;
authentication = ''
#type database DBuser origin-address auth-method
local all all trust
'';
};
}

53
system/modules/prometheus.nix Normal file
View file

@ -0,0 +1,53 @@
{
fqdn,
selfMonitor ? true,
configureNginx ? true,
scrapes ? [ ],
}:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf optionalAttrs;
inherit (builtins) toString;
in
{
services.prometheus.exporters.node = mkIf selfMonitor {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
};
services.prometheus = {
enable = true;
webExternalUrl = "https://${fqdn}";
globalConfig = {
scrape_interval = "10s";
};
scrapeConfigs = (
[
{
job_name = "master-server";
static_configs = [
(optionalAttrs selfMonitor {
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
})
];
}
]
++ scrapes
);
};
services.nginx.virtualHosts."${fqdn}" = mkIf configureNginx {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.prometheus.port}";
};
};
}

51
system/modules/terraria.nix
View file

@ -1,51 +0,0 @@
{ pkgs, ... }:
let
serverPkg = pkgs.tmodloader-server.overrideAttrs (
final: prev: rec {
version = "v2025.04.3.0";
name = "tmodloader-${version}";
url = "https://github.com/tModLoader/tModLoader/releases/download/${version}/tModLoader.zip";
src = pkgs.fetchurl {
inherit url;
hash = "sha256-cu98vb3T2iGC9W3e3nfls3mYTUQ4sviRHyViL0Qexn0=";
};
}
);
in
{
services.tmodloader = {
enable = true;
servers.pokemon = {
enable = true;
openFirewall = true;
port = 7777;
autoStart = true;
package = serverPkg;
world = "/var/lib/tmodloader/pokemon/Worlds/default.wld";
autocreate = "large";
install = [
3039823461
2619954303
2563851005
3378168037
3173371762
2800050107
2785100219
3018447913
2565540604
2563309347
2908170107
2669644269
3439924021
2599842771
2797518634
2565639705
3497111954
2563815443
2707400823
];
};
};
}

9
system/modules/vaultwarden.nix
View file

@ -19,7 +19,7 @@
dbBackend = "postgresql";
environmentFile = config.sops.secrets.vaultwarden.path;
config = {
DOMAIN = domain;
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = true;
SIGNUPS_VERIFY = true;
ROCKET_PORT = 8222;
@ -29,4 +29,11 @@
DATABASE_URL = "postgresql:///vaultwarden";
};
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass =
"http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};
}