From 31417b97a71c3e112bf25e309f3101544df1a6d5 Mon Sep 17 00:00:00 2001
From: toufic ar
Date: Wed, 28 Jan 2026 18:52:48 +0200
Subject: [PATCH] mail: add roundcube + radicale, enable virus scanning, upgrade passwords to bcrypt
---
 config/mail/default.nix | 56 ++++++++++++++++++++++++++++++++++++++++-
 secrets.yaml | 8 +++---
 2 files changed, 59 insertions(+), 5 deletions(-)
diff --git a/config/mail/default.nix b/config/mail/default.nix
index 757873a..b9a3afc 100644
--- a/config/mail/default.nix
+++ b/config/mail/default.nix
@@ -1,4 +1,9 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
 mailDomain = config.customOps.domain;
 in {
 sops.secrets = {
@@ -11,6 +16,8 @@ in {
 fqdn = mailDomain;
 domains = [mailDomain];
+ virusScanning = true;
+
 systemDomain = mailDomain;
 systemName = mailDomain;
@@ -57,4 +64,51 @@ in {
 };
 certificateScheme = "acme";
 };
+
+ services.roundcube = {
+ enable = true;
+ hostName = "mail.${mailDomain}";
+ extraConfig = ''
+ $config['imap_host'] = "ssl://${mailDomain}";
+ $config['smtp_host'] = "ssl://${mailDomain}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+
+ services.radicale = let
+ mailAccounts = config.mailserver.loginAccounts;
+ htpasswd = pkgs.writeText "radicale.users" (
+ lib.concatStrings
+ (lib.flip lib.mapAttrsToList mailAccounts (
+ mail: user:
+ mail + ":" + user.hashedPassword + "\n"
+ ))
+ );
+ in {
+ enable = true;
+ settings = {
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "${htpasswd}";
+ htpasswd_encryption = "bcrypt";
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."cal.${mailDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:5232/";
+ extraConfig = ''
+ proxy_set_header X-Script-Name /;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_header Authorization;
+ '';
+ };
+ };
+ };
 }
diff --git a/secrets.yaml b/secrets.yaml
index a798b95..e9d6535 100644
--- a/secrets.yaml
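Review bot: The `htpasswd` file in the new `services.radicale` block is built with `pkgs.writeText`, so every account's bcrypt hash is copied into the Nix store, where any local user can read it and where it travels with the closure to binary caches or remote builders. The expression also reads `user.hashedPassword` directly; the `loginAccounts` definitions are outside this hunk, but if they use `hashedPasswordFile` pointing at the sops secrets rotated in this commit, that attribute is presumably null and the string concatenation fails at evaluation. Rendering the file at activation time keeps the hashes out of the store, for example with a sops-nix template owned by the radicale user and referenced from `htpasswd_filename`, as sketched below with placeholder account and secret names.

```nix
  # … unchanged: services.roundcube …

  # Rendered at activation time, outside the world-readable Nix store.
  sops.templates."radicale.users" = {
    owner = "radicale";
    # One "address:hash" line per login account; both names are placeholders.
    content = ''
      <ACCOUNT_ADDRESS>:${config.sops.placeholder."<SECRET_NAME>"}
    '';
  };

  services.radicale = {
    # … unchanged: enable …
    settings.auth = {
      type = "htpasswd";
      htpasswd_filename = config.sops.templates."radicale.users".path;
      htpasswd_encryption = "bcrypt";
    };
  };
```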
+++ b/secrets.yaml
@@ -3,8 +3,8 @@ ssh:
 owner: ENC[AES256_GCM,data:LqatOCIAcAvYF354I5itm/rAp5S8UdyONgtK/CEvUq66isiqp+QhV3L1WiW10R8OOm4+nD70uzu4hMnSVxGfNPd8ysE7PUoTGstNFf06uwDtbRiVkJ8=,iv:LW2LwZexi/WliJ7zsoWG0nUSjk2rk5y5++LFI80qLBQ=,tag:3MpE+WVLtMwl8XeFno5FBQ==,type:str]
 nix-deploy: ENC[AES256_GCM,data:zPNvcKrGwsBJUPeYUhGVB9jPsqxG0Wo5G1hj+iwu34u12Egq1w8MYLF/kOj8XN7OOtcNmN2sr09EaD/a70gIltSeNVmEJh8u+kIehFp2UC5IKYJ5FHlGJP8+BQ==,iv:t93JWiWsdi3ihxfI6zvt4KJbywvNw2IyIWeKu+KspX8=,tag:XhD3LD8DXFAEWZXt34MC+g==,type:str]
 mailserver:
- contact: ENC[AES256_GCM,data:bDC9e4GzBn6c+yT4NOOVlcqQ86ynDkTZhKKE6Ck6xlwWpPYfngP+rffzsX0bL61N0ruMUuUD1XEcdRNz,iv:wqgBzTYa3ipeuUN7YhkH87U6vKb9pGyOS89SekqojLc=,tag:lQfSZm9OVYJ9dgT2WoBYsg==,type:str]
- forgejo: ENC[AES256_GCM,data:nDGMlxhJIlLr3ynR9ftRPqSdKNxxy8FVItRNLXVrbbbaIttpHUve68hz7O7s/v9qo1a14HvP5Z/NKuErRVsUzJJFRuDqwoywWg==,iv:eyf33mOOCOtEfRGLQqXFO2KEIJzWAflUXssf8qWwck4=,tag:sti3pRMbhunTsAVqQ6JJVw==,type:str]
+ contact: ENC[AES256_GCM,data:VjQfXiEzvBrIeLwLtS2UPjG/fAICk3hUtFPRKHN+v7cd8aSc45u90Ho3uKyKvnIaVyfoRwN21NvK4Vbb,iv:VJbxNwzipmV2yIruBsHX4z/FNy+AJq8Xp97bw/Bogpc=,tag:bc3BwY4xQNmQbQZpIEynYQ==,type:str]
+ forgejo: ENC[AES256_GCM,data:7bZQ5+WET1aAFXO2+R9kt9aA2PpEqhDaj9IE1t4UEgGNzn5D+tRsh+YEI73PPTRmjH7p8HKoo/eutVj3,iv:FD+gjIz5/o1sZGWRMMQEzoX09UJD8Ptk37GuMGcnB7o=,tag:6syos0wvs2e98JNyIoFHsg==,type:str]
 searx: ENC[AES256_GCM,data:n451XLvOi2D2YvL0/+ko+HyXWEU7uuVlivkFsKxIzq1EWqMVEhFgEAt1k8W15AdgLY1xo455fUbL6/W1uSFO8w==,iv:QfX7s4l4QuZ8/85Q/+0OWezDGqOKXdY7B5M6wq/5tAM=,tag:ppZXewIAN0IdRMgrIIKTmg==,type:str]
 actions_runner:
 token: ENC[AES256_GCM,data:K3l1i8TlOh4P0m0HvI/U97weP2BzPxkiz1DYvAFL8ergFVYHsE62A92rVxIAlQ==,iv:BIITpfqKa/IA7dQfmoNTA2dhB91jn7Ay7Ihib+2Mddg=,tag:Ojk4407BhM7b4LjmnPuZjA==,type:str]
@@ -23,7 +23,7 @@ sops:
 L0NsZWFmd3UwblExc3UrVVVraHVTTm8KyUN1t1NgQG8+zHViKXT4fwnuFBVgzhYw
 WbCHfzut3a55ta1B50hQGFlPcUZDPImUg4wKmkdc7vurg02vOTgwUQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-01-07T04:26:03Z"
- mac: ENC[AES256_GCM,data:4gTYhPcQ9ejFDiCtCqH5y+pDEez7pvtoAIySp2tyJ/8Q/DUQE2xhqBd7kvCZyo88jOujpjIbbppKKwfrOafK9M31v6tUgqTHLu9bsl2T91+qJCZVrrDZ8xMj4FoQ2c5zXNWPVQCjsMHWbRJTxgdb+HCb9PtUO//et+okiSoITek=,iv:GqVlL+126jmUfVhyQuvorULlkDDE2w+idYsAqrAqw7Q=,tag:p3dPQMFllXNKG8C9CfM7Xg==,type:str]
+ lastmodified: "2026-01-28T16:51:31Z"
+ mac: ENC[AES256_GCM,data:WEbG4365DWEy9Fz/SyP6uI8Vr6+wbi6o5J82lxvTB7QXLMqXSKyKdMMy1LOdiY2EVnXIBlgC9rzMJoJgwr00SdgVjH/ZJRZWjM7f8qk8yUzMqnMk+M82/SqD6pLqoLrguuSEsRgHSHNSt5qn0mH4vJ6OABAiquCsRHy4swe6Z8g=,iv:1WPSoebje5WRTIe7ww2/9iLpeVvS4xS/SRharN8B4/s=,tag:a28eAA7d3tHL3rQ+gQkFHQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0