nextcloud

2026-05-03 00:00:07 +02:00
parent b2a322b269
commit 6ab13007de
8 changed files with 159 additions and 38 deletions
--- a/system-modules/nx2site/maddy.nix
+++ b/system-modules/nx2site/maddy.nix
@@ -1,8 +1,12 @@
 { config, pkgs, ... }@all: with all; {
  sops.secrets = {
    "nx2site/maddy/nxcaldav_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/nextcloud_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
    "nx2site/maddy/lennart_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
    "nx2site/maddy/daniel_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/diane_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/georg_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/tessa_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
  };
  users.users."maddy" = {
    extraGroups = [ "acme" "nginx" ];
@@ -15,13 +19,21 @@
    hostname = "mail.${hyper.domain}";
    ensureAccounts = [
      "nxcaldav@${hyper.domain}"
+      "nextcloud@${hyper.domain}"
      "lennart@${hyper.domain}"
      "daniel@${hyper.domain}"
+      "diane@${hyper.domain}"
+      "georg@${hyper.domain}"
+      "tessa@${hyper.domain}"
    ];
    ensureCredentials = {
      "nxcaldav@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nxcaldav_password".path;
+      "nextcloud@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
      "lennart@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/lennart_password".path;
      "daniel@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/daniel_password".path;
+      "diane@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/diane_password".path;
+      "georg@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/georg_password".path;
+      "tessa@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/tessa_password".path;
    };

    openFirewall = true;
@@ -34,12 +46,28 @@
    };
    # Enable TLS listeners. Configuring this via the module is not yet
    # implemented, see https://github.com/NixOS/nixpkgs/pull/153372
-    config = builtins.replaceStrings [
+    config = (builtins.replaceStrings [
      "imap tcp://0.0.0.0:143"
      "submission tcp://0.0.0.0:587"
    ] [
      "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
      "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
-    ] options.services.maddy.config.default;
+    ] options.services.maddy.config.default) + ''
+      smtp tcp://127.0.0.1:2525 {
+          tls off
+          # 1. Allow local delivery (e.g., app sending to admin@nx2.site)
+          destination postmaster $(local_domains) {
+              deliver_to &local_routing
+          }
+          # 2. Allow remote delivery (e.g., app sending to gmail.com)
+          default_destination {
+              modify {
+                  # Ensure outgoing mail is signed even if sent via 2525
+                  dkim $(primary_domain) $(local_domains) default
+              }
+              deliver_to &remote_queue
+          }
+      }
+    '';
  };
 }