authorAlejandro Soto <alejandro@34project.org>2025-08-24 18:55:06 -0600
committerAlejandro Soto <alejandro@34project.org>2025-08-24 18:55:06 -0600
commitd7ac88762db111a7962c4e14b5f4e37ab85ccac7 (patch)
tree0c2c8c4383bef74215e3b7c48a2f6b0117f084bc /sys/mta/default.nix
parent504589d1035f27b766bd33040b415b2725ece4ca (diff)
tree-wide: reformat using alejandra after enabling trivionomicon
Diffstat (limited to '')
-rw-r--r--sys/mta/default.nix232
1 files changed, 130 insertions, 102 deletions
diff --git a/sys/mta/default.nix b/sys/mta/default.nix
index 4305f70..57c1c27 100644
--- a/sys/mta/default.nix
+++ b/sys/mta/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.local.mta;
@@ -22,13 +27,12 @@ with lib; let
if isPrimary
then "lmtp:inet:${cfg.mdaAddr}:${toString cfg.lmtpPort}"
else "error:bad transport";
-in
-{
+in {
options.local.mta = {
enable = mkEnableOption "mail transfer agent";
mode = mkOption {
- type = types.enum [ "primary" "backup" ];
+ type = types.enum ["primary" "backup"];
};
mdaAddr = mkOption {
@@ -58,7 +62,7 @@ in
enable = true;
group = "postfix";
- domains = "csl:" + concatStringsSep "," ([ domain ] ++ attrNames virtualDomains);
+ domains = "csl:" + concatStringsSep "," ([domain] ++ attrNames virtualDomains);
selector = "202408";
configFile = pkgs.writeText "opendkim.conf" ''
@@ -76,7 +80,7 @@ in
hostname = mtaDomain.main;
#TODO: check_recipient_access para rechazar localhost desde afuera
- destination = optionals isPrimary [ "localhost" "$mydomain" ];
+ destination = optionals isPrimary ["localhost" "$mydomain"];
origin = "$mydomain";
networksStyle = "host";
@@ -95,20 +99,25 @@ in
# También es postmaster
rootAlias = config.local.sysadmin;
- extraAliases = optionalString isPrimary
+ extraAliases =
+ optionalString isPrimary
(concatLines (flatten (mapAttrsToList
- (name: user: map
+ (name: user:
+ map
(alias: "${alias}: ${name}")
user.hardAliases)
users)));
- localRecipients = optionals isPrimary
+ localRecipients =
+ optionals isPrimary
(map (user: "${user}@${domain}")
(attrNames (users // virtual.${domain}.users)));
- virtual = optionalString isPrimary
+ virtual =
+ optionalString isPrimary
(concatLines (flatten (mapAttrsToList
- (name: virtual: mapAttrsToList
+ (name: virtual:
+ mapAttrsToList
(alias: targets: "${alias}@${name} ${concatStringsSep ", " targets}")
virtual.aliases)
virtual)));
@@ -116,101 +125,108 @@ in
mapFiles = optionalAttrs isPrimary {
sender_ccerts =
pkgs.writeText "postfix-sender_ccerts"
- (concatLines (flatten (mapAttrsToList
- (username: user: map
- (alias: "${alias}@${domain} CCERTS ${concatStringsSep ","
- (map (certPath: config.local.pki.byPath.${certPath}.fingerprint.sha256-bytes-upper)
- user.mail.certs)}")
- ([ username ] ++ user.hardAliases))
- (filterAttrs (_: user: user.mail.certs != [ ]) users))));
+ (concatLines (flatten (mapAttrsToList
+ (username: user:
+ map
+ (alias: "${alias}@${domain} CCERTS ${concatStringsSep ","
+ (map (certPath: config.local.pki.byPath.${certPath}.fingerprint.sha256-bytes-upper)
+ user.mail.certs)}")
+ ([username] ++ user.hardAliases))
+ (filterAttrs (_: user: user.mail.certs != []) users))));
sender_login =
pkgs.writeText "postfix-sender_login"
- (concatLines (flatten (mapAttrsToList
- (username: user: map
- (alias: "${alias}@${domain} ${username}")
- ([ username ] ++ user.hardAliases))
- users)));
+ (concatLines (flatten (mapAttrsToList
+ (username: user:
+ map
+ (alias: "${alias}@${domain} ${username}")
+ ([username] ++ user.hardAliases))
+ users)));
virtual_recipients =
pkgs.writeText "postfix-virtual_recipients"
- (concatLines (flatten (mapAttrsToList
- (virtualDomain: virtual: mapAttrsToList
- # El lado derecho de esta tabla debe existir pero nunca se usa
- (username: _: "${username}@${virtualDomain} foo")
- virtual.users)
- virtualDomains)));
+ (concatLines (flatten (mapAttrsToList
+ (virtualDomain: virtual:
+ mapAttrsToList
+ # El lado derecho de esta tabla debe existir pero nunca se usa
+ (username: _: "${username}@${virtualDomain} foo")
+ virtual.users)
+ virtualDomains)));
virtual_rules =
pkgs.writeText "postfix-virtual_rules"
- (concatLines (flatten (mapAttrsToList
- (name: virtual: map
- (rule: "/^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets}")
- virtual.rules)
- virtual)));
+ (concatLines (flatten (mapAttrsToList
+ (name: virtual:
+ map
+ (rule: "/^${rule.pattern}@${name}$/ ${concatStringsSep ", " rule.targets}")
+ virtual.rules)
+ virtual)));
};
- config = {
- # user+extension@domain.tld
- recipient_delimiter = optionalString isPrimary "+";
-
- message_size_limit = toString (50 * 1048576);
-
- local_transport = mdaTransport;
- virtual_transport = mdaTransport;
-
- smtpd_tls_auth_only = true;
- # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9
-
- tls_append_default_CA = false; # Crítico
-
- # https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
- smtpd_helo_required = true;
- disable_vrfy_command = true;
- } // optionalAttrs isPrimary {
- virtual_alias_maps = mkAfter [ "pcre:/etc/postfix/virtual_rules" ];
- virtual_mailbox_domains = attrNames virtualDomains;
- virtual_mailbox_maps = [ "hash:/etc/postfix/virtual_recipients" ];
-
- smtpd_sasl_type = "dovecot";
- smtpd_sasl_path = "inet:${cfg.mdaAddr}:${toString cfg.saslPort}";
- smtpd_sasl_local_domain = "$mydomain";
- smtpd_sasl_security_options = [ "noanonymous" ];
-
- smtpd_tls_CAfile = "${config.local.pki.ca.mail.fullchain}";
- smtpd_tls_ccert_verifydepth = "1";
-
- # Inventado, no es parámetro de postfix
- local_submission_client_restrictions = [
- "permit_tls_all_clientcerts"
- "permit_sasl_authenticated"
- "reject"
- ];
-
- smtpd_sender_login_maps = [ "hash:/etc/postfix/sender_login" ];
-
- smtpd_relay_restrictions = [
- "permit_mynetworks"
- "permit_tls_all_clientcerts"
- "permit_sasl_authenticated"
- "reject_unauth_destination"
- ];
-
- smtpd_sender_restrictions = [
- "check_sender_access hash:/etc/postfix/sender_ccerts"
- "reject_sender_login_mismatch"
- ];
-
- smtpd_milters = "unix:/run/opendkim/opendkim.sock";
- non_smtpd_milters = "$smtpd_milters";
- milter_default_action = "accept";
- } // optionalAttrs isBackup {
- inet_interfaces = [ cfg.relayListen ];
-
- smtpd_relay_restrictions = [
- "reject_unauth_destination"
- ];
- };
+ config =
+ {
+ # user+extension@domain.tld
+ recipient_delimiter = optionalString isPrimary "+";
+
+ message_size_limit = toString (50 * 1048576);
+
+ local_transport = mdaTransport;
+ virtual_transport = mdaTransport;
+
+ smtpd_tls_auth_only = true;
+ # Nota: smtpd_tls_dh1024_param_file fue deprecado en 3.9
+
+ tls_append_default_CA = false; # Crítico
+
+ # https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+ smtpd_helo_required = true;
+ disable_vrfy_command = true;
+ }
+ // optionalAttrs isPrimary {
+ virtual_alias_maps = mkAfter ["pcre:/etc/postfix/virtual_rules"];
+ virtual_mailbox_domains = attrNames virtualDomains;
+ virtual_mailbox_maps = ["hash:/etc/postfix/virtual_recipients"];
+
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "inet:${cfg.mdaAddr}:${toString cfg.saslPort}";
+ smtpd_sasl_local_domain = "$mydomain";
+ smtpd_sasl_security_options = ["noanonymous"];
+
+ smtpd_tls_CAfile = "${config.local.pki.ca.mail.fullchain}";
+ smtpd_tls_ccert_verifydepth = "1";
+
+ # Inventado, no es parámetro de postfix
+ local_submission_client_restrictions = [
+ "permit_tls_all_clientcerts"
+ "permit_sasl_authenticated"
+ "reject"
+ ];
+
+ smtpd_sender_login_maps = ["hash:/etc/postfix/sender_login"];
+
+ smtpd_relay_restrictions = [
+ "permit_mynetworks"
+ "permit_tls_all_clientcerts"
+ "permit_sasl_authenticated"
+ "reject_unauth_destination"
+ ];
+
+ smtpd_sender_restrictions = [
+ "check_sender_access hash:/etc/postfix/sender_ccerts"
+ "reject_sender_login_mismatch"
+ ];
+
+ smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+ non_smtpd_milters = "$smtpd_milters";
+ milter_default_action = "accept";
+ }
+ // optionalAttrs isBackup {
+ inet_interfaces = [cfg.relayListen];
+
+ smtpd_relay_restrictions = [
+ "reject_unauth_destination"
+ ];
+ };
# Importante: existe submissionOptions por aparte, no son iguales
submissionsOptions = optionalAttrs isPrimary {
@@ -223,19 +239,31 @@ in
};
#TODO: solo para las destination addresses necesarias
- networking.firewall.allowedTCPPorts = optionals isPrimary [ 25 465 ];
+ networking.firewall.allowedTCPPorts = optionals isPrimary [25 465];
local = {
- boot.impermanence.directories = [
- { directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
- ] ++ optionals isPrimary [
- { directory = "/var/lib/opendkim"; user = "opendkim"; group = "postfix"; mode = "u=rwx,g=,o="; }
- ];
+ boot.impermanence.directories =
+ [
+ {
+ directory = "/var/lib/postfix";
+ user = "root";
+ group = "root";
+ mode = "u=rwx,g=rx,o=rx";
+ }
+ ]
+ ++ optionals isPrimary [
+ {
+ directory = "/var/lib/opendkim";
+ user = "opendkim";
+ group = "postfix";
+ mode = "u=rwx,g=,o=";
+ }
+ ];
certs.smtp.enable = isPrimary;
certs.smtp-backup.enable = isBackup;
};
- security.acme.certs.${mtaDomain.main}.reloadServices = [ "postfix.service" ];
+ security.acme.certs.${mtaDomain.main}.reloadServices = ["postfix.service"];
};
}