Merge pull request #22 from jbboehr/multi-domain

Multi domain support
This commit is contained in:
Robin Raymond 2017-11-11 14:03:52 +01:00 committed by GitHub
commit 4a619c6349
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 71 additions and 55 deletions

9
.editorconfig Normal file
View file

@ -0,0 +1,9 @@
root = true
[*]
charset = utf-8
end_of_line = lf
indent_style = space
indent_size = 2
insert_final_newline = true
trim_trailing_whitespace = true

View file

@ -26,19 +26,17 @@ in
options.mailserver = { options.mailserver = {
enable = mkEnableOption "nixos-mailserver"; enable = mkEnableOption "nixos-mailserver";
domain = mkOption { fqdn = mkOption {
type = types.str; type = types.str;
example = "example.com"; example = "[ example.com ]";
description = "The domain that this mail server serves. So far only one domain is supported"; description = "The fully qualified domain name of the mail server.";
}; };
hostPrefix = mkOption { domains = mkOption {
type = types.str; type = types.listOf types.str;
default = "mail"; example = "[ example.com ]";
description = '' default = [];
The prefix of the FQDN of the server. In this example the FQDN of the server description = "The domains that this mail server serves.";
is given by 'mail.example.com'
'';
}; };
loginAccounts = mkOption { loginAccounts = mkOption {

View file

@ -24,17 +24,17 @@ in
certificatePath = if cfg.certificateScheme == 1 certificatePath = if cfg.certificateScheme == 1
then cfg.certificateFile then cfg.certificateFile
else if cfg.certificateScheme == 2 else if cfg.certificateScheme == 2
then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem" then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
else if cfg.certificateScheme == 3 else if cfg.certificateScheme == 3
then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/fullchain.pem" then "/var/lib/acme/${cfg.fqdn}/fullchain.pem"
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }"; else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
# key :: PATH # key :: PATH
keyPath = if cfg.certificateScheme == 1 keyPath = if cfg.certificateScheme == 1
then cfg.keyFile then cfg.keyFile
else if cfg.certificateScheme == 2 else if cfg.certificateScheme == 2
then "${cfg.certificateDirectory}/key-${cfg.domain}.pem" then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
else if cfg.certificateScheme == 3 else if cfg.certificateScheme == 3
then "/var/lib/acme/${cfg.hostPrefix}.${cfg.domain}/key.pem" then "/var/lib/acme/${cfg.fqdn}/key.pem"
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }"; else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
} }

View file

@ -21,23 +21,28 @@ with (import ./common.nix { inherit config; });
let let
cfg = config.mailserver; cfg = config.mailserver;
acmeRoot = "/var/lib/acme/acme-challenge";
in in
{ {
config = with cfg; lib.mkIf (certificateScheme == 3) { config = lib.mkIf (cfg.certificateScheme == 3) {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts."${cfg.fqdn}" = {
domain = { serverName = cfg.fqdn;
serverName = "${hostPrefix}.${domain}"; forceSSL = true;
forceSSL = true; enableACME = true;
enableACME = true; acmeRoot = acmeRoot;
locations."/" = {
root = "/var/www";
};
acmeRoot = "/var/lib/acme/acme-challenge";
};
}; };
}; };
security.acme.certs."${cfg.fqdn}".postRun = #{
# domain = "${cfg.fqdn}";
# webroot = acmeRoot;
# postRun =
''
systemctl reload nginx
systemctl reload postfix
systemctl reload dovecot2
'';
# };
}; };
} }

View file

@ -19,17 +19,18 @@
with (import ./common.nix { inherit config; }); with (import ./common.nix { inherit config; });
let let
inherit (lib.strings) concatStringsSep;
cfg = config.mailserver; cfg = config.mailserver;
# valiases_postfix :: [ String ] # valiases_postfix :: [ String ]
valiases_postfix = map valiases_postfix = map
(from: (from:
let to = cfg.virtualAliases.${from}; let to = cfg.virtualAliases.${from};
in "${from}@${cfg.domain} ${to}@${cfg.domain}") in "${from} ${to}")
(builtins.attrNames cfg.virtualAliases); (builtins.attrNames cfg.virtualAliases);
# accountToIdentity :: User -> String # accountToIdentity :: User -> String
accountToIdentity = account: "${account.name}@${cfg.domain} ${account.name}@${cfg.domain}"; accountToIdentity = account: "${account.name} ${account.name}";
# vaccounts_identity :: [ String ] # vaccounts_identity :: [ String ]
vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts); vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts);
@ -38,7 +39,7 @@ let
valiases_file = builtins.toFile "valias" (lib.concatStringsSep "\n" valiases_postfix); valiases_file = builtins.toFile "valias" (lib.concatStringsSep "\n" valiases_postfix);
# vhosts_file :: Path # vhosts_file :: Path
vhosts_file = builtins.toFile "vhosts" cfg.domain; vhosts_file = builtins.toFile "vhosts" (concatStringsSep "\n" cfg.domains);
# vaccounts_file :: Path # vaccounts_file :: Path
# see # see
@ -47,7 +48,7 @@ let
# every alias is owned (uniquely) by its user. We have to add the users own # every alias is owned (uniquely) by its user. We have to add the users own
# address though # address though
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix)); vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" '' submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
# Removes sensitive headers from mails handed in via the submission port. # Removes sensitive headers from mails handed in via the submission port.
# See https://thomas-leister.de/mailserver-debian-stretch/ # See https://thomas-leister.de/mailserver-debian-stretch/
@ -67,12 +68,12 @@ in
enable = true; enable = true;
networksStyle = "host"; networksStyle = "host";
mapFiles."valias" = valiases_file; mapFiles."valias" = valiases_file;
mapFiles."vaccounts" = vaccounts_file; mapFiles."vaccounts" = vaccounts_file;
sslCert = certificatePath; sslCert = certificatePath;
sslKey = keyPath; sslKey = keyPath;
enableSubmission = true; enableSubmission = true;
extraConfig = extraConfig =
'' ''
# Extra Config # Extra Config
@ -116,7 +117,7 @@ in
''; '';
submissionOptions = submissionOptions =
{ {
smtpd_tls_security_level = "encrypt"; smtpd_tls_security_level = "encrypt";
smtpd_sasl_auth_enable = "yes"; smtpd_sasl_auth_enable = "yes";
smtpd_sasl_type = "dovecot"; smtpd_sasl_type = "dovecot";

View file

@ -24,14 +24,14 @@ let
cert = if cfg.certificateScheme == 1 cert = if cfg.certificateScheme == 1
then cfg.certificateFile then cfg.certificateFile
else if cfg.certificateScheme == 2 else if cfg.certificateScheme == 2
then "${cfg.certificateDirectory}/cert-${cfg.domain}.pem" then "${cfg.certificateDirectory}/cert-${cfg.fqdn.pem"
else ""; else "";
# key :: PATH # key :: PATH
key = if cfg.certificateScheme == 1 key = if cfg.certificateScheme == 1
then cfg.keyFile then cfg.keyFile
else if cfg.certificateScheme == 2 else if cfg.certificateScheme == 2
then "${cfg.certificateDirectory}/key-${cfg.domain}.pem" then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
else ""; else "";
in in
{ {

View file

@ -23,10 +23,10 @@ let
'' ''
# Create certificates if they do not exist yet # Create certificates if they do not exist yet
dir="${cfg.certificateDirectory}" dir="${cfg.certificateDirectory}"
fqdn="${cfg.hostPrefix}.${cfg.domain}" fqdn="${cfg.fqdn}"
case $fqdn in /*) fqdn=$(cat "$fqdn");; esac case $fqdn in /*) fqdn=$(cat "$fqdn");; esac
key="''${dir}/key-${cfg.domain}.pem"; key="''${dir}/key-${cfg.fqdn}.pem";
cert="''${dir}/cert-${cfg.domain}.pem"; cert="''${dir}/cert-${cfg.fqdn}.pem";
if [ ! -f "''${key}" ] || [ ! -f "''${cert}" ] if [ ! -f "''${key}" ] || [ ! -f "''${cert}" ]
then then
@ -50,7 +50,7 @@ let
then then
${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \ ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
-d ${cfg.domain} \ -d ${cfg.fqdn} \
--directory="${cfg.dkimKeyDirectory}" --directory="${cfg.dkimKeyDirectory}"
chown rmilter:rmilter "${dkim_key}" chown rmilter:rmilter "${dkim_key}"
fi fi
@ -64,7 +64,7 @@ in
# Create certificates and maildir folder # Create certificates and maildir folder
systemd.services.postfix = { systemd.services.postfix = {
after = (if (certificateScheme == 3) then [ "nginx.service" ] else []); after = (if (certificateScheme == 3) then [ "nginx.service" ] else []);
preStart = preStart =
'' ''
# Create mail directory and set permissions. See # Create mail directory and set permissions. See
# <http://wiki2.dovecot.org/SharedMailboxes/Permissions>. # <http://wiki2.dovecot.org/SharedMailboxes/Permissions>.

View file

@ -30,7 +30,7 @@ let
# accountsToUser :: String -> UserRecord # accountsToUser :: String -> UserRecord
accountsToUser = account: { accountsToUser = account: {
name = account.name + "@" + domain; name = account.name;
isNormalUser = false; isNormalUser = false;
group = vmailGroupName; group = vmailGroupName;
inherit (account) hashedPassword; inherit (account) hashedPassword;

View file

@ -10,18 +10,21 @@
mailserver = { mailserver = {
enable = true; enable = true;
domain = "example.com"; fqdn = "mail.example.com";
domains = [ "example.com" "example2.com" ];
hostPrefix = "mail";
loginAccounts = { loginAccounts = {
user1 = { "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
}; };
}; };
virtualAliases = { virtualAliases = {
info = "user1"; "info@example.com" = "user1@example.com";
postmaster = "user1"; "postmaster@example.com" = "user1@example.com";
abuse = "user1"; "abuse@example.com" = "user1@example.com";
"user1@example2.com" = "user1@example.com";
"info@example2.com" = "user1@example.com";
"postmaster@example2.com" = "user1@example.com";
"abuse@example2.com" = "user1@example.com";
}; };
}; };
}; };

View file

@ -25,14 +25,14 @@ import <nixpkgs/nixos/tests/make-test.nix> {
mailserver = { mailserver = {
enable = true; enable = true;
domain = "example.com"; fqdn = "mail.example.com";
domains = [ "example.com" ];
hostPrefix = "mail";
loginAccounts = { loginAccounts = {
user1 = { "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
}; };
user2 = { "user2@example.com" = {
hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0"; hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
}; };
}; };

View file

@ -25,11 +25,11 @@ import <nixpkgs/nixos/tests/make-test.nix> {
mailserver = { mailserver = {
enable = true; enable = true;
domain = "example.com"; fqdn = "mail.example.com";
domains = [ "example.com" ];
hostPrefix = "mail";
loginAccounts = { loginAccounts = {
user1 = { "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
}; };
}; };