diff options
| author | sinanmohd <sinan@sinanmohd.com> | 2024-02-18 10:58:23 +0530 |
|---|---|---|
| committer | sinanmohd <sinan@sinanmohd.com> | 2024-02-25 15:54:58 +0530 |
| commit | c2078d3e8be3bec0248c3f272ec6bebf46093196 (patch) | |
| tree | 2e6c758c0e74d4a81aeab3cc5a3c1badea408897 /hosts/kay/modules/mail.nix | |
| parent | 58e6156436e348d48d335deadb46ecec46432621 (diff) | |
kay/mail: init
Diffstat (limited to 'hosts/kay/modules/mail.nix')
| -rw-r--r-- | hosts/kay/modules/mail.nix | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/hosts/kay/modules/mail.nix b/hosts/kay/modules/mail.nix new file mode 100644 index 0000000..b255650 --- /dev/null +++ b/hosts/kay/modules/mail.nix @@ -0,0 +1,103 @@ +{ config, ... }: let + ipv6 = "2001:470:ee65::1337"; + domain = config.userdata.domain; + + username = config.userdata.user; + secret = "$argon2i$v=19$m=4096,t=3,p=1$SWV5aWU3YWUgZWFTNm9oc28gTGFvdDdlRG8ga2FTaWVjaDYgYWV0aDFHb28$O/sDv7oy9wUxFjvKoxB5o8ZnPvjYJo9DjX0C/AZQFF0"; + email = [ + "${username}@${domain}" + "sinanmohd@${domain}" + "me@${domain}" + + "postmaster@${domain}" + "hostmaster@${domain}" + "admin@${domain}" + ]; + + credentials_directory = "/run/credentials/stalwart-mail.service"; +in { + networking.firewall.allowedTCPPorts = [ + 25 # smto + 465 # submission + 587 # submissions + 993 # imap ssl + 4190 # managesieve + ]; + + sops.secrets = { + "mail.${domain}/dkim_rsa" = {}; + "mail.${domain}/dkim_ed25519" = {}; + }; + + services.stalwart-mail = { + enable = true; + loadCredential = [ + "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}" + "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}" + + "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem" + "key:${config.security.acme.certs.${domain}.directory}/key.pem" + ]; + + settings = { + macros = { + host = "mail.${domain}"; + default_domain = domain; + default_directory = "in-memory"; + default_store = "sqlite"; + }; + + queue.outbound = { + ip-strategy = "ipv6_then_ipv4"; + source-ip.v6 = "['${ipv6}']"; + tls.starttls = "optional"; + }; + server.listener = { + smtp.bind = [ "[${ipv6}]:25" "0.0.0.0:25" ]; + jmap.bind = [ "[::]:8034" ]; + }; + + signature = { + rsa = { + private-key = "file://${credentials_directory}/dkim_rsa"; + selector = "rsa"; + set-body-length = true; + }; + ed25519 = { + public-key = "EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU="; + private-key = "file://${credentials_directory}/dkim_ed25519"; + domain = "%{DEFAULT_DOMAIN}%"; + selector = "ed25519"; + headers = [ "From" "To" "Date" "Subject" "Message-ID" ]; + algorithm = "ed25519-sha256"; + canonicalization = "relaxed/relaxed"; + set-body-length = true; + report = true; + }; + }; + + certificate."default" = { + cert = "file://${credentials_directory}/cert"; + private-key = "file://${credentials_directory}/key"; + }; + + storage.blob = "fs"; + store = { + fs.disable = false; + sqlite.disable = false; + }; + + directory."in-memory" = { + type = "memory"; + options.subaddressing = true; + + principals = [{ + inherit email; + inherit secret; + name = username; + type = "admin"; + }]; + }; + }; + }; +} |