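# NixOS module for the Fudo mail host.  The outer function takes the
# deployment parameters (domains, LDAP/authentik settings, DKIM record,
# secret-file paths); the inner function is the NixOS module itself.  It
# declares the DNS zone records for the mail service, Prometheus DNS-based
# service discovery, the `fudo.mail` service, and the nginx vhosts that
# obtain the ACME certificates postfix/dovecot read.
{ primaryMailserver, primaryDomain, authentikServer, servedDomains, ldapBase
, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken
, authentikVersion, ... }:

{ config, lib, pkgs, ... }:

with lib;

let
  inherit (pkgs.lib) getHostIpv4 getHostIpv6;

  hostname = config.instance.hostname;

  # Every public mail-facing name (imap, smtp, mail, mail-stats) resolves to
  # the same host, so look its addresses up once.
  mailserverIps = {
    ipv4-address = getHostIpv4 primaryMailserver;
    ipv6-address = getHostIpv6 primaryMailserver;
  };

  mailHost = "mail.${primaryDomain}";
  statsHost = "mail-stats.${primaryDomain}";

  # Services that get a `_metrics._tcp` SRV record and a matching Prometheus
  # DNS service-discovery entry.
  metricServices = [ "dovecot" "postfix" "rspamd" ];

  # Hard-fail SPF: only the MX hosts and the mail server's IPv4 address may
  # send for the domain.  Published both as TXT and as the legacy SPF record
  # type (deprecated by RFC 7208; the TXT form is the one resolvers use).
  spfRecords = [
    ''@ IN TXT "v=spf1 mx ip4:${mailserverIps.ipv4-address}/32 -all"''
    ''@ IN SPF "v=spf1 mx ip4:${mailserverIps.ipv4-address}/32 -all"''
  ];

  # DKIM + SPF records are identical for the primary and every served domain.
  sharedVerbatimRecords = [ dkimRecord ] ++ spfRecords;

  srvRecord = host: port: [{ inherit host port; }];

  # The `mail.<domain>` certificate is obtained by the nginx vhost below;
  # the SMTP and IMAP services read their TLS material from that directory.
  mailCertDirectory = config.security.acme.certs."${mailHost}".directory;

in {
  config = {
    # The mail stack runs as an arion-managed container set on podman.
    systemd.services.arion-mail-server = {
      requires = [ "podman.service" ];
      after = [ "podman.service" ];
    };

    # security.acme.certs = {
    #   "imap.${primaryDomain}".extraDomainNames = [ "mail.${primaryDomain}" ];
    #   "smtp.${primaryDomain}".extraDomainNames = [ "mail.${primaryDomain}" ];
    # };

    fudo = {
      zones = {
        "${primaryDomain}" = {
          srv-records = {
            tcp = {
              imap = srvRecord mailHost 143;
              imaps = srvRecord mailHost 993;
              smtp = srvRecord mailHost 25;
              submission = srvRecord mailHost 587;
              submissions = srvRecord mailHost 465;
            };
            # NOTE(review): SMTP and submission are TCP-only; these UDP SRV
            # entries are kept as found but are unlikely to be consulted.
            udp = {
              smtp = srvRecord mailHost 25;
              submission = srvRecord mailHost 587;
            };
          };
          metric-records = genAttrs metricServices (_: srvRecord statsHost 443);
          hosts = {
            imap = mailserverIps;
            smtp = mailserverIps;
            mail = mailserverIps;
            mail-stats = mailserverIps;
          };
          verbatim-dns-records = sharedVerbatimRecords;
        };
      } // (genAttrs (filter (dom: dom != primaryDomain) servedDomains)
        (_: { verbatim-dns-records = sharedVerbatimRecords; }));

      metrics.prometheus.service-discovery-dns = genAttrs metricServices
        (metricType: [ "${metricType}._metrics._tcp.${primaryDomain}" ]);

      mail = {
        enable = hostname == primaryMailserver;
        # NOTE(review): debug output is enabled unconditionally; confirm this
        # is intended on the production mail host.
        debug = true;
        primary-domain = primaryDomain;
        extra-domains = servedDomains;
        sasl-domain = saslDomain;
        trusted-networks = config.instance.local-networks;
        smtp = {
          hostname = mailHost;
          # NOTE(review): the mail module's own SPF handling is switched off
          # even though SPF records are published above.  Verify that inbound
          # SPF checking is performed elsewhere (e.g. by rspamd) before
          # relying on it.
          spf.enable = false;
          ssl-directory = mailCertDirectory;
        };
        imap = {
          hostname = mailHost;
          ssl-directory = mailCertDirectory;
        };
        ldap = {
          authentik-host = "https://${authentikServer}";
          # NOTE(review): readFile runs at evaluation time, so the token value
          # becomes part of the evaluated configuration and will likely land
          # in world-readable derivation inputs / the Nix store.  The LDAP
          # bind password below is passed as a file path instead; prefer the
          # same file-based pattern for the token if the mail module supports
          # one.
          outpost-token = readFile authentikOutpostToken;
          base = ldapBase;
          bind-dn = ldapBindDn;
          bind-password-file = ldapBindPwFile;
        };
        images.ldap-proxy = "ghcr.io/goauthentik/ldap:${authentikVersion}";
        aliases = let
          admins = config.instance.local-admins;
          hasAliases = _: userOpts: userOpts.email-aliases != [ ];
        in {
          # Role mailboxes are all delivered to the local admins.
          alias-users = genAttrs [
            "admin" "dmarc-reports" "ftp" "hostmaster" "irc" "postmaster"
            "root" "system" "webmaster" "www-data"
          ] (_: admins);
          # Per-user aliases from fudo.users, omitting users that have none.
          user-aliases = mapAttrs (_: userOpts: userOpts.email-aliases)
            (filterAttrs hasAliases config.fudo.users);
        };
      };
    };

    # nginx only exists to hold the ACME certificates for the mail names; the
    # imap/smtp names answer 403, mail.<domain> redirects to webmail.
    services.nginx = mkIf (hostname == primaryMailserver) {
      enable = true;
      virtualHosts = {
        "imap.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "403 Forbidden";
        };
        "${mailHost}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "301 https://webmail.${primaryDomain}";
        };
        "smtp.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "403 Forbidden";
        };
      };
    };
  };
}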