-rw-r--r--mail.nix87
1 files changed, 47 insertions, 40 deletions
diff --git a/mail.nix b/mail.nix
index a76cd40..2909d36 100644
--- a/mail.nix
+++ b/mail.nix
@@ -28,50 +28,57 @@ in {
     993 # IMAPS
   ];
 
-  security = {
-    acme.certs.${hostname} = {
-      group = config.services.maddy.group;
-      webroot = "/var/lib/acme/acme-challenge";
+  services = {
+    alps = {
+      enable = true;
+      imaps.host = hostname;
+      theme = "alps";
     };
-    pam.services.maddy = { };
-  };
 
-  services.maddy = {
-    config = ''
-      auth_map email_localpart
-    '' + (builtins.replaceStrings [
-      ''
-        auth.pass_table local_authdb {
-          table sql_table {
-            driver sqlite3
-            dsn credentials.db
-            table_name passwords
+    maddy = {
+      config = ''
+        auth_map email_localpart
+      '' + (builtins.replaceStrings [
+        ''
+          auth.pass_table local_authdb {
+            table sql_table {
+              driver sqlite3
+              dsn credentials.db
+              table_name passwords
+            }
+          }
+        ''
+        "imap tcp://0.0.0.0:143"
+        "submission tcp://0.0.0.0:587"
+      ] [
+        ''
+          auth.shadow local_authdb {
+            debug yes
+            use_helper no
           }
-        }
-      ''
-      "imap tcp://0.0.0.0:143"
-      "submission tcp://0.0.0.0:587"
-    ] [
-      ''
-        auth.shadow local_authdb {
-          debug yes
-          use_helper no
-        }
-      ''
-      "imap tls://0.0.0.0:993"
-      "submission tls://0.0.0.0:465"
-    ] options.services.maddy.config.default);
-    enable = true;
-    hostname = hostname;
-    primaryDomain = domain;
-    tls = {
-      loader = "file";
-      certificates = [{
-        certPath = "${certDir}/cert.pem";
-        keyPath = "${certDir}/key.pem";
-      }];
+        ''
+        "imap tls://0.0.0.0:993"
+        "submission tls://0.0.0.0:465"
+      ] options.services.maddy.config.default);
+      enable = true;
+      hostname = hostname;
+      primaryDomain = domain;
+      tls = {
+        loader = "file";
+        certificates = [{
+          certPath = "${certDir}/cert.pem";
+          keyPath = "${certDir}/key.pem";
+        }];
+      };
+    };
+
+    nginx.virtualHosts.${hostname} = let alps = config.services.alps;
+    in {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://${alps.bindIP}:${toString alps.port}";
     };
   };
 
-  users.extraUsers.maddy.extraGroups = [ "shadow" ];
+  users.extraUsers.maddy.extraGroups = [ "nginx" "shadow" ];
 }
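Review bot: The `proxyPass` on the `locations."/"` line interpolates `alps.bindIP` into the upstream URL without brackets, so an IPv6 literal (which I believe is the alps module's default bind address) produces a host like `http://::1:1323` that nginx rejects; if the bind address can be IPv6, bracket it in the `let`, e.g. `upstream = if lib.hasInfix ":" alps.bindIP then "[${alps.bindIP}]" else alps.bindIP;` and `locations."/".proxyPass = "http://${upstream}:${toString alps.port}";` (assuming `lib` is in scope at the top of the file, which is outside this hunk). Separately, adding `maddy` to the `nginx` group in `users.extraUsers.maddy.extraGroups` — presumably so maddy can read the ACME certificate that `enableACME` now places under nginx's group — gives maddy read access to everything the nginx group can read, which is broader than the removed per-certificate `group = config.services.maddy.group`; if the nginx module lets it be overridden, a dedicated shared group set via `security.acme.certs.${hostname}.group` with both services in it keeps the certificate readable without widening maddy's reach. The `debug yes` line under `auth.shadow local_authdb` is carried over unchanged; it is worth confirming it does not log authentication details in production. The enclosing attribute set (`in {`) begins before this hunk.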