# Mail-domain configuration for sourcephile.fr on this host:
# - Dovecot TLS for the mail./imap. SNI names from the host's ACME certificate,
# - an LDAP passdb restricted to this domain's users,
# - per-domain Dovecot state directories created before the service starts,
# - the autoconfig.<domain> static nginx virtual host.
{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  # Unix group that co-owns the per-domain Dovecot state directories.
  mailGroup = "sourcephile";
  dovecotState = "/var/lib/dovecot";
  dovecotUser = config.services.dovecot2.user;
  # Certificate and key for this domain; the leading "<" makes Dovecot
  # read the file at that path instead of using the literal value.
  tlsConfig = ''
    ssl_cert = </var/lib/acme/${domain}/fullchain.pem
    ssl_key = </var/lib/acme/${domain}/key.pem
  '';
in
{
  # Appended after the host-wide Dovecot configuration.
  services.dovecot2.extraConfig = lib.mkAfter ''
    local_name mail.${domain} {
      ${tlsConfig}
    }
    local_name imap.${domain} {
      ${tlsConfig}
    }
    passdb {
      username_filter = *@${domain}
      # Because auth_bind=yes and auth_bind_userdn are used,
      # this cannot prefetch any userdb_*.
      driver = ldap
      # The path to the ldap.conf must be unique,
      # otherwise dovecot caches the result from other passdb,
      # which may be wrong because of username_filter.
      args = ${pkgs.writeText "${domain}-ldap.conf" (builtins.readFile ./ldap.conf)}
      default_fields =
      override_fields =
      skip = authenticated
    }
  '';

  # Make Dovecot pick up a renewed certificate.
  security.acme.certs.${domain}.postRun = "systemctl reload dovecot2";

  systemd.services.dovecot2 = {
    # Pull in both the self-signed placeholder and the real ACME unit,
    # but only order startup after the self-signed one.
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
    preStart = ''
      # Mode 1770: owner and group only, no access for others; the leading
      # "1" is the sticky bit, which is removed again for acl/ below.
      install -D -d -m 1770 \
        -o "${dovecotUser}" \
        -g "${mailGroup}" \
        ${dovecotState}/home/${domain} \
        ${dovecotState}/control/${domain} \
        ${dovecotState}/index/${domain} \
        ${dovecotState}/acl/${domain}

      # NOTE: do not set the sticky bit (+t)
      # on acl/<domain>/, to let dovecot
      # rename acl.db.lock (own by new user)
      # to acl.db (own by old user)
      chmod -t ${dovecotState}/acl/${domain}
    '';
  };

  services.nginx.virtualHosts."autoconfig.${domain}" = {
    serverName = "autoconfig.${domain}";
    #addSSL = true;
    forceSSL = true;
    useACMEHost = domain;
    # Static files only; neither hits nor misses are logged for this host.
    extraConfig = ''
      access_log off;
      log_not_found off;
    '';
    root = ./autoconfig;
  };
}