modo-test

machines/kat-mail-test/default.nix

@@ -2,13 +2,18 @@
   config,
   lib,
   pkgs,
+  sources,
   ...
 }:
-
+let
+  host = "betamail.katvayor.net";
+in
 {
   imports = [
+    "${sources.nixos-mailserver}"
     ./hardware-configuration.nix
     ./disks.nix
+    ./modo.nix
   ];
 
   boot.loader.systemd-boot.enable = true;
@@ -75,5 +80,31 @@
 
   networking.firewall.enable = false;
 
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts."betamail.katvayor.net" = {
+      enableACME = true;
+      addSSL = true;
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = host;
+    domains = [ host ];
+
+    loginAccounts = {
+      "user1@${host}" = {
+        hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe";
+      };
+    };
+
+    certificateScheme = "acme";
+  };
+
   system.stateVersion = "23.11";
 }

machines/kat-mail-test/modo.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  pkgs,
+  mods,
+  lib,
+  ...
+}:
+{
+  users.users.moderators = {
+    shell = pkgs.zsh;
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+  };
+  home-manager.users.moderators = {
+    home.stateVersion = "23.11";
+    imports = with mods.home; [
+      neovim
+      zsh
+    ];
+  };
+  mailserver.loginAccounts."moderators@betamail.katvayor.net" = {
+    hashedPassword = "";
+    sieveScript = ''
+      require "vnd.dovecot.pipe";
+      pipe "procmail-modo";
+    '';
+  };
+  services.dovecot2.sieve = {
+    extensions = [ "vnd.dovecot.pipe" ];
+    pipeBins = [
+      (lib.getExe (
+        pkgs.writeShellApplication {
+          name = "procmail-modo";
+          text = ''
+            exec /run/wrappers/bin/sudo ${lib.getExe' pkgs.procmail "procmail"} -d moderators
+          '';
+        }
+      ))
+    ];
+  };
+  security.sudo.extraRules = [
+    {
+      users = [ "virtualMail" ];
+      commands = [
+        {
+          command = "${lib.getExe' pkgs.procmail "procmail"}";
+          options = [
+            "SETENV"
+            "NOPASSWD"
+          ];
+        }
+      ];
+    }
+  ];
+}

machines/kat-r86s/configuration.nix

@@ -128,26 +128,46 @@
         };
       };
     in
-  {
-    enable = true;
-    virtualHosts =
-      builtins.mapAttrs (_: {vm, ...}: {
-        enableACME = true;
-        addSSL = true;
-        acmeFallbackHost = vm;
-        acmeFallbackRecommendedProxySettings = true;
-        locations."/" = {
-          recommendedProxySettings = true;
-          proxyPass = "https://${vm}/";
-        };
-      }) vhosts;
-      streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
+    {
+      enable = true;
+      virtualHosts = builtins.mapAttrs (
+        _:
+        { vm, ... }:
+        {
+          enableACME = true;
+          addSSL = true;
+          acmeFallbackHost = vm;
+          acmeFallbackRecommendedProxySettings = true;
+          locations."/" = {
+            recommendedProxySettings = true;
+            proxyPass = "https://${vm}/";
+          };
+        }
+      ) vhosts;
+      streamConfig =
+        builtins.concatStringsSep "\n" (
+          lib.mapAttrsToList (
+            vhost:
+            { vm, sshport }:
+            ''
+              server {
+                listen ${toString sshport};
+                proxy_pass ${vm}:22;
+              }
+            ''
+          ) vhosts
+        )
+        + ''
           server {
-            listen ${toString sshport};
-            proxy_pass ${vm}:22;
+            listen 993;
+            proxy_pass 192.168.122.3:993;
           }
-      '') vhosts);
-  };
+          server {
+            listen 465;
+            proxy_pass 192.168.122.3:465;
+          }
+        '';
+    };
 
   # Open ports in the firewall.
   networking.firewall = {
@@ -156,6 +176,8 @@
       53
       80
       443
+      465
+      993
     ];
     allowedTCPPortRanges = [
       {

machines/kat-watcher/default.nix

@@ -79,14 +79,25 @@
           proxyPass = "https://${kat-r86s}/";
         };
       }) vhosts;
-      streamConfig = builtins.concatStringsSep "\n" (
-        lib.mapAttrsToList (vhost: sshport: ''
+      streamConfig =
+        builtins.concatStringsSep "\n" (
+          lib.mapAttrsToList (vhost: sshport: ''
+            server {
+              listen ${toString sshport};
+              proxy_pass ${kat-r86s}:${toString sshport};
+            }
+          '') vhosts
+        )
+        + ''
           server {
-            listen ${toString sshport};
-            proxy_pass ${kat-r86s}:${toString sshport};
+            listen 993;
+            proxy_pass ${kat-r86s}:993;
           }
-        '') vhosts
-      );
+          server {
+            listen 465;
+            proxy_pass ${kat-r86s}:465;
+          }
+        '';
     };
 
   services.dbus.packages = with pkgs; [ dconf ];
@@ -117,6 +128,8 @@
         22
         80
         443
+        993
+        465
       ];
       allowedTCPPortRanges = [
         {

npins/sources.json

@@ -65,6 +65,21 @@
       "url": "https://github.com/nix-community/nixos-images/archive/42b13bbd6fce3bcf6272a6ed664a23b9417b82c2.tar.gz",
       "hash": "1ap3z694mjbfrwa2ddqlq1sqbwqy6xrq0r68blwr53cn7nx0rn4f"
     },
+    "nixos-mailserver": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitLab",
+        "repo_path": "simple-nixos-mailserver/nixos-mailserver",
+        "server": "https://gitlab.com/"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v2.3.0",
+      "revision": "289f71efe2250e1155b0c74d188699397ba641d8",
+      "url": "https://gitlab.com/api/v4/projects/simple-nixos-mailserver%2Fnixos-mailserver/repository/archive.tar.gz?ref=v2.3.0",
+      "hash": "1flgj5hqzr76x2ff339kzbrfwilwy81wmml69nnwr2l5apmmly8j"
+    },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",