puter/hosts/abacus/mailserver.nix

{
  config,
  pkgs,
  ...
}: let
  inherit (config.networking) domain fqdn;

  wellKnownMtaSts = pkgs.writeText "" ''
    version: STSv1
    mode: enforce
    mx: ${fqdn}
    max_age: 86400
  '';
in {
  age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age;

  environment.persistence."/persist".directories = [
    config.mailserver.dkimKeyDirectory
    config.mailserver.mailDirectory
    config.mailserver.sieveDirectory
  ];

  mailserver = {
    enable = true;
    openFirewall = true;
    inherit fqdn;
    domains = [domain];

    loginAccounts = {
      "lukas@${domain}" = {
        hashedPasswordFile = config.age.secrets.mail-lukas.path;
        aliases = ["postmaster@${domain}" "vault@${domain}"];
      };
    };

    certificateScheme = "acme-nginx";
  };

  # FIXME: This is unnecessary when https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275 is closed
  services.dovecot2.sieve.extensions = ["fileinto"];

  services.nginx.virtualHosts."mta-sts.${domain}" = {
    enableACME = true;
    forceSSL = true;
    quic = true;

    locations = {
      "/".return = "404";

      "=/.well-known/mta-sts.txt" = {
        alias = wellKnownMtaSts;

        extraConfig = ''
          default_type text/plain;
        '';
      };
    };
  };
}
improvements 2024-02-14 22:06:49 +00:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}: let`
			`inherit (config.networking) domain fqdn;`

			`wellKnownMtaSts = pkgs.writeText "" ''`
			`version: STSv1`
			`mode: enforce`
			`mx: ${fqdn}`
			`max_age: 86400`
			`'';`
init 2024-02-04 20:51:11 +00:00			`in {`
			`age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age;`

			`environment.persistence."/persist".directories = [`
			`config.mailserver.dkimKeyDirectory`
			`config.mailserver.mailDirectory`
			`config.mailserver.sieveDirectory`
			`];`

			`mailserver = {`
			`enable = true;`
			`openFirewall = true;`
			`inherit fqdn;`
			`domains = [domain];`

			`loginAccounts = {`
			`"lukas@${domain}" = {`
			`hashedPasswordFile = config.age.secrets.mail-lukas.path;`
improvements 2024-02-14 22:06:49 +00:00			`aliases = ["postmaster@${domain}" "vault@${domain}"];`
init 2024-02-04 20:51:11 +00:00			`};`
			`};`

			`certificateScheme = "acme-nginx";`
			`};`

			`# FIXME: This is unnecessary when https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275 is closed`
			`services.dovecot2.sieve.extensions = ["fileinto"];`

			`services.nginx.virtualHosts."mta-sts.${domain}" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`quic = true;`
improvements 2024-02-14 22:06:49 +00:00
			`locations = {`
			`"/".return = "404";`

			`"=/.well-known/mta-sts.txt" = {`
			`alias = wellKnownMtaSts;`

			`extraConfig = ''`
			`default_type text/plain;`
			`'';`
			`};`
			`};`
init 2024-02-04 20:51:11 +00:00			`};`
			`}`