Add roundcube to mail.zweili.org

2023-10-10 20:58:47 +02:00 · 2023-10-10 20:58:47 +02:00 · c0ab9dde66
parent 93294b7b5c
commit c0ab9dde66
3 changed files with 88 additions and 4 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -44,6 +44,7 @@
    ./services/restic-client-server-mysql
    ./services/restic-client-server-postgres
    ./services/restic-server
+    ./services/roundcube
    ./services/rss-bridge
    ./services/syslog
    ./services/telegram-notifications
--- a/modules/services/roundcube/default.nix
+++ b/modules/services/roundcube/default.nix
@ -0,0 +1,86 @@
+{ config, inputs, lib, pkgs, ... }:
+let
+  cfg = config.services.az-roundcube;
+in
+{
+  options = {
+    services.az-roundcube.enable = lib.mkEnableOption "My configuration to enable roundcube.";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "admin+acme@zweili.ch";
+    };
+    services = {
+      az-postgresql.enable = true;
+      nginx = {
+        enable = true;
+        commonHttpConfig = ''
+          # Add HSTS header with preloading to HTTPS requests.
+          # Adding this header to HTTP requests is discouraged
+          map $scheme $hsts_header {
+              https   "max-age=63072000; includeSubdomains; preload";
+          }
+          add_header Strict-Transport-Security $hsts_header;
+
+          # Enable CSP for your services.
+          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+          # Minimize information leaked to other domains
+          add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+          # Prevent injection of code in other mime types (XSS Attacks)
+          add_header X-Content-Type-Options nosniff;
+
+          # Enable XSS protection of the browser.
+          # May be unnecessary when CSP is configured properly (see above)
+          add_header X-XSS-Protection "1; mode=block";
+
+          # This might create errors
+          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+        '';
+        recommendedOptimisation = true;
+        recommendedTlsSettings = true;
+      };
+      postgresql = {
+        ensureDatabases = [ "roundcube" ];
+        ensureUsers = [{
+          name = "roundcube";
+          ensurePermissions = {
+            "DATABASE roundcube" = "ALL PRIVILEGES";
+          };
+        }];
+      };
+      roundcube = {
+        database = {
+          username = "roundcube";
+        };
+        # dicts = with pkgs.aspellDicts; [ en de ];
+        enable = true;
+        extraConfig = ''
+          $config['imap_host'] = array(
+            'ssl://mail.zweili.org:993' => "Zweili",
+          );
+          $config['username_domain'] = array(
+            'mail.zweili.org' => 'zweili.ch',
+          );
+          $config['x_frame_options'] = false;
+          $config['smtp_host'] = "ssl://mail.zweili.org:465";
+          $config['smtp_user'] = "%u";
+          $config['smtp_pass'] = "%p";
+        '';
+        hostName = "mail.zweili.org";
+        maxAttachmentSize = 25;
+        plugins = [ "carddav" "persistent_login" "managesieve" ];
+        package = pkgs.roundcube.withPlugins (plugins:
+          with plugins; [ carddav persistent_login ]
+        );
+      };
+    };
+  };
+}
--- a/systems/mail/default.nix
+++ b/systems/mail/default.nix
@ -10,15 +10,12 @@

  services = {
    az-mailserver.enable = true;
-    az-nginx-proxy = {
-      enable = true;
-      domain = "mail.zweili.org";
-    };
    az-restic-client-server = {
      enable = true;
      path = "/home/andreas";
      time = "01:00";
    };
+    az-roundcube.enable = true;
  };
 }