mail-server/dovecot.nix

489 lines
14 KiB
Nix
Raw Normal View History

2023-09-17 09:57:55 -07:00
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.mail.dovecot;
2023-09-24 13:33:54 -07:00
sieveDirectory = "${cfg.state-directory}/sieves";
2023-09-17 09:57:55 -07:00
in {
options.fudo.mail.dovecot = with types; {
enable = mkEnableOption "Enable Dovecot2 IMAP server.";
debug = mkEnableOption "Enable debug logs.";
state-directory = mkOption {
type = str;
description = "Directory at which to store server state.";
};
2023-09-30 18:54:17 -07:00
mail-directory = mkOption {
type = str;
description = "Directory at which to store user email.";
};
2023-09-17 09:57:55 -07:00
ports = {
lmtp = mkOption {
type = port;
description = "Port on which to listen for LMTP connections.";
default = 24;
};
auth = mkOption {
type = port;
description = "Port on which to listen for auth requests.";
default = 5447;
};
userdb = mkOption {
type = port;
description = "Port on which to listen for userdb requests.";
default = 5448;
};
metrics = mkOption {
type = port;
description = "Port on which to serve metrics data.";
default = 5034;
};
};
mail-user = mkOption {
type = str;
description = "User as which to run store & access mail.";
default = "fudo-mail";
};
mail-group = mkOption {
type = str;
description = "Group as which to store & access mail.";
default = "fudo-mail";
};
ssl = {
certificate = mkOption {
type = str;
description = "Location of the Dovecot SSL certificate.";
};
private-key = mkOption {
type = str;
description = "Location of the Dovecot SSL private key.";
};
};
metrics = {
user = mkOption {
type = str;
description = "User as which to fetch metrics.";
default = "dovecot-metrics";
};
group = mkOption {
type = str;
description = "Group as which to fetch metrics.";
default = "dovecot-metrics";
};
};
mailboxes = let
mailboxOpts = { name, ... }: {
options = {
auto = mkOption {
type = enum [ "no" "create" "subscribe" ];
description = "Whether to auto-create/subscribe.";
default = "no";
};
specialUse = mkOption {
type = nullOr (enum [
"All"
"Archive"
"Drafts"
"Flagged"
"Junk"
"Sent"
"Trash"
]);
description = "Mailbox special use.";
default = null;
};
autoexpunge = mkOption {
type = nullOr str;
description =
"How long to wait before clearing mail from this mailbox. Null is never.";
default = null;
};
};
};
in mkOption {
type = attrsOf (submodule mailboxOpts);
description = "Mailboxes to be created for dovecot.";
default = {
Trash = {
auto = "create";
specialUse = "Trash";
autoexpunge = "30d";
};
Junk = {
auto = "create";
specialUse = "Junk";
autoexpunge = "60d";
};
Drafts = {
auto = "create";
specialUse = "Drafts";
autoexpunge = "60d";
};
Sent = {
auto = "create";
specialUse = "Sent";
};
2023-09-24 13:31:24 -07:00
Archive = {
auto = "no";
specialUse = "Archive";
};
2023-09-17 09:57:55 -07:00
Flagged = {
auto = "subscribe";
specialUse = "Flagged";
};
};
};
rspamd = {
host = mkOption {
type = str;
description = "Host to which spam/ham will be forwarded.";
};
port = mkOption {
2023-09-24 14:16:59 -07:00
type = port;
2023-09-17 09:57:55 -07:00
description = "Port to which spam/ham will be forwarded.";
};
};
2023-10-10 17:43:39 -07:00
solr = {
host = mkOption {
type = str;
description = "Host providing full-text search with Solr.";
};
port = mkOption {
type = port;
description = "Port on which Solr is listening.";
};
};
2023-09-17 09:57:55 -07:00
max-user-connections = mkOption {
type = int;
description = "Maximum allowed simultaneous connections by one user.";
default = 5;
};
2023-09-21 18:01:44 -07:00
ldap-conf = mkOption {
type = str;
description = "Path to LDAP dovecot2 configuration.";
2023-09-17 09:57:55 -07:00
};
};
config = mkIf cfg.enable {
users = {
users = {
"${cfg.mail-user}" = {
isSystemUser = true;
group = cfg.mail-group;
2023-09-29 13:36:54 -07:00
uid = 5025;
2023-09-17 09:57:55 -07:00
};
"${cfg.metrics.user}" = {
2023-09-24 13:07:49 -07:00
isSystemUser = true;
2023-09-17 09:57:55 -07:00
group = cfg.metrics.group;
};
};
groups = {
2023-09-29 13:36:54 -07:00
"${cfg.mail-group}" = {
members = [ cfg.mail-user ];
gid = 5025;
};
2023-09-17 09:57:55 -07:00
"${cfg.metrics.group}".members = [ cfg.metrics.user ];
};
};
2023-09-29 14:59:54 -07:00
# FIXME: TEMPORARY FOR TESTING
2023-09-29 15:01:50 -07:00
environment.systemPackages = with pkgs; [ openldap ];
2023-09-29 14:59:54 -07:00
2023-09-17 09:57:55 -07:00
systemd = {
tmpfiles.rules = [
"d ${cfg.state-directory} 0711 root root - -"
2023-09-30 18:54:17 -07:00
"d ${cfg.mail-directory} 0750 ${cfg.mail-user} ${cfg.mail-group} - -"
2023-09-29 10:19:09 -07:00
"d ${cfg.state-directory}/sieves 0750 ${config.services.dovecot2.user} ${config.services.dovecot2.group} - -"
2023-09-17 09:57:55 -07:00
];
2023-09-25 12:18:41 -07:00
2023-10-10 17:43:39 -07:00
timers = {
solr-commit = {
wantedBy = [ "timers.target" "dovecot2.service" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "solr-commit.service";
};
};
solr-optimize = {
wantedBy = [ "timers.target" "dovecot2.service" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "solr-optimize.service";
};
};
};
services = let
solrJob = params: {
requires = [ "dovecot2.service" ];
path = with pkgs; [ curl ];
serviceConfig = {
DynamicUser = true;
ExecStart =
"curl http://${cfg.solr.host}:${cfg.solr.port}/solr/dovecot/update?${params}";
PrivateDevices = true;
PrivateTmp = true;
PrivateMounts = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectSystem = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
Type = "oneshot";
};
};
in {
solr-commit = solrJob "commit=true";
solr-optimize = solrJob "optimize=true";
2023-09-29 10:19:09 -07:00
prometheus-dovecot-exporter = {
requires = [ "dovecot2.service" ];
after = [ "dovecot2.service" ];
};
dovecot-sieve-generator = let
isRegularFile = _: type: type == "regular";
sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
headOrNull = lst: if lst == [ ] then null else head lst;
stripExt = ext: filename:
headOrNull (builtins.match "(.+)[.]${ext}$" filename);
compileFile = filename: _:
let
filePath = ./sieves + "/${filename}";
fileBaseName = stripExt "sieve" filename;
in ''
2023-09-29 14:03:02 -07:00
if [ -f "${sieveDirectory}/${fileBaseName}.sieve" ]; then
rm "${sieveDirectory}/${fileBaseName}.sieve" "${sieveDirectory}/${fileBaseName}.svbin"
fi
cp ${filePath} "${sieveDirectory}/${fileBaseName}.sieve"
sievec "${sieveDirectory}/${fileBaseName}.sieve" "${sieveDirectory}/${fileBaseName}.svbin"
chmod u+w "${sieveDirectory}/${fileBaseName}.sieve"
2023-09-29 10:19:09 -07:00
'';
in {
wantedBy = [ "dovecot2.service" ];
after = [ "dovecot2.service" ];
path = with pkgs; [ dovecot_pigeonhole ];
serviceConfig = {
User = config.services.dovecot2.user;
ReadWritePaths = [ sieveDirectory "/run/dovecot2" ];
ExecStart = pkgs.writeShellScript "generate-sieves.sh"
(concatStringsSep "\n" (mapAttrsToList compileFile sieves));
PrivateDevices = true;
PrivateTmp = true;
PrivateMounts = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectSystem = true;
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
Type = "oneshot";
};
2023-09-25 12:18:41 -07:00
};
};
2023-09-17 09:57:55 -07:00
};
2023-09-24 13:02:51 -07:00
services = {
prometheus.exporters.dovecot = {
enable = true;
scopes = [ "user" "global" ];
user = cfg.metrics.user;
2023-09-24 13:05:44 -07:00
listenAddress = "127.0.0.1";
2023-09-24 13:10:50 -07:00
port = cfg.ports.metrics;
2023-09-24 13:02:51 -07:00
socketPath = "/var/run/dovecot2/old-stats";
};
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
2023-09-29 14:41:59 -07:00
enablePAM = false;
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
mailUser = cfg.mail-user;
mailGroup = cfg.mail-group;
2023-09-30 18:54:17 -07:00
mailLocation = "maildir:${cfg.mail-directory}/%u/";
2023-09-24 13:02:51 -07:00
createMailUser = false;
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
sslServerCert = cfg.ssl.certificate;
sslServerKey = cfg.ssl.private-key;
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
mailboxes = cfg.mailboxes;
2023-09-17 09:57:55 -07:00
2023-09-24 14:20:32 -07:00
modules = with pkgs; [ dovecot_pigeonhole ];
2023-09-24 13:02:51 -07:00
protocols = [ "sieve" ];
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
mailPlugins.globally.enable = [ "old_stats" ];
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
sieveScripts = {
after = builtins.toFile "spam.sieve" ''
require "fileinto";
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
if header :is "X-Spam" "Yes" {
fileinto "Junk";
stop;
}
'';
2023-09-17 09:57:55 -07:00
};
2023-09-21 18:01:44 -07:00
2023-09-24 13:02:51 -07:00
extraConfig = let
# Add learn_ham & learn_spam to dovecot2 path for use by sieves
pipeBin = let
teachRspamd = msg:
pkgs.writeShellApplication {
name = "rspamd_${msg}";
runtimeInputs = with pkgs; [ rspamd ];
2023-09-24 14:16:59 -07:00
text = "exec rspamc -h ${cfg.rspamd.host}:${
toString cfg.rspamd.port
} ${msg}";
2023-09-24 13:02:51 -07:00
};
learnHam = teachRspamd "learn_ham";
learnSpam = teachRspamd "learn_spam";
in pkgs.buildEnv {
name = "rspam_pipe_bin";
paths = [ learnHam learnSpam ];
};
mailUserUid = config.users.users."${cfg.mail-user}".uid;
mailUserGid = config.users.group."${cfg.mail-group}".gid;
in ''
## Extra Config
2023-10-10 17:43:39 -07:00
mail_plugins = $mail_plugins fts fts_solr
2023-09-24 13:02:51 -07:00
${lib.optionalString cfg.debug ''
mail_debug = yes
auth_debug = yes
verbose_ssl = yes
''}
protocol imap {
mail_max_userip_connections = ${toString cfg.max-user-connections}
mail_plugins = $mail_plugins imap_sieve
2023-09-29 15:37:20 -07:00
}
2023-09-24 13:02:51 -07:00
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
2023-09-17 09:57:55 -07:00
2023-10-10 17:43:39 -07:00
plugin {
fts = solr
fts_solr = url=http://${cfg.solr.host}:${cfg.solr.port}/solr/dovecot
}
2023-09-24 13:02:51 -07:00
mail_access_groups = ${cfg.mail-group}
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
# When looking up usernames, just use the name, not the full address
auth_username_format = %n
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
auth_mechanisms = login plain
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
service lmtp {
# Enable logging in debug mode
${optionalString cfg.debug "executable = lmtp -L"}
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
inet_listener dovecot-lmtp {
address = 0.0.0.0
port = ${toString cfg.ports.lmtp}
}
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
# Drop privs, since all mail is owned by one user
user = ${cfg.mail-user}
# group = ${cfg.mail-group}
# user = root
}
2023-09-17 09:57:55 -07:00
2023-09-24 13:02:51 -07:00
passdb {
driver = ldap
args = ${cfg.ldap-conf}
}
# All users map to one actual system user
userdb {
driver = static
2023-09-30 18:54:17 -07:00
args = uid=${toString mailUserUid} home=${cfg.mail-directory}/%u
2023-09-30 12:47:05 -07:00
}
2023-09-24 13:02:51 -07:00
service imap {
vsz_limit = 1024M
2023-09-17 09:57:55 -07:00
}
2023-09-24 13:02:51 -07:00
namespace inbox {
separator = "/"
inbox = yes
2023-09-17 09:57:55 -07:00
}
2023-09-24 13:02:51 -07:00
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve = file:${cfg.state-directory}/sieves/%u/scripts;active=${cfg.state-directory}/sieves/%u/active.sieve
2023-09-24 13:33:54 -07:00
sieve_default = file:${sieveDirectory}/%u/default.sieve
2023-09-24 13:02:51 -07:00
sieve_default_name = default
# From elsewhere to Spam folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
2023-09-25 12:28:53 -07:00
imapsieve_mailbox1_before = file:${sieveDirectory}/spam.svbin
2023-09-24 13:02:51 -07:00
# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
2023-09-25 12:28:53 -07:00
imapsieve_mailbox2_before = file:${sieveDirectory}/ham.svbin
2023-09-24 13:02:51 -07:00
sieve_pipe_bin_dir = ${pipeBin}/bin
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
2023-09-17 09:57:55 -07:00
}
2023-09-24 13:02:51 -07:00
recipient_delimiter = +
lmtp_save_to_detail_mailbox = yes
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
service old-stats {
unix_listener old-stats {
user = ${cfg.metrics.user}
group = ${cfg.metrics.group}
}
fifo_listener old-stats-mail {
mode = 0660
user = ${config.services.dovecot2.user}
group = ${config.services.dovecot2.group}
}
fifo_listener old-stats-user {
mode = 0660
user = ${config.services.dovecot2.user}
group = ${config.services.dovecot2.group}
}
2023-09-17 09:57:55 -07:00
}
2023-09-24 13:02:51 -07:00
plugin {
old_stats_refresh = 30 secs
old_stats_track_cmds = yes
}
'';
};
2023-09-17 09:57:55 -07:00
};
};
}