sp-config/sp-modules/simple-nixos-mailserver/config.nix

{
  config,
  lib,
  pkgs,
  ...
}@nixos-args:
let
  sp = config.selfprivacy;

  inherit (import ./common.nix { inherit config pkgs; })
    auth-passthru
    group
    is-auth-enabled
    ;
  mailserver-service-account = {
    mailserver-service-account-name = "sp.mailserver.service-account";
    mailserver-service-account-token-name = "mailserver-service-account-token";
    mailserver-service-account-token-fp = "/run/keys/${group}/kanidm-service-account-token"; # FIXME sync with auth module
  };

  modulesConfig = builtins.mapAttrs (
    _: value: {
      inherit (value) hashedPasswordFile sendOnly;
    }
  ) sp.email;
  extraDomains = lib.mapAttrsToList (_: value: value.domain) sp.email;
  extraTargets = lib.mapAttrsToList (_: value: value.systemdTargets) sp.email;
in
lib.mkIf sp.modules.simple-nixos-mailserver.enable (
  lib.mkMerge [
    {
      assertions = [
        {
          assertion =
            config.selfprivacy.modules.simple-nixos-mailserver.enableSso -> config.selfprivacy.sso.enable;
          message = "SSO cannot be enabled for Mailserver when SSO is disabled globally.";
        }
      ];
      fileSystems = lib.mkIf sp.useBinds {
        "/var/vmail" = {
          device = "/volumes/${sp.modules.simple-nixos-mailserver.location}/vmail";
          options = [
            "bind"
            "x-systemd.required-by=postfix.service"
            "x-systemd.before=postfix.service"
          ];
        };
        "/var/sieve" = {
          device = "/volumes/${sp.modules.simple-nixos-mailserver.location}/sieve";
          options = [
            "bind"
            "x-systemd.required-by=dovecot2.service"
            "x-systemd.before=dovecot2.service"
          ];
        };
      };

      users.users = {
        virtualMail = {
          isNormalUser = false;
        };
      };

      users.groups.acmereceivers.members = [
        "dovecot2"
        "postfix"
        "virtualMail"
      ];

      mailserver = {
        enable = true;
        fqdn = sp.domain;
        domains = [ sp.domain ] ++ extraDomains;
        localDnsResolver = false;

        # A list of all login accounts. To create the password hashes, use
        # mkpasswd -m sha-512 "super secret password"
        loginAccounts = (
          {
            "${sp.username}@${sp.domain}" = {
              hashedPassword = sp.hashedMasterPassword;
              sieveScript = ''
                require ["fileinto", "mailbox"];
                if header :contains "Chat-Version" "1.0"
                {
                  fileinto :create "DeltaChat";
                  stop;
                }
              '';
            };
          }
          // builtins.listToAttrs (
            builtins.map (user: {
              name = "${user.username}@${sp.domain}";
              value = {
                hashedPassword = user.hashedPassword;
                sieveScript = ''
                  require ["fileinto", "mailbox"];
                  if header :contains "Chat-Version" "1.0"
                  {
                    fileinto :create "DeltaChat";
                    stop;
                  }
                '';
              };
            }) sp.users
          )
          // modulesConfig
        );

        extraVirtualAliases = {
          "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
        };

        certificateScheme = "manual";
        certificateFile = "/var/lib/acme/root-${sp.domain}/fullchain.pem";
        keyFile = "/var/lib/acme/root-${sp.domain}/key.pem";

        # Enable IMAP and POP3
        enableImap = true;
        enableImapSsl = true;
        enablePop3 = false;
        enablePop3Ssl = false;
        dkimSelector = "selector";

        # Enable the ManageSieve protocol
        enableManageSieve = true;

        virusScanning = false;

        mailDirectory = "/var/vmail";
      };

      systemd = {
        services = {
          dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
          postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
          rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
          redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";

          dovecot.wants = extraTargets;
          dovecot2.wants = extraTargets;
        };
        slices."simple_nixos_mailserver" = {
          name = "simple_nixos_mailserver.slice";
          description = "Simple NixOS Mailserver service slice";
        };
      };
    }
    # the following parts are active only when "auth" module is enabled
    (lib.mkIf is-auth-enabled {
      mailserver = {
        extraVirtualAliases = lib.mkForce { };
        loginAccounts = lib.mkForce modulesConfig;
        # LDAP is needed for Postfix to query Kanidm about email address ownership.
        # LDAP is needed for Dovecot also.
        ldap = {
          # false; otherwise, simple-nixos-mailserver enables auth via LDAP
          enable = false;

          # bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
          bind.dn = "dn=token";
          # TODO change in this file should trigger system restart dovecot
          bind.passwordFile = mailserver-service-account.mailserver-service-account-token-fp;

          # searchBase = "ou=persons," + ldap_base_dn;
          searchBase = auth-passthru.ldap-base-dn; # TODO refine this

          # NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS)
          uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
        };
      };
    })
    (lib.mkIf is-auth-enabled (import ./auth-dovecot.nix mailserver-service-account nixos-args))
    (lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args))
  ]
)