stuebinm
319e5894e0
alps frequently fails to start (e.g. during a system activation script), since either its configured imap or smtp server is not reachable yet (i.e. its process has not yet opened the corresponding port). This should hopefully fix that behaviour: - also set BindsTo, telling systemd to only start alps once the required units have entered the "active" state (not just after it has started them) - also require postfix to be present, since that provides smtp
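{ config, options, pkgs, lib, sources, ... }:

let
  # The same sender policy is applied to both postfix submission listeners
  # below; bind it once so the two settings cannot drift apart.
  submissionSenderRestrictions =
    "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
in
{
  imports = [ sources.nixos-mailserver.outPath ];

  # reduce log spam
  systemd.services.rspamd.serviceConfig.LogLevelMax =
    3; # this is set to error because rspamd regularly complains about not enough learns
  systemd.services.dovecot2.serviceConfig.LogLevelMax = 5; # = notice

  # stop postfix from dying if rspamd hiccups
  # NOTE(review): mkForce replaces the entire Requires= list, not only the
  # rspamd entry, so anything else the mailserver module would add here is
  # dropped as well.
  systemd.services.postfix.unitConfig = {
    Requires = lib.mkForce "dovecot2.service opendkim.service";
  };

  mailserver = {
    mailDirectory = "/persist/mail";
    enable = true;
    fqdn = "mail.hacc.space";

    monitoring = {
      enable = true;
      alertAddress = "admin@hacc.space";
      # Start from the module's default monit config, rewrite its ssh check to
      # the first configured openssh port instead of 22, and append our own
      # checks.
      config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default) + ''
        check host onlyoffice with address onlyoffice.infra4future.de
        if failed
        port 443
        protocol https
        status = 302
        then alert
      '';
    };

    domains = [
      "hacc.space"
      "muc.hacc.space"
      "hacc.earth"
      "4future.dev"
      "4futu.re"
      "infra4future.de"
    ];

    # NOTE(review): these are SHA-512-crypt password hashes committed to a
    # public repository; such hashes can be attacked offline. When accounts are
    # next rotated it is worth moving them out of git (the mailserver module
    # also accepts a hashedPasswordFile per account — confirm against the
    # pinned module version).
    loginAccounts = {
      "hexchen@hacc.space".hashedPassword =
        "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";

      "octycs@hacc.space" = {
        hashedPassword =
          "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
        aliases = [ "markus@hacc.space" ];
      };

      "raphael@hacc.space".hashedPassword =
        "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";

      "moira@hacc.space".hashedPassword =
        "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";

      "zauberberg@hacc.space" = {
        hashedPassword =
          "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
        aliases = [ "lukas@hacc.space" ];
      };

      "stuebinm@hacc.space".hashedPassword =
        "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";

      "lenny@hacc.space" = {
        hashedPassword =
          "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
        aliases = [ "rinderhacc@hacc.space" ];
      };

      "peter@hacc.space" = {
        hashedPassword =
          "$6$yvpfTC.7DDpqpsYy$7TrfmLvz/fRl.k5mSHhI67CNquJa3yEFbLuTJvpyJ8Dj7SaD2eoOHWqef.CNo.T08kYzaqMcM73whAxjXVEmc.";
        aliases = [ "linmob@hacc.space" ];
      };

      "finance@muc.hacc.space".hashedPassword =
        "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";

      "noreply@hacc.space" = {
        hashedPassword =
          "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
      };

      "noreply@infra4future.de" = {
        hashedPassword =
          "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
      };

      # NOTE(review): hash (salt included) is byte-identical to the one for
      # noreply@infra4future.de above, i.e. the two accounts share one
      # password. Compromise of either credential exposes both; give this
      # account its own password at the next rotation.
      "mattermost@hacc.space" = {
        hashedPassword =
          "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
      };
    };

    extraVirtualAliases = {
      # address = forward address;

      # -- International --
      # info/contact: main entrypoint, anyone can read or reply to this.
      "info@hacc.space" = [
        "hexchen@hacc.space"
        "octycs@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
        "lenny@hacc.space"
        "peter@hacc.space"
      ];

      # admin: current people with access to the mail server and knowledge on how to use it™
      "admin@hacc.space" = [
        "hexchen@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
      ];

      # voc: hacc video operation center, various streaming-related things
      "voc@hacc.space" = [
        "hexchen@hacc.space"
        "moira@hacc.space"
        "octycs@hacc.space"
        "stuebinm@hacc.space"
        "zauberberg@hacc.space"
        "lenny@hacc.space"
        "raphael@hacc.space"
      ];

      # -- Regional: Germany --
      # board of hacc e.V.
      "vorstand@hacc.space" =
        [ "raphael@hacc.space" "moira@hacc.space" "peter@hacc.space" ];

      # members of hacc e.V.
      "mitglieder@hacc.space" = [
        "hexchen@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "lenny@hacc.space"
        "octycs@hacc.space"
        "stuebinm@hacc.space"
        "peter@hacc.space"
      ];

      # -- Regional: Munich --
      "muc@hacc.space" = [
        "hexchen@hacc.space"
        "octycs@hacc.space"
        "raphael@hacc.space"
        "moira@hacc.space"
        "zauberberg@hacc.space"
        "stuebinm@hacc.space"
        "lenny@hacc.space"
        "peter@hacc.space"
      ];
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";

    # Only allow implicit TLS (no STARTTLS-only IMAP/POP3 listeners)
    enableImap = false;
    enablePop3 = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;
  };

  # NOTE(review): mkForce throws away whatever smtpd_sender_restrictions the
  # mailserver module sets on these listeners. As far as I recall its default
  # is reject_sender_login_mismatch, which ties the envelope sender to the
  # authenticated login; without it any authenticated account can submit mail
  # with any sender address on our domains. Confirm this is intended, or
  # prepend reject_sender_login_mismatch to the policy.
  services.postfix.submissionOptions.smtpd_sender_restrictions =
    lib.mkForce submissionSenderRestrictions;
  services.postfix.submissionsOptions.smtpd_sender_restrictions =
    lib.mkForce submissionSenderRestrictions;

  # Static postfix virtual table: role addresses, plus catch-all rewrites of the
  # secondary domains onto hacc.space.
  services.postfix.virtual = ''
    postmaster@hacc.space admin@hacc.space
    abuse@hacc.space admin@hacc.space
    contact@hacc.space info@hacc.space
    hello@hacc.space info@hacc.space
    haccvoc@hacc.space voc@hacc.space
    @4future.dev @hacc.space
    @4futu.re @hacc.space
    @hacc.earth @hacc.space
    @infra4future.de @hacc.space
  '';

  # alps webmail, reached through the nginx vhost below. It talks to our own
  # postfix/dovecot over the public hostname, so TLS certificates are validated
  # the same way as for any external client.
  services.alps = {
    enable = true;
    theme = "alps";
    smtps = {
      port = 465;
      host = "mail.hacc.space";
    };
    imaps = {
      port = 993;
      host = "mail.hacc.space";
    };
    bindIP = "[::1]";
  };

  # After= delays alps' start until dovecot and postfix are active; BindsTo=
  # additionally stops alps whenever either of them goes away. Both are needed:
  # BindsTo= on its own does not impose ordering.
  systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
  systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];

  services.nginx.virtualHosts."mail.hacc.space" = {
    enableACME = true;
    forceSSL = true;
    # presumably alps' listen port (it is not set explicitly above) — verify
    # against the alps module default.
    locations."/".proxyPass = "http://[::1]:1323";
  };

  hacc.bindToPersist = [
    "/var/lib/rspamd"
    "/var/lib/opendkim"
    "/var/lib/postfix"
    "/var/lib/dovecot"
    "/var/sieve"
    "/var/lib/redis-rspamd"
    "/var/dkim"
  ];
}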