6afb255d97
these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
465 lines
13 KiB
Nix
465 lines
13 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
name = "maddy";
|
|
|
|
cfg = config.services.maddy;
|
|
|
|
defaultConfig = ''
|
|
# Minimal configuration with TLS disabled, adapted from upstream example
|
|
# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
|
|
# Do not use this in production!
|
|
|
|
auth.pass_table local_authdb {
|
|
table sql_table {
|
|
driver sqlite3
|
|
dsn credentials.db
|
|
table_name passwords
|
|
}
|
|
}
|
|
|
|
storage.imapsql local_mailboxes {
|
|
driver sqlite3
|
|
dsn imapsql.db
|
|
}
|
|
|
|
table.chain local_rewrites {
|
|
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
|
|
optional_step static {
|
|
entry postmaster postmaster@$(primary_domain)
|
|
}
|
|
optional_step file /etc/maddy/aliases
|
|
}
|
|
|
|
msgpipeline local_routing {
|
|
destination postmaster $(local_domains) {
|
|
modify {
|
|
replace_rcpt &local_rewrites
|
|
}
|
|
deliver_to &local_mailboxes
|
|
}
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
|
|
smtp tcp://0.0.0.0:25 {
|
|
limits {
|
|
all rate 20 1s
|
|
all concurrency 10
|
|
}
|
|
dmarc yes
|
|
check {
|
|
require_mx_record
|
|
dkim
|
|
spf
|
|
}
|
|
source $(local_domains) {
|
|
reject 501 5.1.8 "Use Submission for outgoing SMTP"
|
|
}
|
|
default_source {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
}
|
|
|
|
submission tcp://0.0.0.0:587 {
|
|
limits {
|
|
all rate 50 1s
|
|
}
|
|
auth &local_authdb
|
|
source $(local_domains) {
|
|
check {
|
|
authorize_sender {
|
|
prepare_email &local_rewrites
|
|
user_to_email identity
|
|
}
|
|
}
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
modify {
|
|
dkim $(primary_domain) $(local_domains) default
|
|
}
|
|
deliver_to &remote_queue
|
|
}
|
|
}
|
|
default_source {
|
|
reject 501 5.1.8 "Non-local sender domain"
|
|
}
|
|
}
|
|
|
|
target.remote outbound_delivery {
|
|
limits {
|
|
destination rate 20 1s
|
|
destination concurrency 10
|
|
}
|
|
mx_auth {
|
|
dane
|
|
mtasts {
|
|
cache fs
|
|
fs_dir mtasts_cache/
|
|
}
|
|
local_policy {
|
|
min_tls_level encrypted
|
|
min_mx_level none
|
|
}
|
|
}
|
|
}
|
|
|
|
target.queue remote_queue {
|
|
target &outbound_delivery
|
|
autogenerated_msg_domain $(primary_domain)
|
|
bounce {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
|
|
}
|
|
}
|
|
}
|
|
|
|
imap tcp://0.0.0.0:143 {
|
|
auth &local_authdb
|
|
storage &local_mailboxes
|
|
}
|
|
'';
|
|
|
|
in {
|
|
options = {
|
|
services.maddy = {
|
|
|
|
enable = mkEnableOption "Maddy, a free an open source mail server";
|
|
|
|
user = mkOption {
|
|
default = "maddy";
|
|
type = with types; uniq str;
|
|
description = ''
|
|
User account under which maddy runs.
|
|
|
|
::: {.note}
|
|
If left as the default value this user will automatically be created
|
|
on system activation, otherwise the sysadmin is responsible for
|
|
ensuring the user exists before the maddy service starts.
|
|
:::
|
|
'';
|
|
};
|
|
|
|
group = mkOption {
|
|
default = "maddy";
|
|
type = with types; uniq str;
|
|
description = ''
|
|
Group account under which maddy runs.
|
|
|
|
::: {.note}
|
|
If left as the default value this group will automatically be created
|
|
on system activation, otherwise the sysadmin is responsible for
|
|
ensuring the group exists before the maddy service starts.
|
|
:::
|
|
'';
|
|
};
|
|
|
|
hostname = mkOption {
|
|
default = "localhost";
|
|
type = with types; uniq str;
|
|
example = ''example.com'';
|
|
description = ''
|
|
Hostname to use. It should be FQDN.
|
|
'';
|
|
};
|
|
|
|
primaryDomain = mkOption {
|
|
default = "localhost";
|
|
type = with types; uniq str;
|
|
example = ''mail.example.com'';
|
|
description = ''
|
|
Primary MX domain to use. It should be FQDN.
|
|
'';
|
|
};
|
|
|
|
localDomains = mkOption {
|
|
type = with types; listOf str;
|
|
default = ["$(primary_domain)"];
|
|
example = [
|
|
"$(primary_domain)"
|
|
"example.com"
|
|
"other.example.com"
|
|
];
|
|
description = ''
|
|
Define list of allowed domains.
|
|
'';
|
|
};
|
|
|
|
config = mkOption {
|
|
type = with types; nullOr lines;
|
|
default = defaultConfig;
|
|
description = ''
|
|
Server configuration, see
|
|
[https://maddy.email](https://maddy.email) for
|
|
more information. The default configuration of this module will setup
|
|
minimal Maddy instance for mail transfer without TLS encryption.
|
|
|
|
::: {.note}
|
|
This should not be used in a production environment.
|
|
:::
|
|
'';
|
|
};
|
|
|
|
tls = {
|
|
loader = mkOption {
|
|
type = with types; nullOr (enum [ "off" "file" "acme" ]);
|
|
default = "off";
|
|
description = ''
|
|
TLS certificates are obtained by modules called "certificate
|
|
loaders".
|
|
|
|
The `file` loader module reads certificates from files specified by
|
|
the `certificates` option.
|
|
|
|
Alternatively the `acme` module can be used to automatically obtain
|
|
certificates using the ACME protocol.
|
|
|
|
Module configuration is done via the `tls.extraConfig` option.
|
|
|
|
Secrets such as API keys or passwords should not be supplied in
|
|
plaintext. Instead the `secrets` option can be used to read secrets
|
|
at runtime as environment variables. Secrets can be referenced with
|
|
`{env:VAR}`.
|
|
'';
|
|
};
|
|
|
|
certificates = mkOption {
|
|
type = with types; listOf (submodule {
|
|
options = {
|
|
keyPath = mkOption {
|
|
type = types.path;
|
|
example = "/etc/ssl/mx1.example.org.key";
|
|
description = ''
|
|
Path to the private key used for TLS.
|
|
'';
|
|
};
|
|
certPath = mkOption {
|
|
type = types.path;
|
|
example = "/etc/ssl/mx1.example.org.crt";
|
|
description = ''
|
|
Path to the certificate used for TLS.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
default = [];
|
|
example = lib.literalExpression ''
|
|
[{
|
|
keyPath = "/etc/ssl/mx1.example.org.key";
|
|
certPath = "/etc/ssl/mx1.example.org.crt";
|
|
}]
|
|
'';
|
|
description = ''
|
|
A list of attribute sets containing paths to TLS certificates and
|
|
keys. Maddy will use SNI if multiple pairs are selected.
|
|
'';
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
type = with types; nullOr lines;
|
|
description = ''
|
|
Arguments for the specified certificate loader.
|
|
|
|
In case the `tls` loader is set, the defaults are considered secure
|
|
and there is no need to change anything in most cases.
|
|
For available options see [upstream manual](https://maddy.email/reference/tls/).
|
|
|
|
For ACME configuration, see [following page](https://maddy.email/reference/tls-acme).
|
|
'';
|
|
default = "";
|
|
};
|
|
};
|
|
|
|
openFirewall = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Open the configured incoming and outgoing mail server ports.
|
|
'';
|
|
};
|
|
|
|
ensureAccounts = mkOption {
|
|
type = with types; listOf str;
|
|
default = [];
|
|
description = ''
|
|
List of IMAP accounts which get automatically created. Note that for
|
|
a complete setup, user credentials for these accounts are required
|
|
and can be created using the `ensureCredentials` option.
|
|
This option does not delete accounts which are not (anymore) listed.
|
|
'';
|
|
example = [
|
|
"user1@localhost"
|
|
"user2@localhost"
|
|
];
|
|
};
|
|
|
|
ensureCredentials = mkOption {
|
|
default = {};
|
|
description = ''
|
|
List of user accounts which get automatically created if they don't
|
|
exist yet. Note that for a complete setup, corresponding mail boxes
|
|
have to get created using the `ensureAccounts` option.
|
|
This option does not delete accounts which are not (anymore) listed.
|
|
'';
|
|
example = {
|
|
"user1@localhost".passwordFile = /secrets/user1-localhost;
|
|
"user2@localhost".passwordFile = /secrets/user2-localhost;
|
|
};
|
|
type = types.attrsOf (types.submodule {
|
|
options = {
|
|
passwordFile = mkOption {
|
|
type = types.path;
|
|
example = "/path/to/file";
|
|
default = null;
|
|
description = ''
|
|
Specifies the path to a file containing the
|
|
clear text password for the user.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
secrets = lib.mkOption {
|
|
type = with types; listOf path;
|
|
description = ''
|
|
A list of files containing the various secrets. Should be in the format
|
|
expected by systemd's `EnvironmentFile` directory. Secrets can be
|
|
referenced in the format `{env:VAR}`.
|
|
'';
|
|
default = [ ];
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
assertions = [
|
|
{
|
|
assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != [];
|
|
message = ''
|
|
If Maddy is configured to use TLS, tls.certificates with attribute sets
|
|
of certPath and keyPath must be provided.
|
|
Read more about obtaining TLS certificates here:
|
|
https://maddy.email/tutorials/setting-up/#tls-certificates
|
|
'';
|
|
}
|
|
{
|
|
assertion = cfg.tls.loader == "acme" -> cfg.tls.extraConfig != "";
|
|
message = ''
|
|
If Maddy is configured to obtain TLS certificates using the ACME
|
|
loader, extra configuration options must be supplied via
|
|
tls.extraConfig option.
|
|
See upstream documentation for more details:
|
|
https://maddy.email/reference/tls-acme
|
|
'';
|
|
}
|
|
];
|
|
|
|
systemd = {
|
|
|
|
packages = [ pkgs.maddy ];
|
|
services = {
|
|
maddy = {
|
|
serviceConfig = {
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
StateDirectory = [ "maddy" ];
|
|
EnvironmentFile = cfg.secrets;
|
|
};
|
|
restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
maddy-ensure-accounts = {
|
|
script = ''
|
|
${optionalString (cfg.ensureAccounts != []) ''
|
|
${concatMapStrings (account: ''
|
|
if ! ${pkgs.maddy}/bin/maddyctl imap-acct list | grep "${account}"; then
|
|
${pkgs.maddy}/bin/maddyctl imap-acct create ${account}
|
|
fi
|
|
'') cfg.ensureAccounts}
|
|
''}
|
|
${optionalString (cfg.ensureCredentials != {}) ''
|
|
${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
|
|
if ! ${pkgs.maddy}/bin/maddyctl creds list | grep "${name}"; then
|
|
${pkgs.maddy}/bin/maddyctl creds create --password $(cat ${escapeShellArg cfg.passwordFile}) ${name}
|
|
fi
|
|
'') cfg.ensureCredentials)}
|
|
''}
|
|
'';
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User= "maddy";
|
|
};
|
|
after = [ "maddy.service" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
environment.etc."maddy/maddy.conf" = {
|
|
text = ''
|
|
$(hostname) = ${cfg.hostname}
|
|
$(primary_domain) = ${cfg.primaryDomain}
|
|
$(local_domains) = ${toString cfg.localDomains}
|
|
hostname ${cfg.hostname}
|
|
|
|
${if (cfg.tls.loader == "file") then ''
|
|
tls file ${concatStringsSep " " (
|
|
map (x: x.certPath + " " + x.keyPath
|
|
) cfg.tls.certificates)} ${optionalString (cfg.tls.extraConfig != "") ''
|
|
{ ${cfg.tls.extraConfig} }
|
|
''}
|
|
'' else if (cfg.tls.loader == "acme") then ''
|
|
tls {
|
|
loader acme {
|
|
${cfg.tls.extraConfig}
|
|
}
|
|
}
|
|
'' else if (cfg.tls.loader == "off") then ''
|
|
tls off
|
|
'' else ""}
|
|
|
|
${cfg.config}
|
|
'';
|
|
};
|
|
|
|
users.users = optionalAttrs (cfg.user == name) {
|
|
${name} = {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
description = "Maddy mail transfer agent user";
|
|
};
|
|
};
|
|
|
|
users.groups = optionalAttrs (cfg.group == name) {
|
|
${cfg.group} = { };
|
|
};
|
|
|
|
networking.firewall = mkIf cfg.openFirewall {
|
|
allowedTCPPorts = [ 25 143 587 ];
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
pkgs.maddy
|
|
];
|
|
};
|
|
}
|