hosts/cloud/sing/omail.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

{ config, lib, ... }: {
  imports = [
    (builtins.fetchTarball {
      # Pick a release version you are interested in and set its hash, e.g.
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
      # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
      sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
    })
  ];
  
  services.dovecot2.sieve.extensions = [ "fileinto" ];
  mailserver = {
    enable = true;
    fqdn = "mail.sortug.com";
    domains = [ "sortug.com" ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "zh@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "jp@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "th@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "bd@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "info@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "admin@sortug.com" = { # legal and banking
        hashedPasswordFile = "/home/y/mail.key";
      };
      "internal@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "billing@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "polwex@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "kinode@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "hosting@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "support@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = lib.mkForce "security@sortug.com";
  services.roundcube = {
     enable = true;
     # this is the url of the vhost, not necessarily the same as the fqdn of
     # the mailserver
     hostName = "mail.sortug.com";
     extraConfig = ''
       # starttls needed for authentication, so the fqdn required to match
       # the certificate
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
     '';
  };
  services.nginx.enable = true;
}