Add Roundcube

dns.tf

@@ -23,6 +23,14 @@ resource "hetznerdns_record" "backend1_a" {
   ttl     = 600
 }
 
+resource "hetznerdns_record" "webmail_a" {
+  zone_id = data.hetznerdns_zone.banditlair_zone.id
+  name    = "webmail"
+  value   = hcloud_server.backend1.ipv4_address
+  type    = "A"
+  ttl     = 600
+}
+
 resource "hetznerdns_record" "mail2_a" {
   zone_id = data.hetznerdns_zone.banditlair_zone.id
   name    = "mail2"

modules/mailserver.nix

@@ -23,7 +23,9 @@
     enable = true;
     fqdn = "mail.banditlair.com";
     domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
+    enableManageSieve = true;
     mailDirectory = "/nix/var/data/vmail";
+    sieveDirectory = "/nix/var/data/sieve";
     lmtpSaveToDetailMailbox = "no";
     loginAccounts = {
       "paultrial@banditlair.com" = {

modules/nextcloud.nix

@@ -11,7 +11,6 @@ in
   sops.secrets = {
     sshfsKey = {
       key = "sshfs_keys/private";
-      restartUnits = [ "var-lib-nextcloud-data.mount" ];
     };
     nextcloudDbPassword = {
       owner = config.users.users.nextcloud.name;
@@ -30,7 +29,7 @@ in
   ];
 
   systemd.services.nextcloud-data-sshfs = {
-    wantedBy = [ "multi-user.target" ];
+    wantedBy = [ "multi-user.target" "nextcloud-setup.service" ];
     before = [ "phpfpm-nextcloud.service" ];
     restartIfChanged = false;
     serviceConfig = {

modules/postgresql.nix

@@ -7,12 +7,14 @@
     initialScript = pkgs.writeText "postgres-init.sql" ''
       CREATE ROLE "synapse";
       CREATE ROLE "nextcloud";
+      CREATE ROLE "roundcube";
     '';
     enableTCPIP = true;
     identMap = ''
       root_as_others         root                  postgres
       root_as_others         root                  synapse
       root_as_others         root                  nextcloud
+      root_as_others         root                  roundcube
     '';
     authentication = ''
       local  all     postgres               peer
@@ -32,6 +34,11 @@
       key = "nextcloud/db_password";
       restartUnits = [ "postgresql-setup.service" ];
     };
+    roundcubeDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "roundcube/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
   };
 
   systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
@@ -50,11 +57,14 @@
         }
         PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
         PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
 
         synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
         PSQL -tAc  "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
         nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
         PSQL -tAc  "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
+        roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
       '';
 
       serviceConfig = {

modules/roundcube.nix

@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+{
+
+  sops.secrets = {
+    pgPassFile = {
+      owner = "nginx";
+      key = "roundcube/pg_pass_file";
+    };
+    dbPassword = {
+      owner = "nginx";
+      key = "roundcube/db_password";
+    };
+  };
+
+  services.roundcube = {
+    enable = true;
+    plugins = [ "managesieve" ];
+    dicts = with pkgs.aspellDicts; [ en fr de ];
+    hostName = "webmail.banditlair.com";
+    database = {
+      host = "10.0.1.11";
+      username = "roundcube";
+      dbname = "roundcube";
+      passwordFile = config.sops.secrets.pgPassFile.path;
+    };
+
+
+    extraConfig = ''
+      # This override is required as a workaround for the nixpkgs config because we need a plain password instead of a pgpass file
+      $password = file_get_contents('${config.sops.secrets.dbPassword.path}');
+      $config['db_dsnw'] = 'pgsql://roundcube:' . $password . '@10.0.1.11/roundcube';
+
+      $config['default_host'] = 'ssl://mail.banditlair.com:993';
+      $config['smtp_server'] = 'ssl://%h';
+      $config['smtp_user'] = '%u';
+      $config['smtp_pass'] = '%p';
+      $config['identities_level'] = 0;
+      $config['managesieve_host'] = 'tls://%h';
+      $config['managesieve_auth_type'] = 'PLAIN';
+    '';
+  };
+}

profiles/backend.nix

@@ -12,6 +12,7 @@
     ../modules/custom-monit.nix
     ../modules/dokuwiki.nix
     ../modules/website-marie.nix
+    ../modules/roundcube.nix
   ];
 
   sops.secrets = {

profiles/db.nix

@@ -23,6 +23,7 @@
     preHook = ''
       ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
       ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
+      ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
     '';
     postHook = "touch /nix/var/data/backup/backup-ok";
     startAt = "03:00";

profiles/storage.nix

@@ -60,5 +60,7 @@
       if failed port 443 protocol https with timeout 20 seconds then alert
     check host website-marie with address osteopathie.froidmont.org
       if failed port 443 protocol https with timeout 20 seconds then alert
+    check host webmail with address webmail.banditlair.com
+      if failed port 443 protocol https with timeout 20 seconds then alert
   '';
 }

secrets.enc.yml

@@ -4,6 +4,9 @@ synapse:
 nextcloud:
     db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
     admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
+roundcube:
+    db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
+    pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
 murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
 transmission:
     rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@@ -44,8 +47,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2021-12-27T03:39:30Z"
-    mac: ENC[AES256_GCM,data:5M1iio7bFvUVlP0ECwlRMUbboVtTaXGiM0pQkiv738W9hzsCPEKSqOGFNv02r0I6CKf1f88Yvet5VJVK1vbneCAvlp9Io9uSAH+dHPQ4OHABi0LHj58b2lUB0o8DZAL87GlpL7/riTvonEoO1GuO+e4ELoZAtkt2zQXm5576ZWo=,iv:ZfVPvAFGrLCvT8dHql9BWXnBJssvIE3fFih9lEOZJ+U=,tag:CHePtD5xW8Guni6xYc11FQ==,type:str]
+    lastmodified: "2021-12-27T05:31:16Z"
+    mac: ENC[AES256_GCM,data:cvOznEdfRPo/jl1kYMqWlb9LJ7FqjZ6MwIOgB/1CbSI3DWytX+JsMouFCIR8yatqYpFhZCQmtIKhsvwAoufiWwTYO3Ou329x2NbUIPq1C7BLJaJQJanDygbgNvbxM4ZZL78PUMVAsJnj0sxhcnBPeZUJPss3VtQ/HnRKOPe0Oq4=,iv:TzikJsF211SOiL7mm7yHtXux8kdYAhJk9bybGGmBTpo=,tag:8RwlTxh+2mEEPmKDtelu7A==,type:str]
     pgp:
         - created_at: "2021-11-29T00:57:34Z"
           enc: |