moved mail

machines/mail/mailserver.nix

@@ -0,0 +1,37 @@
+{config, ...}: {
+  sops.secrets."service_accounts/mail/password" = {};
+  mailserver = {
+    enable = true;
+    stateVersion = 3;
+    fqdn = "mail.procopius.dk";
+    domains = ["procopius.dk"];
+    localDnsResolver = false;
+    ldap = {
+      enable = true;
+      uris = [
+        "ldap://auth.lab:3890"
+      ];
+      bind = {
+        dn = "cn=mail,ou=people,dc=procopius,dc=dk";
+        passwordFile = config.sops.secrets."service_accounts/mail/password".path;
+      };
+      postfix = {
+        filter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(|(mail=%s)(mail-alias=%s)))"; # Will require MR!351 for aliases to work properly
+        mailAttribute = "mail";
+      };
+
+      dovecot = {
+        userFilter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(mail=%u))";
+        passFilter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(mail=%u))";
+      };
+
+      searchBase = "ou=people,dc=procopius,dc=dk";
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "david.mikael@proton.me";
+}