{ pkgs, lib, config, ... }:
let
+ inherit (builtins) readFile;
inherit (config.services) dovecot2;
stateDir = "/var/lib/dovecot";
domain = "sourcephile.fr";
domainGroup = "sourcephile";
- domainConfig = ''
- ssl_cert = <${../../../../sec/openssl/sourcephile.fr/cert.self-signed.pem}
- ssl_key = </run/keys/${domain}.key.pem
- '';
in
{
+services.dovecot2.extraConfig =
+ let domainConfig = ''
+ ssl_cert = </var/lib/acme/${domain}/fullchain.pem
+ ssl_key = </var/lib/acme/${domain}/key.pem
+ '';
+ in lib.mkAfter ''
+ local_name mail.${domain} {
+ ${domainConfig}
+ }
+ local_name imap.${domain} {
+ ${domainConfig}
+ }
+ passdb {
+ username_filter = *@${domain}
+ # Because auth_bind=yes and auth_bind_userdn are used,
+ # this cannot prefetch any userdb_*.
+ driver = ldap
+ # The path to the ldap.conf must be unique,
+ # otherwise dovecot caches the result from other passdb,
+ # which may be wrong because of username_filter.
+ args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+ default_fields =
+ override_fields =
+ skip = authenticated
+ }
+'';
+security.acme.certs."${domain}" = {
+ postRun = "systemctl reload dovecot2";
+};
systemd.services.dovecot2 = {
+ wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
+ after = [ "acme-selfsigned-${domain}.service" ];
preStart = ''
install -D -d -m 1770 \
-o "${dovecot2.user}" \
chmod -t ${stateDir}/acl/${domain}
'';
};
-services.dovecot2 = {
- extraConfig = lib.mkAfter ''
- passdb {
- username_filter = *@${domain}
- driver = ldap
- # Because auth_bind=yes and auth_bind_userdn are used,
- # this cannot prefetch any userdb_*.
- args = ${./ldap.conf}
- default_fields =
- override_fields =
- }
- local_name mail.${domain} {
- ${domainConfig}
- }
- local_name imap.${domain} {
- ${domainConfig}
- }
- '';
-};
services.nginx.virtualHosts."autoconfig.${domain}" = {
serverName = "autoconfig.${domain}";
#addSSL = true;
access_log off;
log_not_found off;
'';
- root = pkgs.writeTextFile {
- name = "autoconfig";
- destination = "/mail/config-v1.1.xml";
- text = ''
- <?xml version="1.0"?>
- <clientConfig version="1.1">
- <emailProvider id="%EMAILDOMAIN%">
- <!-- <displayName></displayName> -->
- <!-- <displayShortName></displayShortName> -->
- <domain>%EMAILDOMAIN%</domain>
- <incomingServer type="imap">
- <hostname>mail.%EMAILDOMAIN%</hostname>
- <port>993</port>
- <socketType>SSL</socketType>
- <username>%EMAILADDRESS%</username>
- <authentication>password-cleartext</authentication>
- </incomingServer>
- <incomingServer type="pop3">
- <hostname>mail.%EMAILDOMAIN%</hostname>
- <port>995</port>
- <socketType>SSL</socketType>
- <username>%EMAILADDRESS%</username>
- <authentication>password-cleartext</authentication>
- <pop3>
- <leaveMessagesOnServer>false</leaveMessagesOnServer>
- <downloadOnBiff>true</downloadOnBiff>
- </pop3>
- </incomingServer>
- <outgoingServer type="smtp">
- <hostname>mail.%EMAILDOMAIN%</hostname>
- <port>465</port>
- <socketType>SSL</socketType> <!-- see above -->
- <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
- <authentication>password-cleartext</authentication>
- <!-- <restriction>client-IP-address</restriction> -->
- <addThisServer>true</addThisServer>
- <useGlobalPreferredServer>false</useGlobalPreferredServer>
- </outgoingServer>
- </emailProvider>
- <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
- </clientConfig>
- '';
- };
+ forceSSL = true;
+ useACMEHost = domain;
+ root = ./autoconfig;
};
}
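Review bot: Both `local_name mail.${domain}` and `local_name imap.${domain}` blocks, and the nginx vhost through `useACMEHost = domain`, serve the certificate from `/var/lib/acme/${domain}/`, so that single ACME certificate must carry the `mail.`, `imap.` and `autoconfig.` names as SANs; only `postRun` is set on `security.acme.certs."${domain}"` in this diff, so confirm `extraDomainNames` covers them elsewhere, otherwise TLS clients will see a hostname mismatch. In the `systemd.services.dovecot2` unit, `wants` lists `acme-${domain}.service` but `after` only the self-signed unit, which looks deliberate (start on the placeholder cert, then `postRun` reloads); a comment such as `# Start on the self-signed placeholder; postRun reloads dovecot once the real cert lands.` would keep the next reader from "fixing" it. `args = ${pkgs.writeText ...}` copies `./ldap.conf` into the world-readable Nix store, as the previous `${./ldap.conf}` already did; this is only acceptable if the file holds no bind password (`dnpass`), which the auth_bind comment suggests but the diff cannot confirm. Minor: the `wants` list is missing a space before `]`.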