adonis/config/mail/default.nix

{config, ...}: let
  mailDomain = config.customOps.domain;
in {
  sops.secrets = {
    "mailserver/contact".owner = "dovecot2";
    "radicale".owner = "radicale";
  };

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = mailDomain;
    domains = [mailDomain];

    virusScanning = true;

    systemDomain = mailDomain;
    systemName = mailDomain;

    dmarcReporting.enable = true;
    fullTextSearch.enable = true;

    mailboxes = {
      Archive = {
        auto = "subscribe";
        specialUse = "Archive";
      };
      Drafts = {
        auto = "subscribe";
        specialUse = "Drafts";
      };
      Junk = {
        auto = "subscribe";
        specialUse = "Junk";
      };
      Sent = {
        auto = "subscribe";
        specialUse = "Sent";
      };
      Trash = {
        auto = "subscribe";
        specialUse = "Trash";
      };
    };

    loginAccounts = {
      "contact@${mailDomain}" = {
        hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
        aliases = [
          "root@${mailDomain}"
          "postmaster@${mailDomain}"
          "security@${mailDomain}"
          "abuse@${mailDomain}"
          "webmaster@${mailDomain}"
          "admin@${mailDomain}"
          "info@${mailDomain}"
          "support@${mailDomain}"
        ];
      };
    };
    certificateScheme = "acme";
  };

  services.roundcube = {
    enable = true;
    hostName = "mail.${mailDomain}";
    extraConfig = ''
      $config['imap_host'] = "ssl://${mailDomain}";
      $config['smtp_host'] = "ssl://${mailDomain}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  services.radicale = {
    enable = true;
    settings = {
      auth = {
        type = "htpasswd";
        htpasswd_filename = config.sops.secrets."radicale".path;
        htpasswd_encryption = "bcrypt";
      };
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."cal.${mailDomain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:5232/";
        extraConfig = ''
          proxy_set_header  X-Script-Name /;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass_header Authorization;
        '';
      };
    };
  };
}