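# NixOS container definition for the `mailserver` container.
#
# Inside the container Dovecot serves IMAPS (993) and ManageSieve (4190), and
# three long-running getmail units pull mail from external IMAPS mailboxes into
# the local Maildir.  Secrets come from sops-nix and are decrypted *inside* the
# container with the HOST's ed25519 SSH host key, which is bind-mounted in
# (see the NOTE(review) on `bindMounts` at the bottom of this file).
#
# Arguments:
#   specialArgs                 passed through to the container module system
#   hostBridge, hostAddress,
#   localAddress                container networking (privateNetwork is on)
#   imapsPort, sievePort        HOST-side TCP ports forwarded to the container's
#                               fixed 993/4190 listeners
#   autoStart                   whether the container starts with the host
{
  specialArgs,
  hostBridge,
  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
}:
let
  # Ports Dovecot listens on inside the container.  These are fixed; the
  # function arguments only choose the host-side ports that are forwarded to
  # them, so the container firewall has to open THESE, not the host ports.
  containerImapsPort = 993;
  containerSievePort = 4190;
in
{
  inherit specialArgs;

  config =
    {
      pkgs,
      config,
      repoFlake,
      ...
    }:
    let
      # All secrets of this container live in one sops file.
      secretsFile = ./mailserver_secrets.yaml;

      # A sops secret readable by `owner` only (sops-nix's default mode is
      # owner-read-only — TODO confirm against the pinned sops-nix).
      secretOwnedBy = owner: {
        sopsFile = secretsFile;
        inherit owner;
      };

      # One long-running getmail unit: IDLEs on INBOX of a remote IMAPS mailbox
      # and hands every message to `destination`.
      #
      #   rcName        store-file name of the generated getmail rc
      #   verbose       getmail `verbose` level
      #   restartSec    systemd RestartSec used when getmail exits (e.g. when
      #                 the IDLE connection drops) — the unit always restarts
      #   server        remote IMAPS host (port 993, implicit TLS)
      #   username      remote login name
      #   passwordFile  path of the sops secret holding the remote password
      #   destination   `{ type, path }` rendered into the [destination] section
      #
      # NOTE(review): getmail6's certificate validation depends on its version
      # and on options not set here (`ca_certs`, `ssl_fingerprints`); confirm
      # the retriever really verifies the remote certificate, because the remote
      # password is sent over this connection.
      mkGetmailService =
        {
          rcName,
          verbose,
          restartSec,
          server,
          username,
          passwordFile,
          destination,
        }:
        let
          # The rc file ends up world-readable in the Nix store; it contains only
          # the *path* of the password secret, which is read at runtime by the
          # unit's user via `password_command`.
          rc = pkgs.writeText rcName ''
            [options]
            verbose = ${toString verbose}
            read_all = 0
            delete_after = 30

            [retriever]
            type = SimpleIMAPSSLRetriever
            server = ${server}
            port = 993
            username = ${username}
            password_command = ("${pkgs.coreutils}/bin/cat", "${passwordFile}")
            mailboxes = ('INBOX',)

            [destination]
            type = ${destination.type}
            path = ${destination.path}
          '';
        in
        {
          enable = true;
          wantedBy = [ "multi-user.target" ];
          description = "Getmail service";
          path = [ pkgs.getmail6 ];
          # Runs as the mailbox owner so deliveries land in ~/.maildir.
          # NOTE(review): the dovecot2 group additionally grants read access to
          # anything group-readable by Dovecot; confirm it is still required.
          # The unit has no sandboxing (ProtectSystem, NoNewPrivileges,
          # PrivateTmp, …) — worth adding once verified against dovecot-lda.
          serviceConfig.User = "steveej";
          serviceConfig.Group = "dovecot2";
          serviceConfig.RestartSec = restartSec;
          serviceConfig.Restart = "always";
          script = ''
            getmail --idle=INBOX --rcfile=${rc}
          '';
        };

      # Delivery through dovecot-lda, so the user's sieve rules are applied.
      deliverViaDovecotLda = {
        type = "MDA_external";
        path = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda";
      };
    in
    {
      system.stateVersion = "22.05"; # Did you read the comment?

      imports = [
        ../profiles/containers/configuration.nix
        repoFlake.inputs.sops-nix.nixosModules.sops
        ../profiles/common/user.nix
      ];

      # Only the two Dovecot listeners.  Traffic forwarded from the host arrives
      # on the container ports (993/4190) whatever host ports were chosen, so
      # opening `imapsPort`/`sievePort` here would be wrong for non-default
      # values (it only worked because the defaults coincide).
      networking.firewall.allowedTCPPorts = [
        containerImapsPort
        containerSievePort
      ];

      # FIXME: `sops.defaultSopsFile` is meant as the fallback for each secret's
      # `sopsFile` (TODO confirm on this deployment); using it would drop the
      # per-secret repetition handled by `secretOwnedBy` above.
      # sops.defaultSopsFile = ./mailserver_secrets.yaml;

      # sops-nix derives its age identity from this key.  It is the HOST's SSH
      # host key, bind-mounted read-only into the container (see `bindMounts`),
      # so every secret below is encrypted to the host identity rather than to a
      # container-specific one.
      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

      sops.secrets = {
        # Remote mailbox passwords, read by the getmail units running as steveej.
        email_mailStefanjunkerDe = secretOwnedBy config.users.users.steveej.name;
        email_mailStefanjunkerDeHetzner = secretOwnedBy config.users.users.steveej.name;
        email_schtifATwebDe = secretOwnedBy config.users.users.steveej.name;

        # Dovecot passwd-file, installed as /etc/dovecot/users below.
        email_dovecot_steveej = secretOwnedBy config.users.users.dovecot2.name;

        # TODO: switch to something other than ddclient as it's no longer maintained

        # TODO: switch to a let's encrypt certificate
        # Statically deployed TLS certificate and private key for Dovecot; there
        # is no automatic rotation, so expiry and revocation are manual steps.
        dovecotSslServerCert = secretOwnedBy config.users.users.dovecot2.name;
        dovecotSslServerKey = secretOwnedBy config.users.users.dovecot2.name;
      };

      services.dovecot2 = {
        enable = true;

        # Pigeonhole provides sieve filtering and the ManageSieve listener.
        modules = [ pkgs.dovecot_pigeonhole ];
        protocols = [ "sieve" ];

        enableImap = true;
        enableLmtp = true;
        # NOTE(review): PAM verifies cleartext passwords, so with only the
        # challenge-response mechanisms configured in `extraConfig`
        # (cram-md5/digest-md5) the PAM passdb cannot succeed — check whether it
        # is still needed.  `showPAMFailure` returns the PAM failure text to the
        # not-yet-authenticated client, which can reveal account state.
        enablePAM = true;
        showPAMFailure = true;
        # Mail at rest lives in /home, a host bind mount
        # (/var/lib/container-volumes/mailserver/home).
        mailLocation = "maildir:~/.maildir";
        sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
        sslServerKey = config.sops.secrets.dovecotSslServerKey.path;

        #configFile = "/etc/dovecot/dovecot2_manual.conf";
        # Authentication notes:
        #  - cram-md5/digest-md5 need the stored password in cleartext or in the
        #    matching {CRAM-MD5}/{DIGEST-MD5} scheme.  `scheme=CRYPT` is only
        #    the default for entries WITHOUT a scheme prefix, so entries in
        #    /etc/dovecot/users must carry an explicit prefix or logins fail.
        #  - Both mechanisms avoid sending the password itself; the modern
        #    alternative is `plain login` over the TLS listeners with a strong
        #    stored hash (e.g. BLF-CRYPT/ARGON2ID).  Left unchanged here since
        #    it requires migrating the users file alongside.
        #  - auth_verbose logs failed attempts with the username; nothing in
        #    this file enables auth_debug_passwords, so passwords are not logged.
        extraConfig = ''
          auth_mechanisms = cram-md5 digest-md5
          auth_verbose = yes

          passdb {
            driver = passwd-file
            args = scheme=CRYPT username_format=%u /etc/dovecot/users
          }

          protocol lda {
            postmaster_address = "mail@stefanjunker.de"
            mail_plugins = $mail_plugins sieve
          }

          protocol imap {
            mail_max_userip_connections = 64
          }
        '';
      };

      # Exposes the sops-managed passwd-file as /etc/dovecot/users; ownership
      # and mode remain those of the sops target (owner dovecot2).
      environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;

      systemd.services.steveej-getmail-stefanjunker = mkGetmailService {
        rcName = "mailATstefanjunker.de.getmail.rc";
        verbose = 1;
        restartSec = 600;
        server = "ssl0.ovh.net";
        username = "mail@stefanjunker.de";
        passwordFile = config.sops.secrets.email_mailStefanjunkerDe.path;
        destination = deliverViaDovecotLda;
      };

      systemd.services.steveej-getmail-stefanjunker-hetzner = mkGetmailService {
        rcName = "mailATstefanjunker.de.getmail.rc";
        verbose = 2;
        restartSec = 60;
        server = "mail.your-server.de";
        username = "mail@stefanjunker.de";
        passwordFile = config.sops.secrets.email_mailStefanjunkerDeHetzner.path;
        destination = deliverViaDovecotLda;
      };

      # Writes straight into the Maildir, bypassing dovecot-lda, so sieve rules
      # do not run for this account (unlike the two units above).  Kept as is;
      # switch to `deliverViaDovecotLda` if filtering is wanted here too.
      systemd.services.steveej-getmail-webde = mkGetmailService {
        rcName = "schtifATweb.de.getmail.rc";
        verbose = 1;
        restartSec = 1000;
        server = "imap.web.de";
        username = "schtif";
        passwordFile = config.sops.secrets.email_schtifATwebDe.path;
        destination = {
          type = "Maildir";
          path = "~/.maildir/";
        };
      };
    };

  inherit autoStart;

  bindMounts = {
    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
    # NOTE(review): this hands the HOST's private SSH host key to the container.
    # Read-only does not limit *reading*: anything with root inside the
    # container can read the key, impersonate the host's SSH server and decrypt
    # every sops secret encrypted to that key (this container's and any other
    # that shares the host key).  A per-container age key (`sops.age.keyFile`)
    # would confine the blast radius of a container compromise to this container.
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;

    # Persistent mail storage; the only writable bind mount.
    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
      isReadOnly = false;
    };
  };

  privateNetwork = true;
  # Host-side ports (function arguments) -> the container's fixed Dovecot ports.
  forwardPorts = [
    {
      # imaps
      containerPort = containerImapsPort;
      hostPort = imapsPort;
      protocol = "tcp";
    }
    {
      # sieve
      containerPort = containerSievePort;
      hostPort = sievePort;
      protocol = "tcp";
    }
  ];

  inherit hostBridge hostAddress localAddress;
}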