{ config, pkgs, inputs, ... }:

let
  cfg = config.server;

  # Public hostname shared by the nginx vhost, Roundcube and the mailserver fqdn.
  mailHost = "mail.${cfg.domainName}";

  # Dovecot passwd-file entry for the noreply account.
  # NOTE(review): builtins.toFile places this file -- including the *plaintext*
  # password -- in /nix/store, which is readable by every local user on the host.
  # Sourcing the entry from a file kept outside the store at runtime would avoid
  # that exposure; the secret-management used by this repo is not visible here.
  # allow_nets limits where this passdb entry may authenticate from.
  noreplyPasswd = builtins.toFile "dovecot2-local-passwd" ''
    noreply@${cfg.domainName}:{plain}${cfg.unhashedNoreplyPassword}::::::allow_nets=local,127.0.0.0/8,::1
  '';
in
{
  imports = [ inputs.nixos-mailserver.nixosModules.default ];

  # State that has to survive an ephemeral root filesystem.
  impermanence.directories = [
    {
      directory = config.mailserver.dkimKeyDirectory;
      user = "opendkim";
      group = "opendkim";
      # 0755 applies to the directory only; the permissions of the private key
      # files inside it are managed by the mailserver module (not shown here).
      mode = "0755";
    }
    {
      directory = config.mailserver.mailDirectory;
      user = "virtualMail";
      group = "virtualMail";
      mode = "0700";
    }
  ];

  # roundcube
  # TODO: fix sending mail via roundcube
  services.nginx.virtualHosts.${mailHost} = {
    quic = true;
    enableACME = true;
    forceSSL = true;
  };

  services.roundcube = {
    enable = true;
    package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
    dicts = with pkgs.aspellDicts; [ en ru ];
    hostName = mailHost;
    maxAttachmentSize = 100;
    plugins = [ "persistent_login" ];
    # Submit outgoing mail over TLS to this host's own MTA, reusing the
    # webmail login (%u / %p) as the SMTP credentials.
    extraConfig = ''
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  mailserver = {
    enable = true;
    fqdn = mailHost;
    domains = [ cfg.domainName ];
    certificateScheme = "acme";
    # actually this just means don't run kresd; unbound is used as the local dns resolver instead
    localDnsResolver = false;
    recipientDelimiter = "-";
    lmtpSaveToDetailMailbox = "no";
    hierarchySeparator = "/";

    # Only allow local connections to noreply account (enforced by the extra
    # dovecot passdb below).
    # NOTE(review): sendOnly disables delivery to this mailbox; whether the
    # module's own passwd-file passdb would still accept this account from a
    # non-local network depends on dovecot passdb ordering and failure
    # handling, which is not visible in this file -- confirm on the host.
    loginAccounts."noreply@${cfg.domainName}" = {
      # password is set in private.nix
      hashedPassword = cfg.hashedNoreplyPassword;
      sendOnly = true;
    };
  };

  # Extra passdb carrying the allow_nets restriction for the noreply account.
  services.dovecot2.extraConfig = ''
    passdb {
      driver = passwd-file
      args = ${noreplyPasswd}
    }
  '';
}