dovecot: fix passdb
# NixOS module fragment: adds the autogeree.net mail domain to an existing
# dovecot2 instance (SNI TLS blocks + an LDAP passdb restricted to this
# domain), prepares the per-domain state directories before dovecot starts,
# and serves the Thunderbird-style autoconfig XML over nginx.
{ pkgs, lib, config, ... }:
let
  inherit (builtins) readFile;
  inherit (config.services) dovecot2;

  domain = "autogeree.net";
  domainGroup = "autogeree";
  stateDir = "/var/lib/dovecot";

  # Per-domain directories dovecot expects under its state dir.
  domainDirs = map (sub: "${stateDir}/${sub}/${domain}") [ "home" "control" "index" "acl" ];

  # TLS material for the SNI blocks below. The self-signed certificate is
  # public and may live in the Nix store; the private key is read from
  # /run/keys at runtime so it never lands in the world-readable store.
  tlsConfig = ''
    ssl_cert = <${../../../../sec/openssl/autogeree.net/cert.self-signed.pem}
    ssl_key = </run/keys/${domain}.key.pem
  '';

  # Dovecot caches LDAP lookups per args= path, so each domain's passdb must
  # point at a distinct file; prefixing the store name with the domain makes
  # the store path unique even when the ldap.conf contents are identical.
  # NOTE(review): ./ldap.conf is copied into the world-readable Nix store;
  # keep it free of any bind password (dnpass) — with auth_bind=yes it
  # should not need one. Confirm against the actual file.
  ldapConf = pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf);
in
{
  # Appended after the rest of the dovecot config so the domain-scoped
  # passdb is consulted after any generic ones already declared.
  services.dovecot2.extraConfig = lib.mkAfter ''
    local_name mail.${domain} {
      ${tlsConfig}
    }
    local_name imap.${domain} {
      ${tlsConfig}
    }
    passdb {
      username_filter = *@${domain}
      # auth_bind=yes with auth_bind_userdn (in ldap.conf) authenticates by
      # binding as the user, so no userdb_* fields can be prefetched here.
      driver = ldap
      # See the Nix comment on ldapConf: the path must be unique per domain,
      # otherwise dovecot would reuse another passdb's cached results, which
      # username_filter makes wrong for this domain.
      args = ${ldapConf}
      default_fields =
      override_fields =
      skip = authenticated
    }
  '';

  systemd.services.dovecot2 = {
    # Wait for the unit that provisions /run/keys/<domain>.key.pem
    # (presumably the deployment tool's key service) before starting.
    after = [ "${domain}.key.pem-key.service" ];

    preStart = ''
      # Create the per-domain dirs owned by the dovecot user and the domain
      # group, group-writable with the sticky bit (mode 1770).
      install -D -d -m 1770 \
        -o "${dovecot2.user}" \
        -g "${domainGroup}" \
        ${lib.concatStringsSep " " domainDirs}

      # The sticky bit must NOT stay on acl/<domain>/: dovecot renames
      # acl.db.lock (owned by the new user) over acl.db (owned by the old
      # user), which +t would forbid.
      chmod -t ${stateDir}/acl/${domain}
    '';
  };

  # Mail client autoconfiguration (config-v1.1.xml served from ./autoconfig).
  # SECURITY: this is served over plain HTTP (addSSL is left off), so an
  # on-path attacker can hand clients a forged config pointing them at an
  # attacker-controlled IMAP/SMTP server. Enabling TLS here closes that gap
  # but requires a certificate for autoconfig.${domain}.
  services.nginx.virtualHosts."autoconfig.${domain}" = {
    serverName = "autoconfig.${domain}";
    #addSSL = true;
    # Autoconfig probes are frequent and uninteresting; keep them out of logs.
    extraConfig = ''
      access_log off;
      log_not_found off;
    '';
    root = ./autoconfig;
  };
}