initial commit

2026-04-01 08:50:01 +03:00 · 2026-04-01 08:50:01 +03:00 · 30ce0dafc2
commit 30ce0dafc2
195 changed files with 8902 additions and 0 deletions
--- a/services/mail/default.nix
+++ b/services/mail/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./options.nix
+    ./rspamd.nix
+    ./secrets.nix
+    ./service.nix
+    ./tmpfiles.nix
+  ];
+}
--- a/services/mail/options.nix
+++ b/services/mail/options.nix
@ -0,0 +1,23 @@
+{ lib, ... }:
+let
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    types
+    ;
+in
+{
+  options.machine.mail = {
+    enable = mkEnableOption "Mail";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name";
+    };
+    fqdn = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "fqdn";
+    };
+  };
+}
--- a/services/mail/rspamd.nix
+++ b/services/mail/rspamd.nix
@ -0,0 +1,20 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (config.machine.mail) enable;
+in
+with lib; mkIf enable {
+  services.rspamd = {
+    enable = true;
+    overrides = {
+      "local.d/greylist.conf" = {
+        text = ''
+          enabled = false;
+        '';
+      };
+    };
+  };
+}
--- a/services/mail/secrets.nix
+++ b/services/mail/secrets.nix
@ -0,0 +1,25 @@
+{
+  sops.secrets = {
+    dkim_default_private = {
+      key = "dkim_default_private";
+      owner = "root";
+      group = "root";
+      mode = "0600";
+    };
+    "rus07tam/hashedPassword" = {
+      sopsFile = ./../../secrets/rus07tam.yaml;
+    };
+    "mail/serviceHashedPassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/servicePassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/NikitaHapanulStaff228HashedPassword" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+    "mail/nikitapocox6prohype" = {
+      sopsFile = ./../../secrets/common.yaml;
+    };
+  };
+}
--- a/services/mail/service.nix
+++ b/services/mail/service.nix
@ -0,0 +1,66 @@
+{ config, lib, ... }:
+let
+  sec = config.sops.secrets;
+  inherit (config.machine.mail)
+    enable
+    domain
+    fqdn
+    ;
+in
+{
+  imports = [
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
+      sha256 = "0vnczps1ns4d7b3l5m4qwp2fp567pr6b38w40h1x48qfw70x8mf0";
+    })
+  ];
+
+  mailserver = {
+    inherit enable;
+    inherit fqdn;
+    stateVersion = 5;
+    domains = [ domain ];
+    messageSizeLimit = 52428800; # 50MB
+    enableManageSieve = true;
+
+    localDnsResolver = false;
+
+    accounts = {
+      "admin@${domain}" = {
+        hashedPasswordFile = sec."mail/serviceHashedPassword".path;
+        aliases = [
+          "postmaster@${domain}"
+          "system@${domain}"
+          "contact@${domain}"
+          "sales@${domain}"
+        ];
+      };
+      "rus07tam@${domain}" = {
+        hashedPasswordFile = sec."rus07tam/hashedPassword".path;
+        aliases = [ ];
+      };
+      "nikitahapanulstaff228@${domain}" = {
+        hashedPasswordFile = sec."mail/NikitaHapanulStaff228HashedPassword".path;
+        aliases = [
+          "mamutraxal@${domain}"
+          "sava.uwu@${domain}"
+        ];
+      };
+      "nikitapocox6prohype@${domain}" = {
+        hashedPasswordFile = sec."mail/nikitapocox6prohype".path;
+        aliases = [
+          "pomoemuhype@${domain}"
+          "nikita.uwu@${domain}"
+        ];
+      };
+    };
+
+    x509.useACMEHost = config.mailserver.fqdn;
+
+    dkim = {
+      enable = true;
+      keyDirectory = "/var/dkim";
+      defaults.selector = "default";
+    };
+  };
+}
--- a/services/mail/tmpfiles.nix
+++ b/services/mail/tmpfiles.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  sec,
+  ...
+}:
+let
+  inherit (config.machine.mail) enable;
+in
+with lib; mkIf enable {
+  systemd.tmpfiles.rules = [
+    "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
+  ];
+}