author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-10-18 19:43:39 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-10-18 19:43:39 +0200 |
commit | 8415083eb6acc343dfa404dbbc12fa0171a48a20 (patch) | |
tree | d83f54c99763ae49076bf3071449595b6ccae133 /modules/private/mail/dovecot.nix | |
parent | 8fa7ff2c63fb0722144bc90837512d9f8b8c929d (diff) | |
Add new machine to nixops
Diffstat (limited to 'modules/private/mail/dovecot.nix')
-rw-r--r-- | modules/private/mail/dovecot.nix | 428 |
1 files changed, 215 insertions, 213 deletions
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 0d13a7b..dc75e0f 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix | |||
@@ -12,239 +12,241 @@ let | |||
12 | ''; | 12 | ''; |
13 | in | 13 | in |
14 | { | 14 | { |
15 | config.services.backup.profiles.mail.excludeFile = '' | 15 | config = lib.mkIf config.myServices.mail.enable { |
16 | + /var/lib/dhparams | 16 | services.backup.profiles.mail.excludeFile = '' |
17 | + /var/lib/dovecot | 17 | + /var/lib/dhparams |
18 | ''; | 18 | + /var/lib/dovecot |
19 | config.secrets.keys = [ | 19 | ''; |
20 | { | 20 | secrets.keys = [ |
21 | dest = "dovecot/ldap"; | 21 | { |
22 | user = config.services.dovecot2.user; | 22 | dest = "dovecot/ldap"; |
23 | group = config.services.dovecot2.group; | 23 | user = config.services.dovecot2.user; |
24 | permissions = "0400"; | 24 | group = config.services.dovecot2.group; |
25 | text = '' | 25 | permissions = "0400"; |
26 | hosts = ${myconfig.env.mail.dovecot.ldap.host} | 26 | text = '' |
27 | tls = yes | 27 | hosts = ${myconfig.env.mail.dovecot.ldap.host} |
28 | 28 | tls = yes | |
29 | dn = ${myconfig.env.mail.dovecot.ldap.dn} | ||
30 | dnpass = ${myconfig.env.mail.dovecot.ldap.password} | ||
31 | 29 | ||
32 | auth_bind = yes | 30 | dn = ${myconfig.env.mail.dovecot.ldap.dn} |
31 | dnpass = ${myconfig.env.mail.dovecot.ldap.password} | ||
33 | 32 | ||
34 | ldap_version = 3 | 33 | auth_bind = yes |
35 | 34 | ||
36 | base = ${myconfig.env.mail.dovecot.ldap.base} | 35 | ldap_version = 3 |
37 | scope = subtree | ||
38 | 36 | ||
39 | user_filter = ${myconfig.env.mail.dovecot.ldap.filter} | 37 | base = ${myconfig.env.mail.dovecot.ldap.base} |
40 | pass_filter = ${myconfig.env.mail.dovecot.ldap.filter} | 38 | scope = subtree |
41 | 39 | ||
42 | user_attrs = ${myconfig.env.mail.dovecot.ldap.user_attrs} | 40 | user_filter = ${myconfig.env.mail.dovecot.ldap.filter} |
43 | pass_attrs = ${myconfig.env.mail.dovecot.ldap.pass_attrs} | 41 | pass_filter = ${myconfig.env.mail.dovecot.ldap.filter} |
44 | ''; | ||
45 | } | ||
46 | ]; | ||
47 | 42 | ||
48 | config.users.users.vhost = { | 43 | user_attrs = ${myconfig.env.mail.dovecot.ldap.user_attrs} |
49 | group = "vhost"; | 44 | pass_attrs = ${myconfig.env.mail.dovecot.ldap.pass_attrs} |
50 | uid = config.ids.uids.vhost; | 45 | ''; |
51 | }; | 46 | } |
52 | config.users.groups.vhost.gid = config.ids.gids.vhost; | ||
53 | |||
54 | # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous....... | ||
55 | config.services.dovecot2 = { | ||
56 | enable = true; | ||
57 | enablePAM = false; | ||
58 | enablePop3 = true; | ||
59 | enableImap = true; | ||
60 | enableLmtp = true; | ||
61 | protocols = [ "sieve" ]; | ||
62 | modules = [ | ||
63 | pkgs.dovecot_pigeonhole | ||
64 | pkgs.dovecot_fts-xapian | ||
65 | ]; | ||
66 | mailUser = "vhost"; | ||
67 | mailGroup = "vhost"; | ||
68 | createMailUser = false; | ||
69 | mailboxes = [ | ||
70 | { name = "Trash"; auto = "subscribe"; specialUse = "Trash"; } | ||
71 | { name = "Junk"; auto = "subscribe"; specialUse = "Junk"; } | ||
72 | { name = "Sent"; auto = "subscribe"; specialUse = "Sent"; } | ||
73 | { name = "Drafts"; auto = "subscribe"; specialUse = "Drafts"; } | ||
74 | ]; | 47 | ]; |
75 | mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap"; | 48 | |
76 | sslServerCert = "/var/lib/acme/mail/fullchain.pem"; | 49 | users.users.vhost = { |
77 | sslServerKey = "/var/lib/acme/mail/key.pem"; | 50 | group = "vhost"; |
78 | sslCACert = "/var/lib/acme/mail/fullchain.pem"; | 51 | uid = config.ids.uids.vhost; |
79 | extraConfig = builtins.concatStringsSep "\n" [ | 52 | }; |
80 | '' | 53 | users.groups.vhost.gid = config.ids.gids.vhost; |
81 | postmaster_address = postmaster@immae.eu | 54 | |
82 | mail_attribute_dict = file:%h/dovecot-attributes | 55 | # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous....... |
83 | imap_idle_notify_interval = 20 mins | 56 | services.dovecot2 = { |
84 | namespace inbox { | 57 | enable = true; |
85 | type = private | 58 | enablePAM = false; |
86 | separator = / | 59 | enablePop3 = true; |
87 | inbox = yes | 60 | enableImap = true; |
88 | list = yes | 61 | enableLmtp = true; |
89 | } | 62 | protocols = [ "sieve" ]; |
90 | '' | 63 | modules = [ |
91 | 64 | pkgs.dovecot_pigeonhole | |
92 | # Full text search | 65 | pkgs.dovecot_fts-xapian |
93 | '' | 66 | ]; |
94 | # needs to be bigger than any mailbox size | 67 | mailUser = "vhost"; |
95 | default_vsz_limit = 2GB | 68 | mailGroup = "vhost"; |
96 | mail_plugins = $mail_plugins fts fts_xapian | 69 | createMailUser = false; |
70 | mailboxes = [ | ||
71 | { name = "Trash"; auto = "subscribe"; specialUse = "Trash"; } | ||
72 | { name = "Junk"; auto = "subscribe"; specialUse = "Junk"; } | ||
73 | { name = "Sent"; auto = "subscribe"; specialUse = "Sent"; } | ||
74 | { name = "Drafts"; auto = "subscribe"; specialUse = "Drafts"; } | ||
75 | ]; | ||
76 | mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap"; | ||
77 | sslServerCert = "/var/lib/acme/mail/fullchain.pem"; | ||
78 | sslServerKey = "/var/lib/acme/mail/key.pem"; | ||
79 | sslCACert = "/var/lib/acme/mail/fullchain.pem"; | ||
80 | extraConfig = builtins.concatStringsSep "\n" [ | ||
81 | '' | ||
82 | postmaster_address = postmaster@immae.eu | ||
83 | mail_attribute_dict = file:%h/dovecot-attributes | ||
84 | imap_idle_notify_interval = 20 mins | ||
85 | namespace inbox { | ||
86 | type = private | ||
87 | separator = / | ||
88 | inbox = yes | ||
89 | list = yes | ||
90 | } | ||
91 | '' | ||
92 | |||
93 | # Full text search | ||
94 | '' | ||
95 | # needs to be bigger than any mailbox size | ||
96 | default_vsz_limit = 2GB | ||
97 | mail_plugins = $mail_plugins fts fts_xapian | ||
98 | plugin { | ||
99 | plugin = fts fts_xapian | ||
100 | fts = xapian | ||
101 | fts_xapian = partial=2 full=20 | ||
102 | fts_autoindex = yes | ||
103 | fts_autoindex_exclude = \Junk | ||
104 | fts_autoindex_exclude2 = \Trash | ||
105 | fts_autoindex_exclude3 = Virtual/* | ||
106 | } | ||
107 | '' | ||
108 | |||
109 | # Antispam | ||
110 | # https://docs.iredmail.org/dovecot.imapsieve.html | ||
111 | '' | ||
112 | # imap_sieve plugin added below | ||
113 | |||
97 | plugin { | 114 | plugin { |
98 | plugin = fts fts_xapian | 115 | sieve_plugins = sieve_imapsieve sieve_extprograms |
99 | fts = xapian | 116 | imapsieve_url = sieve://127.0.0.1:4190 |
100 | fts_xapian = partial=2 full=20 | 117 | |
101 | fts_autoindex = yes | 118 | # From elsewhere to Junk folder |
102 | fts_autoindex_exclude = \Junk | 119 | imapsieve_mailbox1_name = Junk |
103 | fts_autoindex_exclude2 = \Trash | 120 | imapsieve_mailbox1_causes = COPY APPEND |
104 | fts_autoindex_exclude3 = Virtual/* | 121 | imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin |
105 | } | 122 | |
106 | '' | 123 | # From Junk folder to elsewhere |
107 | 124 | imapsieve_mailbox2_name = * | |
108 | # Antispam | 125 | imapsieve_mailbox2_from = Junk |
109 | # https://docs.iredmail.org/dovecot.imapsieve.html | 126 | imapsieve_mailbox2_causes = COPY |
110 | '' | 127 | imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin |
111 | # imap_sieve plugin added below | 128 | |
112 | 129 | sieve_pipe_bin_dir = ${sieve_bin} | |
113 | plugin { | 130 | |
114 | sieve_plugins = sieve_imapsieve sieve_extprograms | 131 | sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment |
115 | imapsieve_url = sieve://127.0.0.1:4190 | ||
116 | |||
117 | # From elsewhere to Junk folder | ||
118 | imapsieve_mailbox1_name = Junk | ||
119 | imapsieve_mailbox1_causes = COPY APPEND | ||
120 | imapsieve_mailbox1_before = file:${./sieve_scripts}/report_spam.sieve;bindir=/var/lib/vhost/.imapsieve_bin | ||
121 | |||
122 | # From Junk folder to elsewhere | ||
123 | imapsieve_mailbox2_name = * | ||
124 | imapsieve_mailbox2_from = Junk | ||
125 | imapsieve_mailbox2_causes = COPY | ||
126 | imapsieve_mailbox2_before = file:${./sieve_scripts}/report_ham.sieve;bindir=/var/lib/vhost/.imapsieve_bin | ||
127 | |||
128 | sieve_pipe_bin_dir = ${sieve_bin} | ||
129 | |||
130 | sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment | ||
131 | } | ||
132 | '' | ||
133 | # Services to listen | ||
134 | '' | ||
135 | service imap-login { | ||
136 | inet_listener imap { | ||
137 | } | 132 | } |
138 | inet_listener imaps { | 133 | '' |
134 | # Services to listen | ||
135 | '' | ||
136 | service imap-login { | ||
137 | inet_listener imap { | ||
138 | } | ||
139 | inet_listener imaps { | ||
140 | } | ||
139 | } | 141 | } |
140 | } | 142 | service pop3-login { |
141 | service pop3-login { | 143 | inet_listener pop3 { |
142 | inet_listener pop3 { | 144 | } |
145 | inet_listener pop3s { | ||
146 | } | ||
143 | } | 147 | } |
144 | inet_listener pop3s { | 148 | service imap { |
145 | } | 149 | } |
146 | } | 150 | service pop3 { |
147 | service imap { | ||
148 | } | ||
149 | service pop3 { | ||
150 | } | ||
151 | service auth { | ||
152 | unix_listener auth-userdb { | ||
153 | } | 151 | } |
154 | unix_listener ${config.services.postfix.config.queue_directory}/private/auth { | 152 | service auth { |
155 | mode = 0666 | 153 | unix_listener auth-userdb { |
154 | } | ||
155 | unix_listener ${config.services.postfix.config.queue_directory}/private/auth { | ||
156 | mode = 0666 | ||
157 | } | ||
156 | } | 158 | } |
157 | } | 159 | service auth-worker { |
158 | service auth-worker { | ||
159 | } | ||
160 | service dict { | ||
161 | unix_listener dict { | ||
162 | } | 160 | } |
163 | } | 161 | service dict { |
164 | service stats { | 162 | unix_listener dict { |
165 | unix_listener stats-reader { | 163 | } |
166 | user = vhost | ||
167 | group = vhost | ||
168 | mode = 0660 | ||
169 | } | 164 | } |
170 | unix_listener stats-writer { | 165 | service stats { |
171 | user = vhost | 166 | unix_listener stats-reader { |
172 | group = vhost | 167 | user = vhost |
173 | mode = 0660 | 168 | group = vhost |
169 | mode = 0660 | ||
170 | } | ||
171 | unix_listener stats-writer { | ||
172 | user = vhost | ||
173 | group = vhost | ||
174 | mode = 0660 | ||
175 | } | ||
174 | } | 176 | } |
175 | } | 177 | '' |
176 | '' | 178 | |
177 | 179 | # Authentification | |
178 | # Authentification | 180 | '' |
179 | '' | 181 | first_valid_uid = ${toString config.ids.uids.vhost} |
180 | first_valid_uid = ${toString config.ids.uids.vhost} | 182 | disable_plaintext_auth = yes |
181 | disable_plaintext_auth = yes | 183 | passdb { |
182 | passdb { | 184 | driver = ldap |
183 | driver = ldap | 185 | args = ${config.secrets.fullPaths."dovecot/ldap"} |
184 | args = ${config.secrets.fullPaths."dovecot/ldap"} | 186 | } |
185 | } | 187 | userdb { |
186 | userdb { | 188 | driver = static |
187 | driver = static | 189 | args = user=%u uid=vhost gid=vhost home=/var/lib/vhost/%d/%n/ mail=mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap |
188 | args = user=%u uid=vhost gid=vhost home=/var/lib/vhost/%d/%n/ mail=mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap | 190 | } |
189 | } | 191 | '' |
190 | '' | ||
191 | |||
192 | # Zlib | ||
193 | '' | ||
194 | mail_plugins = $mail_plugins zlib | ||
195 | plugin { | ||
196 | zlib_save_level = 6 | ||
197 | zlib_save = gz | ||
198 | } | ||
199 | '' | ||
200 | 192 | ||
201 | # Sieve | 193 | # Zlib |
202 | '' | 194 | '' |
203 | plugin { | 195 | mail_plugins = $mail_plugins zlib |
204 | sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve | 196 | plugin { |
205 | } | 197 | zlib_save_level = 6 |
206 | service managesieve-login { | 198 | zlib_save = gz |
207 | } | 199 | } |
208 | service managesieve { | 200 | '' |
209 | } | ||
210 | '' | ||
211 | |||
212 | # Virtual mailboxes | ||
213 | '' | ||
214 | mail_plugins = $mail_plugins virtual | ||
215 | namespace Virtual { | ||
216 | prefix = Virtual/ | ||
217 | location = virtual:~/Virtual | ||
218 | } | ||
219 | '' | ||
220 | 201 | ||
221 | # Protocol specific configuration | 202 | # Sieve |
222 | # Needs to come last if there are mail_plugins entries | 203 | '' |
223 | '' | 204 | plugin { |
224 | protocol imap { | 205 | sieve = file:~/sieve;bindir=~/.sieve-bin;active=~/.dovecot.sieve |
225 | mail_plugins = $mail_plugins imap_sieve | 206 | } |
226 | } | 207 | service managesieve-login { |
227 | protocol lda { | 208 | } |
228 | mail_plugins = $mail_plugins sieve | 209 | service managesieve { |
229 | } | 210 | } |
230 | '' | 211 | '' |
231 | ]; | 212 | |
232 | }; | 213 | # Virtual mailboxes |
233 | config.networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ]; | 214 | '' |
234 | config.system.activationScripts.dovecot = { | 215 | mail_plugins = $mail_plugins virtual |
235 | deps = [ "users" ]; | 216 | namespace Virtual { |
236 | text ='' | 217 | prefix = Virtual/ |
237 | install -m 0755 -o vhost -g vhost -d /var/lib/vhost | 218 | location = virtual:~/Virtual |
238 | ''; | 219 | } |
239 | }; | 220 | '' |
240 | 221 | ||
241 | config.security.acme.certs."mail" = { | 222 | # Protocol specific configuration |
242 | postRun = '' | 223 | # Needs to come last if there are mail_plugins entries |
243 | systemctl restart dovecot2.service | 224 | '' |
244 | ''; | 225 | protocol imap { |
245 | extraDomains = { | 226 | mail_plugins = $mail_plugins imap_sieve |
246 | "imap.immae.eu" = null; | 227 | } |
247 | "pop3.immae.eu" = null; | 228 | protocol lda { |
229 | mail_plugins = $mail_plugins sieve | ||
230 | } | ||
231 | '' | ||
232 | ]; | ||
233 | }; | ||
234 | networking.firewall.allowedTCPPorts = [ 110 143 993 995 4190 ]; | ||
235 | system.activationScripts.dovecot = { | ||
236 | deps = [ "users" ]; | ||
237 | text ='' | ||
238 | install -m 0755 -o vhost -g vhost -d /var/lib/vhost | ||
239 | ''; | ||
240 | }; | ||
241 | |||
242 | security.acme.certs."mail" = { | ||
243 | postRun = '' | ||
244 | systemctl restart dovecot2.service | ||
245 | ''; | ||
246 | extraDomains = { | ||
247 | "imap.immae.eu" = null; | ||
248 | "pop3.immae.eu" = null; | ||
249 | }; | ||
248 | }; | 250 | }; |
249 | }; | 251 | }; |
250 | } | 252 | } |
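Review bot: The `mode = 0666` on the `unix_listener ${config.services.postfix.config.queue_directory}/private/auth` block (new line 156, carried over unchanged into the `lib.mkIf` wrapper) leaves Dovecot's SASL socket world-writable, while the only legitimate client is Postfix; Dovecot's documented Postfix integration restricts it to the Postfix account instead. Since the socket sits under Postfix's `private/` queue subdirectory the practical exposure is likely already limited by that directory's permissions, but the least-privilege form costs nothing: `mode = 0660`, `user = ${config.services.postfix.user}`, `group = ${config.services.postfix.group}`. The same hunk sets `tls = yes` for the LDAP passdb (new line 28) without a visible `tls_require_cert` setting, so whether the LDAP server certificate is verified depends on the system ldap.conf defaults — worth pinning explicitly or confirming, given that `dnpass` and user credentials cross that connection. The enclosing `let … in` attrset begins before the hunk.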