nxcaldav

system-modules/nx2site/maddy.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }@all: with all; {
+  sops.secrets = {
+    "nx2site/maddy/nxcaldav_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/lennart_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+    "nx2site/maddy/daniel_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
+  };
+  users.users."maddy" = {
+    extraGroups = [ "acme" "nginx" ];
+  };
+  services.maddy = {
+    enable = true;
+    primaryDomain = hyper.domain;
+    user = "maddy";
+    group = "maddy";
+    hostname = "mail.${hyper.domain}";
+    ensureAccounts = [
+      "nxcaldav@${hyper.domain}"
+      "lennart@${hyper.domain}"
+      "daniel@${hyper.domain}"
+    ];
+    ensureCredentials = {
+      "nxcaldav@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nxcaldav_password".path;
+      "lennart@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/lennart_password".path;
+      "daniel@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/daniel_password".path;
+    };
+
+    openFirewall = true;
+    tls = {
+      loader = "file";
+      certificates = [{
+        keyPath = "/var/lib/acme/nx2.site/key.pem";
+        certPath = "/var/lib/acme/nx2.site/cert.pem";
+      }];
+    };
+    # Enable TLS listeners. Configuring this via the module is not yet
+    # implemented, see https://github.com/NixOS/nixpkgs/pull/153372
+    config = builtins.replaceStrings [
+      "imap tcp://0.0.0.0:143"
+      "submission tcp://0.0.0.0:587"
+    ] [
+      "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+      "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+    ] options.services.maddy.config.default;
+  };
+}