
Compare commits


No commits in common. "17c93bc64c6547402280387da862cba4f0bcf2ee" and "017a9948e80f47acb536067e0c550f5c6391cf16" have entirely different histories.

7 changed files with 20 additions and 281 deletions

138
flake.lock generated

@ -25,38 +25,6 @@
"type": "github" "type": "github"
} }
}, },
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -64,11 +32,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714043624, "lastModified": 1712386041,
"narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=", "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411", "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -85,11 +53,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714042918, "lastModified": 1713906585,
"narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=", "narHash": "sha256-fv84DCOkBtjF6wMATt0rfovu7e95L8rdEkSfNbwKR3U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db", "rev": "bfa7c06436771e3a0c666ccc6ee01e815d4c33aa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -152,11 +120,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1713995372, "lastModified": 1713725259,
"narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=", "narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "dd37924974b9202f8226ed5d74a252a9785aedf8", "rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -166,43 +134,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-23_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1713895582, "lastModified": 1713714899,
"narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=", "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "572af610f6151fd41c212f897c71f7056e3fb518", "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -222,17 +160,16 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"secrets": "secrets", "secrets": "secrets"
"simple-nixos-mailserver": "simple-nixos-mailserver"
} }
}, },
"secrets": { "secrets": {
"locked": { "locked": {
"lastModified": 1714087317, "lastModified": 1713917623,
"narHash": "sha256-5VRcsKjdoRSe2TCic64Pj06EgEz6A+sDC+eWp5EYlyU=", "narHash": "sha256-vEFbjAd3nC1wSMxz+lUO0le4OeEeEClLahRGV3hzpAk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "c66057909cd902c9de691c89314816d67d7ea4c0", "rev": "47502e384645913e83dfc2d633d50134a1a899cd",
"revCount": 28, "revCount": 26,
"type": "git", "type": "git",
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git" "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
}, },
@ -241,32 +178,6 @@
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git" "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
} }
}, },
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils"
},
"locked": {
"lastModified": 1706219574,
"narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.11",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -281,21 +192,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -39,10 +39,6 @@
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
}; };
simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
};
}; };
outputs = { outputs = {


@ -4,8 +4,6 @@
domain = "*.caspervk.net"; domain = "*.caspervk.net";
reloadServices = [ reloadServices = [
"caddy.service" "caddy.service"
"dovecot2.service"
"postfix.service"
]; ];
# The NixOS Caddy module is a little too clever and sets the cert's group # The NixOS Caddy module is a little too clever and sets the cert's group
# to 'caddy', which means other services can't load it. This is not needed # to 'caddy', which means other services can't load it. This is not needed
@ -21,7 +19,5 @@
}; };
users.groups.acme.members = [ users.groups.acme.members = [
"caddy" "caddy"
"dovecot2"
"postfix"
]; ];
} }


@ -10,7 +10,6 @@
./forgejo.nix ./forgejo.nix
./hardware.nix ./hardware.nix
./jellyfin.nix ./jellyfin.nix
./mail.nix
./network.nix ./network.nix
./sonarr.nix ./sonarr.nix
]; ];


@ -44,10 +44,7 @@
}; };
}; };
# Only allow deluged internet access through wg-sigma-p2p. Note that this # Only allow deluged internet access through wg-sigma-p2p
# does not tell it to use the correct routing table. For proper internet
# access, the correct routing table is also configured by
# routingPolicyRuleConfig in networking.nix.
systemd.services.deluged = { systemd.services.deluged = {
serviceConfig = { serviceConfig = {
RestrictNetworkInterfaces = "lo wg-sigma-p2p"; RestrictNetworkInterfaces = "lo wg-sigma-p2p";
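Review bot: The shortened comment above `systemd.services.deluged` drops the caveat that `RestrictNetworkInterfaces` only sandboxes which interfaces the unit may use and does not by itself make its traffic leave via the wg-sigma-p2p routing table; that pairing with the `routingPolicyRuleConfig` in networking.nix is exactly what a later maintainer needs to know before touching either side, since removing the rule would leave the sandbox intact but the traffic unrouted. The networking.nix hunk in this compare removes only the postfix routing-policy rule, so the deluged rule presumably still exists and the cross-reference was still accurate. Suggest keeping a one-line pointer instead of dropping it, e.g. `# Only allow deluged internet access through wg-sigma-p2p; routing via that table is set by routingPolicyRuleConfig in networking.nix`. The deluged service block continues outside the hunk.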


@ -1,130 +0,0 @@
{
config,
secrets,
simple-nixos-mailserver,
...
}: {
imports = [
simple-nixos-mailserver.nixosModule
];
# Simple NixOS Mailserver.
# https://nixos-mailserver.readthedocs.io
# https://nixos.wiki/wiki/Imapsync
#
# DNS
# Each domain delegates mail-handling to mail.caspervk.net using an MX
# record. mail.caspervk.net MUST be an A/AAAA record *NOT* CNAME. For spam
# purposes, the IP-addresses pointed to by mail.caspervk.net MUST point back
# to mail.caspervk.net using reverse-DNS.
# > dig mail.caspervk.net
# > dig -x 1.2.3.4
# Mail to e.g. vkristensen.dk should be delegated to mail.caspervk.net. Each
# domain's DKIM key in /var/dkim/ MUST be added to its DNS zone.
# > dig MX vkristensen.dk
# > dig TXT vkristensen.dk
# > dig TXT mail._domainkey.vkristensen.dk
# > dig TXT _dmarc.vkristensen.dk
#
# Online verification tools:
# https://www.mail-tester.com/
# https://mxtoolbox.com/
#
# Client Setup
# Account: casper@vkristensen.dk
# IMAP: mail.caspervk.net:993 (SSL/TLS)
# SMTP: mail.caspervk.net:465 (SSL/TLS)
mailserver = {
enable = true;
# Firewall is handled manually in networking.nix
openFirewall = false;
# Don't run a local DNS resolver
localDnsResolver = false;
# Disable opportunistic TLS encryption and force instead. This only applies
# to client connections from e.g. Thunderbird or K9. Submission from other
# mailservers is always opportunistic TLS as per RFC.
# https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
enableImap = false;
enableSubmission = false;
# The fully qualified domain name of the mail server. Used for TLS and must
# have a matching reverse-DNS record.
fqdn = "mail.caspervk.net";
# TLS Certificate
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/303
certificateScheme = "manual";
certificateFile = "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem";
keyFile = "${config.security.acme.certs."caspervk.net".directory}/key.pem";
# Use more than 1024-bit DKIM keys
dkimKeyBits = 4096;
# Rewrite the MessageID's hostname-part of outgoing emails to the
# mailserver's FQDN. Avoids leaking local hostnames.
rewriteMessageId = true;
# The hierarchy separator for mailboxes used by dovecot for the namespace
# 'inbox'. Dovecot defaults to "." but recommends "/".
hierarchySeparator = "/";
# The domains that this mail server serves
domains = [
"caspervk.net"
"spervk.com"
"sudomail.org"
"vkristensen.dk"
];
# The login account. All mail is delivered to the same account to ease
# client configuration, but it is allowed to send mail as any of the
# configured aliases. To generate a password use 'mkpasswd -sm bcrypt'.
loginAccounts = {
"casper@vkristensen.dk" = {
hashedPasswordFile = config.age.secrets.mail-hashed-password-file.path;
aliases = secrets.sigma.mail.aliases;
};
};
};
# Only allow mail delivery through through wg-sigma-public. Note that this
# does not tell it to use the correct routing table. For proper internet
# access, the correct routing table is also configured by
# routingPolicyRuleConfig in networking.nix.
systemd.services.postfix = {
serviceConfig = {
RestrictNetworkInterfaces = "lo wg-sigma-public";
};
};
# Disable rspamd filtering[1]. The rspamd service cannot be disabled
# completely due to [2].
# [1]: https://nixos-mailserver.readthedocs.io/en/latest/rspamd-tuning.html
# [2]: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/249
services.rspamd.extraConfig = ''
actions {
reject = null;
add_header = null;
greylist = null;
}
'';
environment.persistence."/nix/persist" = {
directories = [
# The generated DKIM keys are manually added to each domain's DNS zone
# and therefore need to be persisted.
{
directory = "/var/dkim";
user = "opendkim";
group = "opendkim";
mode = "0755";
}
{
directory = "/var/vmail";
user = "virtualMail";
group = "virtualMail";
mode = "2770";
}
];
};
age.secrets.mail-hashed-password-file = {
file = "${secrets}/secrets/mail-hashed-password-file.age";
mode = "600";
owner = "root";
group = "root";
};
}


@ -57,15 +57,6 @@
Table = "wg-sigma-public"; Table = "wg-sigma-public";
}; };
} }
{
# The postfix systemd service has
# RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
# it to use the correct routing table.
routingPolicyRuleConfig = {
User = config.services.postfix.user;
Table = "wg-sigma-public";
};
}
]; ];
}; };
@ -128,21 +119,15 @@
"enp5s0" = { "enp5s0" = {
allowedTCPPorts = [ allowedTCPPorts = [
22 # SSH 22 # SSH
25 # Mail SMTP
443 # Caddy
465 # Mail ESMTP
80 # Caddy 80 # Caddy
993 # Mail IMAPS 443 # Caddy
]; ];
}; };
"wg-sigma-public" = { "wg-sigma-public" = {
allowedTCPPorts = [ allowedTCPPorts = [
22 # SSH 22 # SSH
25 # Mail SMTP
443 # Caddy
465 # Mail ESMTP
80 # Caddy 80 # Caddy
993 # Mail IMAPS 443 # Caddy
]; ];
}; };
"wg-sigma-p2p" = { "wg-sigma-p2p" = {