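# Mail role for informis.land: DNS names and DKIM record, ACME certificates
# for the mail hostnames, the LDAP `userdb` lookup account, and the mail
# service itself.  Only the host named by `mailserver` actually runs mail and
# the ACME-only nginx vhosts; the DNS/ACME/secret declarations apply on every
# host that imports this module.
{ config, lib, pkgs, ... }:

let
  inherit (lib) filterAttrs genAttrs mapAttrs mkIf readFile;

  hostname = config.instance.hostname;

  # Host that runs the mail stack.  Keep every per-host reference below on
  # this binding rather than on a literal so the role can be moved in one
  # place.
  mailserver = "locum";
  authentikHost = "locum";

  # Bind password for the `userdb` LDAP account, derived deterministically
  # from the instance build seed.
  # NOTE(review): if `stablerandom-passwd-file` produces a /nix/store path,
  # the cleartext password is world-readable on every evaluating host —
  # confirm it is rendered outside the store (the hashed form below is what
  # is published to LDAP, but the source file still exists).
  userdbPasswd = pkgs.lib.passwd.stablerandom-passwd-file "userdb-passwd"
    config.instance.build-seed;
in {
  imports = [
    (import ./informis.land/authentik.nix { inherit authentikHost; })
  ];

  config = {
    fudo = {
      # Both ACME certs also carry the generic `mail.` name.
      acme.host-domains = {
        "imap.informis.land".extra-domains = [ "mail.informis.land" ];
        "smtp.informis.land".extra-domains = [ "mail.informis.land" ];
      };

      zones."informis.land" = let
        mailserverIps =
          config.fudo.zones."informis.land".hosts."${mailserver}";
        # imap/smtp/mail are all aliases for the mail server's addresses.
        mailserverAddrs = {
          inherit (mailserverIps) ipv4-address ipv6-address;
        };
      in {
        hosts = {
          imap = mailserverAddrs;
          smtp = mailserverAddrs;
          mail = mailserverAddrs;
        };

        # DKIM public key (selector `mail`).  This is public material; the
        # matching private key lives with the signing service.  Rotate both
        # together.
        verbatim-dns-records = [
          '' mail._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKiTSUDxDPwMxLMT7wzR0ZaGuGzU1xnhti0zqi6xGJVxe9O8wfpX1vTSAasGYGzg5r24Hc8tSTogUgy0uJXsIbPBiqXj3WsoL/vf7+tAmrmZA4DQn1hN+C0R/7knhTNPWKnIAMqReAH/yf3XvFGmBMpU3UGRNGc2MoCQ4iXBcbsQIDAQAB" ) ; ----- DKIM key mail for all-domains-generic-key''
        ];

        # SRV records for client autodiscovery are currently disabled.
        # srv-records = let srv-record = host: port: [{ inherit host port; }];
        # in {
        #   tcp = {
        #     imap = srv-record "imap.informis.land" 143;
        #     imaps = srv-record "imap.informis.land" 993;
        #     smtp = srv-record "smtp.informis.land" 25;
        #     submission = srv-record "smtp.informis.land" 587;
        #   };
        # };
      };

      # Unqualified lookups in the zone resolve to locum (the same host as
      # `mailserver`, but that is a coincidence of this deployment rather than
      # a requirement, so it stays a literal).
      services.dns.zones."informis.land" = {
        default-host = pkgs.lib.getHostIpv4 "locum";
      };

      postgresql.package = pkgs.postgresql_15_gssapi;

      # LDAP account used for user lookups; only the hash is published.
      system-users.userdb = {
        description = "User Database Lookup.";
        ldap-hashed-password =
          pkgs.lib.passwd.hash-ldap-passwd "userdb-passwd.hashed" userdbPasswd;
      };

      # Cleartext copy of the bind password, installed at runtime on this host.
      secrets.host-secrets."${hostname}".userdbPasswd = {
        source-file = userdbPasswd;
        target-file = "/run/ldap/userdbPasswd";
      };

      mail = {
        enable = hostname == mailserver;
        debug = false;
        primary-domain = "informis.land";
        sasl-domain = "INFORMIS.LAND";
        # Hosts allowed to relay without authentication — presumably the
        # instance's local networks only; widen with care.
        trusted-networks = config.instance.local-networks;

        smtp = {
          hostname = "smtp.informis.land";
          ssl-directory =
            config.security.acme.certs."smtp.informis.land".directory;
        };

        imap = {
          hostname = "imap.informis.land";
          ssl-directory =
            config.security.acme.certs."imap.informis.land".directory;
        };

        ldap = {
          authentik-host = "https://authentik.informis.land";
          # NOTE(review): readFile pulls the outpost token into the Nix
          # evaluation; if the mail module interpolates it into a generated
          # config it ends up world-readable in /nix/store.  Confirm the
          # module hands it to the service via a runtime file instead.
          outpost-token = readFile
            config.fudo.secrets.files.service-secrets."${hostname}"."authentik-ldap.token";
          base = "dc=informis,dc=land";
          bind-dn = "cn=userdb,ou=users,dc=informis,dc=land";
          # Runtime path to the bind password on the mail host.
          bind-password-file =
            config.fudo.secrets.files.service-passwords."${mailserver}".userdb;
        };

        aliases = {
          # Every role mailbox lands with the local admins.
          alias-users = let
            admins = config.instance.local-admins;
          in genAttrs [
            "admin"
            "dmarc-reports"
            "ftp"
            "hostmaster"
            "irc"
            "postmaster"
            "root"
            "system"
            "webmaster"
            "www-data"
          ] (_: admins);

          # Per-user aliases, taken from each user's `email-aliases` list;
          # users without aliases are omitted entirely.
          user-aliases = let
            withAliases =
              filterAttrs (_: opts: opts.email-aliases != [ ]) config.fudo.users;
          in mapAttrs (_: opts: opts.email-aliases) withAliases;
        };
      };
    };

    # These vhosts exist only so ACME can issue the mail-hostname certs;
    # they serve nothing over HTTP(S).
    services.nginx = mkIf (hostname == mailserver) {
      enable = true;
      virtualHosts = let
        certOnlyHost = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "404";
        };
      in {
        "smtp.informis.land" = certOnlyHost;
        "imap.informis.land" = certOnlyHost;
      };
    };
  };
}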