From 1cf3881efa61d9e4768f25835a253d4567c13744 Mon Sep 17 00:00:00 2001
From: Cassie Cheung
Date: Wed, 24 Jul 2024 20:15:10 +0800
Subject: [PATCH] host(kita): basic dovecot setup
---
 systems/kita/services/mail/default.nix | 1 +
 systems/kita/services/mail/dovecot.nix | 69 ++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 systems/kita/services/mail/dovecot.nix
diff --git a/systems/kita/services/mail/default.nix b/systems/kita/services/mail/default.nix
index b017811..7f7e17c 100644
--- a/systems/kita/services/mail/default.nix
+++ b/systems/kita/services/mail/default.nix
@@ -4,5 +4,6 @@
 # HELL
 ./postfix.nix
+ ./dovecot.nix
 ];
 }
diff --git a/systems/kita/services/mail/dovecot.nix b/systems/kita/services/mail/dovecot.nix
new file mode 100644
index 0000000..19f1eab
--- /dev/null
+++ b/systems/kita/services/mail/dovecot.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ # IMPORTANT: needed for ssh_dh in dovecot.
+ security.dhparams = {
+ enable = true;
+ params.dovecot2 = {};
+ };
+
+ services.dovecot2 = {
+ enable = true;
+
+ createMailUser = true;
+ mailUser = "vmail";
+ mailGroup = "vmail";
+
+ # we ignore nixos options and do our own config because order matters.
+ configFile = pkgs.writeText "dovecot.conf" ''
+ # ssl config
+ ssl = required
+ disable_plaintext_auth = yes
+ ssl_cert = <${config.security.acme.certs."kita.c.soopy.moe".directory + "/full.pem"}
+ ssl_key = <${config.security.acme.certs."kita.c.soopy.moe".directory + "/full.pem"}
+ ssl_dh = <${config.security.dhparams.params.dovecot2.path}
+ ssl_min_protocol = TLSv1.2
+ # default ssl cipher list without non ec deffie-hellman algos
+ ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+ # default configurations
+ base_dir = /run/dovecot2
+ maildir_copy_with_hardlinks = yes
+ sendmail_path = /run/wrappers/bin/sendmail
+ default_internal_user = dovecot2 # nixos weirdness
+ default_internal_group = dovecot2 # nixos weirdness
+
+ # namespaces (mailboxes)
+ # see dovecot/doc/example-config/conf.d/{10-mail,15-mailboxes}.conf for details
+ namespace inbox {
+ type = private
+ inbox = yes
+ list = yes
+
+ # special mailboxes
+ mailbox Drafts {
+ special_use = \Drafts
+ auto = create
+ }
+ mailbox Junk {
+ special_use = \Junk
+ auto = create
+ }
+ mailbox Trash {
+ special_use = \Trash
+ auto = create
+ }
+ mailbox Sent {
+ special_use = \Sent
+ auto = create
+ }
+ }
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 993 # imaps
+ ];
+}
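Review bot: `ssl_cert` and `ssl_key` both read `full.pem` from the ACME directory, which is the combined chain-plus-private-key file, so the certificate setting is handed the private key as well; the split files the ACME module writes alongside it keep the intent explicit and the key's handling separate: `ssl_cert = <${config.security.acme.certs."kita.c.soopy.moe".directory + "/fullchain.pem"}` and `ssl_key = <${config.security.acme.certs."kita.c.soopy.moe".directory + "/key.pem"}`. Because `configFile` replaces the module-generated configuration entirely, `createMailUser`/`mailUser`/`mailGroup` only create the `vmail` account, and the hand-written config sets no `mail_uid`/`mail_gid`/`mail_location` and no `passdb`/`userdb`, so as written logins presumably cannot succeed; if that is deliberately deferred, a line under `# we ignore nixos options` such as `# TODO: passdb/userdb and mail_uid/mail_gid/mail_location still missing` would make the gap visible to the next reader. The `# IMPORTANT: needed for ssh_dh in dovecot.` comment presumably means `ssl_dh`, and `deffie-hellman` on the cipher-list comment should read `Diffie-Hellman`.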