haccfiles/configuration/hosts/hainich/services/mail.nix

{ config, pkgs, lib, ... }:

{
  imports = let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
      sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k";
    })
  ];

  mailserver = {
    mailDirectory = "/data/mail";
    enable = true;
    fqdn = "mail.hacc.space";
    domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" ];

    loginAccounts = {
        "hexchen@hacc.space" = {
            hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";

            aliases = [
                "postmaster@hacc.space"
                "abuse@hacc.space"
            ];
        };

        "octycs@hacc.space" = {
            hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";

            aliases = [
                "markus@hacc.space"
            ];
        };

        "raphael@hacc.space" = {
            hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
        };

        "engelsystem@hacc.space" = {
            hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
        };

        "schweby@hacc.space" = {
            hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
        };

        "zauberberg@hacc.space" = {
            hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
            aliases = [
                "lukas@hacc.space"
            ];
        };

        "talx@hacc.space" = {
            hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
        };

        "unms@hacc.space" = {
            hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
        };

        "noreply@hacc.space" = {
            hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
        };
        "stuebinm@hacc.space" = {
            hashedPassword = "$6$jNfYD91wf/$YvJqo0QLzbnHcKigzAYgsE1gCc/07DUbKuNwAYBCKpQeqhBlUWjijXBuMH9wl7xH/i5HwOIyYhg6zuvejlfDN.";
        };
    };

    extraVirtualAliases = {
        # address = forward address;
        "info@hacc.space" = [
            "hexchen@hacc.space"
            "octycs@hacc.space"
            "raphael@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
            "stuebinm@hacc.space"
        ];
        "himmel@hacc.space" = [
            "hexchen@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
        ];
        "admin@hacc.space" = [
            "hexchen@hacc.space"
            "schweby@hacc.space"
        ];
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
  services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
  services.postfix.virtual = ''@4future.dev @hacc.space
@4futu.re @hacc.space
@hacc.earth @hacc.space
contact@hacc.space info@hacc.space'';

  #mailman
  services.postfix = {
    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
    config = {
      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
      inet_protocols = "ipv4, ipv6";
    };
  };

  services.mailman = {
    enable = true;
    siteOwner = "admin@hacc.space";
    webUser = config.services.uwsgi.user;
    hyperkitty.enable = true;
    # Have mailman talk directly to hyperkitty, bypassing nginx:
    hyperkitty.baseUrl = "http://localhost:33141/hyperkitty/";
    webHosts = [ "lists.hacc.space" ];
  };

  systemd.services.uwsgi.restartTriggers = [
    config.environment.etc."mailman3/settings.py".source
  ];

  systemd.services.mailman-settings.script = ''
    chmod o+x /var/lib/mailman-web
  '';

  services.uwsgi = {
    enable = true;
    plugins = ["python3"];
    instance = {
      type = "normal";
      # uwsgi protocol socket for nginx
      socket = "127.0.0.1:33140";
      pythonPackages = self: with self; [ mailman-web ];
      # http socket for mailman core to reach the hyperkitty API directly
      http-socket = "127.0.0.1:33141";
      wsgi-file = "${pkgs.python3.pkgs.mailman-web}/lib/python3.8/site-packages/mailman_web/wsgi.py";
      chdir = "/var/lib/mailman-web";
      master = true;
      processes = 4;
      vacuum = true;
    };
  };

  services.nginx.virtualHosts."lists.hacc.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/static/".alias = "/var/lib/mailman-web-static/";
    locations."/".extraConfig = ''
    uwsgi_pass 127.0.0.1:33140;
    include ${config.services.nginx.package}/conf/uwsgi_params;
    '';
  };

}