nix-config/hosts/mail/default.nix


{ config, lib, ... }:
{
# Guest sizing and identity of the "mail" MicroVM.
microvm = { mem = 2048; };            # RAM for the guest (presumably MiB, per microvm.nix -- confirm)
networking = { hostName = "mail"; };
# Custom c3d2 deployment module: the physical host this VM is deployed to.
c3d2.deployment.server = "server10";
mailserver =
  let
    # Site-wide LDAP settings (bind DN, base DN, server name, filter helper)
    # come from the custom `security.ldap` module; only the Dovecot/Postfix
    # glue is configured in this file.
    secLdap = config.security.ldap;

    # Dovecot looks the login name up by uid (%n = user part of the login)
    # and additionally requires membership in the "mail-users" group. The
    # group part of the filter is built by the helper, which is not visible
    # here -- check security.ldap for the exact LDAP filter it emits.
    userByUid = secLdap.searchFilterWithGroupFilter "mail-users" "(uid=%n)";

    # Postfix resolves recipients by per-domain group membership (%d is the
    # domain part of the address in Postfix LDAP query templates).
    recipientByDomainGroup = secLdap.searchFilterWithGroupFilter "mail-users"
      "(isMemberOf=cn=%d-mail-users,ou=groups,dc=c3d2,dc=de)";

    # Folders Dovecot creates and auto-subscribes for every user, keyed by
    # folder name; the value is the IMAP SPECIAL-USE attribute.
    specialFolders = {
      Drafts = "Drafts";
      Sent = "Sent";
      Spam = "Junk";
      Trash = "Trash";
    };
  in
  {
    enable = true;
    fqdn = "mail.flpk.zentralwerk.org";
    domains = [ "netzbiotop.org" ];
    # TLS certificate is provisioned by the mailserver module via ACME through
    # nginx (nginx is enabled in the `services` block of this host).
    certificateScheme = "acme-nginx";

    # Listeners: the plain IMAP/POP3/submission ports are enabled next to the
    # TLS-wrapped ones. Whether the plain ports demand STARTTLS before
    # authentication is decided by the mailserver module's defaults, not here
    # -- NOTE(review): confirm (dovecot ssl=required, smtpd_tls_auth_only)
    # before exposing them beyond the local network.
    enableImap = true;
    enableImapSsl = true;
    enablePop3 = true;
    enablePop3Ssl = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    enableManageSieve = true;

    # Outbound DKIM signing with a 2048-bit key under selector "default".
    # The `/var/dkim/` directory in this host's backup paths presumably holds
    # the signing keys -- confirm, since losing them invalidates the published
    # DNS selector record.
    dkimSigning = true;
    dkimKeyBits = 2048;
    dkimSelector = "default";

    # DMARC aggregate reporting is switched off; the commented block is the
    # intended future configuration.
    # dmarcReporting = {
    #   enable = true;
    #   domain = "c3d2.de";
    #   organizationName = "Netzbiotop Dresden e.V.";
    # };
    # Mail addressed to the DMARC report sender's local part is rejected so
    # replies to reports never land in a mailbox. Nothing in this file sets
    # `localpart`, so this uses the module's default value.
    rejectRecipients = [ config.mailserver.dmarcReporting.localpart ];

    # No aliases are declared here; see the `services.postfix.mapFiles`
    # override in this host for where the alias map actually comes from.
    extraVirtualAliases = {};

    ldap = {
      enable = true;
      # LDAPS only -- no plaintext ldap:// URI is offered. The directory's
      # server certificate must be trusted by the system CA bundle for this
      # to work; that trust is not configured in this file.
      uris = [ "ldaps://${secLdap.domainName}" ];
      searchBase = secLdap.userBaseDN;
      bind = {
        dn = secLdap.bindDN;
        # Decrypted at boot by sops-nix; ownership is set in the `sops` block
        # of this host.
        passwordFile = config.sops.secrets."dovecot/ldapSearchUserPassword".path;
      };
      dovecot = {
        passFilter = userByUid;
        userFilter = userByUid;
        # userAttrs = "uidNumber=uid";
      };
      postfix = {
        filter = recipientByDomainGroup;
        mailAttribute = "uid";
        # uidAttribute = "uid";
      };
    };

    mailboxes = builtins.mapAttrs
      (_: specialUse: { auto = "subscribe"; inherit specialUse; })
      specialFolders;

    # Resource limits: at most 10 concurrent connections per user, and a
    # message size cap of 10 240 000 bytes (10 000 KiB, just under 10 MiB).
    maxConnectionsPerUser = 10;
    messageSizeLimit = 10240000;

    # Monitoring is not enabled; no alert address is configured.
    monitoring = {
      # enable = true;
      # alertAddress = "example@c3d2.de";
    };

    # Incoming mail is not passed through an antivirus scanner.
    virusScanning = false;

    # System user/group that owns the mail store.
    vmailUserName = "vmail";
    vmailGroupName = "vmail";
  };
services = {
  # Backup of all mail-related state (custom `services.backup` module).
  backup.enable = true;
  backup.paths = [
    "/var/lib/dovecot/"
    "/var/lib/postfix/"
    "/var/dkim/"
    "/var/sieve/"
    "/var/vmail/"
  ];
  # NOTE(review): the hand-maintained alias map /home/root/valias (see the
  # postfix override below) is not in this list -- confirm it is backed up
  # some other way, or the alias table is lost with the host.

  # Option of the custom portunus module; presumably adds the Portunus/LDAP
  # host to /etc/hosts on this VM -- confirm against that module.
  portunus.addToHosts = true;

  # Force the Postfix virtual-alias source file to a hand-maintained path.
  # mkForce implies another module (presumably the mailserver module, from
  # extraVirtualAliases) defines this key too. NOTE(review): the path is under
  # /home/root rather than the usual /root -- confirm the file exists on the
  # host, since Postfix's map build will likely fail on a missing source.
  postfix.mapFiles."valias" = lib.mkForce "/home/root/valias";

  nginx.enable = true;
  # Larger hash bucket for proxied header names (nginx's documented default
  # is 64); applied to every vhost on this host.
  nginx.commonHttpConfig = /* nginx */ ''
    proxy_headers_hash_bucket_size 96;
  '';
};
sops = {
  # All secrets of this host are decrypted from the per-host secrets.yaml.
  defaultSopsFile = ./secrets.yaml;
  # LDAP bind password for the mail search user. Owned by the dovecot2
  # system user so Dovecot can read the decrypted file at runtime. Postfix
  # uses the same credential (see mailserver.ldap.postfix); how it gets read
  # access is handled inside the mailserver module and is not visible here --
  # NOTE(review): confirm it is done root-side at start-up rather than by
  # widening this file's permissions.
  secrets."dovecot/ldapSearchUserPassword".owner = config.users.users.dovecot2.name;
};
# NixOS release this host was first installed with; never bump on upgrades.
system.stateVersion = "23.11";
}