haccfiles/parsons/mail.nix

{ config, options, pkgs, lib, sources, ... }:

{
  imports = [ sources.nixos-mailserver.outPath ];

  # reduce log spam
  systemd.services.rspamd.serviceConfig.LogLevelMax =
    3; # this is set to error because rspamd regularly complains about not enough learns
  systemd.services.dovecot2.serviceConfig.LogLevelMax = 5; # = notice

  # stop postfix from dying if rspamd hiccups
  systemd.services.postfix.unitConfig = {
    Requires = lib.mkForce "dovecot2.service opendkim.service";
  };

  mailserver = {
    mailDirectory = "/persist/mail";
    enable = true;
    fqdn = "mail.hacc.space";
    monitoring = {
      enable = true;
      alertAddress = "admin@hacc.space";
      config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default) + ''
        check host onlyoffice with address onlyoffice.infra4future.de
              start program "/run/current-system/sw/bin/lxc-start onlyoffice"
              stop program "/run/current-system/sw/bin/lxc-stop onlyoffice"
              if failed port 443 protocol https status = 302
              then restart
      '';
    };
    domains = [
      "hacc.space"
      "muc.hacc.space"
      "hacc.earth"
      "4future.dev"
      "4futu.re"
      "infra4future.de"
    ];

    loginAccounts = {
      "hexchen@hacc.space".hashedPassword =
        "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";

      "octycs@hacc.space".hashedPassword =
        "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
      "octycs@hacc.space".aliases = [ "markus@hacc.space" ];

      "raphael@hacc.space".hashedPassword =
        "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";

      "moira@hacc.space".hashedPassword =
        "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";

      "zauberberg@hacc.space".hashedPassword =
        "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
      "zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ];

      "stuebinm@hacc.space".hashedPassword =
        "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";

      "lenny@hacc.space".hashedPassword =
        "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
      "lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];

      "peter@hacc.space".hashedPassword =
        "$6$yvpfTC.7DDpqpsYy$7TrfmLvz/fRl.k5mSHhI67CNquJa3yEFbLuTJvpyJ8Dj7SaD2eoOHWqef.CNo.T08kYzaqMcM73whAxjXVEmc.";
      "peter@hacc.space".aliases = [ "linmob@hacc.space" ];

      "finance@muc.hacc.space".hashedPassword =
        "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";

      "noreply@hacc.space" = {
        hashedPassword =
          "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
      };

      "noreply@infra4future.de" = {
        hashedPassword =
          "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
      };

      "mattermost@hacc.space" = {
        hashedPassword =
          "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
      };
    };

    extraVirtualAliases = {
      # address = forward address;

      # -- International --
      # info/contact: main entrypoint, anyone can read or reply to this.
      "info@hacc.space" = [
        "hexchen@hacc.space"
        "octycs@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
        "lenny@hacc.space"
        "peter@hacc.space"
      ];

      # admin: current people with access to the mail server and knowledge on how to use it™
      "admin@hacc.space" = [
        "hexchen@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
      ];

      # voc: hacc video operation center, various streaming-related things
      "voc@hacc.space" = [
        "hexchen@hacc.space"
        "moira@hacc.space"
        "octycs@hacc.space"
        "stuebinm@hacc.space"
        "zauberberg@hacc.space"
        "lenny@hacc.space"
        "raphael@hacc.space"
      ];

      # -- Regional: Germany --
      # board of hacc e.V.
      "vorstand@hacc.space" =
        [ "raphael@hacc.space" "moira@hacc.space" "peter@hacc.space" ];

      # members of hacc e.V.
      "mitglieder@hacc.space" = [
        "hexchen@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "lenny@hacc.space"
        "octycs@hacc.space"
        "stuebinm@hacc.space"
        "peter@hacc.space"
      ];

      # -- Regional: Munich --
      "muc@hacc.space" = [
        "hexchen@hacc.space"
        "octycs@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
        "lenny@hacc.space"
        "peter@hacc.space"
      ];
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";

    # Only allow implict TLS
    enableImap = false;
    enablePop3 = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

  };

  services.postfix.submissionOptions.smtpd_sender_restrictions =
    lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
  services.postfix.submissionsOptions.smtpd_sender_restrictions =
    lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";

  services.postfix.virtual = ''
    postmaster@hacc.space admin@hacc.space
    abuse@hacc.space admin@hacc.space
    contact@hacc.space info@hacc.space
    hello@hacc.space info@hacc.space
    haccvoc@hacc.space voc@hacc.space
    @4future.dev @hacc.space
    @4futu.re @hacc.space
    @hacc.earth @hacc.space
    @infra4future.de @hacc.space
  '';

  services.alps = {
    enable = true;
    theme = "alps";
    smtps = {
      port = 465;
      host = "mail.hacc.space";
    };
    imaps = {
      port = 993;
      host = "mail.hacc.space";
    };
    bindIP = "[::1]";
  };

  systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
  systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];

  services.nginx.virtualHosts."mail.hacc.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://[::1]:1323";
  };

  hacc.bindToPersist = [
    "/var/lib/rspamd"
    "/var/lib/opendkim"
    "/var/lib/postfix"
    "/var/lib/dovecot"
    "/var/sieve"
    "/var/lib/redis-rspamd"
    "/var/dkim"
  ];
}