hosts/cloud/span/mail.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

{
  config,
  pkgs,
  ...
}: {
  imports = [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
      # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack

      sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
    })
  ];

  services.dovecot2.sieve.extensions = ["fileinto"];
  mailserver = {
    enable = true;
    fqdn = "mail.spandrell.ch";
    domains = ["spandrell.ch"];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "s@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "book@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "site@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "lol@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail2.key";
      };
      "sub@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "security@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "parallax@spandrell.ch" = {
        hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
      };
      "finnem@spandrell.ch" = {
        hashedPasswordFile = "/home/span/finnem.key";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "security@spandrell.ch";
  services.roundcube = {
    enable = true;
    # this is the url of the vhost, not necessarily the same as the fqdn of
    # the mailserver
    hostName = "mail.spandrell.ch";
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };
  services.nginx.enable = true;
}