homelab framework module init (everything is a mess)

machines/mail/configuration.nix

@@ -2,6 +2,7 @@
   imports = [
     ./mailserver.nix
     ./networking.nix
+    ./roundcube.nix
     inputs.simple-nixos-mailserver.nixosModule
   ];
 

machines/mail/mailserver.nix

@@ -1,10 +1,14 @@
 {config, ...}: {
   sops.secrets."service_accounts/mail/password" = {};
+  sops.secrets."cloudflare/dns-api-token" = {};
+  sops.secrets."cloudflare/zone-api-token" = {};
+
   mailserver = {
     enable = true;
     stateVersion = 3;
     fqdn = "mail.procopius.dk";
     domains = ["procopius.dk"];
+    dmarcReporting.enable = true;
     localDnsResolver = false;
     ldap = {
       enable = true;
@@ -28,10 +32,17 @@
       searchBase = "ou=people,dc=procopius,dc=dk";
     };
 
-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
-    certificateScheme = "acme-nginx";
+    certificateScheme = "acme";
+    acmeCertificateName = "mail.procopius.dk";
   };
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "david.mikael@proton.me";
+  security.acme.defaults = {
+    dnsProvider = "cloudflare";
+    dnsResolver = "1.1.1.1:53";
+    credentialFiles = {
+      "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/dns-api-token".path;
+      "CF_ZONE_API_TOKEN_FILE" = config.sops.secrets."cloudflare/zone-api-token".path;
+    };
+  };
 }

machines/mail/roundcube.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  services.roundcube = {
+    enable = true;
+    hostName = "roundcube.procopius.dk";
+    extraConfig = ''
+      # starttls needed for authentication, so the fqdn required to match
+      # the certificate
+      $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
+      $config['smtp_user'] = "%u";
+      $config['smtp_pass'] = "%p";
+    '';
+  };
+
+  services.nginx.virtualHosts."roundcube.procopius.dk" = {
+    forceSSL = lib.mkForce false;
+    enableACME = lib.mkForce false;
+  };
+}