
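{ config, pkgs, ... }:
let
  cfg = config.mailserver;
  certsDir = "/var/certs";
  # traefik's ACME state; both the dump script and the path unit watch it.
  acmeJson = "/var/lib/traefik/acme.json";

  # Extracts the certificate and private key that traefik's "le" resolver
  # obtained for cfg.fqdn out of acme.json and writes them as PEM files for
  # the mailserver. Runs as root from the dump-traefik-mail-cert unit.
  # Fails (instead of writing empty files) when acme.json is missing or
  # holds no certificate for cfg.fqdn, and never leaves the key world-readable.
  dumpTraefikMailCerts = pkgs.writeScript "dump-mail-certs" ''
    #!/bin/sh
    # Abort on any failing command or unset variable rather than silently
    # truncating the cert/key files with empty or partial content.
    set -eu
    mkdir -p ${certsDir}

    # Prints the base64 field $1 ("certificate" or "key") of the acme.json
    # entry whose main domain is the mail host. `-e` makes jq exit non-zero
    # when no entry matches, so set -e aborts the script.
    extract() {
      ${pkgs.jq}/bin/jq -er '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .'"$1" ${acmeJson}
    }

    cert="$(extract certificate)"
    key="$(extract key)"
    if [ -z "$cert" ] || [ -z "$key" ]; then
      echo "dump-mail-certs: no certificate for ${cfg.fqdn} in ${acmeJson}" >&2
      exit 1
    fi

    printf '%s\n' "$cert" | ${pkgs.coreutils}/bin/base64 -d > ${cfg.certificateFile}

    # The private key must not be readable by other users: create it under a
    # restrictive umask and also fix the mode of a pre-existing file, because
    # '>' keeps the mode of the file it truncates.
    umask 077
    printf '%s\n' "$key" | ${pkgs.coreutils}/bin/base64 -d > ${cfg.keyFile}
    chmod 0600 ${cfg.keyFile}
  '';
in
{
  imports = [ ./mailserver-accounts.secret.nix ];

  # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
  mailserver = {
    enable = true;
    fqdn = "mail.pleshevski.ru";
    domains = [ "pleshevski.ru" ];
    # We use traefik to generate certificates; the mailserver only reads the
    # files written by dumpTraefikMailCerts (scheme 1 = files provided here,
    # see the options page above).
    certificateScheme = 1;
    certificateFile = "${certsDir}/cert-${cfg.fqdn}.pem";
    keyFile = "${certsDir}/key-${cfg.fqdn}.pem";

    hierarchySeparator = "/";
  };

  # A router bound to the internal no-op service: its only purpose is to make
  # the "le" resolver request (and renew) a certificate for the mail host,
  # with the mail domains as SANs.
  services.traefik.dynamicConfigOptions.http = {
    routers.mailserver_acme = {
      rule = "Host(`${cfg.fqdn}`)";
      entryPoints = [ "http" ];
      tls = {
        certResolver = "le";
        domains = [
          {
            main = cfg.fqdn;
            sans = cfg.domains;
          }
        ];
      };
      service = "noop@internal";
    };
  };

  systemd = {
    # One-shot unit that copies the current cert/key out of acme.json.
    services.dump-traefik-mail-cert = {
      unitConfig = {
        Description = "Extract the mail certificate and key from traefik's acme.json";
        After = [ "network.target" ];
      };
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${dumpTraefikMailCerts}";
      };
      wantedBy = [ "multi-user.target" ];
    };
    # Re-run the dump whenever traefik rewrites acme.json (i.e. on renewal).
    # NOTE(review): nothing here reloads dovecot/postfix after the files
    # change — confirm they pick up the renewed certificate.
    paths.dump-traefik-mail-cert = {
      wantedBy = [ "multi-user.target" ];
      pathConfig.PathChanged = acmeJson;
    };
  };
}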