chore(os/kay): refactor

1 files changed, 173 insertions, 0 deletions

diff --git a/os/kay/modules/services/mail.nix b/os/kay/modules/services/mail.nix
new file mode 100644
index 0000000..685461f
--- /dev/null
+++ b/os/kay/modules/services/mail.nix
@@ -0,0 +1,173 @@
+{ config, pkgs, ... }:
+let
+  ipv6 = "2001:470:ee65::1337";
+  domain = config.global.userdata.domain;
+  username = config.global.userdata.name;
+  email = [
+    "${username}@${domain}"
+
+    # used by github automation
+    # https://github.com/nocodb/nocodb/blob/32826d4b24e9285b898bb3547fdf550f81c930bb/nix/bumper/bumper.sh#L5
+    "auto@${domain}"
+    # used by mail.sinanmohd.com
+    "postmaster@${domain}"
+    # used by ns1.sinanmohd.com
+    "hostmaster@${domain}"
+  ];
+
+  credentials_directory = "/run/credentials/stalwart-mail.service";
+in
+{
+  security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service";
+  sops.secrets = {
+    "mail.${domain}/dkim_rsa" = { };
+    "mail.${domain}/dkim_ed25519" = { };
+    "mail.${domain}/password" = { };
+  };
+
+  systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
+    "password:${config.sops.secrets."mail.${domain}/password".path}"
+
+    "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
+    "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
+
+    "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem"
+    "key:${config.security.acme.certs.${domain}.directory}/key.pem"
+  ];
+
+  services.postgresql = {
+    ensureDatabases = [ "stalwart" ];
+    ensureUsers = [
+      {
+        name = "stalwart";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.stalwart-mail = {
+    enable = true;
+    openFirewall = true;
+
+    settings = {
+      queue.outbound = {
+        ip-strategy = "ipv6_then_ipv4";
+        source-ip.v6 = "['${ipv6}']";
+        tls.starttls = "optional";
+      };
+      http.url = "'https://stalwart.${domain}'";
+
+      server = {
+        hostname = "mail.${domain}";
+        listener = {
+          smtp = {
+            bind = [
+              "[${ipv6}]:25"
+              "0.0.0.0:25"
+            ];
+            protocol = "smtp";
+          };
+          submission = {
+            bind = "[::]:587";
+            protocol = "smtp";
+          };
+          submissions = {
+            bind = "[::]:465";
+            protocol = "smtp";
+            tls.implicit = true;
+          };
+          imaptls = {
+            bind = "[::]:993";
+            protocol = "imap";
+            tls.implicit = true;
+          };
+          http = {
+            bind = "[::]:8085";
+            protocol = "http";
+          };
+        };
+      };
+
+      signature = {
+        rsa = {
+          private-key = "%{file:${credentials_directory}/dkim_rsa}%";
+          inherit domain;
+          selector = "rsa";
+          headers = [
+            "From"
+            "To"
+            "Date"
+            "Subject"
+            "Message-ID"
+          ];
+          algorithm = "rsa-sha-256";
+          canonicalization = "simple/simple";
+
+          set-body-length = true;
+          expire = "2d";
+          report = true;
+        };
+        ed25519 = {
+          private-key = "%{file:${credentials_directory}/dkim_ed25519}%";
+          inherit domain;
+          selector = "ed25519";
+          headers = [
+            "From"
+            "To"
+            "Date"
+            "Subject"
+            "Message-ID"
+          ];
+          algorithm = "ed25519-sha256";
+          canonicalization = "simple/simple";
+
+          set-body-length = true;
+          expire = "2d";
+          report = true;
+        };
+      };
+
+      certificate."default" = {
+        cert = "%{file:${credentials_directory}/cert}%";
+        private-key = "%{file:${credentials_directory}/key}%";
+      };
+
+      storage = {
+        data = "postgresql";
+        fts = "postgresql";
+        blob = "postgresql";
+        lookup = "postgresql";
+        directory = "memory";
+      };
+      store.postgresql = {
+        type = "postgresql";
+        host = "localhost";
+        database = "stalwart";
+        user = "stalwart";
+        timeout = "15s";
+        tls.enable = false;
+        pool.max-connections = 10;
+      };
+
+      directory."memory" = {
+        type = "memory";
+
+        principals = [
+          {
+            class = "admin";
+            name = "${username}@${domain}";
+            secret = "%{file:${credentials_directory}/password}%";
+            inherit email;
+          }
+          {
+            # for mta-sts & dmarc reports
+            class = "individual";
+            name = "reports@${domain}";
+            secret = "%{file:${credentials_directory}/password}%";
+            email = [ "reports@${domain}" ];
+          }
+        ];
+      };
+    };
+  };
+}