# NixOS module for the informis.land domain.
#
# The module is evaluated on every host of the instance.  Each service is
# tied to a host *role* (a hostname constant below); a host switches the
# service on only when its own hostname equals that role, so the same file
# can be shared by the whole fleet.
{ config, lib, pkgs, ... }:

let
  inherit (lib)
    filterAttrs genAttrs listToAttrs mapAttrs mkIf nameValuePair;
  inherit (pkgs.lib) getDomainHosts getHostFqdn getHostIpv4;

  hostname = config.instance.hostname;

  # Host roles.  All of them currently resolve to the same machine.
  mailserver = "locum";
  primaryNameserver = "locum";
  defaultHost = "locum";
  authentikHost = "locum";
  lemmyHost = "locum";

  domain = "informis.land";
  imapHost = "imap.${domain}";
  smtpHost = "smtp.${domain}";
  mailHost = "mail.${domain}";

  # Password file for the userdb LDAP bind account.  The helper name
  # suggests it is derived deterministically from the instance build seed
  # (so every evaluation produces the same file) — confirm against
  # pkgs.lib.passwd before relying on that.
  userdbPasswd =
    pkgs.lib.passwd.stablerandom-passwd-file "userdb-passwd"
      config.instance.build-seed;

  # Mailbox names that are delivered to the local admins.
  adminAliases = [
    "admin"
    "dmarc-reports"
    "ftp"
    "hostmaster"
    "irc"
    "postmaster"
    "root"
    "system"
    "webmaster"
    "www-data"
  ];

in {
  imports =
    [ (import ./informis.land/authentik.nix { inherit authentikHost; }) ];

  config = {
    fudo = {
      # mail.<domain> is carried as an extra name on both the IMAP and the
      # SMTP certificate.
      acme.host-domains = {
        "${imapHost}".extra-domains = [ mailHost ];
        "${smtpHost}".extra-domains = [ mailHost ];
      };

      zones.${domain} = let
        # Self-reference into the zone being defined: resolved by the
        # module-system fixpoint, so the mail server's own entry must be
        # declared elsewhere in the configuration.
        mailserverIps = config.fudo.zones.${domain}.hosts.${mailserver};
        pointsAtMailserver = _: {
          inherit (mailserverIps) ipv4-address ipv6-address;
        };
      in {
        # imap, smtp and mail are all aliases of the mail server.
        hosts = genAttrs [ "imap" "smtp" "mail" ] pointsAtMailserver;
        # DKIM *public* key for selector "mail"; the signing key lives with
        # the mail service, not here.
        verbatim-dns-records = [
          ''
            mail._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKiTSUDxDPwMxLMT7wzR0ZaGuGzU1xnhti0zqi6xGJVxe9O8wfpX1vTSAasGYGzg5r24Hc8tSTogUgy0uJXsIbPBiqXj3WsoL/vf7+tAmrmZA4DQn1hN+C0R/7knhTNPWKnIAMqReAH/yf3XvFGmBMpU3UGRNGc2MoCQ4iXBcbsQIDAQAB" )  ; ----- DKIM key mail for all-domains-generic-key''
        ];
      };

      services = {
        authoritative-dns = {
          enable = hostname == primaryNameserver;

          nameservers.primary = primaryNameserver;

          # IPv4 address -> FQDN for every host of the domain
          # (presumably used for reverse records; see reverse-zones).
          ip-host-map = listToAttrs (map
            (host: nameValuePair (getHostIpv4 host) (getHostFqdn host))
            (getDomainHosts domain));

          zones.${domain} = {
            # The apex record set is copied from the default host, SSHFP
            # records included.
            default-host = {
              inherit (config.fudo.zones.${domain}.hosts.${defaultHost})
                ipv4-address ipv6-address sshfp-records;
              description = domain;
            };
            # DNSSEC key-signing key, supplied via the secrets module.
            ksk = config.fudo.secrets.files.dns.key-signing-keys.${domain};
            mail = {
              smtp-servers = [ smtpHost ];
              imap-servers = [ imapHost ];
            };
            reverse-zones = [ "172.86.179.17/29" "190.2.134.0/24" ];
          };
        };

        lemmy = {
          enable = hostname == lemmyHost;
          hostname = domain;
          site-name = "Informis";
          smtp.host = mailHost;
        };
      };

      postgresql.package = pkgs.postgresql_15_gssapi;

      system-users.userdb = {
        description = "User Database Lookup.";
        ldap-hashed-password =
          pkgs.lib.passwd.hash-ldap-passwd "userdb-passwd.hashed" userdbPasswd;
      };

      # Plaintext copy of the userdb password, installed only on this host.
      secrets.host-secrets."${hostname}".userdbPasswd = {
        source-file = userdbPasswd;
        target-file = "/run/ldap/userdbPasswd";
      };

      mail = {
        enable = hostname == mailserver;
        debug = false;
        primary-domain = domain;
        sasl-domain = "INFORMIS.LAND";
        # NOTE(review): presumably the networks allowed to relay without
        # authentication — verify against the mail module.
        trusted-networks = config.instance.local-networks;
        smtp = {
          hostname = smtpHost;
          ssl-directory = config.security.acme.certs.${smtpHost}.directory;
        };
        imap = {
          hostname = imapHost;
          ssl-directory = config.security.acme.certs.${imapHost}.directory;
        };
        ldap = {
          authentik-host = "https://authentik.informis.land";
          # NOTE(review): builtins.readFile pulls the token into the
          # evaluated configuration as a string.  If the mail module ever
          # writes that value into a store path it becomes world-readable
          # on the host — confirm the module only hands it on via a runtime
          # file, or switch to a file-based option if one exists.
          outpost-token = builtins.readFile
            config.fudo.secrets.files.service-secrets."${hostname}"."authentik-ldap.token";
          base = "dc=informis,dc=land";
          bind-dn = "cn=userdb,ou=users,dc=informis,dc=land";
          bind-password-file =
            config.fudo.secrets.files.service-passwords.locum.userdb;
        };
        aliases = {
          alias-users = let admins = config.instance.local-admins;
          in genAttrs adminAliases (_: admins);
          # Per-user aliases, restricted to users that declare at least one.
          user-aliases =
            mapAttrs (_: userOpts: userOpts.email-aliases)
              (filterAttrs (_: userOpts: userOpts.email-aliases != [ ])
                config.fudo.users);
        };
      };
    };

    # Certificate-only vhosts on the mail server: enableACME obtains the
    # IMAP/SMTP certificates, but nothing is served over HTTP (every path
    # answers 404).
    services.nginx = mkIf (hostname == mailserver) {
      enable = true;
      virtualHosts = genAttrs [ smtpHost imapHost ] (_: {
        enableACME = true;
        forceSSL = true;
        locations."/".return = "404";
      });
    };
  };
}