hosts/cloud/span/mail.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

{ config, pkgs, ... }: {
  imports = [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
      # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack

      sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
    })
  ];

  services.dovecot2.sieve.extensions = [ "fileinto" ];
  mailserver = {
    enable = true;
    fqdn = "mail.spandrell.ch";
    domains = [ "spandrell.ch" ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "s@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "book@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "site@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "lol@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "sub@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "security@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "parallax@spandrell.ch" = {
        hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
      };
      "finnem@spandrell.ch" = {
        hashedPasswordFile = "/home/span/finnem.key";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "security@spandrell.ch";
  services.roundcube = {
     enable = true;
     # this is the url of the vhost, not necessarily the same as the fqdn of
     # the mailserver
     hostName = "mail.spandrell.ch";
     extraConfig = ''
       # starttls needed for authentication, so the fqdn required to match
       # the certificate
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
     '';
  };
  services.nginx.enable = true;
}