From ce07874e232010ba5b1a486a750c777d3677946d Mon Sep 17 00:00:00 2001
From: Cassie Cheung
Date: Thu, 25 Jul 2024 00:32:50 +0800
Subject: [PATCH] host(kita): setup lmtp

---
 creds/sops/kita/default.yaml           |  6 ++--
 systems/kita/services/mail/dovecot.nix | 47 ++++++++++++++++++++++++--
 systems/kita/services/mail/postfix.nix | 11 ++++++
 3 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/creds/sops/kita/default.yaml b/creds/sops/kita/default.yaml
index 17cee15..752bd6f 100644
--- a/creds/sops/kita/default.yaml
+++ b/creds/sops/kita/default.yaml
@@ -2,6 +2,8 @@ vmetrics:
     auth: ENC[AES256_GCM,data:FA3YrlJuaoW2TJesX7I/amRM9NMRBBuICQDf/LDPMfzeYj3KRvFOP3YYfVht/kor/QaPD3Vgq9cndb+doBypZgD12X1lHrXn7NVKjNj/CW0Zyrgs0V8KsWsUSfFUjj1RI3kWOhQ4aq3VEPW6bcIbRkrYIzweLQ8FtVCK4w5dq9mK6D4sHa662aI1fF2+lAJHYTc8svXLBiENnKJoybnBvOFLBacu9wuImUFBPA==,iv:abGTu/sywBaDpBYYExivqxaHpk3rTOCKmcf8USczVXQ=,tag:zZAnB3Qa/TgucCDD9TE30Q==,type:str]
 lego:
     cf_token: ENC[AES256_GCM,data:Mdbow7N8R+SDCjYCO/8nwitXAJsark+xEoKdJkvigkC4WICvG56AJA==,iv:mSrMj7ze50ue7V5/3PO29Wq38iUDxzXJ96DUeZU1RwU=,tag:/pnnP6oTcdCXFtvO1Qb/Ag==,type:str]
+dovecot:
+    db_password: ENC[AES256_GCM,data:1sBvlYMg12mc62D0SE8fJjROZJJr/s8IC5lFPHM9WGa1Jowy++eUWDtOLyGYwSLb1ghr0+ZpkKcMallbus2w9doQKgw0JrBtJBAIT1VACusuxLBGpbMYSRXu68I4h4nV,iv:dX6HkDhz3r4huRWtP9UlxhKycQg5TMG+Wwei9rtVz0I=,tag:obblyLF4XFEhoP7YJ43CBQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -35,8 +37,8 @@ sops:
             R3BvNDMzK0c2UUlxWmRoWGpodFc3NkUKFCg/Fu40Qq8aE1IChae19F4tJQVn9AeA
             yQPw/uO+wRpv/DfYH/sRUtr8UhSk7vGGBCRcddK2T5X9lzLN1kbKPw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-20T08:52:43Z"
-    mac: ENC[AES256_GCM,data:pXavn60kaMiqxHF31AsHQTYd3p3FYwizS5AZbVc5GEhdWoFElw8Rb/WX4Wqk7vtCE9EPPPfZGeKpaSZAfUnfqiRbrZJQrMisuHUgByTcrLABCGdQYx7OKmHcJn7CGHaiyccRBgSeMHDG3e2B7OFus+IfCjXNLv/H6rIlPPVJi9Y=,iv:GI5pIYy5cYfmp6EzdjVxvnl2LKM0mMw4uTLKxGRO4Yk=,tag:dhngrW0qJYgrYKcQHrqa3g==,type:str]
+    lastmodified: "2024-07-24T07:48:36Z"
+    mac: ENC[AES256_GCM,data:2ZhQImOCoYr1I47pEX5oJxz/KBOw4F6KgWL9kDUkVrS2V4tHUBvbIrp2YbJYFcho21d+8kUIUmByRPdVBcHEgtQrWhFVkbYTx56CttebGiYiQv94Hw/Mr/dYHnLAhWVofuQeHK/hTuDZAOITsMljEUJ66/VY+XfKssSXfO/y6xk=,iv:7q2cxzVUNgC/Rj9mOf0PD964h4xmKGCP9N1GVE6ZbCU=,tag:/v5VB9MBQMw9k+8Db+AYFg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0
diff --git a/systems/kita/services/mail/dovecot.nix b/systems/kita/services/mail/dovecot.nix
index c8192be..ccf8485 100644
--- a/systems/kita/services/mail/dovecot.nix
+++ b/systems/kita/services/mail/dovecot.nix
@@ -38,6 +38,31 @@
     mail_location = maildir:~/Mail
     maildir_copy_with_hardlinks = yes
 
+    # protocols
+    protocols = imap lmtp
+    auth_mechanisms = plain login # since we enforce ssl/tls we can safely use plain.
+
+    # lmtp config w/ postfix
+    service lmtp {
+      unix_listener ${config.services.postfix.config.queue_directory}/dovecot-lmtp {
+        user = postfix
+        group = postfix
+        mode = 0600
+      }
+    }
+
+    # user/password databases
+    passdb {
+      driver = sql
+      args = ${config.sops.templates."dovecot-sql.conf".path} # see bottom
+    }
+
+    userdb {
+      # for mail_location see above.
+      driver = static
+      args = uid=${builtins.toString config.users.users.vmail.uid} gid=${builtins.toString config.users.groups.vmail.gid} home=/var/vmail/%d/%n
+    }
+
     # namespaces (mailboxes)
     # see dovecot/doc/example-config/conf.d/{10-mail,15-mailboxes}.conf for details
     namespace inbox {
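Review bot: The comment on `auth_mechanisms = plain login` says TLS is enforced, but nothing in this hunk enforces it; Dovecot's default `disable_plaintext_auth = yes` already refuses PLAIN/LOGIN on non-TLS remote connections, so the line is safe by default, while the stronger `ssl = required` that the comment implies is presumably set in the part of the config outside this hunk. Pointing the comment at the actual setting keeps the two from drifting apart, e.g. `auth_mechanisms = plain login # safe only while ssl = required / disable_plaintext_auth stay set (see ssl section)`. A related point on the static `userdb`: it accepts any `%d/%n` it is given, and for LMTP recipient validation Dovecot relies on the SQL passdb lookup to reject unknown users (the default `allow_all_users = no`), which is worth a one-line comment on the block so nobody later relaxes it. The Nix string this configuration lives in starts and ends outside the hunk.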
@@ -67,16 +92,34 @@
   };
 
   users.users.vmail = {
-    uid = 1024;
+    uid = 988;
     description = "Virtual Mail User";
     group = config.users.groups.vmail.name;
     isSystemUser = true;
     home = "/var/vmail";
     createHome = true;
   };
-  users.groups.vmail.gid = 1024;
+  users.groups.vmail.gid = 988;
+
+  sops.secrets."dovecot/db_password" = {};
+  sops.templates."dovecot-sql.conf".content = ''
+    driver = pgsql
+    connect = host=localhost dbname=maildb user=maildb password=${config.sops.placeholder."dovecot/db_password"}
+
+    password_query = SELECT username, domain, passwd AS password FROM users WHERE username = '%n' AND domain = '%d'
+    # this doesn't work because we need a sql userdb for iterative queries
+    #iterate_query = SELECT username, domain FROM users
+    # user_query not needed since we handle that staticly with a template.
+  '';
 
   networking.firewall.allowedTCPPorts = [
     993 # imaps
   ];
+
+  # 最低
+  nixpkgs.overlays = [
+    (final: prev: {
+      dovecot = prev.dovecot.override {withPgSQL = true;};
+    })
+  ];
 }
diff --git a/systems/kita/services/mail/postfix.nix b/systems/kita/services/mail/postfix.nix
index b2790e5..5899145 100644
--- a/systems/kita/services/mail/postfix.nix
+++ b/systems/kita/services/mail/postfix.nix
@@ -55,6 +55,17 @@ in {
         "permit_sasl_authenticated"
         "reject_unauth_destination"
       ];
+      smtpd_recipient_restrictions = [
+        "reject_unknown_recipient_domain"
+        "reject_unverified_recipient" # dovecot lmtp check, requires dovecot
+      ];
+
+      # dovecot integration with lmtp
+      virtual_transport = "lmtp:unix:/var/mail/dovecot-lmtp";
+      virtual_mailbox_domains = [
+        "soopy.moe"
+        "services.soopy.moe"
+      ];
     };
   };
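Review bot: The `dovecot-sql.conf` template sets no `default_pass_scheme`, so any `passwd` value stored without a `{SCHEME}` prefix is interpreted with Dovecot's documented fallback (MD5); state the scheme the `users.passwd` column actually holds explicitly, e.g. `default_pass_scheme = SHA512-CRYPT` next to `password_query`, so a weak fallback cannot be selected silently. Lowering the vmail uid/gid from 1024 to 988 does not re-own anything already under `/var/vmail`; if kita has existing maildirs, deliveries to them may fail until they are chowned, and a comment on the `uid` line recording why the ids were renumbered would help the next reader. The `# 最低` comment above `nixpkgs.overlays` does not explain the overlay; replace it with something like `# build dovecot with PostgreSQL support, required by the sql passdb driver configured above`.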