Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of github.com:r-raymond/nixos-mailserver

Browse source
This commit is contained in:
Robin Raymond 2018-04-08 15:28:58 +02:00
commit e4c6682eb9
5 changed files with 319 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

78
mail-server/borgbackup.nix Normal file
View file

@ -0,0 +1,78 @@
# nixos-mailserver: a simple mail server
# Copyright (C) 2016-2018 Robin Raymond
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
{ config, pkgs, lib, ... }:
let
cfg = config.mailserver.borgbackup;
methodFragment = lib.optional (cfg.compression.method != null) cfg.compression.method;
autoFragment =
if cfg.compression.auto && cfg.compression.method == null
then throw "compression.method must be set when using auto."
else lib.optional cfg.compression.auto "auto";
levelFragment =
if cfg.compression.level != null && cfg.compression.method == null
then throw "compression.method must be set when using compression.level."
else lib.optional (cfg.compression.level != null) (toString cfg.compression.level);
compressionFragment = lib.concatStringsSep "," (lib.flatten [autoFragment methodFragment levelFragment]);
compression = lib.optionalString (compressionFragment != "") "--compression ${compressionFragment}";
encryptionFragment = cfg.encryption.method;
passphraseFile = lib.escapeShellArg cfg.encryption.passphraseFile;
passphraseFragment = lib.optionalString (cfg.encryption.method != "none")
(if cfg.encryption.passphraseFile != null then ''env BORG_PASSPHRASE="$(cat ${passphraseFile})"''
else throw "passphraseFile must be set when using encryption.");
locations = lib.escapeShellArgs cfg.locations;
name = lib.escapeShellArg cfg.name;
repoLocation = lib.escapeShellArg cfg.repoLocation;
extraInitArgs = lib.escapeShellArgs cfg.extraArgumentsForInit;
extraCreateArgs = lib.escapeShellArgs cfg.extraArgumentsForCreate;
cmdPreexec = lib.optionalString (cfg.cmdPreexec != null) cfg.cmdPreexec;
cmdPostexec = lib.optionalString (cfg.cmdPostexec != null) cfg.cmdPostexec;
borgScript = ''
export BORG_REPO=${repoLocation}
${cmdPreexec}
${passphraseFragment} ${pkgs.borgbackup}/bin/borg init ${extraInitArgs} --encryption ${encryptionFragment} || true
${passphraseFragment} ${pkgs.borgbackup}/bin/borg create ${extraCreateArgs} ${compression} ::${name} ${locations}
${cmdPostexec}
'';
in {
config = lib.mkIf config.mailserver.borgbackup.enable {
environment.systemPackages = with pkgs; [
borgbackup
];
systemd.services.borgbackup = {
description = "borgbackup";
unitConfig.Documentation = "man:borgbackup";
script = borgScript;
serviceConfig = {
User = cfg.user;
Group = cfg.group;
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
ProtectSystem = "full";
};
startAt = cfg.startAt;
};
};
}

8
mail-server/dovecot.nix
View file

@ -67,6 +67,14 @@ in
verbose_ssl = yes
''}
protocol imap {
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
}
protocol pop3 {
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
}
mail_access_groups = ${vmailGroupName}
ssl = required
${lib.optionalString (dovecotVersion.major == 2 && dovecotVersion.minor >= 3) ''

21
mail-server/postfix.nix
View file

@ -41,18 +41,15 @@ let
(map
(from:
let to = cfg.extraVirtualAliases.${from};
in "${from} ${to}")
aliasList = (l: let aliasStr = builtins.foldl' (x: y: x + y + ", ") "" l;
in builtins.substring 0 (builtins.stringLength aliasStr - 2) aliasStr);
in if (builtins.isList to) then "${from} " + (aliasList to)
else "${from} ${to}")
(builtins.attrNames cfg.extraVirtualAliases));
# all_valiases_postfix :: [ String ]
all_valiases_postfix = valiases_postfix ++ extra_valiases_postfix;
# accountToIdentity :: User -> String
accountToIdentity = account: "${account.name} ${account.name}";
# vaccounts_identity :: [ String ]
vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts);
# valiases_file :: Path
valiases_file = builtins.toFile "valias"
(lib.concatStringsSep "\n" (all_valiases_postfix ++
@ -65,10 +62,9 @@ let
# see
# https://blog.grimneko.de/2011/12/24/a-bunch-of-tips-for-improving-your-postfix-setup/
# for details on how this file looks. By using the same file as valiases,
# every alias is owned (uniquely) by its user. We have to add the users own
# address though
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n"
(vaccounts_identity ++ all_valiases_postfix));
# every alias is owned (uniquely) by its user.
# The user's own address is already in all_valiases_postfix.
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" all_valiases_postfix);
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
# Removes sensitive headers from mails handed in via the submission port.
@ -98,7 +94,7 @@ in
extraConfig =
''
# Extra Config
mydestination = localhost
mydestination =
smtpd_banner = ${fqdn} ESMTP NO UCE
disable_vrfy_command = yes
@ -109,6 +105,7 @@ in
virtual_gid_maps = static:5000
virtual_mailbox_base = ${mailDirectory}
virtual_mailbox_domains = ${vhosts_file}
virtual_mailbox_maps = hash:/var/lib/postfix/conf/valias
virtual_alias_maps = hash:/var/lib/postfix/conf/valias
virtual_transport = lmtp:unix:private/dovecot-lmtp