nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f4ae5eae2743faa2bf9b76e0acdd7e235fa74678
dotfiles/system-modules/nx2site/maddy.nix
Lennart J. Kurzweg (Nx2) 6ab89d09b7 email smtp2go&google relay 2
2026-05-04 03:30:43 +02:00

104 lines
3.8 KiB
Nix
Raw Blame History

{ config, pkgs, ... }@all: with all; {
sops.secrets = {
"nx2site/maddy/nxcaldav_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/nextcloud_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/lennart_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/daniel_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/diane_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/georg_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/tessa_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
};
users.users."maddy" = {
extraGroups = [ "acme" "nginx" ];
};
services.maddy = {
enable = true;
primaryDomain = hyper.domain;
user = "maddy";
group = "maddy";
hostname = "mail.${hyper.domain}";
ensureAccounts = [
"nxcaldav@${hyper.domain}"
"nextcloud@${hyper.domain}"
"lennart@${hyper.domain}"
"daniel@${hyper.domain}"
"diane@${hyper.domain}"
"georg@${hyper.domain}"
"tessa@${hyper.domain}"
];
ensureCredentials = {
"nxcaldav@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nxcaldav_password".path;
"nextcloud@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
"lennart@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/lennart_password".path;
"daniel@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/daniel_password".path;
"diane@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/diane_password".path;
"georg@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/georg_password".path;
"tessa@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/tessa_password".path;
};
openFirewall = true;
tls = {
loader = "file";
certificates = [{
keyPath = "/var/lib/acme/nx2.site/key.pem";
certPath = "/var/lib/acme/nx2.site/cert.pem";
}];
};
# Enable TLS listeners. Configuring this via the module is not yet
# implemented, see https://github.com/NixOS/nixpkgs/pull/153372
config = (builtins.replaceStrings [
"imap tcp://0.0.0.0:143"
"submission tcp://0.0.0.0:587"
] [
"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
] options.services.maddy.config.default) + ''
smtp tcp://127.0.0.1:2525 {
tls off
# 1. Allow local delivery (e.g., app sending to admin@nx2.site)
destination postmaster $(local_domains) {
deliver_to &local_routing
}
# 2. Allow remote delivery (e.g., app sending to gmail.com)
default_destination {
modify {
# Ensure outgoing mail is signed even if sent via 2525
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
# nx2s-email-relay backdor
smtp tcp://0.0.0.0:25025 {
# tls off
# 1. Allow incoming mail from the VM for your domains
destination postmaster $(local_domains) {
deliver_to &local_routing
}
# 2. Prevent the world from using you as an open relay
default_destination {
reject 521 5.0.0 "User not local"
}
}
'';
};
}
# --- Receive
# 1. mx to mail.nx2.site
# 2. mail.nx2.site to nx2s-email-relay (google e2-micro)
# 3. nx2s-email-relay uses emaul-relay.service to socat 25 to 25025 home
# 4. home gets 25025 and handles it
# -- Send
# 1. Via Smtp2go (mail-eu.smtp2go.com)
# SPF is coverd by CNAME (return) (somehow)
Reference in New Issue View Git Blame Copy Permalink