domainGroup = "sourcephile";
in
{
-services.dovecot2.extraConfig =
- let domainConfig = ''
- ssl_cert = </var/lib/acme/${domain}/fullchain.pem
- ssl_key = </var/lib/acme/${domain}/key.pem
- '';
- in lib.mkAfter ''
- local_name mail.${domain} {
- ${domainConfig}
- }
- local_name imap.${domain} {
- ${domainConfig}
- }
- passdb {
- username_filter = *@${domain}
- # Because auth_bind=yes and auth_bind_userdn are used,
- # this cannot prefetch any userdb_*.
- driver = ldap
- # The path to the ldap.conf must be unique,
- # otherwise dovecot caches the result from other passdb,
- # which may be wrong because of username_filter.
- args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
- default_fields =
- override_fields =
- skip = authenticated
- }
-'';
-security.acme.certs."${domain}" = {
- postRun = "systemctl reload dovecot2";
-};
-systemd.services.dovecot2 = {
- wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
- after = [ "acme-selfsigned-${domain}.service" ];
- preStart = ''
- install -D -d -m 1770 \
- -o "${dovecot2.user}" \
- -g "${domainGroup}" \
- ${stateDir}/home/${domain} \
- ${stateDir}/control/${domain} \
- ${stateDir}/index/${domain} \
- ${stateDir}/acl/${domain}
+ services.dovecot2.extraConfig =
+ let
+ domainConfig = ''
+ ssl_cert = </var/lib/acme/${domain}/fullchain.pem
+ ssl_key = </var/lib/acme/${domain}/key.pem
+ '';
+ in
+ lib.mkAfter ''
+ local_name mail.${domain} {
+ ${domainConfig}
+ }
+ local_name imap.${domain} {
+ ${domainConfig}
+ }
+ passdb {
+ username_filter = *@${domain}
+ # Because auth_bind=yes and auth_bind_userdn are used,
+ # this cannot prefetch any userdb_*.
+ driver = ldap
+ # The path to the ldap.conf must be unique,
+ # otherwise dovecot caches the result from other passdb,
+ # which may be wrong because of username_filter.
+ args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+ default_fields =
+ override_fields =
+ skip = authenticated
+ }
+ '';
+ security.acme.certs."${domain}" = {
+ postRun = "systemctl reload dovecot2";
+ };
+ systemd.services.dovecot2 = {
+ wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
+ after = [ "acme-selfsigned-${domain}.service" ];
+ preStart = ''
+ install -D -d -m 1770 \
+ -o "${dovecot2.user}" \
+ -g "${domainGroup}" \
+ ${stateDir}/home/${domain} \
+ ${stateDir}/control/${domain} \
+ ${stateDir}/index/${domain} \
+ ${stateDir}/acl/${domain}
- # NOTE: do not set the sticky bit (+t)
- # on acl/<domain>/, to let dovecot
- # rename acl.db.lock (own by new user)
- # to acl.db (own by old user)
- chmod -t ${stateDir}/acl/${domain}
- '';
-};
-services.nginx.virtualHosts."autoconfig.${domain}" = {
- serverName = "autoconfig.${domain}";
- #addSSL = true;
- extraConfig = ''
- access_log off;
- log_not_found off;
- '';
- forceSSL = true;
- useACMEHost = domain;
- root = ./autoconfig;
-};
+ # NOTE: do not set the sticky bit (+t)
+ # on acl/<domain>/, to let dovecot
+ # rename acl.db.lock (own by new user)
+ # to acl.db (own by old user)
+ chmod -t ${stateDir}/acl/${domain}
+ '';
+ };
+ services.nginx.virtualHosts."autoconfig.${domain}" = {
+ serverName = "autoconfig.${domain}";
+ #addSSL = true;
+ extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+ forceSSL = true;
+ useACMEHost = domain;
+ root = ./autoconfig;
+ };
}