323 lines
8 KiB
Nix
323 lines
8 KiB
Nix
{
|
|
fqdn ? null,
|
|
origin ? null,
|
|
destination ? null,
|
|
networks ? null,
|
|
rootAlias ? "root",
|
|
extraAliases ? "",
|
|
enableOpenldap ? true,
|
|
dovecotLdapSecretFile,
|
|
openldapAdmPassPath,
|
|
sslKeyPath,
|
|
sslCertPath,
|
|
}:
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
postfixFqdn = if fqdn != null then fqdn else config.networking.fqdn;
|
|
postfixOrigin = if origin != null then origin else postfixFqdn;
|
|
postfixDest =
|
|
if destination != null then
|
|
destination
|
|
else
|
|
[
|
|
"localhost"
|
|
"localhost.${postfixFqdn}"
|
|
];
|
|
|
|
postfixNet =
|
|
if networks != null then
|
|
networks
|
|
else
|
|
[
|
|
"127.0.0.0/8"
|
|
"[::1]/128"
|
|
];
|
|
|
|
postfixMailDir = "~/Maildir";
|
|
mailLocationPrefix = "/var/mail/vhosts";
|
|
mailLocation = "${mailLocationPrefix}/%d/%n/";
|
|
|
|
dcList = lib.strings.splitString "." postfixFqdn;
|
|
domain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
|
|
|
|
dovecotSecretPath = "/run/dovecot2-secret";
|
|
ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
|
|
|
|
ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
|
|
ldap_version = 3
|
|
auth_bind_userdn = uid=%u,ou=mail,${domain}
|
|
auth_bind = yes
|
|
hosts = ${postfixFqdn}
|
|
dn = cn=admin,${domain}
|
|
base = ou=mail,${domain}
|
|
pass_filter = (&(objectClass=inetorgperson)(uid=%u))
|
|
|
|
user_filter = (&(objectClass=inetorgperson)(uid=%u))
|
|
'';
|
|
|
|
mailUser = "vmail";
|
|
in
|
|
with builtins;
|
|
{
|
|
environment.sessionVariables = {
|
|
MAILDIR = postfixMailDir;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
25 # SMTP
|
|
465 # SMTPS
|
|
587 # STARTTLS
|
|
80
|
|
143 # IMAP STARTTLS
|
|
993 # IMAPS
|
|
110 # POP3 STARTTLS
|
|
995 # POP3S
|
|
];
|
|
|
|
users.groups.${mailUser} = {
|
|
gid = 5000;
|
|
};
|
|
|
|
users.users.${mailUser} = {
|
|
isSystemUser = true;
|
|
uid = 5000;
|
|
group = mailUser;
|
|
};
|
|
|
|
services.postfix = {
|
|
inherit rootAlias;
|
|
|
|
enable = lib.mkDefault true;
|
|
hostname = postfixFqdn;
|
|
origin = postfixOrigin;
|
|
destination = postfixDest;
|
|
networks = postfixNet;
|
|
sslKey = sslKeyPath;
|
|
sslCert = sslCertPath;
|
|
|
|
config = {
|
|
virtual_uid_maps = [
|
|
"static:${toString config.users.users.vmail.uid}"
|
|
];
|
|
virtual_gid_maps = [
|
|
"static:${toString config.users.groups.vmail.gid}"
|
|
];
|
|
virtual_mailbox_domains = [ postfixFqdn ];
|
|
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
|
|
|
|
tls_preempt_cipherlist = "yes";
|
|
smtpd_use_tls = "yes";
|
|
smtpd_tls_security_level = "may";
|
|
smtpd_sasl_type = "dovecot";
|
|
smtpd_sasl_path = "private/auth";
|
|
smtpd_sasl_auth_enable = "yes";
|
|
smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
|
|
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
|
|
|
|
home_mailbox = postfixMailDir;
|
|
};
|
|
|
|
postmasterAlias = "root";
|
|
extraAliases =
|
|
''
|
|
mailer-daemon: postmaster
|
|
nobody: root
|
|
hostmaster: root
|
|
usenet: root
|
|
news: root
|
|
webmaster: root
|
|
www: root
|
|
ftp: root
|
|
abuse: root
|
|
noc: root
|
|
security: root
|
|
''
|
|
+ extraAliases;
|
|
};
|
|
|
|
services.dovecot2 = {
|
|
enable = lib.mkDefault true;
|
|
enableImap = true;
|
|
enablePop3 = true;
|
|
enableLmtp = true;
|
|
mailLocation = lib.mkDefault "maildir:${mailLocation}";
|
|
mailUser = mailUser;
|
|
mailGroup = mailUser;
|
|
sslServerKey = sslKeyPath;
|
|
sslServerCert = sslCertPath;
|
|
sslCACert = config.security.pki.caBundle;
|
|
|
|
extraConfig = ''
|
|
log_path = /var/log/dovecot.log
|
|
auth_debug = yes
|
|
mail_debug = yes
|
|
|
|
auth_mechanisms = plain login
|
|
ssl = yes
|
|
ssl_dh_parameters_length = 2048
|
|
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
|
|
ssl_prefer_server_ciphers = yes
|
|
|
|
service auth {
|
|
unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
|
|
mode = 0660
|
|
user = ${config.services.postfix.user}
|
|
group = ${config.services.postfix.group}
|
|
}
|
|
}
|
|
|
|
service lmtp {
|
|
unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
|
|
mode = 0600
|
|
user = ${config.services.postfix.user}
|
|
group = ${config.services.postfix.group}
|
|
}
|
|
}
|
|
|
|
passdb ldap {
|
|
driver = ldap
|
|
args = ${ldapSecretConf}
|
|
}
|
|
|
|
userdb {
|
|
driver = static
|
|
args = uid=${mailUser} gid=${mailUser} home=${mailLocation}
|
|
}
|
|
|
|
lda_mailbox_autosubscribe = yes
|
|
lda_mailbox_autocreate = yes
|
|
'';
|
|
};
|
|
|
|
systemd.services.dovecot2 = {
|
|
serviceConfig = {
|
|
RuntimeDirectory = [ "dovecot2-secret" ];
|
|
RuntimeDirectoryMode = "0640";
|
|
ExecStartPre = [
|
|
''${pkgs.busybox.out}/bin/mkdir -p ${mailLocationPrefix}''
|
|
''${pkgs.busybox.out}/bin/chown -R ${mailUser}:${mailUser} ${mailLocationPrefix}''
|
|
''${pkgs.busybox.out}/bin/chmod 770 ${mailLocationPrefix}''
|
|
''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${dovecotLdapSecretFile} > ${ldapSecretConf}"''
|
|
];
|
|
};
|
|
};
|
|
|
|
services.openldap = lib.mkIf enableOpenldap {
|
|
enable = true;
|
|
urlList = [ "ldap:///" ];
|
|
|
|
settings = {
|
|
attrs = {
|
|
olcLogLevel = "conns config";
|
|
};
|
|
|
|
children = {
|
|
"cn=schema".includes = [
|
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
|
];
|
|
|
|
"olcDatabase={1}mdb".attrs = {
|
|
objectClass = [
|
|
"olcDatabaseConfig"
|
|
"olcMdbConfig"
|
|
];
|
|
|
|
olcDatabase = "{1}mdb";
|
|
olcDbDirectory = "/var/lib/openldap/data";
|
|
olcSuffix = "${domain}";
|
|
|
|
olcRootDN = "cn=admin,${domain}";
|
|
olcRootPW.path = openldapAdmPassPath;
|
|
|
|
olcAccess = [
|
|
''
|
|
{0}to attrs=userPassword
|
|
by dn="cn=admin,${domain}" read
|
|
by self write
|
|
by anonymous auth
|
|
by * none
|
|
''
|
|
''
|
|
{1}to *
|
|
by * read
|
|
''
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
environment.etc."openldap/base.ldif" = {
|
|
mode = "0770";
|
|
user = config.services.openldap.user;
|
|
group = config.services.openldap.group;
|
|
text = ''
|
|
dn: ${domain}
|
|
objectClass: top
|
|
objectClass: domain
|
|
dc: ${elemAt dcList 0}
|
|
'';
|
|
};
|
|
|
|
systemd.services.openldap-init-base = {
|
|
wantedBy = [ "openldap.service" ];
|
|
requires = [ "openldap.service" ];
|
|
after = [ "openldap.service" ];
|
|
serviceConfig = {
|
|
User = config.services.openldap.user;
|
|
Group = config.services.openldap.group;
|
|
Type = "oneshot";
|
|
ExecStart =
|
|
let
|
|
dcScript = pkgs.writeShellScriptBin "openldap-init" ''
|
|
BASE_DN="${domain}"
|
|
LDIF_FILE="/etc/openldap/base.ldif"
|
|
ADMIN_DN="cn=admin,${domain}"
|
|
${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
|
|
${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${openldapAdmPassPath} -W -f "$LDIF_FILE"
|
|
else
|
|
echo "Base DN $BASE_DN exists, skip"
|
|
fi
|
|
'';
|
|
in
|
|
"${dcScript}/bin/openldap-init";
|
|
};
|
|
};
|
|
|
|
virtualisation = {
|
|
docker = {
|
|
enable = lib.mkDefault true;
|
|
rootless = {
|
|
enable = true;
|
|
setSocketVariable = true;
|
|
};
|
|
};
|
|
|
|
oci-containers = {
|
|
backend = "docker";
|
|
containers = {
|
|
lam = {
|
|
image = "ghcr.io/ldapaccountmanager/lam:9.2";
|
|
extraOptions = [ "--network=host" ];
|
|
autoStart = true;
|
|
environment = {
|
|
LDAP_DOMAIN = postfixFqdn;
|
|
LDAP_SERVER = "ldap://${postfixFqdn}";
|
|
LDAP_USERS_DN = "ou=mail,${domain}";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|