forked from clan/clan-infra
55 lines
1.6 KiB
Nix
55 lines
1.6 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
mailPassword =
|
|
{ service }:
|
|
{
|
|
secret."${service}-password" = { };
|
|
secret."${service}-password-hash" = { };
|
|
generator.path = with pkgs; [
|
|
coreutils
|
|
xkcdpass
|
|
mkpasswd
|
|
];
|
|
generator.script = ''
|
|
xkcdpass -n 4 -d - > $secrets/${service}-password
|
|
cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
|
|
'';
|
|
};
|
|
in
|
|
{
|
|
mailserver = {
|
|
enable = true;
|
|
fqdn = "mail.clan.lol";
|
|
domains = [ "clan.lol" ];
|
|
enablePop3 = true;
|
|
certificateScheme = "acme-nginx";
|
|
# kresd sucks unfortunally (fails when one NS server is not working, instead of trying other ones)
|
|
localDnsResolver = false;
|
|
|
|
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
|
config.clan.core.facts.services.golem-mail.secret.golem-password-hash.path;
|
|
loginAccounts."gitea@clan.lol".hashedPasswordFile =
|
|
config.clan.core.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
|
};
|
|
|
|
services.unbound = {
|
|
enable = true;
|
|
settings.server = {
|
|
prefetch = "yes";
|
|
prefetch-key = true;
|
|
qname-minimisation = true;
|
|
# Too many broken dnssec setups even at big companies such as amazon.
|
|
# Breaks my email setup. Better rely on tls for security.
|
|
val-permissive-mode = "yes";
|
|
};
|
|
};
|
|
|
|
# use local unbound as dns resolver
|
|
networking.nameservers = [ "127.0.0.1" ];
|
|
|
|
security.acme.acceptTerms = true;
|
|
|
|
clan.core.facts.services.golem-mail = mailPassword { service = "golem"; };
|
|
clan.core.facts.services.gitea-mail = mailPassword { service = "gitea"; };
|
|
}
|