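# Host-side definition of the `mail` NixOS container together with the host
# resources it depends on: bind-mounted secrets, the ACME certificate, nginx TLS
# termination for the webmail socket, and the host firewall openings.
{ tree, lib, inputs, config, pkgs, ... }:
let
  # Ports the mail stack listens on.  All of these protocols are TCP-only, so
  # only TCP is opened on the host firewall at the bottom of this file.
  ports = [
    25    # SMTP
    587   # Submission
    465   # Submission w/ SSL
    143   # IMAP
    993   # IMAP w/ SSL
    4190  # Sieve
  ];

  # Secrets are provisioned on the host and bind-mounted into the container at
  # the same path.
  secrets = config.services.secrets.secrets;
  secrets_list = [
    "mail_restic_password"
    "mail_restic_env"
    "private_mail_aliases"
    "chaos_mail_passwd"
    "system_mail_passwd"
    "gotosocial_mail_passwd"
  ];
  secret_paths = map (name: "${secrets.${name}.path}") secrets_list;

  # Certificate obtained by the host's nginx/ACME setup (see services.nginx
  # below) and shared with the container so the mail daemons can present it.
  shared_files = [
    "/var/lib/acme/mail.owo.monster/fullchain.pem"
    "/var/lib/acme/mail.owo.monster/key.pem"
  ];
in
{
  containers.mail = {
    autoStart = true;

    # Every secret and shared file is mounted at its host path inside the
    # container.  isReadOnly is the NixOS default; it is spelled out so the
    # container can never rewrite the host's key material or secrets.
    bindMounts = lib.genAttrs (secret_paths ++ shared_files) (path: {
      hostPath = path;
      isReadOnly = true;
    });

    config = { config, pkgs, ... }: {
      _module.args = {
        inherit inputs tree;
        host_secrets = secrets;
      };

      imports = with tree; [
        profiles.base
        inputs.home-manager-unstable.nixosModules.home-manager
        profiles.nginx
        modules.nixos.secrets
        users.root
      ] ++ (with hosts.hetzner-vm.containers.mail; [
        modules.mailserver
        profiles.mailserver
        profiles.restic
      ]);

      # Mount points for the shared secrets and certificate must exist inside
      # the container before the bind mounts land on them.
      systemd.tmpfiles.rules = [
        "d ${config.services.secrets.secretsDir} - root root"
        "d /var/lib/acme - root root"
        "d /var/lib/acme/mail.owo.monster - root root"
      ];

      # privateNetwork is not set, so the container shares the host's network
      # stack; the host firewall (bottom of this file) is what governs exposure
      # and a second firewall here would only conflict with it.
      networking.firewall.enable = false;

      home-manager.users.root = {
        imports = with tree; [ home.base home.dev.small ];
        home.stateVersion = "23.05";
      };

      # Manually configure the nameserver; using resolved inside the container
      # currently seems to fail.
      # NOTE(review): this is plaintext DNS to a public resolver.  Some
      # DNS-based blocklists consulted by mail filters reject queries that
      # arrive from large public resolvers, so a local recursive resolver may
      # be preferable -- confirm against the mailserver profile's RBL setup.
      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";

      system.stateVersion = "23.05";
    };
  };

  # Declare dovecot2 on the host with the same uid/gid the container uses so a
  # secret file chowned to it on the host maps to the right user inside the
  # container.
  users.users."dovecot2" = {
    uid = config.ids.uids.dovecot2;
    group = "dovecot2";
  };
  users.groups."dovecot2".gid = config.ids.gids.dovecot2;

  # TLS termination for the mail hostname.  The ACME certificate issued here is
  # the one bind-mounted into the container, and the vhost also fronts the
  # webmail running inside the container through its unix socket.
  services.nginx = {
    enable = true;
    virtualHosts."mail.owo.monster" = {
      serverName = "mail.owo.monster";
      serverAliases = [ "owo.monster" ];
      forceSSL = true;
      enableACME = true;
      acmeRoot = "/var/lib/acme/acme-challenge";
      locations."/" = {
        proxyPass = "http://unix:/var/lib/nixos-containers/mail/var/sockets/roundcube.sock";
      };
    };
  };

  # TCP only: none of the listed mail protocols use UDP, so the previous
  # `allowedUDPPorts = ports` opened host ports that nothing listens on.
  networking.firewall.allowedTCPPorts = ports;
}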