nixos-config/config/host-config/france/mail-server.nix


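# NixOS module: mail server configuration for the "france" host.
#
# Declares a small `fudo.france.mail` option set (maildir location, state
# directory, LDAP server URLs) and feeds those values, plus a dedicated LDAP
# reader account for Dovecot authentication, into `config.fudo.mail-server`.
{ config, lib, pkgs, ... }:

with lib;

let
  domain-name = config.instance.local-domain;
  cfg = config.fudo.france.mail;

  # Name of the LDAP account Dovecot binds as when looking up users.
  mail-reader-dn = "mail-auth-reader";

in {
  options.fudo.france.mail = with types; {
    mail-directory = mkOption {
      type = str;
      description = "Directory to contain user maildirs.";
    };

    state-directory = mkOption {
      type = str;
      description = "Directory to contain mail-server state.";
    };

    ldap-server-urls = mkOption {
      type = listOf str;
      description = "List of LDAP server URLs.";
    };
  };

  config.fudo = let
    # Password file for the LDAP reader account.
    # NOTE(review): this is produced by a build-time helper; if
    # `random-passwd-file` yields a /nix/store path, the password is
    # world-readable on the host — confirm how the helper generates and
    # stores it before treating it as a secret.
    mail-reader-password =
      pkgs.lib.fudo.passwd.random-passwd-file "${mail-reader-dn}-ldap-password" 30;
  in {
    # Disabled: the host-secrets mechanism cannot take this password because
    # it is generated at build time. Kept for reference.
    # secrets.host-secrets.${config.instance.hostname}.mail-reader-passwd = {
    #   source-file = ldap-password;
    #   target-file = "/run/mail/${mail-reader-dn}-ldap.passwd";
    #   user = config.services.dovecot2.user;
    # };

    # Reader account, with a hashed form of the same password (presumably
    # what gets provisioned into LDAP; the helper's exact output is not
    # visible here).
    system-users.${mail-reader-dn} = {
      description = "Used by the mail server to connect to LDAP for auth.";
      ldap-hashed-password =
        pkgs.lib.fudo.passwd.hash-ldap-passwd
          "${mail-reader-dn}-hashed"
          mail-reader-password;
    };

    mail-server = let
      mail-hostname = "mail.${domain-name}";
      # ACME certificate directory for the mail hostname.
      mail-ssl-dir = config.security.acme.certs.${mail-hostname}.directory;
    in {
      enableContainer = true;
      monitoring = true;
      domain = domain-name;
      # Reuse the let-bound name instead of rebuilding the string, so the
      # ACME cert lookup above and the advertised hostname cannot drift apart.
      inherit mail-hostname;
      trusted-networks = config.instance.local-networks;

      dovecot.ldap = {
        reader-dn = "cn=${mail-reader-dn},${config.fudo.authentication.base}";
        reader-password-file = mail-reader-password;
        server-urls = cfg.ldap-server-urls;
      };

      # Users that declare at least one email alias, mapped to their alias
      # list; users without aliases are dropped from the attrset.
      user-aliases = let
        aliased-users = filterAttrs
          (_: userOpts: length userOpts.email-aliases > 0)
          config.fudo.users;
      in mapAttrs (_: userOpts: userOpts.email-aliases) aliased-users;

      inherit (cfg) state-directory mail-directory;

      clamav.enable = true;
      dkim.signing = true;

      ssl = {
        certificate = "${mail-ssl-dir}/cert.pem";
        private-key = "${mail-ssl-dir}/key.pem";
      };
    };
  };
}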