author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-04-23 12:23:15 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-04-23 12:23:15 +0200 |
commit | 937e40a5a6482cf19c9cc7e10ce2e7d772ddbb65 (patch) | |
tree | 044d55559d9311c06a37f29f006855ef5980553a /tests/by-name/em/email-http/nodes/name_server.nix | |
parent | hosts/server2: Use the internal stalwart directory (diff) | |
download | nixos-server-937e40a5a6482cf19c9cc7e10ce2e7d772ddbb65.zip |
tests/email-http: Use the factored out DNS server
Diffstat (limited to '')
-rw-r--r-- | tests/by-name/em/email-http/nodes/name_server.nix | 210 |
1 files changed, 0 insertions, 210 deletions
diff --git a/tests/by-name/em/email-http/nodes/name_server.nix b/tests/by-name/em/email-http/nodes/name_server.nix deleted file mode 100644 index a7e3ce9..0000000 --- a/tests/by-name/em/email-http/nodes/name_server.nix +++ /dev/null 
@@ -1,210 +0,0 @@ -{extraModules}: { - config, - lib, - nodes, - pkgs, - ... -}: let - keyAlgoToKeyType = keyAlgo: - if keyAlgo == "ed25519-sha256" - then "ed25519" - else if keyAlgo == "rsa-sha-256" || keyAlgo == "rsa-sha-1" - then "rsa" - else builtins.throw "Impossible"; - - mkZone = user: nodes: lib: cfg: { - SOA = { - nameServer = "ns.server.com"; - adminEmail = "${user}@${user}.com"; - serial = 2024012301; - }; - - MX = [ - { - preference = 10; - exchange = "${cfg.fqdn}."; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc8461.html#section-3.1 - # Also see the policy in the hmtl part. - MTA-STS = [ - { - id = "20250228Z"; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc7208.html - # https://en.wikipedia.org/wiki/Sender_Policy_Framework - TXT = [ - (builtins.concatStringsSep " " - [ - "v=spf1" # The version. - "+mx" # Allow mail from this domain MX record. - "-all" # Reject all other emails if the previous mechanism did not match. - ]) - ]; - - # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1 - # https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5 - DKIM = [ - { - selector = "mail"; - k = keyAlgoToKeyType cfg.security.dkimKeys."${user}.com".keyAlgorithm; - p = cfg.security.dkimKeys."${user}.com".dkimPublicKey; - s = ["email"]; - t = ["s"]; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3 - DMARC = [ - { - adkim = "strict"; - aspf = "strict"; - fo = ["0" "1" "d" "s"]; - p = "quarantine"; - rua = cfg.admin; - ruf = [cfg.admin]; - } - ]; - - A = [ - nodes.${user}.networking.primaryIPAddress - ]; - AAAA = [ - nodes.${user}.networking.primaryIPv6Address - ]; - }; - mkServerZone = serverName: nodes: lib: let - cfg = nodes."${serverName}_server".vhack.stalwart-mail; - in { - SOA = { - nameServer = "ns.server.com"; - adminEmail = "admin@server.com"; - serial = 2024012301; - }; - MX = [ - { - preference = 10; - exchange = "${serverName}.server.com."; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1 - # 
https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5 - DKIM = [ - { - selector = "mail"; - k = keyAlgoToKeyType cfg.security.dkimKeys."${serverName}.server.com".keyAlgorithm; - p = cfg.security.dkimKeys."${serverName}.server.com".dkimPublicKey; - s = ["email"]; - t = ["s"]; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3 - DMARC = [ - { - adkim = "strict"; - aspf = "strict"; - fo = ["0" "1" "d" "s"]; - p = "reject"; - rua = cfg.admin; - ruf = [cfg.admin]; - } - ]; - - # https://www.rfc-editor.org/rfc/rfc7208.html - # NOTE(@bpeetz): This server might not be directly sending mail, but it is still required for - # the SMTP EHLO check. <2025-02-25> - TXT = [ - (builtins.concatStringsSep " " - [ - "v=spf1" # The version. - "+mx" # Allow mail from this domain MX record. - "-all" # Reject all other emails if the previous mechanism did not match. - ]) - ]; - - A = [ - nodes."${serverName}_server".networking.primaryIPAddress - ]; - AAAA = [ - nodes."${serverName}_server".networking.primaryIPv6Address - ]; - }; -in { - imports = - extraModules - ++ [ - ../../../../../modules - ../../../../common/acme/client.nix - ]; - - networking.nameservers = lib.mkForce [ - nodes.name_server.networking.primaryIPAddress - nodes.name_server.networking.primaryIPv6Address - ]; - - vhack = { - nginx = { - enable = true; - }; - dns = { - enable = true; - openFirewall = true; - interfaces = [ - nodes.name_server.networking.primaryIPAddress - nodes.name_server.networking.primaryIPv6Address - ]; - - zones = { - "bob.com" = mkZone "bob" nodes lib nodes.mail_server.vhack.stalwart-mail; - "mail.server.com" = mkServerZone "mail" nodes lib; - "ns.server.com" = { - SOA = { - nameServer = "ns"; - adminEmail = "admin@server.com"; - serial = 2025012301; - }; - useOrigin = false; - - A = [ - nodes.name_server.networking.primaryIPAddress - ]; - AAAA = [ - nodes.name_server.networking.primaryIPv6Address - ]; - }; - "acme.test" = { - SOA = { - nameServer = "ns"; - adminEmail = 
"admin@server.com"; - serial = 2025012301; - }; - useOrigin = false; - - A = [ - nodes.acme.networking.primaryIPAddress - ]; - AAAA = [ - nodes.acme.networking.primaryIPv6Address - ]; - }; - "server.com" = { - SOA = { - nameServer = "ns"; - adminEmail = "admin@server.com"; - serial = 2025012301; - }; - - useOrigin = false; - NS = [ - "ns.server.com." - ]; - }; - }; - }; - }; -} |