{ lib, pkgs, config, myconfig, ... }:
let
  # Store copy of ./sieve_bin: shebangs patched and every program wrapped so that
  # coreutils is on PATH. Handed to Pigeonhole below as sieve_pipe_bin_dir, i.e.
  # this is the only directory the Sieve "pipe" extension may execute from.
  sieve_bin = pkgs.runCommand "sieve_bin" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    cp -a ${./sieve_bin} $out
    chmod -R u+w $out
    patchShebangs $out
    for i in $out/*; do
      wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils ]}
    done
  '';
in
{
  # Dovecot (IMAP, POP3, LMTP, ManageSieve) for the mail role. Everything below
  # is applied only when myServices.mail.enable is set.
  config = lib.mkIf config.myServices.mail.enable {
    # Paths excluded from the "mail" backup profile.
    services.backup.profiles.mail.excludeFile = ''
      + /var/lib/dhparams
      + /var/lib/dovecot
    '';
    # LDAP passdb configuration, rendered to a file readable only by the dovecot
    # user (0400) because it carries the bind password (dnpass). Its on-disk
    # path is referenced below via config.secrets.fullPaths."dovecot/ldap".
    # auth_bind = yes: users are authenticated by binding as their own DN, so
    # no password hashes are fetched from the directory.
    # NOTE(review): tls = yes but no tls_ca_cert_file / tls_require_cert is set
    # here, so certificate verification of the LDAP server relies on the libldap
    # defaults (system ldap.conf) — confirm.
    secrets.keys = [
      {
        dest = "dovecot/ldap";
        user = config.services.dovecot2.user;
        group = config.services.dovecot2.group;
        permissions = "0400";
        text = ''
          hosts = ${myconfig.env.mail.dovecot.ldap.host}
          tls = yes

          dn = ${myconfig.env.mail.dovecot.ldap.dn}
          dnpass = ${myconfig.env.mail.dovecot.ldap.password}

          auth_bind = yes

          ldap_version = 3

          base = ${myconfig.env.mail.dovecot.ldap.base}
          scope = subtree

          user_filter = ${myconfig.env.mail.dovecot.ldap.filter}
          pass_filter = ${myconfig.env.mail.dovecot.ldap.filter}

          user_attrs = ${myconfig.env.mail.dovecot.ldap.user_attrs}
          pass_attrs = ${myconfig.env.mail.dovecot.ldap.pass_attrs}
        '';
      }
    ];

    # Single system account owning every virtual mailbox (see mailUser /
    # mailGroup and the static userdb below). Fixed ids come from config.ids.
    users.users.vhost = {
      group = "vhost";
      uid = config.ids.uids.vhost;
    };
    users.groups.vhost.gid = config.ids.gids.vhost;

    # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous.......
    services.dovecot2 = {
      enable = true;
      # No PAM: the only password backend is the LDAP passdb configured below.
      enablePAM = false;
      enablePop3 = true;
      enableImap = true;
      enableLmtp = true;
      # "sieve" adds the ManageSieve protocol (port 4190).
      protocols = [ "sieve" ];
      modules = [
        pkgs.dovecot_pigeonhole
        pkgs.dovecot_fts-xapian
      ];
      # All mail is stored as the vhost account created above, so Dovecot must
      # not create its own mail user.
      mailUser = "vhost";
      mailGroup = "vhost";
      createMailUser = false;
      mailboxes = [
        { name = "Trash"; auto = "subscribe"; specialUse = "Trash"; }
        { name = "Junk"; auto = "subscribe"; specialUse = "Junk"; }
        { name = "Sent"; auto = "subscribe"; specialUse = "Sent"; }
        { name = "Drafts"; auto = "subscribe"; specialUse = "Drafts"; }
      ];
      # mbox layout; the static userdb below repeats this exact value as mail=.
      mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap";
      # Certificate comes from the ACME "mail" cert declared at the bottom of
      # this file.
      # NOTE(review): sslCACert points at the server's own chain; in Dovecot
      # that setting (ssl_ca) is only consulted for client-certificate
      # verification, which is not enabled here — confirm it is intentional.
      sslServerCert = "/var/lib/acme/mail/fullchain.pem";
      sslServerKey = "/var/lib/acme/mail/key.pem";
      sslCACert = "/var/lib/acme/mail/fullchain.pem";
      # dovecot.conf is assembled from independent fragments; the order only
      # matters for the protocol-specific block, which must stay last (see
      # its comment).
      extraConfig = builtins.concatStringsSep "\n" [
        # Global defaults and the default (private) namespace.
        ''
        postmaster_address = postmaster@immae.eu
        mail_attribute_dict = file:%h/dovecot-attributes
        imap_idle_notify_interval = 20 mins
        namespace inbox {
          type = private
          separator = /
          inbox = yes
          list = yes
        }
        ''

        # Full text search
        # Xapian-backed FTS, auto-indexed on delivery except for Junk, Trash
        # and the Virtual/ namespace declared further down.
        ''
        # needs to be bigger than any mailbox size
        default_vsz_limit = 2GB
        mail_plugins = $mail_plugins fts fts_xapian
        plugin {
          plugin = fts fts_xapian
          fts = xapian
          fts_xapian = partial=2 full=20
          fts_autoindex = yes
          fts_autoindex_exclude = \Junk
          fts_autoindex_exclude2 = \Trash
          fts_autoindex_exclude3 = Virtual/*
        }
        ''

        # Antispam
        # https://docs.iredmail.org/dovecot.imapsieve.html
        # IMAPSieve hooks: report_spam.sieve runs when a message is copied or
        # appended into Junk, report_ham.sieve when one is copied out of Junk.
        # Compiled scripts go to /var/lib/vhost/.imapsieve_bin. The pipe
        # extension can only execute programs from sieve_pipe_bin_dir (the
        # sieve_bin derivation above), and it is listed under
        # sieve_global_extensions, which per Pigeonhole keeps it unavailable to
        # user scripts uploaded over ManageSieve.
        ''
        # imap_sieve plugin added below

        plugin {
          sieve_plugins = sieve_imapsieve sieve_extprograms
          imapsieve_url = sieve://127.0.0.1:4190

          # From elsewhere to Junk folder
          imapsieve_mailbox1_name = Junk
          imapsieve_mailbox1_causes = COPY APPEND
          imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin

          # From Junk folder to elsewhere
          imapsieve_mailbox2_name = *
          imapsieve_mailbox2_from = Junk
          imapsieve_mailbox2_causes = COPY
          imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin

          sieve_pipe_bin_dir = ${sieve_bin}

          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
        }
        ''
        # Services to listen
        # Explicit listener declarations. The auth socket is placed inside
        # Postfix's queue directory (presumably for Postfix SMTP AUTH via
        # Dovecot SASL); it is created 0666, so who can reach it is bounded
        # only by the permissions of that private/ directory — confirm it is
        # not world-traversable. The stats sockets are restricted to vhost.
        ''
        service imap-login {
          inet_listener imap {
          }
          inet_listener imaps {
          }
        }
        service pop3-login {
          inet_listener pop3 {
          }
          inet_listener pop3s {
          }
        }
        service imap {
        }
        service pop3 {
        }
        service auth {
          unix_listener auth-userdb {
          }
          unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
            mode = 0666
          }
        }
        service auth-worker {
        }
        service dict {
          unix_listener dict {
          }
        }
        service stats {
          unix_listener stats-reader {
            user = vhost
            group = vhost
            mode = 0660
          }
          unix_listener stats-writer {
            user = vhost
            group = vhost
            mode = 0660
          }
        }
        ''

        # Authentication
        # Passwords are checked against LDAP only (file from secrets.keys
        # above); user lookup is static: every user is mapped to the vhost
        # uid/gid with a per-domain, per-user home under /var/lib/vhost.
        # first_valid_uid is the vhost uid so no lower system uid can be served.
        # disable_plaintext_auth = yes refuses plaintext logins unless the
        # session is TLS-protected (or local).
        ''
        first_valid_uid = ${toString config.ids.uids.vhost}
        disable_plaintext_auth = yes
        passdb {
          driver = ldap
          args = ${config.secrets.fullPaths."dovecot/ldap"}
        }
        userdb {
          driver = static
          args = user=%u uid=vhost gid=vhost home=/var/lib/vhost/%d/%n/ mail=mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap
        }
        ''

        # Zlib
        # Newly saved mail is gzip-compressed at level 6.
        ''
        mail_plugins = $mail_plugins zlib
        plugin {
          zlib_save_level = 6
          zlib_save = gz
        }
        ''

        # Sieve
        # Per-user Sieve scripts live in the user's home; ManageSieve lets
        # users upload them.
        ''
        plugin {
          sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve
        }
        service managesieve-login {
        }
        service managesieve {
        }
        ''

        # Virtual mailboxes
        # Virtual/ namespace backed by ~/Virtual; excluded from FTS auto-index above.
        ''
        mail_plugins = $mail_plugins virtual
        namespace Virtual {
          prefix = Virtual/
          location = virtual:~/Virtual
        }
        ''

        # Protocol specific configuration
        # Needs to come last if there are mail_plugins entries
        ''
        protocol imap {
          mail_plugins = $mail_plugins imap_sieve
        }
        protocol lda {
          mail_plugins = $mail_plugins sieve
        }
        ''
      ];
    };
    # 110/143/4190 (POP3/IMAP/ManageSieve, STARTTLS) and 993/995 (implicit
    # TLS). Plaintext login on the first group is blocked by
    # disable_plaintext_auth above unless TLS has been negotiated.
    networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ];
    # Root of all virtual mailbox homes (see the static userdb); created after
    # the vhost user exists so ownership can be set.
    system.activationScripts.dovecot = {
      deps = [ "users" ];
      text =''
        install -m 0755 -o vhost -g vhost -d /var/lib/vhost
      '';
    };

    # ACME certificate used by sslServerCert/sslServerKey above; Dovecot is
    # restarted after each renewal so it picks up the new key.
    security.acme.certs."mail" = {
      postRun = ''
        systemctl restart dovecot2.service
      '';
      extraDomains = {
        "imap.immae.eu" = null;
        "pop3.immae.eu" = null;
      };
    };
  };
}