author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/websites/tools/mail | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personal information about users. All those changes got
stashed into a single commit (history is kept in a different place) and
private information was moved to a separate private repository
Diffstat (limited to 'modules/private/websites/tools/mail')
-rw-r--r-- | modules/private/websites/tools/mail/default.nix | 79 | ||||
-rw-r--r-- | modules/private/websites/tools/mail/mta-sts.nix | 54 | ||||
-rw-r--r-- | modules/private/websites/tools/mail/rainloop.nix | 54 | ||||
-rw-r--r-- | modules/private/websites/tools/mail/roundcubemail.nix | 118 | ||||
-rw-r--r-- | modules/private/websites/tools/mail/www/index.html | 74 |
5 files changed, 0 insertions, 379 deletions
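--- a/modules/private/websites/tools/mail/default.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-roundcubemail = pkgs.callPackage ./roundcubemail.nix {
-inherit (pkgs.webapps) roundcubemail;
-env = config.myEnv.tools.roundcubemail;
-inherit config;
-};
-rainloop = pkgs.callPackage ./rainloop.nix {
-rainloop = pkgs.rainloop-community;
-};
-cfg = config.myServices.websites.tools.email;
-pcfg = config.services.phpfpm.pools;
-in
-{
-options.myServices.websites.tools.email = {
-enable = lib.mkEnableOption "enable email website";
-};
-
-imports = [
-./mta-sts.nix
-];
-
-config = lib.mkIf cfg.enable {
-secrets.keys = roundcubemail.keys;
-
-services.websites.env.tools.modules =
-[ "proxy_fcgi" ]
-++ rainloop.apache.modules
-++ roundcubemail.apache.modules;
-
-services.websites.env.tools.vhostConfs.mail = {
-certName = "mail";
-addToCerts = true;
-hosts = ["mail.immae.eu"];
-root = ./www;
-extraConfig = [
-(rainloop.apache.vhostConf pcfg.rainloop.socket)
-(roundcubemail.apache.vhostConf pcfg.roundcubemail.socket)
-''
-<Directory ${./www}>
-Require all granted
-Options -Indexes
-</Directory>
-''
-];
-};
-systemd.services = {
-phpfpm-rainloop = {
-after = lib.mkAfter rainloop.phpFpm.serviceDeps;
-wants = rainloop.phpFpm.serviceDeps;
-};
-phpfpm-roundcubemail = {
-after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
-wants = roundcubemail.phpFpm.serviceDeps;
-};
-};
-
-services.phpfpm.pools.roundcubemail = {
-user = "wwwrun";
-group = "wwwrun";
-settings = roundcubemail.phpFpm.pool;
-phpOptions = config.services.phpfpm.phpOptions + ''
-date.timezone = 'CET'
-'';
-phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.imagick ]);
-};
-services.phpfpm.pools.rainloop = {
-user = "wwwrun";
-group = "wwwrun";
-settings = rainloop.phpFpm.pool;
-phpPackage = pkgs.php72;
-};
-system.activationScripts = {
-roundcubemail = roundcubemail.activationScript;
-rainloop = rainloop.activationScript;
-};
-};
-
-}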
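--- a/modules/private/websites/tools/mail/mta-sts.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-domains = (lib.remove null (lib.flatten (map
-(zone: map
-(e: if e.receive
-then {
-domain = "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}";
-mail = zone.name;
-}
-else null
-)
-(zone.withEmail or [])
-)
-config.myEnv.dns.masterZones
-)));
-mxes = lib.mapAttrsToList
-(n: v: v.mx.subdomain)
-(lib.attrsets.filterAttrs (n: v: v.mx.enable) config.myEnv.servers);
-# FIXME: increase the id number in modules/private/dns.nix when this
-# file change (date -u +'%Y%m%d%H%M%S'Z)
-file = domain: pkgs.writeText "mta-sts-${domain.domain}.txt" (
-builtins.concatStringsSep "\r\n" ([ "version: STSv1" "mode: testing" ]
-++ (map (v: "mx: ${v}.${domain.mail}") mxes)
-++ [ "max_age: 604800" ]
-));
-root = pkgs.runCommand "mta-sts_root" {} ''
-mkdir -p $out
-${builtins.concatStringsSep "\n" (map (d:
-"cp ${file d} $out/${d.domain}.txt"
-) domains)}
-'';
-cfg = config.myServices.websites.tools.email;
-in
-{
-config = lib.mkIf cfg.enable {
-services.websites.env.tools.vhostConfs.mta_sts = {
-certName = "mail";
-addToCerts = true;
-hosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.domain}") domains;
-root = root;
-extraConfig = [
-''
-RewriteEngine on
-RewriteCond %{HTTP_HOST} ^mta-sts.(.*)$
-RewriteRule ^/.well-known/mta-sts.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
-<Directory ${root}>
-Require all granted
-Options -Indexes
-</Directory>
-''
-];
-};
-};
-}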
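--- a/modules/private/websites/tools/mail/rainloop.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ lib, rainloop, writeText, stdenv, fetchurl }:
-rec {
-varDir = "/var/lib/rainloop";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
-'';
-};
-webRoot = rainloop.override { dataPath = "${varDir}/data"; };
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-root = webRoot;
-vhostConf = socket: ''
-Alias /rainloop "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-AllowOverride All
-Options -FollowSymlinks
-Require all granted
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-
-<DirectoryMatch "${root}/data">
-Require all denied
-</DirectoryMatch>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-pool = {
-"listen.owner" = apache.user;
-"listen.group" = apache.group;
-"pm" = "ondemand";
-"pm.max_children" = "60";
-"pm.process_idle_timeout" = "60";
-
-# Needed to avoid clashes in browser cookies (same domain)
-"php_value[session.name]" = "RainloopPHPSESSID";
-"php_admin_value[upload_max_filesize]" = "200M";
-"php_admin_value[post_max_size]" = "200M";
-"php_admin_value[open_basedir]" = "${basedir}:/tmp";
-"php_admin_value[session.save_path]" = "${varDir}/phpSessions";
-};
-};
-}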
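--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ /dev/null
@@ -1,118 +0,0 @@
-{ env, roundcubemail, apacheHttpd, config }:
-rec {
-varDir = "/var/lib/roundcubemail";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/cache ${varDir}/logs
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-'';
-};
-keys."webapps/tools-roundcube" = {
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text =
-let
-psql_url = with env.postgresql; "pgsql://${user}:${password}@unix(${socket}:${port})/${database}";
-in ''
-<?php
-$config['db_dsnw'] = '${psql_url}';
-$config['default_host'] = 'ssl://imap.immae.eu';
-$config['username_domain'] = array(
-"imap.immae.eu" => "mail.immae.eu"
-);
-$config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-$config['smtp_server'] = 'tls://smtp.immae.eu';
-$config['smtp_port'] = '587';
-$config['managesieve_host'] = 'imap.immae.eu';
-$config['managesieve_port'] = '4190';
-$config['managesieve_usetls'] = true;
-$config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
-
-$config['imap_cache'] = 'db';
-$config['messages_cache'] = 'db';
-
-$config['support_url'] = ''';
-
-$config['des_key'] = '${env.secret}';
-
-$config['skin'] = 'elastic';
-$config['plugins'] = array(
-'attachment_reminder',
-'emoticons',
-'filesystem_attachments',
-'hide_blockquote',
-'identicon',
-'identity_select',
-'jqueryui',
-'markasjunk',
-'managesieve',
-'newmail_notifier',
-'vcard_attachments',
-'zipdownload',
-
-'automatic_addressbook',
-'message_highlight',
-'carddav',
-// Ne marche pas ?: 'ident_switch',
-// Ne marche pas ?: 'thunderbird_labels',
-);
-
-$config['language'] = 'fr_FR';
-
-$config['drafts_mbox'] = 'Drafts';
-$config['junk_mbox'] = 'Junk';
-$config['sent_mbox'] = 'Sent';
-$config['trash_mbox'] = 'Trash';
-$config['default_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');
-$config['draft_autosave'] = 60;
-$config['enable_installer'] = false;
-$config['log_driver'] = 'file';
-$config['temp_dir'] = '${varDir}/cache';
-$config['mime_types'] = '${apacheHttpd}/conf/mime.types';
-'';
-};
-webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-root = webRoot;
-vhostConf = socket: ''
-Alias /roundcube "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
-++ webRoot.plugins
-++ webRoot.skins);
-pool = {
-"listen.owner" = apache.user;
-"listen.group" = apache.group;
-"pm" = "ondemand";
-"pm.max_children" = "60";
-"pm.process_idle_timeout" = "60";
-
-# Needed to avoid clashes in browser cookies (same domain)
-"php_value[session.name]" = "RoundcubemailPHPSESSID";
-"php_admin_value[upload_max_filesize]" = "200M";
-"php_admin_value[post_max_size]" = "200M";
-"php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp";
-"php_admin_value[session.save_path]" = "${varDir}/phpSessions";
-};
-};
-}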
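--- a/modules/private/websites/tools/mail/www/index.html
+++ /dev/null
@@ -1,74 +0,0 @@
-<!doctype html>
-<html lang="fr">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>E-mail configuration</title>
-<style type="text/css">
-body {
-padding-top: 1em;
-padding-left: 5px;
-padding-right: 5px;
-text-align: left;
-margin: auto;
-font: 20px Helvetica, sans-serif;
-color: #333;
-height: 100%;
-min-height: 100%;
-}
-article {
-text-align: justify;
-display: block;
-max-width: 850px;
-margin: 0 auto;
-padding-top: 30px;
-}
-span.code {
-font-family: monospace;
-}
-</style>
-</head>
-<body>
-<p>
-Email configuration. For automatic configuration in your smart e-mail
-client, use <span class="code">login@mail.immae.eu</span>. If it
-doesn’t work, the details are there:
-<ul>
-<li>IMAP: <span class="code">imap.immae.eu</span>
-<ul>
-<li>No unencrypted access</li>
-<li>STARTTLS: 143</li>
-<li>SSL: 993</li>
-</ul>
-</li>
-<li>POP3: <span class="code">pop3.immae.eu</span>
-<ul>
-<li>No unencrypted access</li>
-<li>STARTTLS: 110</li>
-<li>SSL: 995</li>
-</ul>
-</li>
-<li>SMTP: <span class="code">smtp.immae.eu</span>
-<ul>
-<li>No unencrypted access</li>
-<li>STARTTLS: 587</li>
-<li>SSL: 465</li>
-</ul>
-</li>
-<li>Sieve: <span class="code">imap.immae.eu</span>
-<ul>
-<li>No unencrypted access</li>
-<li>STARTTLS: 4190</li>
-</ul>
-</li>
-</ul>
-</p>
-<p>Webmails:
-<ul>
-<li><a href="/roundcube">Roundcube</a></li>
-<li><a href="/rainloop">Rainloop</a> (experimental)</li>
-</ul>
-</p>
-</body>
-</html>
-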