mail: add roundcube + radicale, enable virus scanning, upgrade passwords to bcrypt

config/mail/default.nix

@@ -1,4 +1,9 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
   mailDomain = config.customOps.domain;
 in {
   sops.secrets = {
@@ -11,6 +16,8 @@ in {
     fqdn = mailDomain;
     domains = [mailDomain];
 
+    virusScanning = true;
+
     systemDomain = mailDomain;
     systemName = mailDomain;
 
@@ -57,4 +64,51 @@ in {
     };
     certificateScheme = "acme";
   };
+
+  services.roundcube = {
+    enable = true;
+    hostName = "mail.${mailDomain}";
+    extraConfig = ''
+      $config['imap_host'] = "ssl://${mailDomain}";
+      $config['smtp_host'] = "ssl://${mailDomain}";
+      $config['smtp_user'] = "%u";
+      $config['smtp_pass'] = "%p";
+    '';
+  };
+
+  services.radicale = let
+    mailAccounts = config.mailserver.loginAccounts;
+    htpasswd = pkgs.writeText "radicale.users" (
+      lib.concatStrings
+      (lib.flip lib.mapAttrsToList mailAccounts (
+        mail: user:
+          mail + ":" + user.hashedPassword + "\n"
+      ))
+    );
+  in {
+    enable = true;
+    settings = {
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "${htpasswd}";
+        htpasswd_encryption = "bcrypt";
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."cal.${mailDomain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:5232/";
+        extraConfig = ''
+          proxy_set_header  X-Script-Name /;
+          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_pass_header Authorization;
+        '';
+      };
+    };
+  };
 }