feat: add email

2025-11-21 14:00:47 +01:00
parent b3c5366f31
commit d6f206f0bb
5 changed files with 492 additions and 25 deletions
--- a/hosts/amzebs-01/modules/postfix.nix
+++ b/hosts/amzebs-01/modules/postfix.nix
@@ -0,0 +1,30 @@
+{ pkgs
+, lib
+, config
+, ...
+}:
+{
+  services.postfix = {
+    enable = true;
+    hostname = "amzebs-01.amz.at";
+    domain = "amz.at";
+
+    config = {
+      # Listen only on localhost for security
+      # Laravel will send via localhost, no external access needed
+      inet_interfaces = "loopback-only";
+
+      # Compatibility
+      compatibility_level = "2";
+
+      # Only accept mail from localhost
+      mynetworks = "127.0.0.0/8 [::1]/128";
+
+      # Larger message size limits for attachments
+      mailbox_size_limit = "202400000"; # ~200MB
+      message_size_limit = "51200000";  # ~50MB
+
+      # Milter configuration is handled automatically by rspamd.postfix.enable
+    };
+  };
+}
--- a/hosts/amzebs-01/modules/rspamd.nix
+++ b/hosts/amzebs-01/modules/rspamd.nix
@@ -0,0 +1,84 @@
+{ pkgs
+, config
+, ...
+}:
+let
+  domain = "amz.at";
+  selector = "amzebs-01";
+
+  localConfig = pkgs.writeText "local.conf" ''
+    logging {
+      level = "notice";
+    }
+
+    # DKIM signing configuration with host-specific selector
+    dkim_signing {
+      path = "/var/lib/rspamd/dkim/${domain}.${selector}.key";
+      selector = "${selector}";
+      allow_username_mismatch = true;
+    }
+
+    # ARC signing (Authenticated Received Chain)
+    arc {
+      path = "/var/lib/rspamd/dkim/${domain}.${selector}.key";
+      selector = "${selector}";
+      allow_username_mismatch = true;
+    }
+
+    # Add authentication results to headers
+    milter_headers {
+      use = ["authentication-results"];
+      authenticated_headers = ["authentication-results"];
+    }
+  '';
+in
+{
+  services.rspamd = {
+    enable = true;
+    extraConfig = ''
+      .include(priority=1,duplicate=merge) "${localConfig}"
+    '';
+
+    # Enable Postfix milter integration
+    postfix.enable = true;
+  };
+
+  # Copy DKIM key from sops secret to rspamd directory
+  systemd.services.rspamd-dkim-setup = {
+    description = "Setup DKIM key from sops secret for ${domain}";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "rspamd.service" ];
+    after = [ "sops-nix.service" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    script = ''
+      DKIM_DIR="/var/lib/rspamd/dkim"
+      DKIM_KEY="$DKIM_DIR/${domain}.${selector}.key"
+
+      # Create directory if it doesn't exist
+      mkdir -p "$DKIM_DIR"
+
+      # Copy key from sops secret
+      if [ -f "${config.sops.secrets.rspamd-dkim-key.path}" ]; then
+        cp "${config.sops.secrets.rspamd-dkim-key.path}" "$DKIM_KEY"
+        chown rspamd:rspamd "$DKIM_KEY"
+        chmod 600 "$DKIM_KEY"
+        echo "DKIM key deployed successfully from sops secret"
+      else
+        echo "ERROR: DKIM key not found in sops secrets!"
+        echo "Please ensure rspamd-dkim-key is defined in secrets.yaml"
+        exit 1
+      fi
+    '';
+  };
+
+  sops.secrets.rspamd-dkim-key = {
+    owner = "rspamd";
+    group = "rspamd";
+    mode = "0400";
+  };
+}