Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them
contained personnal information about users. All thos changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository

5 files changed, 430 insertions, 0 deletions

diff --git a/systems/eldiron/websites/mail/default.nix b/systems/eldiron/websites/mail/default.nix
new file mode 100644
index 0000000..0a0342b
--- /dev/null
+++ b/systems/eldiron/websites/mail/default.nix
@@ -0,0 +1,141 @@
+{ lib, pkgs, config,  ... }:
+let
+  roundcubemail = pkgs.callPackage ./roundcubemail.nix {
+    roundcubemail = pkgs.webapps-roundcubemail;
+    env = config.myEnv.tools.roundcubemail;
+    inherit config;
+  };
+  rainloop = pkgs.callPackage ./rainloop.nix {
+    rainloop = pkgs.rainloop-community;
+  };
+  cfg = config.myServices.websites.tools.email;
+  pcfg = config.services.phpfpm.pools;
+in
+{
+  options.myServices.websites.tools.email = {
+    enable = lib.mkEnableOption "enable email website";
+  };
+
+  imports = [
+    ./mta-sts.nix
+  ];
+
+  config = lib.mkIf cfg.enable {
+    #myServices.chatonsProperties.services.mail-rainloop = {
+    #  file.datetime = "2022-08-22T00:30:00";
+    #  service = {
+    #    name = "Rainloop";
+    #    description = "Simple, modern & fast web-based email client";
+    #    website = "https://mail.immae.eu/rainloop";
+    #    logo = "https://www.rainloop.net/static/img/logo-16x16.png";
+    #    status.level = "ERROR";
+    #    status.description = "Stopped due to CVE-2022-29360";
+    #    registration."" = ["MEMBER" "CLIENT"];
+    #    registration.load = "OPEN";
+    #    install.type = "PACKAGE";
+    #  };
+    #  software = {
+    #    name = "Rainloop";
+    #    website = "https://www.rainloop.net/";
+    #    license.url = "https://www.rainloop.net/licensing/";
+    #    license.name = "GNU Affero General Public License v3.0";
+    #    version = rainloop.webRoot.version;
+    #    source.url = "https://github.com/RainLoop/rainloop-webmail";
+    #  };
+    #};
+    #myServices.chatonsProperties.services.mail-roundcube = {
+    #  file.datetime = "2022-08-22T00:30:00";
+    #  service = {
+    #    name = "Roundcube";
+    #    description = "The Roundcube Webmail suite";
+    #    website = "https://mail.immae.eu/roundcube";
+    #    logo = "https://mail.immae.eu/roundcube/skins/elastic/images/favicon.ico";
+    #    status.level = "OK";
+    #    status.description = "OK";
+    #    registration."" = ["MEMBER" "CLIENT"];
+    #    registration.load = "OPEN";
+    #    install.type = "PACKAGE";
+    #  };
+    #  software = {
+    #    name = "Roundcube";
+    #    website = "https://roundcube.net/";
+    #    license.url = "https://github.com/roundcube/roundcubemail/blob/master/LICENSE";
+    #    license.name = "GNU General Public License v3.0";
+    #    version = roundcubemail.webRoot.version;
+    #    source.url = "https://github.com/roundcube/roundcubemail";
+    #    modules = map (a: a.pluginName) roundcubemail.webRoot.plugins ++ map (a: a.skinName) roundcubemail.webRoot.skins;
+    #  };
+    #};
+
+    myServices.dns.zones."immae.eu".subdomains.mail =
+      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+
+    secrets.keys = roundcubemail.keys;
+
+    services.websites.env.tools.modules =
+      [ "proxy_fcgi" ]
+      ++ rainloop.apache.modules
+      ++ roundcubemail.apache.modules;
+
+    security.acme.certs.mail.extraDomainNames = [ "mail.immae.eu" ];
+    services.websites.env.tools.vhostConfs.mail = {
+      certName   = "mail";
+      hosts      = ["mail.immae.eu"];
+      root       = ./www;
+      extraConfig = [
+        (rainloop.apache.vhostConf pcfg.rainloop.socket)
+        (roundcubemail.apache.vhostConf pcfg.roundcubemail.socket)
+        ''
+          <Directory ${./www}>
+            Require all granted
+            Options -Indexes
+          </Directory>
+        ''
+      ];
+    };
+    systemd.services = {
+      phpfpm-rainloop = {
+        after = lib.mkAfter rainloop.phpFpm.serviceDeps;
+        wants = rainloop.phpFpm.serviceDeps;
+      };
+      phpfpm-roundcubemail = {
+        after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
+        wants = roundcubemail.phpFpm.serviceDeps;
+      };
+    };
+
+    services.phpfpm.pools.roundcubemail = {
+      user = "wwwrun";
+      group = "wwwrun";
+      settings = roundcubemail.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + ''
+        date.timezone = 'CET'
+      '';
+      phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.imagick all.redis ]);
+    };
+    services.phpfpm.pools.rainloop = {
+      user = "wwwrun";
+      group = "wwwrun";
+      settings = rainloop.phpFpm.pool;
+      phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
+    };
+    system.activationScripts = {
+      roundcubemail = roundcubemail.activationScript;
+      rainloop = rainloop.activationScript;
+    };
+    myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
+    myServices.monitoring.fromMasterObjects.service = [
+      {
+        service_description = "roundcube website is running on mail.immae.eu";
+        host_name = config.hostEnv.fqdn;
+        use = "external-web-service";
+        check_command = ["check_https" "mail.immae.eu" "/roundcube/" "<title>Roundcube"];
+
+        servicegroups = "webstatus-webapps,webstatus-email";
+        _webstatus_name = "Roundcube";
+        _webstatus_url = "https://mail.immae.eu/roundcube/";
+      }
+    ];
+  };
+
+}
diff --git a/systems/eldiron/websites/mail/mta-sts.nix b/systems/eldiron/websites/mail/mta-sts.nix
new file mode 100644
index 0000000..2438702
--- /dev/null
+++ b/systems/eldiron/websites/mail/mta-sts.nix
@@ -0,0 +1,42 @@
+{ lib, pkgs, config,  ... }:
+let
+  getDomains = p: lib.mapAttrsToList (n: v: v) (lib.filterAttrs (n: v: v.receive) p.emailPolicies);
+  bydomain = builtins.mapAttrs (n: getDomains) config.myServices.dns.zones;
+  domains = lib.flatten (builtins.attrValues bydomain);
+  mxes = lib.mapAttrsToList
+    (n: v: v.mx.subdomain)
+    (lib.attrsets.filterAttrs (n: v: v.mx.enable) config.myEnv.servers);
+  file = d: pkgs.writeText "mta-sts-${d.fqdn}.txt" (
+    builtins.concatStringsSep "\r\n" ([ "version: STSv1" "mode: testing" ]
+    ++ (map (v: "mx: ${v}.${d.domain}") mxes)
+    ++ [ "max_age: 604800" ]
+    ));
+  root = pkgs.runCommand "mta-sts_root" {} ''
+    mkdir -p $out
+    ${builtins.concatStringsSep "\n" (map (d:
+      "cp ${file d} $out/${d.fqdn}.txt"
+    ) domains)}
+    '';
+  cfg = config.myServices.websites.tools.email;
+in
+{
+  config = lib.mkIf cfg.enable {
+    security.acme.certs.mail.extraDomainNames = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.fqdn}") domains;
+    services.websites.env.tools.vhostConfs.mta_sts = {
+      certName   = "mail";
+      hosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.fqdn}") domains;
+      root = root;
+      extraConfig = [
+        ''
+          RewriteEngine on
+          RewriteCond %{HTTP_HOST} ^mta-sts.(.*)$
+          RewriteRule ^/.well-known/mta-sts.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
+          <Directory ${root}>
+            Require all granted
+            Options -Indexes
+          </Directory>
+        ''
+      ];
+    };
+  };
+}
diff --git a/systems/eldiron/websites/mail/rainloop.nix b/systems/eldiron/websites/mail/rainloop.nix
new file mode 100644
index 0000000..f821005
--- /dev/null
+++ b/systems/eldiron/websites/mail/rainloop.nix
@@ -0,0 +1,54 @@
+{ lib, rainloop, writeText, stdenv, fetchurl }:
+rec {
+  varDir = "/var/lib/rainloop";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
+    '';
+  };
+  webRoot = rainloop.override { dataPath = "${varDir}/data"; };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    root = webRoot;
+    vhostConf = socket: ''
+    Alias /rainloop "${root}"
+    <Directory "${root}">
+      DirectoryIndex index.php
+      AllowOverride All
+      Options -FollowSymlinks
+      Require all denied
+
+      <FilesMatch "\.php$">
+        SetHandler "proxy:unix:${socket}|fcgi://localhost"
+      </FilesMatch>
+    </Directory>
+
+    <DirectoryMatch "${root}/data">
+      Require all denied
+    </DirectoryMatch>
+    '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
+    pool = {
+      "listen.owner" = apache.user;
+      "listen.group" = apache.group;
+      "pm" = "ondemand";
+      "pm.max_children" = "60";
+      "pm.process_idle_timeout" = "60";
+
+      # Needed to avoid clashes in browser cookies (same domain)
+      "php_value[session.name]" = "RainloopPHPSESSID";
+      "php_admin_value[upload_max_filesize]" = "200M";
+      "php_admin_value[post_max_size]" = "200M";
+      "php_admin_value[open_basedir]" = "${basedir}:/tmp";
+      "php_admin_value[session.save_handler]" = "redis";
+      "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Rainloop:'";
+    };
+  };
+}
diff --git a/systems/eldiron/websites/mail/roundcubemail.nix b/systems/eldiron/websites/mail/roundcubemail.nix
new file mode 100644
index 0000000..21a10fe
--- /dev/null
+++ b/systems/eldiron/websites/mail/roundcubemail.nix
@@ -0,0 +1,119 @@
+{ env, roundcubemail, apacheHttpd, config }:
+rec {
+  varDir = "/var/lib/roundcubemail";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+        ${varDir}/cache ${varDir}/logs
+    '';
+  };
+  keys."webapps/tools-roundcube" = {
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text =
+      let
+        psql_url = with env.postgresql; "pgsql://${user}:${password}@unix(${socket}:${port})/${database}";
+      in ''
+      <?php
+        $config['db_dsnw'] = '${psql_url}';
+        $config['default_host'] = 'ssl://imap.immae.eu';
+        $config['username_domain'] = array(
+          "imap.immae.eu" => "mail.immae.eu"
+        );
+        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
+        $config['smtp_server'] = 'tls://smtp.immae.eu';
+        $config['smtp_port'] = '587';
+        $config['managesieve_host'] = 'imap.immae.eu';
+        $config['managesieve_port'] = '4190';
+        $config['managesieve_usetls'] = true;
+        $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
+
+        $config['imap_cache'] = 'db';
+        $config['messages_cache'] = 'db';
+
+        $config['support_url'] = ''';
+
+        $config['des_key'] = '${env.secret}';
+
+        $config['skin'] = 'elastic';
+        $config['plugins'] = array(
+          'attachment_reminder',
+          'emoticons',
+          'filesystem_attachments',
+          'hide_blockquote',
+          'identicon',
+          'identity_select',
+          'jqueryui',
+          'markasjunk',
+          'managesieve',
+          'newmail_notifier',
+          'vcard_attachments',
+          'zipdownload',
+
+          'automatic_addressbook',
+          'message_highlight',
+          'carddav',
+          // Ne marche pas ?: 'ident_switch',
+          // Ne marche pas ?: 'thunderbird_labels',
+        );
+
+        $config['language'] = 'fr_FR';
+
+        $config['drafts_mbox'] = 'Drafts';
+        $config['junk_mbox'] = 'Junk';
+        $config['sent_mbox'] = 'Sent';
+        $config['trash_mbox'] = 'Trash';
+        $config['default_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash');
+        $config['draft_autosave'] = 60;
+        $config['enable_installer'] = false;
+        $config['log_driver'] = 'file';
+        $config['temp_dir'] = '${varDir}/cache';
+        $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
+    '';
+    keyDependencies = [ apacheHttpd ];
+  };
+  webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    root = webRoot;
+    vhostConf = socket: ''
+    Alias /roundcube "${root}"
+    <Directory "${root}">
+        DirectoryIndex index.php
+        AllowOverride All
+        Options FollowSymlinks
+        Require all granted
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
+      ++ webRoot.plugins
+      ++ webRoot.skins);
+    pool = {
+      "listen.owner" = apache.user;
+      "listen.group" = apache.group;
+      "pm" = "ondemand";
+      "pm.max_children" = "60";
+      "pm.process_idle_timeout" = "60";
+
+      # Needed to avoid clashes in browser cookies (same domain)
+      "php_value[session.name]" = "RoundcubemailPHPSESSID";
+      "php_admin_value[upload_max_filesize]" = "200M";
+      "php_admin_value[post_max_size]" = "200M";
+      "php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp";
+      "php_admin_value[session.save_handler]" = "redis";
+      "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Roundcubemail:'";
+    };
+  };
+}
diff --git a/systems/eldiron/websites/mail/www/index.html b/systems/eldiron/websites/mail/www/index.html
new file mode 100644
index 0000000..88b0ebd
--- /dev/null
+++ b/systems/eldiron/websites/mail/www/index.html
@@ -0,0 +1,74 @@
+<!doctype html>
+<html lang="fr">
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>E-mail configuration</title>
+    <style type="text/css">
+      body {
+        padding-top: 1em;
+        padding-left: 5px;
+        padding-right: 5px;
+        text-align: left;
+        margin: auto;
+        font: 20px Helvetica, sans-serif;
+        color: #333;
+        height: 100%;
+        min-height: 100%;
+      }
+      article {
+        text-align: justify;
+        display: block;
+        max-width: 850px;
+        margin: 0 auto;
+        padding-top: 30px;
+      }
+      span.code {
+        font-family: monospace;
+      }
+    </style>
+  </head>
+  <body>
+    <p>
+      Email configuration. For automatic configuration in your smart e-mail
+      client, use <span class="code">login@mail.immae.eu</span>. If it
+      doesn’t work, the details are there:
+      <ul>
+        <li>IMAP: <span class="code">imap.immae.eu</span>
+          <ul>
+            <li>No unencrypted access</li>
+            <li>STARTTLS: 143</li>
+            <li>SSL: 993</li>
+          </ul>
+        </li>
+        <li>POP3: <span class="code">pop3.immae.eu</span>
+          <ul>
+            <li>No unencrypted access</li>
+            <li>STARTTLS: 110</li>
+            <li>SSL: 995</li>
+          </ul>
+        </li>
+        <li>SMTP: <span class="code">smtp.immae.eu</span>
+          <ul>
+            <li>No unencrypted access</li>
+            <li>STARTTLS: 587</li>
+            <li>SSL: 465</li>
+          </ul>
+        </li>
+        <li>Sieve: <span class="code">imap.immae.eu</span>
+          <ul>
+            <li>No unencrypted access</li>
+            <li>STARTTLS: 4190</li>
+          </ul>
+        </li>
+      </ul>
+    </p>
+    <p>Webmails:
+      <ul>
+        <li><a href="/roundcube">Roundcube</a></li>
+        <li><a href="/rainloop">Rainloop</a> (experimental)</li>
+      </ul>
+    </p>
+  </body>
+</html>
+