integrate postfix into gitea

modules/web01/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./homepage.nix
     ./gitea.nix
+    ./postfix.nix
   ];
 
   services.cloud-init.xfs.enable = true;

modules/web01/gitea.nix

@@ -19,11 +19,10 @@
     settings.mailer = {
       ENABLED = true;
       FROM = "gitea@clan.lol";
-      USER = "gitea@clan.lol";
-      # TODO
-      HOST = "mail.lan.lol:587";
+      HOST = "localhost:25";
     };
     settings.log.LEVEL = "Error";
+    # TODO: prevent spammers from logging in, before enabling registration
     settings.service.DISABLE_REGISTRATION = true;
     settings.metrics.ENABLED = true;
     settings.server = {

modules/web01/postfix.nix

@@ -0,0 +1,40 @@
+{ config, ... }:
+
+let
+  domain = "clan.lol";
+in
+{
+  services.opendkim.enable = true;
+  services.opendkim.domains = domain;
+  services.opendkim.selector = "v1";
+  services.opendkim.user = config.services.postfix.user;
+  services.opendkim.group = config.services.postfix.group;
+
+  # postfix configuration for sending emails only
+  services.postfix = {
+    enable = true;
+    hostname = "mail.${domain}";
+    inherit domain;
+
+    config = {
+      smtp_tls_note_starttls_offer = "yes";
+
+      smtp_dns_support_level = "dnssec";
+      smtp_tls_security_level = "dane";
+
+      tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+
+      smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
+      mydestination = "localhost.$mydomain, localhost, $myhostname";
+      myorigin = "$mydomain";
+
+      milter_default_action = "accept";
+      milter_protocol = "6";
+      smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+      non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+
+      inet_interfaces = "loopback-only";
+      inet_protocols = "all";
+    };
+  };
+}

terraform/web01/dns.tf

@@ -44,3 +44,62 @@ resource "netlify_dns_record" "git_aaaa" {
   type     = "AAAA"
   value    = hcloud_server.server.ipv6_address
 }
+
+resource "netlify_dns_record" "mail_a" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "mail.${var.domain}"
+  type     = "A"
+  value    = hcloud_server.server.ipv4_address
+}
+
+resource "netlify_dns_record" "mail_aaaa" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "mail.${var.domain}"
+  type     = "AAAA"
+  value    = hcloud_server.server.ipv6_address
+}
+
+# for sending emails
+resource "netlify_dns_record" "spf" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = var.domain
+  type     = "TXT"
+  value    = "v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all"
+}
+
+resource "netlify_dns_record" "dkim" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "v1._domainkey.${var.domain}"
+  type     = "TXT"
+  # take from `systemctl status opendkim`
+  value    = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTFSkQcM0v6mC4kiWEoF/EgK/hPVgOBJlHesLVIe+8BmidylaUowKlyC2gECipXhoVX9++OfMFAKNtGrIJcCTVNH/DRGkhbHLSxzzXijCbJ7G/fjpHRifpxMydEmybQDKdidR44YMR74Aj0OwUEgu+N/yJZ2+ubOlstW0fZJaJwQIDAQAB"
+}
+
+resource "netlify_dns_record" "adsp" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "_adsp._domainkey.${var.domain}"
+  type     = "TXT"
+  value    = "dkim=all;"
+}
+
+resource "netlify_dns_record" "dmarc" {
+  zone_id  = netlify_dns_zone.server.id
+  hostname = "_dmarc.${var.domain}"
+  type     = "TXT"
+  value    = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100"
+}
+
+resource "hcloud_rdns" "master_a" {
+  server_id  = hcloud_server.server.id
+  ip_address = hcloud_server.server.ipv4_address
+  dns_ptr    = "mail.${var.domain}"
+}
+
+resource "hcloud_rdns" "master_aaaa" {
+  server_id  = hcloud_server.server.id
+  ip_address = hcloud_server.server.ipv6_address
+  dns_ptr    = "mail.${var.domain}"
+}
+
+#v1._domainkey        IN        TXT        ( "" )  ;
+