depot/cluster/services/mail/imap.nix

{ config, pkgs, depot, ... }:
let
  inherit (depot.lib.identity) ldap;
  inherit (depot.lib.meta) domain;

  postfixCfg = config.services.postfix;

  # TODO: switch to proper certdir
  certDir = config.security.acme.certs."mail.${domain}".directory;

  # TODO: check how this thing does lookups, apply bind dn

  ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
    uris = ${ldap.server.url}

    auth_bind = yes
    auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
    base = ${userSearchBase}
    pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
    pass_attrs = uid=user
    dn = dn=token
    dnpass = @DOVECOT2_LDAP_DNPASS@
  '';

  ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";

  writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
    cp ${ldapConfigBase} ${ldapConfig}
    chmod 600 ${ldapConfig}
    ${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
    chmod 400 ${ldapConfig}
  '';
in {

  age.secrets.dovecotLdapToken.file = ../../../secrets/dovecot-ldap-token.age;

  networking.firewall.allowedTCPPorts = [ 143 993 ];

  services.dovecot2 = {
    enable = true;
    enableLmtp = true;
    enableImap = true;
    enablePAM = false;
    mailUser = "vmail";
    mailGroup = "vmail";
    sslServerCert = "${certDir}/fullchain.pem";
    sslServerKey = "${certDir}/key.pem";

    modules = [ pkgs.dovecot_pigeonhole ];

    sieve = {
      extensions = [
        "variables"
        "envelope"
        "fileinto"
        "subaddress"
        "mailbox"
      ];
      scripts.after = ./sieve;
    };

    extraConfig = with config.services.dovecot2; ''
      auth_username_format = %n

      namespace {
        inbox = yes
        separator = /
      }
      userdb {
        driver = static
        args = allow_all_users=yes uid=${mailUser} gid=${mailUser} home=/var/mail/virtual/%d/%n
      }
      passdb {
        driver = ldap
        args = ${ldapConfig}
      }

      service auth {
        unix_listener auth {
          mode = 0660
          user = ${postfixCfg.user}
          group = ${postfixCfg.group}
        }
      }

      auth_mechanisms = plain login
    '';
  };

  systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];

  services.fail2ban.jails.dovecot = {};
}
treewide: massive refactor 2023-08-31 01:55:45 +03:00			`{ config, pkgs, depot, ... }:`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`let`
treewide: massive refactor 2023-08-31 01:55:45 +03:00			`inherit (depot.lib.identity) ldap;`
			`inherit (depot.lib.meta) domain;`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00
			`postfixCfg = config.services.postfix;`

			`# TODO: switch to proper certdir`
			`certDir = config.security.acme.certs."mail.${domain}".directory;`

			`# TODO: check how this thing does lookups, apply bind dn`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00
			`ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`uris = ${ldap.server.url}`

			`auth_bind = yes`
			`auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}`
			`base = ${userSearchBase}`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00			`pass_filter = (&(objectClass=person)(${uidAttribute}=%n))`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`pass_attrs = uid=user`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00			`dn = dn=token`
			`dnpass = @DOVECOT2_LDAP_DNPASS@`
			`'';`

			`ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";`

			`writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''`
			`cp ${ldapConfigBase} ${ldapConfig}`
			`chmod 600 ${ldapConfig}`
			`${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}`
			`chmod 400 ${ldapConfig}`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`'';`
			`in {`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00
cluster/services/mail: move from VEGAS/mail 2024-07-22 00:23:42 +03:00			`age.secrets.dovecotLdapToken.file = ../../../secrets/dovecot-ldap-token.age;`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`networking.firewall.allowedTCPPorts = [ 143 993 ];`

			`services.dovecot2 = {`
			`enable = true;`
			`enableLmtp = true;`
			`enableImap = true;`
			`enablePAM = false;`
			`mailUser = "vmail";`
			`mailGroup = "vmail";`
			`sslServerCert = "${certDir}/fullchain.pem";`
			`sslServerKey = "${certDir}/key.pem";`

			`modules = [ pkgs.dovecot_pigeonhole ];`

VEGAS/mail: enable some sieve extensions 2024-06-07 02:05:17 +03:00			`sieve = {`
			`extensions = [`
			`"variables"`
			`"envelope"`
			`"fileinto"`
			`"subaddress"`
			`"mailbox"`
			`];`
			`scripts.after = ./sieve;`
			`};`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00
			`extraConfig = with config.services.dovecot2; ''`
			`auth_username_format = %n`

			`namespace {`
			`inbox = yes`
			`separator = /`
			`}`
			`userdb {`
			`driver = static`
			`args = allow_all_users=yes uid=${mailUser} gid=${mailUser} home=/var/mail/virtual/%d/%n`
			`}`
			`passdb {`
			`driver = ldap`
			`args = ${ldapConfig}`
			`}`

			`service auth {`
			`unix_listener auth {`
			`mode = 0660`
			`user = ${postfixCfg.user}`
			`group = ${postfixCfg.group}`
			`}`
			`}`

			`auth_mechanisms = plain login`
			`'';`
			`};`
VEGAS/mail: adjust ldap settings for idm-ldap 2023-10-25 20:30:49 +03:00
			`systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];`

VEGAS/mail: switch fail2ban jails to submodule style 2023-12-02 02:14:52 +02:00			`services.fail2ban.jails.dovecot = {};`
VEGAS: full mail server 2021-10-16 21:22:48 +03:00			`}`