dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-conf/system/dev/dn-server/services/mail-server.nix
danny c7743490a7 chore: routine maintenance
2025-11-23 16:24:38 +08:00

109 lines
2.9 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
inherit (lib) mkForce;
inherit (config.systemConf) username;
in
{
mail-server =
let
domain = "net.dn";
in
{
inherit domain;
enable = true;
openFirewall = true;
configureNginx = true;
hostname = "mx1";
extraDomains = [
"mail.${domain}"
];
caFile = "" + ../../../extra/ca.crt;
rootAlias = "${username}";
networks = [
"127.0.0.0/8"
"10.0.0.0/24"
];
virtual = ''
admin@${domain} ${username}@${domain}
postmaster@${domain} ${username}@${domain}
'';
webmail = {
enable = true;
hostname = "mail.${domain}";
};
keycloak = {
dbSecretFile = config.sops.secrets."oauth/password".path;
adminAccountFile = config.sops.secrets."oauth/adminEnv".path;
};
ldap = {
filter = "(&(objectClass=inetOrgPerson)(objectClass=inetMailRoutingObject)(uid=%{user | username}))";
extraAuthConf = ''
auth_username_format = %{user | lower}
fields {
user = %{ldap:mail}
password = %{ldap:userPassword}
}
'';
secretFile = config.sops.secrets."ldap/password".path;
webSecretFile = config.sops.secrets."ldap/env".path;
olcAccess =
let
olcDN = "dc=net,dc=dn";
in
[
''
{0}to attrs=userPassword
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,${olcDN}" manage
by dn.exact="uid=admin,ou=people,${olcDN}" manage
by self write
by anonymous auth
by * none
''
''
{1}to *
by peername="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,${olcDN}" manage
by dn.exact="uid=admin,ou=people,${olcDN}" manage
by self read
by anonymous auth
by * none
''
];
};
rspamd = {
secretFile = config.sops.secrets."rspamd".path;
trainerSecretFile = config.sops.secrets."rspamd-trainer".path;
};
dovecot.oauth = {
enable = true;
};
};
services.openldap.settings.attrs.olcLogLevel = mkForce "config";
services.postfix.settings.main = {
# internal_mail_filter_classes = [ "bounce" ];
};
services.rspamd = {
locals."logging.conf".text = ''
level = "debug";
'';
locals."settings.conf".text = ''
bounce {
id = "bounce";
priority = high;
ip = "127.0.0.1";
selector = 'smtp_from.regexp("/^$/").last';
apply {
BOUNCE = -25.0;
}
symbols [ "BOUNCE" ]
}
'';
};
}
Reference in a new issue View git blame Copy permalink