diff --git a/flake.lock b/flake.lock
index 60c6d13..b22336e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1762618334,
- "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+ "lastModified": 1770165109,
+ "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+ "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
 "type": "github"
 },
 "original": {
@@ -47,11 +47,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769889994,
- "narHash": "sha256-uEn3WcpPHe3sMJMgIJ0XW3f4/+TRzZpNgv4vu5/gjmA=",
+ "lastModified": 1770681688,
+ "narHash": "sha256-bGVEgZMxmw9N+IKp5nG+2nyKFezdPWYDxyxXkYW+d2M=",
 "owner": "9001",
 "repo": "copyparty",
- "rev": "9b436eb52e5cfe7a0a8e59dd9f1a37351f3a2abd",
+ "rev": "e5d0a0572da507acfe774e0f86ad541f5daab97f",
 "type": "github"
 },
 "original": {
@@ -89,11 +89,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1766051518,
- "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
+ "lastModified": 1770019181,
+ "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
 "owner": "serokell",
 "repo": "deploy-rs",
- "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
+ "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
 "type": "github"
 },
 "original": {
@@ -141,15 +141,15 @@
 "flake-compat_2": {
 "flake": false,
 "locked": {
- "lastModified": 1761588595,
- "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
- "owner": "edolstra",
+ "lastModified": 1767039857,
+ "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+ "owner": "NixOS",
 "repo": "flake-compat",
- "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+ "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
 "type": "github"
 },
 "original": {
- "owner": "edolstra",
+ "owner": "NixOS",
 "repo": "flake-compat",
 "type": "github"
 }
@@ -182,11 +182,11 @@
 ]
 },
 "locked": {
- "lastModified": 1763988335,
- "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
+ "lastModified": 1769939035,
+ "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
+ "rev": "a8ca480175326551d6c4121498316261cbb5b260",
 "type": "github"
 },
 "original": {
@@ -245,11 +245,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769978395,
- "narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=",
+ "lastModified": 1770654520,
+ "narHash": "sha256-mg5WZMIPGsFu9MxSrUcuJUPMbfMsF77el5yb/7rc10k=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "984708c34d3495a518e6ab6b8633469bbca2f77a",
+ "rev": "6c4fdbe1ad198fac36c320fd45c5957324a80b8e",
 "type": "github"
 },
 "original": {
@@ -288,11 +288,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1766321686,
- "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
+ "lastModified": 1770659507,
+ "narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
+ "rev": "781e833633ebc0873d251772a74e4400a73f5d78",
 "type": "gitlab"
 },
 "original": {
@@ -335,11 +335,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1769302137,
- "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
+ "lastModified": 1770631810,
+ "narHash": "sha256-b7iK/x+zOXbjhRqa+XBlYla4zFvPZyU5Ln2HJkiSnzc=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
+ "rev": "2889685785848de940375bf7fea5e7c5a3c8d502",
 "type": "github"
 },
 "original": {
@@ -383,11 +383,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1769789167,
- "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=",
+ "lastModified": 1770562336,
+ "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5",
+ "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
 "type": "github"
 },
 "original": {
@@ -399,11 +399,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1764374374,
- "narHash": "sha256-naS7hg/D1yLKSZoENx9gvsPLFiNEOTcqamJSu0OEvCA=",
+ "lastModified": 1770650459,
+ "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6a49303095abc094ee77dc243a9e351b642e8e75",
+ "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378",
 "type": "github"
 },
 "original": {
@@ -415,11 +415,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1769789167,
- "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=",
+ "lastModified": 1770562336,
+ "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5",
+ "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
 "type": "github"
 },
 "original": {
@@ -533,11 +533,11 @@
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
- "lastModified": 1769922110,
- "narHash": "sha256-/0Cl75Yy4mQOWNfr2ZR5aYZlFc2geH7NUkwiwiKUNhg=",
+ "lastModified": 1770707140,
+ "narHash": "sha256-3ZRA2+o5p1+FKWx988WbwB1SQ2Mz5aL95zxhL5iD+O0=",
 "owner": "0xc000022070",
 "repo": "zen-browser-flake",
- "rev": "dc3cb779f0fae72b3ebffd60a2272095f8848eda",
+ "rev": "db14437f8667f7f09784e2a4e73c105bdc1c7023",
 "type": "github"
 },
 "original": {
diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index a9352bc..6d3d543 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -13,7 +13,6 @@ ./users.nix ../../users/lyes - ../../users/lyes/server ../../modules ../../modules/server
diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix index f4e6501..5c597fd 100644 --- a/hosts/zora/reverse-proxy.nix +++ b/hosts/zora/reverse-proxy.nix @@ -3,7 +3,7 @@ { security.acme = { acceptTerms = true; - defaults.email = "root.security@lyes.eu"; + defaults.email = "security@lyes.eu"; }; services.nginx = { diff --git a/modules/server/baba/default.nix b/modules/server/baba/default.nix index fa7940c..34a0220 100644 --- a/modules/server/baba/default.nix +++ b/modules/server/baba/default.nix @@ -15,12 +15,12 @@ extraAppsEnable = true; extraApps = { - inherit (config.services.nextcloud.package.packages.apps) mail calendar contacts user_oidc notes richdocuments tasks news dav_push repod phonetrack music; - gpoddersync = pkgs.fetchNextcloudApp { - hash = "sha256-EQVs1fe0ierjqFZ5+KVc1Yj67zrwjLBAzY5A+QsC7AU="; - url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.13.2r/gpoddersync.tar.gz"; - license = "agpl3Only"; - }; + inherit (config.services.nextcloud.package.packages.apps) mail calendar contacts cospend user_oidc notes richdocuments tasks news dav_push repod gpoddersync phonetrack music; + # gpoddersync = pkgs.fetchNextcloudApp { + # hash = "sha256-EQVs1fe0ierjqFZ5+KVc1Yj67zrwjLBAzY5A+QsC7AU="; + # url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.13.2r/gpoddersync.tar.gz"; + # license = "agpl3Only"; + # }; }; config = { diff --git a/modules/server/link/default.nix b/modules/server/link/default.nix index b2627d7..a76f5e3 100644 --- a/modules/server/link/default.nix +++ b/modules/server/link/default.nix @@ -14,7 +14,7 @@ in # package = pkgs.kanidmWithSecretProvisioning_1_7; enableServer = true; - server.settings = { + serverSettings = { bindaddress = "127.0.0.1:${port}"; ldapbindaddress = "0.0.0.0:636"; domain = hostname; diff --git a/modules/server/taf/default.nix b/modules/server/taf/default.nix index c4a461d..ca0c361 100644 --- a/modules/server/taf/default.nix 
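Review bot: The old `fetchNextcloudApp` definition for gpoddersync is kept as five commented-out lines (`# gpoddersync = pkgs.fetchNextcloudApp { ... # };`) instead of being deleted now that the app is taken from `config.services.nextcloud.package.packages.apps`; a pinned `hash`/`url` living in a comment goes stale silently, and git already keeps the history. Drop the five lines, or if the origin is worth remembering keep a single pointer such as `# gpoddersync used to be fetched with fetchNextcloudApp; see git history`. The `extraApps` attrset and the enclosing `services.nextcloud` block start and end outside the hunk.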
+++ b/modules/server/taf/default.nix @@ -1,20 +1,5 @@ -{ config, lib, ... }: +{ config, ... }: -let - alias = '' - @lyes.eu lyes - lyes@mail.lyes.eu lyes - abuse@taf.lyes.eu lyes - abuse@mail.lyes.eu lyes - abuse@minish.fr lyes - abuse@minish.link lyes - postmaster@taf.lyes.eu lyes - postmaster@mail.lyes.eu lyes - postmaster@minish.fr lyes - postmaster@minish.link lyes - ''; - aliasFile = lib.toFile "alias" alias; -in { mailserver = { enable = true; @@ -22,10 +7,7 @@ in fqdn = "taf.lyes.eu"; domains = [ "lyes.eu" - "taf.lyes.eu" "mail.lyes.eu" - "minish.fr" - "minish.link" ]; localDnsResolver = false; 
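Review bot: The `alias` block removed in the first hunk was what mapped `postmaster@mail.lyes.eu` and `abuse@mail.lyes.eu` to a mailbox, and the second hunk keeps `"mail.lyes.eu"` in `domains`, so unless simple-nixos-mailserver provides those addresses on its own they become undeliverable with this commit; the account added further down only declares `aliases = [ "@lyes.eu" ]`, which covers the bare domain and nothing else. RFC 5321 §4.5.1 and RFC 2142 expect `postmaster@` and `abuse@` to be accepted for every domain the server handles, and those are the addresses other operators use for bounce and abuse reports. Adding `"postmaster@mail.lyes.eu"` and `"abuse@mail.lyes.eu"` to that account's `aliases` list, or reinstating them in `extraVirtualAliases`, keeps them reachable. The `mailserver = { ... }` attrset these hunks edit continues beyond the second hunk.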
@@ -33,85 +15,175 @@ in # debug.all = true; - ldap = { - enable = true; - - uris = [ "ldaps://auth.lyes.eu:636" ]; - searchBase = "dc=auth,dc=lyes,dc=eu"; - searchScope = "sub"; - - bind = { - # dn = "dn=token,dc=auth,dc=lyes,dc=eu"; - dn = "dn=token"; - passwordFile = config.age.secrets.taf-token.path; - }; - - dovecot = { - userFilter = "(&(memberof=taf_users)(mail=%u))"; - passFilter = "(&(memberof=taf_users)(mail=%u))"; - }; - - postfix = { - filter = "(&(memberof=taf_users)(mail=%s))"; - mailAttribute = "mail"; - uidAttribute = "name"; - }; - }; - - # fullTextSearch = { + # ldap = { # enable = true; - # autoIndex = true; - # enforced = "body"; - # }; - # loginAccounts = { - # "lyes@mail.lyes.eu" = { - # # hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path; - # # aliases = [ - # # "@lyes.eu" - # # ]; - # # quota = "1T"; + # uris = [ "ldaps://auth.lyes.eu:636" ]; + # searchBase = "dc=auth,dc=lyes,dc=eu"; + # searchScope = "sub"; + + # bind = { + # # dn = "dn=token,dc=auth,dc=lyes,dc=eu"; + # dn = "dn=token"; + # passwordFile = config.age.secrets.taf-token.path; + # }; + + # dovecot = { + # userFilter = "(name=%u)"; + # passFilter = "(name=%u)"; + # }; + + # postfix = { + # filter = "(name=%s)"; + # mailAttribute = "mail"; + # uidAttribute = "name"; # }; # }; + loginAccounts = { + "lyes@mail.lyes.eu" = { + hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path; + aliases = [ + "@lyes.eu" + ]; + quota = "1T"; + sieveScript = '' + require ["include", "fileinto", "mailbox", "copy", "regex", "variables", "imap4flags"]; + + include :personal "hiddensieve"; + + # lyes.eu filters + if address :is :domain "X-Original-To" "lyes.eu" { + # If the mail comes from my crans mailbox + if address :is :localpart "X-Original-To" "crans" { + # Aurore Support + if header :contains "List-Id" "" { + fileinto :create "Crans.aurore.support"; + } + # Mailman moderation request + elsif address :matches :all "To" "*-owner@lists.crans.org" { + fileinto :create 
"Crans.moderation"; + } + # Crans Bureau + elsif anyof ( + header :contains "List-Id" "", + header :contains "List-Id" "", + header :contains "List-Id" "" + ) { + fileinto :create "Crans.crans.bureau"; + } + # Crans CA + elsif header :contains "List-Id" "" { + fileinto :create "Crans.crans.ca"; + } + # Crans Root Postmaster + elsif address :is :all "To" "postmaster@crans.org" { + addflag "\\Seen"; + fileinto :create "Crans.crans.root.postmaster"; + } + # Crans Root Mailer + elsif address :is :all "From" "MAILER-DAEMON@crans.org" { + fileinto :create "Crans.crans.root.mailer"; + } + # Crans Nounou + elsif anyof ( + header :contains "List-Id" "", + header :contains "List-Id" "", + address :is :all "To" "contact@crans.org", + address :is :all "From" "contact@crans.org" + ) { + fileinto :create "Crans.crans.nounou"; + } + # Crans Root + elsif anyof ( + address :is :all "To" "root@crans.org", + address :is :all "From" "root@crans.org", + address :is :all "From" "www-data@crans.org" + ) { + fileinto :create "Crans.crans.root"; + } + # Crans Gitlab + elsif address :is :all "From" "gitlab@crans.org" { + fileinto :create "Crans.crans.gitlab"; + } + # Crans Wiki + elsif address :is :all "From" "wiki@crans.org" { + fileinto :create "Crans.crans.wiki"; + } + # Aurore CA + elsif header :contains "List-Id" "" { + fileinto :create "Crans.aurore.ca"; + } + # BDL + elsif anyof ( + header :contains "List-Id" "", + header :contains "List-Id" "" + ) { + fileinto :create "Crans.asso.bdl"; + } + # Med + elsif anyof ( + header :contains "List-Id" "", + header :contains "List-Id" "" + ) { + fileinto :create "Crans.asso.med"; + } + # NL BDE + elsif header :contains "List-Id" "" { + fileinto :create "Crans.asso.nl.bde"; + } + # NL BDA + elsif header :contains "List-Id" "" { + fileinto :create "Crans.asso.nl.bda"; + } + # Any other associative mail + elsif anyof ( + header :contains "List-Id" "", + header :contains "List-Id" "", + header :matches "List-Id" "<*.lists.crans.org>" + ) { + 
fileinto :create "Crans.asso"; + } + # Otherwise it's for the generic mailbox + else { + fileinto :create "Crans"; + } + } + + # Otherwise it's for my different accounts + # It's automatically sorted using the localpart + elsif address :localpart :regex "X-Original-To" "^(([a-zA-Z]+\\.)*([a-zA-Z]+))(-([a-zA-Z0-9_.\\-]*))?''$" { + set :lower "sub_folder" "''${1}"; + set "mbox_candidate" "INBOX.''${sub_folder}"; + fileinto :create "''${mbox_candidate}"; + } + + # Other unknown origin + else { + fileinto :create "INBOX.other"; + } + } + + # It's destined to my main inbox + elsif address :is "X-Original-To" "lyes@mail.lyes.eu" { + fileinto :create "INBOX"; + } + + # Other unknown origin + else { + fileinto :create "INBOX.other"; + } + ''; + }; + }; + # extraVirtualAliases = { - # "@lyes.eu" = "lyes"; - # "abuse@mail.lyes.eu" = "lyes"; - # # "abuse@minish.fr" = "lyes"; - # # "abuse@minish.link" = "lyes"; - # "postmaster@mail.lyes.eu" = "lyes"; - # # "postmaster@minish.fr" = "lyes"; - # # "postmaster@minish.link" = "lyes"; + # "@lyes.eu" = "lyes@mail.lyes.eu"; # }; x509.useACMEHost = config.mailserver.fqdn; }; - services.postfix = { - mapFiles."valias" = lib.mkForce aliasFile; - mapFiles."vaccounts" = lib.mkForce aliasFile; - virtual = lib.mkForce alias; - - settings = { - main = { - # local_recipient_maps = ""; - # virtual_alias_maps = lib.mkForce "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"; - - maximal_queue_lifetime = "31d"; - - relay_domains = [ - "skaven.org" - "agreg.info" - ]; - - smtpd_recipient_restrictions = [ - "permit_mynetworks" - "permit_sasl_authenticated" - ]; - }; - }; - }; - # services.dovecot2.extraConfig = '' # userdb { # driver = ldap @@ -128,10 +200,7 @@ in # } # ''; - services.dovecot2 = { - # enableQuota = lib.mkForce false; - sieve.extensions = [ "imap4flags" ]; - }; + services.dovecot2.sieve.extensions = [ "imap4flags" ]; services.roundcube = { enable = true; 
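Review bot: Several tests in the new `sieveScript` read `header :contains "List-Id" ""` with an empty pattern, the first being the Aurore Support branch right after the `crans` local-part check; under RFC 5228 an empty `:contains` key matches any message that carries the header at all, so as shown that branch would file every list mail into `Crans.aurore.support` and shadow every later `elsif`. This is most likely angle-bracketed list ids such as `<name.lists.crans.org>` lost in rendering, given that the final `header :matches "List-Id" "<*.lists.crans.org>"` survived intact, but it deserves a check of the committed file with `sieve-test` before the account goes live. A smaller point: because the account has the `@lyes.eu` catch-all and the `:regex` branch ends in `fileinto :create "''${mbox_candidate}"`, any remote sender can create a new folder under INBOX simply by choosing the local part; the character class keeps this to letters and dots so it is clutter rather than traversal, but limiting `:create` to the branches with fixed folder names would bound it. The `mailserver` attrset containing this hunk begins before it.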
@@ -148,12 +217,21 @@ in age.secrets = { taf-token = { + owner = "postfix"; file = ../../../secrets/zora/services/taf-token.age; }; - # lyes-mail-passwd = { - # owner = "postfix"; - # file = ../../../secrets/lyes/mail-passwd.age; - # }; + lyes-mail-passwd = { + owner = "postfix"; + file = ../../../secrets/lyes/mail-passwd.age; + }; + + lyes-hidden-sieve = { + file = ../../../secrets/lyes/hidden-sieve.age; + path = "/var/sieve/lyes@mail.lyes.eu/scripts/hiddensieve.sieve"; + owner = "virtualMail"; + group = "virtualMail"; + mode = "660"; + }; }; } diff --git a/secrets.nix b/secrets.nix index 743eef3..be69f5d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -8,7 +8,7 @@ in { # Lyes "secrets/lyes/mail-passwd.age".publicKeys = [ lyes zora ]; - "secrets/lyes/sieve.age".publicKeys = [ lyes zora ]; + "secrets/lyes/hidden-sieve.age".publicKeys = [ lyes zora ]; # Zora "secrets/zora/services/kanidm-admin-password.age".publicKeys = all; diff --git a/secrets/lyes/hidden-sieve.age b/secrets/lyes/hidden-sieve.age new file mode 100644 index 0000000..18607ae Binary files /dev/null and b/secrets/lyes/hidden-sieve.age differ diff --git a/secrets/lyes/sieve.age b/secrets/lyes/sieve.age deleted file mode 100644 index 6c16f07..0000000 Binary files a/secrets/lyes/sieve.age and /dev/null differ diff --git a/users/lyes/server/default.nix b/users/lyes/server/default.nix deleted file mode 100644 index 45d468a..0000000 --- a/users/lyes/server/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: - -{ - imports = - [ - ./sieve.nix - ]; -} diff --git a/users/lyes/server/sieve.nix b/users/lyes/server/sieve.nix deleted file mode 100644 index ae0d258..0000000 --- a/users/lyes/server/sieve.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ ... }: - -{ - age.secrets = { - lyes-sieve = { - file = ../../../secrets/lyes/sieve.age; - path = "/var/sieve/lyes@taf.lyes.eu/default.sieve"; - owner = "virtualMail"; - group = "virtualMail"; - mode = "660"; - }; - }; -}
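Review bot: `taf-token` gains `owner = "postfix";` on the first added line of the hunk while its only consumer, the `ldap` block, is commented out in this same commit, so a secret nothing reads is now decrypted onto the host and made readable by the postfix user; either remove the `taf-token` entry until LDAP is re-enabled or leave it root-only. For `lyes-hidden-sieve`, `mode = "660";` makes the script group-writable for `virtualMail` although Dovecot only needs to read it to honour `include :personal "hiddensieve"`; `mode = "640";` (or `"600"`, since owner and group are both virtualMail) matches least privilege unless ManageSieve is expected to rewrite the file. The `"660"` is carried over from the deleted `users/lyes/server/sieve.nix` later in the diff, so this is not a regression, only an opportunity. The file's top-level attrset begins outside the hunk.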