public
/
mail-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Share whole SSL directory

This commit is contained in:
niten 2023-09-23 15:20:13 -07:00
parent 5b7eb05635
commit 7362553d02
1 changed files with 71 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
mail-server.nix
View File

@ -1,7 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }@toplevel:
with lib; with lib;
let cfg = config.fudo.mail; let cfg = config.fudo.mail;
in { in {
options.fudo.mail = with types; { options.fudo.mail = with types; {
enable = mkEnableOption "Enable mail server."; enable = mkEnableOption "Enable mail server.";
@ -22,6 +23,48 @@ in {
default = [ ]; default = [ ];
}; };
ldap = {
authentik-host = mkOption {
type = str;
description = "Hostname of the LDAP outpost provider.";
default = "authentik.${toplevel.config.fudo.mail.primary-domain}";
};
outpost-token = mkOption {
type = str;
description = "Token with which to authenticate to the Authentik host.";
};
# bind-dn = mkOption {
# type = str;
# description = "DN as which to bind with the LDAP server.";
# };
# bind-password-file = mkOption {
# type = str;
# description =
# "File containing password with which to bind with the LDAP server.";
# };
base = mkOption {
type = str;
description = "Base of the LDAP server.";
example = "dc=fudo,dc=org";
};
member-ou = mkOption {
type = str;
description = "Organizational unit containing users.";
default = "ou=members";
};
};
images.ldap-proxy = mkOption {
type = str;
description = "Docker image to use for LDAP proxy.";
default = "ghcr.io/goauthentik/ldap";
};
smtp = { smtp = {
hostname = mkOption { hostname = mkOption {
type = str; type = str;
@ -30,15 +73,10 @@ in {
default = "smtp.${config.fudo.mail.primary-domain}"; default = "smtp.${config.fudo.mail.primary-domain}";
}; };
ssl = { ssl-directory = mkOption {
certificate = mkOption {
type = str; type = str;
description = "SSL certificate for the SMTP host."; description =
}; "Directory containing SSL certificates for SMTP hostname.";
private-key = mkOption {
type = str;
description = "SSL private key for the SMTP host.";
};
}; };
}; };
@ -50,15 +88,10 @@ in {
default = "imap.${config.fudo.mail.primary-domain}"; default = "imap.${config.fudo.mail.primary-domain}";
}; };
ssl = { ssl-directory = mkOption {
certificate = mkOption {
type = str; type = str;
description = "SSL certificate for the IMAP host."; description =
}; "Directory containing SSL certificates for IMAP hostname.";
private-key = mkOption {
type = str;
description = "SSL private key for the IMAP host.";
};
}; };
}; };
}; };
@ -76,13 +109,22 @@ in {
}; };
fudo.secrets.host-secrets."${hostname}" = { fudo.secrets.host-secrets."${hostname}" = {
mailLdapProxyEnv = {
source-file = pkgs.writeText "ldap-proxy.env" ''
AUTHENTIK_HOST=${cfg.ldap.authentik-host}
AUTHENTIK_TOKEN=${cfg.ldap.outpost-token}
AUTHENTIK_INSECURE=false
'';
target-file = "/run/ldap-proxy/env";
};
dovecotLdapConfig = { dovecotLdapConfig = {
source-file = pkgs.writeText "dovecot-ldap.conf" source-file = pkgs.writeText "dovecot-ldap.conf"
(concatStringsSep "\n" [ (concatStringsSep "\n" [
"uris = ldap://ldap-proxymine:${ldapPort}" "uris = ldap://ldap-proxy:3389"
"ldap_version = 3" "ldap_version = 3"
"dn = ${cfg.ldap.bind-dn}" # "dn = ${cfg.ldap.bind-dn}"
"dnpass = ${readFile cfg.ldap.bind-password-file}" # "dnpass = ${readFile cfg.ldap.bind-password-file}"
"auth_bind = yes" "auth_bind = yes"
"auth_bind_userdn = uid=%u,${cfg.ldap.member-ou},${cfg.ldap.base}" "auth_bind_userdn = uid=%u,${cfg.ldap.member-ou},${cfg.ldap.base}"
"base = ${cfg.ldap.base}" "base = ${cfg.ldap.base}"
@ -140,6 +182,7 @@ in {
]; ];
volumes = [ volumes = [
"${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro" "${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro"
"${cfg.smtp.ssl-directory}:/run/certs/smtp"
]; ];
ports = [ "25:25" "587:587" "465:465" "2525:2525" ]; ports = [ "25:25" "587:587" "465:465" "2525:2525" ];
nixos = { nixos = {
@ -168,8 +211,9 @@ in {
alias-users = cfg.alias-users; alias-users = cfg.alias-users;
}; };
ssl = { ssl = {
certificate = cfg.smtp.ssl.certificate; certificate =
private-key = cfg.smtp.ssl.private-key; "/run/certs/smtp/fullchain.pem"; # FIXME: or just cert?
private-key = "/run/certs/smtp/key.pem";
}; };
sasl-domain = cfg.sasl-domain; sasl-domain = cfg.sasl-domain;
message-size-limit = cfg.message-size-limit; message-size-limit = cfg.message-size-limit;
@ -199,6 +243,7 @@ in {
volumes = [ volumes = [
"${cfg.state-directory}/dovecot:/state" "${cfg.state-directory}/dovecot:/state"
"${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro" "${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro"
"${cfg.imap.ssl-directory}:/run/certs/imap"
]; ];
nixos = { nixos = {
useSystemd = true; useSystemd = true;
@ -220,8 +265,8 @@ in {
mail-user = cfg.mail-user; mail-user = cfg.mail-user;
mail-group = cfg.mail-group; mail-group = cfg.mail-group;
ssl = { ssl = {
certificate = cfg.imap.ssl.certificate; certificate = "/run/certs/imap/fullchain.pem";
private-key = cfg.imap.ssl.private-key; private-key = "/run/certs/imap/key.pem";
}; };
rspamd = { rspamd = {
host = "antispam"; host = "antispam";