diff --git a/dns.tf b/dns.tf
index 30dadb1..782c0c8 100644
--- a/dns.tf
+++ b/dns.tf
@@ -23,6 +23,14 @@ resource "hetznerdns_record" "backend1_a" {
   ttl = 600
 }
 
+resource "hetznerdns_record" "webmail_a" {
+  zone_id = data.hetznerdns_zone.banditlair_zone.id
+  name = "webmail"
+  value = hcloud_server.backend1.ipv4_address
+  type = "A"
+  ttl = 600
+}
+
 resource "hetznerdns_record" "mail2_a" {
   zone_id = data.hetznerdns_zone.banditlair_zone.id
   name = "mail2"
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 2f6477b..658e9ad 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -23,7 +23,9 @@
     enable = true;
     fqdn = "mail.banditlair.com";
     domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
+    enableManageSieve = true;
     mailDirectory = "/nix/var/data/vmail";
+    sieveDirectory = "/nix/var/data/sieve";
     lmtpSaveToDetailMailbox = "no";
     loginAccounts = {
       "paultrial@banditlair.com" = {
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 791afc4..afac462 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -11,7 +11,6 @@ in
   sops.secrets = {
     sshfsKey = {
       key = "sshfs_keys/private";
-      restartUnits = [ "var-lib-nextcloud-data.mount" ];
     };
     nextcloudDbPassword = {
       owner = config.users.users.nextcloud.name;
@@ -30,7 +29,7 @@ in
   ];
 
   systemd.services.nextcloud-data-sshfs = {
-    wantedBy = [ "multi-user.target" ];
+    wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
     before = [ "phpfpm-nextcloud.service" ];
     restartIfChanged = false;
     serviceConfig = {
diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index b016581..95a8659 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
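Review bot: Adding `nextcloud-setup.service` to `wantedBy` of `nextcloud-data-sshfs` only pulls the SSHFS unit in when setup starts; systemd `Wants=` carries no ordering, so `nextcloud-setup` can still run before the data directory is mounted unless `before` also names it, e.g. `before = [ "nextcloud-setup.service" "phpfpm-nextcloud.service" ];`. In the first hunk the `restartUnits` entry is dropped from `sshfsKey`, which means a rotated SSHFS key is no longer applied to anything automatically; if that is intended (the service below sets `restartIfChanged = false`), a one-line comment on the secret saying the SSHFS unit is restarted by hand after rotation would save the next reader a search. The `systemd.services.nextcloud-data-sshfs` attribute set continues past the end of the hunk.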
@@ -7,12 +7,14 @@
       initialScript = pkgs.writeText "postgres-init.sql" ''
         CREATE ROLE "synapse";
         CREATE ROLE "nextcloud";
+        CREATE ROLE "roundcube";
       '';
       enableTCPIP = true;
       identMap = ''
         root_as_others root postgres
         root_as_others root synapse
         root_as_others root nextcloud
+        root_as_others root roundcube
       '';
       authentication = ''
         local all postgres peer
@@ -32,6 +34,11 @@
       key = "nextcloud/db_password";
       restartUnits = [ "postgresql-setup.service" ];
     };
+    roundcubeDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "roundcube/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
   };
   systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
@@ -50,11 +57,14 @@
         }
         PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
         PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
         synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
         PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
         nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
         PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
+        roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
+        PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
       '';
       serviceConfig = {
diff --git a/modules/roundcube.nix b/modules/roundcube.nix
new file mode 100644
index 0000000..ab50ff8
--- /dev/null
+++ b/modules/roundcube.nix
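Review bot: In the third hunk the new `roundcube_password` is spliced unescaped into the SQL text `ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'` and passed to psql as a command-line argument, so a secret containing a single quote breaks (or alters) the statement and the value is readable by any local user listing processes while the setup script runs; the existing synapse and nextcloud lines have the same shape. psql's variable quoting avoids the escaping problem, but psql does not interpolate variables inside a `-c` string, so the statement has to arrive on stdin, e.g. `PSQL -v pw="$roundcube_password" <<<"ALTER ROLE roundcube WITH PASSWORD :'pw'"` (assuming the `PSQL` helper, defined above the hunk, forwards its arguments to psql). To keep the value off the argument list as well, set the variable inside the heredoc with `\set pw` and a backtick `cat` of the secret path instead of `-v`. The `postgresql-setup` script and its `PSQL` helper begin before the start of the hunk.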
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+{
+
+  sops.secrets = {
+    pgPassFile = {
+      owner = "nginx";
+      key = "roundcube/pg_pass_file";
+    };
+    dbPassword = {
+      owner = "nginx";
+      key = "roundcube/db_password";
+    };
+  };
+
+  services.roundcube = {
+    enable = true;
+    plugins = [ "managesieve" ];
+    dicts = with pkgs.aspellDicts; [ en fr de ];
+    hostName = "webmail.banditlair.com";
+    database = {
+      host = "10.0.1.11";
+      username = "roundcube";
+      dbname = "roundcube";
+      passwordFile = config.sops.secrets.pgPassFile.path;
+    };
+
+
+    extraConfig = ''
+      # This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
+      $password = file_get_contents('${config.sops.secrets.dbPassword.path}');
+      $config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube';
+
+      $config['default_host'] = 'ssl://mail.banditlair.com:993';
+      $config['smtp_server'] = 'ssl://%h';
+      $config['smtp_user'] = '%u';
+      $config['smtp_pass'] = '%p';
+      $config['identities_level'] = 0;
+      $config['managesieve_host'] = 'tls://%h';
+      $config['managesieve_auth_type'] = 'PLAIN';
+    '';
+  };
+}
diff --git a/profiles/backend.nix b/profiles/backend.nix
index 9cbfd18..70d3adb 100644
--- a/profiles/backend.nix
+++ b/profiles/backend.nix
@@ -12,6 +12,7 @@
     ../modules/custom-monit.nix
     ../modules/dokuwiki.nix
     ../modules/website-marie.nix
+    ../modules/roundcube.nix
   ];
 
   sops.secrets = {
diff --git a/profiles/db.nix b/profiles/db.nix
index dc02d15..5d848a2 100644
--- a/profiles/db.nix
+++ b/profiles/db.nix
@@ -23,6 +23,7 @@
       preHook = ''
         ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
         ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
+        ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
       '';
       postHook = "touch /nix/var/data/backup/backup-ok";
       startAt = "03:00";
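Review bot: The `db_dsnw` built in `extraConfig` concatenates the raw secret into a URL, so a password containing `@`, `:`, `/` or `%` — or a trailing newline, if the sops value carries one — produces a malformed DSN and a connection failure that is hard to diagnose; `$password = rawurlencode(file_get_contents('${config.sops.secrets.dbPassword.path}'));` keeps plain passwords working and makes the rest safe (strip a trailing newline first only if the secret is known to end with one). The same credential now lives in two sops keys, `roundcube/db_password` and `roundcube/pg_pass_file`, and the module still consumes the latter through `passwordFile`; rotating one without the other leaves either the module's own database handling or the running instance with a stale password, which the existing comment should say explicitly. The connection to `10.0.1.11` carries that password and the mailbox metadata with no `sslmode`, which is acceptable only if that address is on a trusted private segment; if it is not, require TLS on the PostgreSQL connection.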
diff --git a/profiles/storage.nix b/profiles/storage.nix
index f5b4275..75a3353 100644
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@@ -60,5 +60,7 @@
       if failed port 443 protocol https with timeout 20 seconds then alert
     check host website-marie with address osteopathie.froidmont.org
       if failed port 443 protocol https with timeout 20 seconds then alert
+    check host webmail with address webmail.banditlair.com
+      if failed port 443 protocol https with timeout 20 seconds then alert
   '';
 }
diff --git a/secrets.enc.yml b/secrets.enc.yml
index 87d6f92..48740aa 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
@@ -4,6 +4,9 @@ synapse:
 nextcloud:
   db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
   admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
+roundcube:
+  db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
+  pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
 murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
 transmission:
   rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@@ -44,8 +47,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2021-12-27T03:39:30Z"
-    mac: ENC[AES256_GCM,data:5M1iio7bFvUVlP0ECwlRMUbboVtTaXGiM0pQkiv738W9hzsCPEKSqOGFNv02r0I6CKf1f88Yvet5VJVK1vbneCAvlp9Io9uSAH+dHPQ4OHABi0LHj58b2lUB0o8DZAL87GlpL7/riTvonEoO1GuO+e4ELoZAtkt2zQXm5576ZWo=,iv:ZfVPvAFGrLCvT8dHql9BWXnBJssvIE3fFih9lEOZJ+U=,tag:CHePtD5xW8Guni6xYc11FQ==,type:str]
+    lastmodified: "2021-12-27T05:31:16Z"
+    mac: ENC[AES256_GCM,data:cvOznEdfRPo/jl1kYMqWlb9LJ7FqjZ6MwIOgB/1CbSI3DWytX+JsMouFCIR8yatqYpFhZCQmtIKhsvwAoufiWwTYO3Ou329x2NbUIPq1C7BLJaJQJanDygbgNvbxM4ZZL78PUMVAsJnj0sxhcnBPeZUJPss3VtQ/HnRKOPe0Oq4=,iv:TzikJsF211SOiL7mm7yHtXux8kdYAhJk9bybGGmBTpo=,tag:8RwlTxh+2mEEPmKDtelu7A==,type:str]
     pgp:
         - created_at: "2021-11-29T00:57:34Z"
           enc: |