diff --git a/default.nix b/default.nix index 6a07f7e..f9303a7 100644 --- a/default.nix +++ b/default.nix @@ -28,8 +28,14 @@ in domain = mkOption { type = types.str; - example = "example.com"; - description = "The domain that this mail server serves. So far only one domain is supported"; + example = "[ example.com ]"; + description = "The primary domain that this mail server serves."; + }; + + extraDomains = mkOption { + type = types.listOf types.str; + example = "[ example.com ]"; + description = "Extra domains that this mail server serves."; }; hostPrefix = mkOption { diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix index 15bb596..71f6c28 100644 --- a/mail-server/nginx.nix +++ b/mail-server/nginx.nix @@ -21,23 +21,34 @@ with (import ./common.nix { inherit config; }); let cfg = config.mailserver; + allDomains = [ cfg.domain ] ++ cfg.extraDomains; + acmeRoot = "/var/lib/acme/acme-challenge"; in { config = with cfg; lib.mkIf (certificateScheme == 3) { - services.nginx = { enable = true; - virtualHosts = { - domain = { - serverName = "${hostPrefix}.${domain}"; - forceSSL = true; - enableACME = true; - locations."/" = { - root = "/var/www"; - }; - acmeRoot = "/var/lib/acme/acme-challenge"; - }; - }; + virtualHosts = genAttrs allDomains (domain: { + serverName = "${hostPrefix}.${domain}"; + forceSSL = true; + enableACME = true; + locations."/" = { + root = "/var/www"; + }; + acmeRoot = acmeRoot; + }); + }; + security.acme.certs."${hostPrefix}.${domain}" = { + # @todo what user/group should this run as? + user = "postfix"; # cfg.user; + group = "postfix"; # lib.mkDefault cfg.group; + domain = "${hostPrefix}.${domain}"; + extraDomains = map (domain: "${hostPrefix}.${domain}") extraDomains; + webroot = acmeRoot; + # @todo should we reload postfix here? + postRun = '' + systemctl reload nginx + ''; }; }; } diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index fedb53c..ee91da9 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -19,17 +19,19 @@ with (import ./common.nix { inherit config; }); let + inherit (lib.strings) concatStringsSep; cfg = config.mailserver; + allDomains = [ cfg.domain ] ++ cfg.extraDomains; # valiases_postfix :: [ String ] valiases_postfix = map (from: let to = cfg.virtualAliases.${from}; - in "${from}@${cfg.domain} ${to}@${cfg.domain}") + in "${from} ${to}") (builtins.attrNames cfg.virtualAliases); # accountToIdentity :: User -> String - accountToIdentity = account: "${account.name}@${cfg.domain} ${account.name}@${cfg.domain}"; + accountToIdentity = account: "${account.name} ${account.name}"; # vaccounts_identity :: [ String ] vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts); @@ -38,7 +40,7 @@ let valiases_file = builtins.toFile "valias" (lib.concatStringsSep "\n" valiases_postfix); # vhosts_file :: Path - vhosts_file = builtins.toFile "vhosts" cfg.domain; + vhosts_file = builtins.toFile "vhosts" (concatStringsSep ", " allDomains); # vaccounts_file :: Path # see @@ -47,7 +49,7 @@ let # every alias is owned (uniquely) by its user. We have to add the users own # address though vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix)); - + submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" '' # Removes sensitive headers from mails handed in via the submission port. # See https://thomas-leister.de/mailserver-debian-stretch/ @@ -67,12 +69,12 @@ in enable = true; networksStyle = "host"; mapFiles."valias" = valiases_file; - mapFiles."vaccounts" = vaccounts_file; + mapFiles."vaccounts" = vaccounts_file; sslCert = certificatePath; sslKey = keyPath; enableSubmission = true; - extraConfig = + extraConfig = '' # Extra Config @@ -116,7 +118,7 @@ in ''; submissionOptions = - { + { smtpd_tls_security_level = "encrypt"; smtpd_sasl_auth_enable = "yes"; smtpd_sasl_type = "dovecot"; diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix index 48f5a5e..b6556a8 100644 --- a/mail-server/systemd.nix +++ b/mail-server/systemd.nix @@ -64,7 +64,7 @@ in # Create certificates and maildir folder systemd.services.postfix = { after = (if (certificateScheme == 3) then [ "nginx.service" ] else []); - preStart = + preStart = '' # Create mail directory and set permissions. See # . diff --git a/mail-server/users.nix b/mail-server/users.nix index c55375c..f49be1f 100644 --- a/mail-server/users.nix +++ b/mail-server/users.nix @@ -30,7 +30,7 @@ let # accountsToUser :: String -> UserRecord accountsToUser = account: { - name = account.name + "@" + domain; + name = account.name; isNormalUser = false; group = vmailGroupName; inherit (account) hashedPassword; diff --git a/nixops/single-server.nix b/nixops/single-server.nix index 15e9e5e..8072233 100644 --- a/nixops/single-server.nix +++ b/nixops/single-server.nix @@ -11,17 +11,22 @@ mailserver = { enable = true; domain = "example.com"; + extraDomains = [ "example2.com" ]; hostPrefix = "mail"; loginAccounts = { - user1 = { + "user1@example.com" = { hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; }; }; virtualAliases = { - info = "user1"; - postmaster = "user1"; - abuse = "user1"; + "user1@example2.com" = "user1@example.com"; + "info@example.com" = "user1@example.com"; + "postmaster@example.com" = "user1@example.com"; + "abuse@example.com" = "user1@example.com"; + "info@example2.com" = "user1@example.com"; + "postmaster@example2.com" = "user1@example.com"; + "abuse@example2.com" = "user1@example.com"; }; }; };