infra/nix/os/containers/mailserver.nix

{
  repoFlake,
  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
}: let
  passwords = import ../../variables/passwords.crypt.nix;
in {
  config = {
    pkgs,
    config,
    ...
  }: {
    system.stateVersion = "21.11"; # Did you read the comment?

    imports = [
      ../profiles/containers/configuration.nix

      repoFlake.inputs.sops-nix.nixosModules.sops
      ../profiles/common/user.nix
    ];

    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.email_mailStefanjunkerDe = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_schtifATwebDe = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_dovecot_steveej = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };

    networking.firewall.enable = false;

    services.ddclientovh = {
      enable = true;
      domain = "mailserver.svc.stefanjunker.de";
    };

    services.dovecot2 = {
      enable = true;

      modules = [pkgs.dovecot_pigeonhole];
      protocols = ["sieve"];

      enableImap = true;
      enableLmtp = true;
      enablePAM = true;
      showPAMFailure = true;
      mailLocation = "maildir:~/.maildir";
      sslServerCert = "/etc/secrets/server.pem";
      sslServerKey = "/etc/secrets/server.key";

      #configFile = "/etc/dovecot/dovecot2_manual.conf";
      extraConfig = ''
        auth_mechanisms = cram-md5 digest-md5
        auth_verbose = yes

        passdb {
          driver = passwd-file
          args = scheme=CRYPT username_format=%u /etc/dovecot/users
        }

        protocol lda {
          postmaster_address = "mail@stefanjunker.de"
          mail_plugins = $mail_plugins sieve
        }

        protocol imap {
          mail_max_userip_connections = 64
        }
      '';
    };

    # environment.etc."dovecot/users".text = ''
    #   steveej:${passwords.email.steveej}
    # '';
    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;

    systemd.services.steveej-getmail-stefanjunker = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      serviceConfig.RestartSec = 600;
      serviceConfig.Restart = "always";
      description = "Getmail service";
      path = [pkgs.getmail6];
      script = let
        rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30

          [retriever]
          type = SimpleIMAPSSLRetriever
          server = ssl0.ovh.net
          port = 993
          username = mail@stefanjunker.de
          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
          mailboxes = ('INBOX',)

          [destination]
          type = MDA_external
          path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
        '';
      in ''
        getmail --rcfile=${rc} --idle=INBOX
      '';
    };

    systemd.services.steveej-getmail-webde = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      description = "Getmail service";
      path = [pkgs.getmail6];
      serviceConfig.RestartSec = 1000;
      serviceConfig.Restart = "always";
      script = let
        rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30

          [retriever]
          type = SimpleIMAPSSLRetriever
          server = imap.web.de
          port = 993
          username = schtif
          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
          mailboxes = ('INBOX',)

          [destination]
          type = Maildir
          path = ~/.maildir/
        '';
      in ''
        getmail --rcfile=${rc}
      '';
    };
  };

  inherit autoStart;

  bindMounts = {
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;

    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
      isReadOnly = false;
    };

    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
      isReadOnly = false;
    };
  };

  extraFlags = ["--resolv-conf=bind-host"];

  privateNetwork = true;
  forwardPorts = [
    {
      # imaps
      containerPort = 993;
      hostPort = imapsPort;
      protocol = "tcp";
    }

    {
      # sieve
      containerPort = 4190;
      hostPort = sievePort;
      protocol = "tcp";
    }
  ];

  inherit hostAddress localAddress;
}
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`{`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`repoFlake,`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`hostAddress,`
			`localAddress,`
			`imapsPort ? 993,`
			`sievePort ? 4190,`
			`autoStart ? false,`
			`}: let`
			`passwords = import ../../variables/passwords.crypt.nix;`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`in {`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`config = {`
			`pkgs,`
			`config,`
			`...`
			`}: {`
nix/os/devices/srv0.home-ch.stefanjunker.de: bump nixos 21.11 -> 22.05 2022-10-30 16:11:21 +01:00			`system.stateVersion = "21.11"; # Did you read the comment?`

feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`imports = [`
			`../profiles/containers/configuration.nix`

			`repoFlake.inputs.sops-nix.nixosModules.sops`
			`../profiles/common/user.nix`
			`];`

			`# sops.defaultSopsFile = ./mailserver_secrets.yaml;`
			`sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];`
			`sops.secrets.email_mailStefanjunkerDe = {`
			`sopsFile = ./mailserver_secrets.yaml;`
			`owner = config.users.users.steveej.name;`
			`};`
			`sops.secrets.email_schtifATwebDe = {`
			`sopsFile = ./mailserver_secrets.yaml;`
			`owner = config.users.users.steveej.name;`
			`};`
			`sops.secrets.email_dovecot_steveej = {`
			`sopsFile = ./mailserver_secrets.yaml;`
			`owner = config.users.users.dovecot2.name;`
			`};`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00
			`networking.firewall.enable = false;`

nix/os/containers: configure ddclient-ovh respectively 2019-02-03 11:58:07 +01:00			`services.ddclientovh = {`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`enable = true;`
			`domain = "mailserver.svc.stefanjunker.de";`
nix/os/containers: configure ddclient-ovh respectively 2019-02-03 11:58:07 +01:00			`};`

nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`services.dovecot2 = {`
			`enable = true;`

chore: format with alejandra 2023-02-07 18:24:28 +01:00			`modules = [pkgs.dovecot_pigeonhole];`
			`protocols = ["sieve"];`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00
			`enableImap = true;`
			`enableLmtp = true;`
			`enablePAM = true;`
			`showPAMFailure = true;`
			`mailLocation = "maildir:~/.maildir";`
			`sslServerCert = "/etc/secrets/server.pem";`
			`sslServerKey = "/etc/secrets/server.key";`

			`#configFile = "/etc/dovecot/dovecot2_manual.conf";`
			`extraConfig = ''`
			`auth_mechanisms = cram-md5 digest-md5`
			`auth_verbose = yes`
chore: nixfmt * 2022-10-31 11:04:38 +01:00
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`passdb {`
			`driver = passwd-file`
			`args = scheme=CRYPT username_format=%u /etc/dovecot/users`
			`}`

nix/os/containers/mailserver: enable sieve for LDA 2019-02-17 10:02:16 +01:00			`protocol lda {`
			`postmaster_address = "mail@stefanjunker.de"`
			`mail_plugins = $mail_plugins sieve`
			`}`
containers/mailserver/dovecot: increase max concurrent connections 2020-07-16 10:59:05 +02:00
			`protocol imap {`
			`mail_max_userip_connections = 64`
			`}`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`'';`
			`};`

feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`# environment.etc."dovecot/users".text = ''`
			`# steveej:${passwords.email.steveej}`
			`# '';`
			`environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00
			`systemd.services.steveej-getmail-stefanjunker = {`
			`enable = true;`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`wantedBy = ["multi-user.target"];`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`serviceConfig.User = "steveej";`
containers/mailserver: run getmail jobs as group dovecot2 Necessary due to this error: ``` Mar 06 16:18:44 mailserver 3afdapvhkdmv2df2hc3lrnwd21ai0hmj-unit-script-steveej-getmail-stefanjunker-start[342]: msg 2117/2118 (3008 bytes), delivery error (command dovecot-lda 358 wrote to stderr: lda(steveej,)Error: net_connect_unix(/run/dovecot2/stats-writer) failed: Permission denied) ``` 2019-03-06 17:23:19 +01:00			`serviceConfig.Group = "dovecot2";`
nix/os/containers/mailserver: use LDA delivery and fix restart times 2019-02-17 10:02:16 +01:00			`serviceConfig.RestartSec = 600;`
			`serviceConfig.Restart = "always";`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`description = "Getmail service";`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`path = [pkgs.getmail6];`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`script = let`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''`
			`[options]`
			`verbose = 1`
			`read_all = 0`
			`delete_after = 30`

			`[retriever]`
			`type = SimpleIMAPSSLRetriever`
			`server = ssl0.ovh.net`
			`port = 993`
			`username = mail@stefanjunker.de`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`mailboxes = ('INBOX',)`

			`[destination]`
			`type = MDA_external`
			`path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda`
			`'';`
			`in ''`
			`getmail --rcfile=${rc} --idle=INBOX`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`'';`
			`};`

			`systemd.services.steveej-getmail-webde = {`
			`enable = true;`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`wantedBy = ["multi-user.target"];`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`serviceConfig.User = "steveej";`
containers/mailserver: run getmail jobs as group dovecot2 Necessary due to this error: ``` Mar 06 16:18:44 mailserver 3afdapvhkdmv2df2hc3lrnwd21ai0hmj-unit-script-steveej-getmail-stefanjunker-start[342]: msg 2117/2118 (3008 bytes), delivery error (command dovecot-lda 358 wrote to stderr: lda(steveej,)Error: net_connect_unix(/run/dovecot2/stats-writer) failed: Permission denied) ``` 2019-03-06 17:23:19 +01:00			`serviceConfig.Group = "dovecot2";`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`description = "Getmail service";`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`path = [pkgs.getmail6];`
nix/os/containers/mailserver: use LDA delivery and fix restart times 2019-02-17 10:02:16 +01:00			`serviceConfig.RestartSec = 1000;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`serviceConfig.Restart = "always";`
			`script = let`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''`
			`[options]`
			`verbose = 1`
			`read_all = 0`
			`delete_after = 30`

			`[retriever]`
			`type = SimpleIMAPSSLRetriever`
			`server = imap.web.de`
			`port = 993`
			`username = schtif`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`mailboxes = ('INBOX',)`

			`[destination]`
			`type = Maildir`
			`path = ~/.maildir/`
			`'';`
			`in ''`
			`getmail --rcfile=${rc}`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`'';`
			`};`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`};`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00
[WIP] feat: migrate containers to vmd102066 2022-11-03 16:48:06 +01:00			`inherit autoStart;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00
			`bindMounts = {`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;`
			`"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;`

chore: nixfmt * 2022-10-31 11:04:38 +01:00			`"/etc/secrets/" = {`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";`
			`isReadOnly = false;`
			`};`

chore: nixfmt * 2022-10-31 11:04:38 +01:00			`"/home" = {`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`hostPath = "/var/lib/container-volumes/mailserver/home";`
			`isReadOnly = false;`
			`};`
			`};`

chore: format with alejandra 2023-02-07 18:24:28 +01:00			`extraFlags = ["--resolv-conf=bind-host"];`
[WIP] feat: migrate containers to vmd102066 2022-11-03 16:48:06 +01:00
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`privateNetwork = true;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`forwardPorts = [`
			`{`
			`# imaps`
			`containerPort = 993;`
containers: make all host ports configurable 2020-09-14 19:38:36 +02:00			`hostPort = imapsPort;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`protocol = "tcp";`
			`}`

			`{`
			`# sieve`
			`containerPort = 4190;`
containers: make all host ports configurable 2020-09-14 19:38:36 +02:00			`hostPort = sievePort;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`protocol = "tcp";`
			`}`
			`];`
containers: make all variables explicit Instead of merging the argument set just make all arguments explicit. 2020-09-15 17:21:28 +02:00
			`inherit hostAddress localAddress;`
nix/os,CFB4ED74: add mailserver container 2019-01-28 15:50:31 +01:00			`}`