From 78907aa98c1af8624a62ca123d088c6c16424f41 Mon Sep 17 00:00:00 2001
From: polwex <polwex@sortug.com>
Date: Sun, 21 Jul 2024 01:09:48 +0700
Subject: init

---
 hosts/cloud/spanm/mail.nix | 67 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 hosts/cloud/spanm/mail.nix

(limited to 'hosts/cloud/spanm/mail.nix')

diff --git a/hosts/cloud/spanm/mail.nix b/hosts/cloud/spanm/mail.nix
new file mode 100644
index 0000000..d020fec
--- /dev/null
+++ b/hosts/cloud/spanm/mail.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }: {
+  imports = [
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+      # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+
+      sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+    })
+  ];
+
+  services.dovecot2.sieve.extensions = [ "fileinto" ];
+  mailserver = {
+    enable = true;
+    fqdn = "mail.spandrell.ch";
+    domains = [ "spandrell.ch" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "s@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "book@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "site@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "lol@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "sub@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "security@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/mail.key";
+      };
+      "parallax@spandrell.ch" = {
+        hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
+      };
+      "finnem@spandrell.ch" = {
+        hashedPasswordFile = "/home/span/finnem.key";
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "security@spandrell.ch";
+  services.roundcube = {
+     enable = true;
+     # this is the url of the vhost, not necessarily the same as the fqdn of
+     # the mailserver
+     hostName = "mail.spandrell.ch";
+     extraConfig = ''
+       # starttls needed for authentication, so the fqdn required to match
+       # the certificate
+       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+       $config['smtp_user'] = "%u";
+       $config['smtp_pass'] = "%p";
+     '';
+  };
+  services.nginx.enable = true;
+}
-- 
cgit v1.2.3