hosts/cloud/sortug/mail.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

{
  config,
  pkgs,
  ...
}: {
  # services.dovecot2.sieve.extensions = ["fileinto"];
  mailserver = {
    enable = true;
    stateVersion = 1;
    fqdn = "mail.sortug.com";
    domains = ["sortug.com" "yago.onl"];
    # workaround
    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "zh@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "jp@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "th@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "bd@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "info@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "admin@sortug.com" = {
        # legal and banking
        hashedPasswordFile = "/home/y/mail.key";
      };
      "internal@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "billing@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "polwex@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "kinode@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "hosting@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "support@sortug.com" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
      "sub@yago.onl" = {
        hashedPasswordFile = "/home/y/mail.key";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "security@sortug.com";
  services.roundcube = {
    enable = true;
    # this is the url of the vhost, not necessarily the same as the fqdn of
    # the mailserver
    hostName = "mail.sortug.com";
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };
  services.nginx.enable = true;
}