1 files changed, 18 insertions, 1 deletions

diff --git a/systems/eldiron/mail/dovecot.nix b/systems/eldiron/mail/dovecot.nix
index a1282e3..9c9cd7c 100644
--- a/systems/eldiron/mail/dovecot.nix
+++ b/systems/eldiron/mail/dovecot.nix
@@ -44,6 +44,19 @@ in
       };
     };
     systemd.services.dovecot2.serviceConfig.Slice = "mail.slice";
+    secrets.keys."dovecot/sql" = {
+      user = config.services.dovecot2.user;
+      group = config.services.dovecot2.group;
+      permissions = "0400";
+      text = ''
+        driver = mysql
+        connect = host=${config.myEnv.mail.dovecot.mysql.socket} dbname=${config.myEnv.mail.dovecot.mysql.database} user=${config.myEnv.mail.dovecot.mysql.user} password=${config.myEnv.mail.dovecot.mysql.password}
+        password_query = SELECT NULL AS password, 'Y' as noauthenticate, destination AS user \
+          FROM forwardings WHERE \
+            ((regex = 1 AND '%u' REGEXP CONCAT('^',source,'$')) OR (regex = 0 AND source = '%u')) \
+            AND active = 1
+      '';
+    };
     secrets.keys."dovecot/ldap" = {
       user = config.services.dovecot2.user;
       group = config.services.dovecot2.group;
@@ -81,7 +94,7 @@ in
 
     nixpkgs.overlays = [
       (self: super: {
-        dovecot = super.dovecot.override { openldap = self.openldap_libressl_cyrus; };
+        dovecot = super.dovecot.override { withMySQL = true; openldap = self.openldap_libressl_cyrus; };
       })
     ];
 
@@ -238,6 +251,10 @@ in
         first_valid_uid = ${toString config.ids.uids.vhost}
         disable_plaintext_auth = yes
         passdb {
+          driver = sql
+          args = ${config.secrets.fullPaths."dovecot/sql"}
+        }
+        passdb {
           driver = ldap
           args = ${config.secrets.fullPaths."dovecot/ldap"}
         }