From c0ab9dde6662f89eaf543d12adca762aeef9b9e2 Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Tue, 10 Oct 2023 20:58:47 +0200
Subject: [PATCH] Add roundcube to mail.zweili.org
---
 modules/default.nix | 1 +
 modules/services/roundcube/default.nix | 86 ++++++++++++++++++++++++++
 systems/mail/default.nix | 5 +-
 3 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 modules/services/roundcube/default.nix
diff --git a/modules/default.nix b/modules/default.nix
index a2e7ae3..783373d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -44,6 +44,7 @@
 ./services/restic-client-server-mysql
 ./services/restic-client-server-postgres
 ./services/restic-server
+ ./services/roundcube
 ./services/rss-bridge
 ./services/syslog
 ./services/telegram-notifications
diff --git a/modules/services/roundcube/default.nix b/modules/services/roundcube/default.nix
new file mode 100644
index 0000000..d162c76
--- /dev/null
+++ b/modules/services/roundcube/default.nix
@@ -0,0 +1,86 @@
+{ config, inputs, lib, pkgs, ... }:
+let
+ cfg = config.services.az-roundcube;
+in
+{
+ options = {
+ services.az-roundcube.enable = lib.mkEnableOption "My configuration to enable roundcube.";
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin+acme@zweili.ch";
+ };
+ services = {
+ az-postgresql.enable = true;
+ nginx = {
+ enable = true;
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=63072000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ };
+ postgresql = {
+ ensureDatabases = [ "roundcube" ];
+ ensureUsers = [{
+ name = "roundcube";
+ ensurePermissions = {
+ "DATABASE roundcube" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+ roundcube = {
+ database = {
+ username = "roundcube";
+ };
+ # dicts = with pkgs.aspellDicts; [ en de ];
+ enable = true;
+ extraConfig = ''
+ $config['imap_host'] = array(
+ 'ssl://mail.zweili.org:993' => "Zweili",
+ );
+ $config['username_domain'] = array(
+ 'mail.zweili.org' => 'zweili.ch',
+ );
+ $config['x_frame_options'] = false;
+ $config['smtp_host'] = "ssl://mail.zweili.org:465";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ hostName = "mail.zweili.org";
+ maxAttachmentSize = 25;
+ plugins = [ "carddav" "persistent_login" "managesieve" ];
+ package = pkgs.roundcube.withPlugins (plugins:
+ with plugins; [ carddav persistent_login ]
+ );
+ };
+ };
+ };
+}
diff --git a/systems/mail/default.nix b/systems/mail/default.nix
index 0bd1bd3..a5add9d 100644
--- a/systems/mail/default.nix
+++ b/systems/mail/default.nix
@@ -10,15 +10,12 @@ services = {
 az-mailserver.enable = true;
- az-nginx-proxy = {
- enable = true;
- domain = "mail.zweili.org";
- };
 az-restic-client-server = {
 enable = true;
 path = "/home/andreas";
 time = "01:00";
 };
+ az-roundcube.enable = true;
 };
 }
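Review bot: `$config['x_frame_options'] = false;` in the roundcube extraConfig turns off the X-Frame-Options header Roundcube sends by default, which removes its clickjacking protection, and nothing in the new module replaces it because the only Content-Security-Policy `add_header` in commonHttpConfig is commented out and carries no `frame-ancestors` directive anyway. Unless the webmail genuinely has to be embedded in a frame somewhere, drop that line (Roundcube's default is `sameorigin`); if one specific parent origin is required, express it as `add_header Content-Security-Policy "frame-ancestors 'self' https://parent.example" always;` on the vhost rather than disabling the header outright. Two smaller points in the same hunk: `proxy_cookie_path` only rewrites Set-Cookie headers on `proxy_pass` responses, so if the NixOS roundcube module serves PHP through FastCGI (as I believe it does) the `secure; HttpOnly; SameSite=strict` attributes are never applied to the session cookie — worth checking the login page's Set-Cookie with curl instead of relying on the "This might create errors" comment. `X-XSS-Protection "1; mode=block"` is deprecated, ignored by current browsers and created information leaks in the ones that honoured it, so `add_header X-XSS-Protection "0";` or dropping the directive is the safer choice.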