mail on sigma

Flake lock file updates:

• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=e16ecd830684cd488d26d60d0c4483b26e7ab7a3' (2024-04-25)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=c66057909cd902c9de691c89314816d67d7ea4c0' (2024-04-25)

flake.lock

@@ -25,6 +25,38 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -32,11 +64,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712386041,
+        "lastModified": 1714043624,
-        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
+        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
+        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
         "type": "github"
       },
       "original": {
@@ -53,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713906585,
+        "lastModified": 1714042918,
-        "narHash": "sha256-fv84DCOkBtjF6wMATt0rfovu7e95L8rdEkSfNbwKR3U=",
+        "narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bfa7c06436771e3a0c666ccc6ee01e815d4c33aa",
+        "rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db",
         "type": "github"
       },
       "original": {
@@ -120,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713725259,
+        "lastModified": 1713995372,
-        "narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=",
+        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7",
+        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
         "type": "github"
       },
       "original": {
@@ -134,13 +166,43 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs-23_05": {
       "locked": {
-        "lastModified": 1713714899,
+        "lastModified": 1704290814,
-        "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-23_11": {
+      "locked": {
+        "lastModified": 1706098335,
+        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1713895582,
+        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
         "type": "github"
       },
       "original": {
@@ -160,16 +222,17 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "secrets": "secrets"
+        "secrets": "secrets",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
       }
     },
     "secrets": {
       "locked": {
-        "lastModified": 1713917623,
+        "lastModified": 1714087317,
-        "narHash": "sha256-vEFbjAd3nC1wSMxz+lUO0le4OeEeEClLahRGV3hzpAk=",
+        "narHash": "sha256-5VRcsKjdoRSe2TCic64Pj06EgEz6A+sDC+eWp5EYlyU=",
         "ref": "refs/heads/master",
-        "rev": "47502e384645913e83dfc2d633d50134a1a899cd",
+        "rev": "c66057909cd902c9de691c89314816d67d7ea4c0",
-        "revCount": 26,
+        "revCount": 28,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },
@@ -178,6 +241,32 @@
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-23_05": "nixpkgs-23_05",
+        "nixpkgs-23_11": "nixpkgs-23_11",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1706219574,
+        "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-23.11",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -192,6 +281,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -39,6 +39,10 @@
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
     };
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
+      inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
+    };
   };
 
   outputs = {

hosts/sigma/acme.nix

@@ -4,6 +4,8 @@
       domain = "*.caspervk.net";
       reloadServices = [
         "caddy.service"
+        "dovecot2.service"
+        "postfix.service"
       ];
       # The NixOS Caddy module is a little too clever and sets the cert's group
       # to 'caddy', which means other services can't load it. This is not needed
@@ -19,5 +21,7 @@
   };
   users.groups.acme.members = [
     "caddy"
+    "dovecot2"
+    "postfix"
   ];
 }

hosts/sigma/default.nix

@@ -10,6 +10,7 @@
     ./forgejo.nix
     ./hardware.nix
     ./jellyfin.nix
+    ./mail.nix
     ./network.nix
     ./sonarr.nix
   ];

hosts/sigma/deluge.nix

@@ -44,7 +44,10 @@
     };
   };
 
-  # Only allow deluged internet access through wg-sigma-p2p
+  # Only allow deluged internet access through wg-sigma-p2p. Note that this
+  # does not tell it to use the correct routing table. For proper internet
+  # access, the correct routing table is also configured by
+  # routingPolicyRuleConfig in networking.nix.
   systemd.services.deluged = {
     serviceConfig = {
       RestrictNetworkInterfaces = "lo wg-sigma-p2p";

hosts/sigma/mail.nix

@@ -0,0 +1,130 @@
+{
+  config,
+  secrets,
+  simple-nixos-mailserver,
+  ...
+}: {
+  imports = [
+    simple-nixos-mailserver.nixosModule
+  ];
+
+  # Simple NixOS Mailserver.
+  # https://nixos-mailserver.readthedocs.io
+  # https://nixos.wiki/wiki/Imapsync
+  #
+  # DNS
+  # Each domain delegates mail-handling to mail.caspervk.net using an MX
+  # record. mail.caspervk.net MUST be an A/AAAA record *NOT* CNAME. For spam
+  # purposes, the IP-addresses pointed to by mail.caspervk.net MUST point back
+  # to mail.caspervk.net using reverse-DNS.
+  # > dig mail.caspervk.net
+  # > dig -x 1.2.3.4
+  # Mail to e.g. vkristensen.dk should be delegated to mail.caspervk.net. Each
+  # domain's DKIM key in /var/dkim/ MUST be added to its DNS zone.
+  # > dig MX vkristensen.dk
+  # > dig TXT vkristensen.dk
+  # > dig TXT mail._domainkey.vkristensen.dk
+  # > dig TXT _dmarc.vkristensen.dk
+  #
+  # Online verification tools:
+  # https://www.mail-tester.com/
+  # https://mxtoolbox.com/
+  #
+  # Client Setup
+  # Account: casper@vkristensen.dk
+  # IMAP: mail.caspervk.net:993 (SSL/TLS)
+  # SMTP: mail.caspervk.net:465 (SSL/TLS)
+  mailserver = {
+    enable = true;
+    # Firewall is handled manually in networking.nix
+    openFirewall = false;
+    # Don't run a local DNS resolver
+    localDnsResolver = false;
+    # Disable opportunistic TLS encryption and force instead. This only applies
+    # to client connections from e.g. Thunderbird or K9. Submission from other
+    # mailservers is always opportunistic TLS as per RFC.
+    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
+    enableImap = false;
+    enableSubmission = false;
+    # The fully qualified domain name of the mail server. Used for TLS and must
+    # have a matching reverse-DNS record.
+    fqdn = "mail.caspervk.net";
+    # TLS Certificate
+    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/303
+    certificateScheme = "manual";
+    certificateFile = "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem";
+    keyFile = "${config.security.acme.certs."caspervk.net".directory}/key.pem";
+    # Use more than 1024-bit DKIM keys
+    dkimKeyBits = 4096;
+    # Rewrite the MessageID's hostname-part of outgoing emails to the
+    # mailserver's FQDN. Avoids leaking local hostnames.
+    rewriteMessageId = true;
+    # The hierarchy separator for mailboxes used by dovecot for the namespace
+    # 'inbox'. Dovecot defaults to "." but recommends "/".
+    hierarchySeparator = "/";
+    # The domains that this mail server serves
+    domains = [
+      "caspervk.net"
+      "spervk.com"
+      "sudomail.org"
+      "vkristensen.dk"
+    ];
+    # The login account. All mail is delivered to the same account to ease
+    # client configuration, but it is allowed to send mail as any of the
+    # configured aliases. To generate a password use 'mkpasswd -sm bcrypt'.
+    loginAccounts = {
+      "casper@vkristensen.dk" = {
+        hashedPasswordFile = config.age.secrets.mail-hashed-password-file.path;
+        aliases = secrets.sigma.mail.aliases;
+      };
+    };
+  };
+
+  # Only allow mail delivery through through wg-sigma-public. Note that this
+  # does not tell it to use the correct routing table. For proper internet
+  # access, the correct routing table is also configured by
+  # routingPolicyRuleConfig in networking.nix.
+  systemd.services.postfix = {
+    serviceConfig = {
+      RestrictNetworkInterfaces = "lo wg-sigma-public";
+    };
+  };
+
+  # Disable rspamd filtering[1]. The rspamd service cannot be disabled
+  # completely due to [2].
+  # [1]: https://nixos-mailserver.readthedocs.io/en/latest/rspamd-tuning.html
+  # [2]: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/249
+  services.rspamd.extraConfig = ''
+    actions {
+      reject = null;
+      add_header = null;
+      greylist = null;
+    }
+  '';
+
+  environment.persistence."/nix/persist" = {
+    directories = [
+      # The generated DKIM keys are manually added to each domain's DNS zone
+      # and therefore need to be persisted.
+      {
+        directory = "/var/dkim";
+        user = "opendkim";
+        group = "opendkim";
+        mode = "0755";
+      }
+      {
+        directory = "/var/vmail";
+        user = "virtualMail";
+        group = "virtualMail";
+        mode = "2770";
+      }
+    ];
+  };
+
+  age.secrets.mail-hashed-password-file = {
+    file = "${secrets}/secrets/mail-hashed-password-file.age";
+    mode = "600";
+    owner = "root";
+    group = "root";
+  };
+}

hosts/sigma/network.nix

@@ -57,6 +57,15 @@
             Table = "wg-sigma-public";
           };
         }
+        {
+          # The postfix systemd service has
+          # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
+          # it to use the correct routing table.
+          routingPolicyRuleConfig = {
+            User = config.services.postfix.user;
+            Table = "wg-sigma-public";
+          };
+        }
       ];
     };
 
@@ -119,15 +128,21 @@
       "enp5s0" = {
         allowedTCPPorts = [
           22 # SSH
-          80 # Caddy
+          25 # Mail SMTP
           443 # Caddy
+          465 # Mail ESMTP
+          80 # Caddy
+          993 # Mail IMAPS
         ];
       };
       "wg-sigma-public" = {
         allowedTCPPorts = [
           22 # SSH
-          80 # Caddy
+          25 # Mail SMTP
           443 # Caddy
+          465 # Mail ESMTP
+          80 # Caddy
+          993 # Mail IMAPS
         ];
       };
       "wg-sigma-p2p" = {