hosts/mermet/dovecot/sourcephile.fr.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) readFile;
   4   inherit (config.services) dovecot2;
   5   stateDir = "/var/lib/dovecot";
   6   domain = "sourcephile.fr";
   7   domainGroup = "sourcephile";
   8 in
   9 {
  10   services.dovecot2.extraConfig =
  11     let
  12       domainConfig = ''
  13         ssl_cert = </var/lib/acme/${domain}/fullchain.pem
  14         ssl_key = </var/lib/acme/${domain}/key.pem
  15       '';
  16     in
  17     lib.mkAfter ''
  18       local_name mail.${domain} {
  19         ${domainConfig}
  20       }
  21       local_name imap.${domain} {
  22         ${domainConfig}
  23       }
  24       passdb {
  25         username_filter = *@${domain}
  26         # Because auth_bind=yes and auth_bind_userdn are used,
  27         # this cannot prefetch any userdb_*.
  28         driver = ldap
  29         # The path to the ldap.conf must be unique,
  30         # otherwise dovecot caches the result from other passdb,
  31         # which may be wrong because of username_filter.
  32         args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
  33         default_fields =
  34         override_fields =
  35         skip = authenticated
  36       }
  37     '';
  38   security.acme.certs."${domain}" = {
  39     postRun = "systemctl reload dovecot2";
  40   };
  41   systemd.services.dovecot2 = {
  42     wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
  43     after = [ "acme-selfsigned-${domain}.service" ];
  44     preStart = ''
  45       install -D -d -m 1770 \
  46        -o "${dovecot2.user}" \
  47        -g "${domainGroup}" \
  48        ${stateDir}/home/${domain} \
  49        ${stateDir}/control/${domain} \
  50        ${stateDir}/index/${domain} \
  51        ${stateDir}/acl/${domain}
  52
  53       # NOTE: do not set the sticky bit (+t)
  54       #       on acl/<domain>/, to let dovecot
  55       #       rename acl.db.lock (own by new user)
  56       #       to     acl.db      (own by old user)
  57       chmod -t ${stateDir}/acl/${domain}
  58     '';
  59   };
  60   services.nginx.virtualHosts."autoconfig.${domain}" = {
  61     serverName = "autoconfig.${domain}";
  62     #addSSL = true;
  63     extraConfig = ''
  64       access_log off;
  65       log_not_found off;
  66     '';
  67     forceSSL = true;
  68     useACMEHost = domain;
  69     root = ./autoconfig;
  70   };
  71 }