stura-infra/configuration.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  generatedAliases = pkgs.writeText "generated-aliases" (
    lib.concatStringsSep "\n" (
      lib.mapCartesianProduct ({ aliases, domain }: "${aliases}@${domain}  root@test.htw.stura-dresden.de") {
        aliases = [
          "abuse"
          "hostmaster"
          "noreply"
          "postmaster"
          "webmaster"
        ];
        domain = config.mailserver.domains;
      }
    )
  );

in
{
  imports = [
    ./hardware-configuration.nix
    ./authentik.nix
  ];

  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "8192";
    }
  ];
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  nix.settings.trusted-users = [ "administration" ];
  nix.settings.download-buffer-size = 6710886400;
  # boot.loader.grub.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  boot.loader.grub.enable = true;
  boot.loader.grub.efiSupport = true;
  boot.loader.grub.efiInstallAsRemovable = true;

  networking.hostName = "mail";
  networking.extraHosts = ''
    127.0.0.1 auth.test.htw.stura-dresden.de
  '';
  networking.domain = "test.htw.stura-dresden.de";
  networking.interfaces.ens18.ipv4.addresses = [
    {
      address = "167.235.225.23";
      prefixLength = 32;
    }
  ];

  networking.interfaces.ens18.ipv6.addresses = [
    {
      address = "2a01:4f8:c012:6bd7::1";
      prefixLength = 32;
    }
  ];
  networking.defaultGateway.address = "172.31.1.1";
  networking.nameservers = [
    "9.9.9.9"
    "1.1.1.1"
  ];

  time.timeZone = "Europe/Berlin";

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = lib.mkForce "de";
    useXkbConfig = true; # use xkb.options in tty.
  };

  users.users.administration = {
    isNormalUser = true;
    initialPassword = "test";
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
    ];
    packages = with pkgs; [
    ];
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
  ];

  # users.ldap = {
  #   server = "ldaps://auth.test.htw.stura-dresden.de:6636";
  #   enable = true;
  #   bind = {
  #     distinguishedName = "cn=dovecot,ou=users,dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
  #     passwordFile = "/var/lib/dovecot_ldap_passwd";
  #   };
  #   base = "dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
  # };

  environment.systemPackages = with pkgs; [
    tmux
    git
    htop
    neovim
  ];

  services.openssh.enable = true;
  services.dovecot2 = {
    # extraConfig = ''
    #   auth_verbose = yes
    #   auth_debug = yes
    #   auth_debug_passwords = yes
    # '';
  };

  services.nginx.virtualHosts."auth.test.htw.stura-dresden.de".locations."/".extraConfig = ''
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  '';
  services.nginx.virtualHosts."lists.${config.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
    # locations."/" = {
    #   proxyPass = "http://127.0.0.1:18507";
    # };
  };
  services.mailman = {
    enable = true;
    hyperkitty = {
      enable = true;
    };
    serve.enable = true;
    webHosts = [
      "lists.${config.networking.domain}"
    ];
  };

  services.mailman.siteOwner = "mailman@${config.networking.domain}";
  mailserver = {
    enable = true;
    fqdn = "mail.${config.networking.domain}";
    domains = [
      "${config.networking.domain}"
      "lists.${config.networking.domain}"
    ];
    ldap = {
      enable = true;
      bind = {
        dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
        passwordFile = "/var/lib/dovecot_ldap_passwd";
      };
      dovecot = {
        userFilter = "(&(objectClass=posixAccount)(mail=%u))";
        passFilter = "(&(objectClass=posixAccount)(mail=%u))";
        userAttrs = "cn";
      };
      postfix = {
        filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))";
        mailAttribute = "mail";
        uidAttribute = "cn";
      };
      searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
      uris = [
        "ldap://auth.test.htw.stura-dresden.de:3389"
      ];
    };

    certificateScheme = "acme-nginx";
    enableImap = true;
    enableImapSsl = true;
    enableManageSieve = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    extraVirtualAliases = { };
    lmtpSaveToDetailMailbox = "no"; # DOS potential
    mailboxes = {
      Drafts = {
        auto = "subscribe";
        specialUse = "Drafts";
      };
      Sent = {
        auto = "subscribe";
        specialUse = "Sent";
      };
      Spam = {
        auto = "subscribe";
        specialUse = "Junk";
      };
      Trash = {
        auto = "subscribe";
        specialUse = "Trash";
      };
    };
    maxConnectionsPerUser = 10;
    messageSizeLimit = 10 * 1000 * 1024; # 10 MiB

  };

  # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
  services.postfix =
    let
      submissionOptions = {
        # hash:/etc/postfix/virtual,
        smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
      };
    in
    {
      masterConfig = {
        submission = {
          args = [ "-v" ];
        };
        submissions = {
          args = [ "-v" ];
        };
      };
      config = {
        unknown_local_recipient_reject_code = 550;
        # virtual_mailbox_domains = [
        #   "ldap:/run/postfix/ldap-sender-login-map.cf"
        # ];
        # virtual_mailbox_maps = [
        #   "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"
        # ];
        # virtual_alias_maps = [
        #   "texthash:${generatedAliases}"
        #   "ldap:/run/postfix/ldap-sender-login-map.cf"
        # ];

        # smtpd_sender_login_maps = [
        #   "texthash:${generatedAliases}"
        #   "ldap:/run/postfix/ldap-sender-login-map.cf"
        # ];

        relay_domains = [
          "hash:/var/lib/mailman/data/postfix_domains"
        ];
        transport_maps = [
          "hash:/var/lib/mailman/data/postfix_lmtp"
        ];
        local_recipient_maps = [
          "hash:/var/lib/mailman/data/postfix_lmtp"
        ];
      };
      # mapFiles = {
      #   "valias" = lib.mkForce "/var/lib/postfix/valias";
      #   "virtual" = lib.mkForce "/var/lib/postfix/virtual";
      # };
      submissionOptions = submissionOptions;
      submissionsOptions = submissionOptions;
    };

  # virtualisation.docker.enable = true;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "cert@stura.htw-dresden.de";

  networking.firewall.allowedTCPPorts = [
    25
    80
    443
    597
  ];

  system.stateVersion = "24.11";

}