mail2-nixos-config/roundcube.nix

{ config, lib, pkgs, ... }:

let
  poolName = "roundcube_pool";

  roundcube = (pkgs.callPackage ./pkg-roundcube.nix {
    conf = pkgs.writeText "roundcube-config.inc.php" ''
      <?php
      $config = array();
      $config['db_dsnw'] = 'sqlite:///${config.variables.roundcubeDataDir}/roundcube.sqlite?mode=0600';
      $config['default_host'] = 'tls://${config.variables.myFQDN}';
      $config['smtp_server'] = 'tls://${config.variables.myFQDN}';
      $config['smtp_port'] = 587;
      $config['smtp_user'] = '%u';
      $config['smtp_pass'] = '%p';
      $config['product_name'] = 'Webmail';
      $config['des_key'] = file_get_contents("${config.variables.roundcubeDataDir}/des_key");;
      $config['cipher_method'] = 'AES-256-CBC';
      $config['plugins'] = array(
        'archive',
        'managesieve',
        'zipdownload',
        );
      $config['skin'] = 'larry';
      '';
    temp = "${config.variables.roundcubeDataDir}/temp";
    logs = "${config.variables.roundcubeDataDir}/logs";
  } );
in
{
  services.nginx.virtualHosts."${config.variables.roundcubeFQDN}" = {
    forceSSL = config.variables.useSSL;
    enableACME = config.variables.useSSL;
    root = "${roundcube}/public_html";
    extraConfig = ''
      access_log off;
      add_header Permissions-Policy "interest-cohort=()" always;
      '';
    locations."~ ^/favicon.ico/.*$" = {
      extraConfig = ''
        try_files $uri kins/larry/images/$uri;
        add_header Permissions-Policy "interest-cohort=()" always;
        '';
    };
    locations."/" = {
      extraConfig = ''
        index index.php;
        try_files $uri /public/$uri /index.php$is_args$args;
        etag off;
        add_header etag "\"${builtins.substring 11 32 roundcube}\"";
        add_header Permissions-Policy "interest-cohort=()" always;
        '';
    };
    locations."~ [^/]\.php(/|$)" = {
      extraConfig = ''
        etag off;
        add_header etag "\"${builtins.substring 11 32 roundcube}\"";
        add_header Permissions-Policy "interest-cohort=()" always;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
    
        fastcgi_pass unix:${config.services.phpfpm.pools."${poolName}".socket};
        fastcgi_index index.php;

        fastcgi_param   QUERY_STRING            $query_string;
        fastcgi_param   REQUEST_METHOD          $request_method;
        fastcgi_param   CONTENT_TYPE            $content_type;
        fastcgi_param   CONTENT_LENGTH          $content_length;

        fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
        fastcgi_param   PATH_INFO               $fastcgi_path_info;
        fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
        fastcgi_param   REQUEST_URI             $request_uri;
        fastcgi_param   DOCUMENT_URI            $document_uri;
        fastcgi_param   DOCUMENT_ROOT           $document_root;
        fastcgi_param   SERVER_PROTOCOL         $server_protocol;

        fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
        fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;

        fastcgi_param   REMOTE_ADDR             $remote_addr;
        fastcgi_param   REMOTE_PORT             $remote_port;
        fastcgi_param   SERVER_ADDR             $server_addr;
        fastcgi_param   SERVER_PORT             $server_port;
        fastcgi_param   SERVER_NAME             $server_name;

        fastcgi_param   HTTPS                   $https;
        fastcgi_param   HTTP_PROXY              "";
      '';
    };
  };
  systemd.services.roundcube-install = {
    serviceConfig.Type = "oneshot";
    wantedBy = [ "multi-user.target" ];
    script = ''
      mkdir -p ${config.variables.roundcubeDataDir}/temp ${config.variables.roundcubeDataDir}/logs
      chown -Rc ${config.variables.roundcubeUser}:${config.variables.roundcubeGroup} ${config.variables.roundcubeDataDir}
      chmod -c 700 ${config.variables.roundcubeDataDir}
      # Regenerate the key every now and then. This invalidates all sessions, but during reboot should be good enough.
      [ -f "${config.variables.roundcubeDataDir}/des_key" ] && ${pkgs.coreutils}/bin/shred "${config.variables.roundcubeDataDir}/des_key"
      ${pkgs.coreutils}/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null | ${pkgs.coreutils}/bin/base64 > "${config.variables.roundcubeDataDir}/des_key"
      chown -c "${config.variables.roundcubeUser}":${config.variables.roundcubeGroup} "${config.variables.roundcubeDataDir}/des_key"
      chmod -c 400 "${config.variables.roundcubeDataDir}/des_key"
      if [ -s "${config.variables.roundcubeDataDir}/roundcube.sqlite" ]; then
        # Just go ahead and remove the sessions, the key to decrypt them has just been destroyed anyway.
        ${pkgs.sqlite}/bin/sqlite3 "${config.variables.roundcubeDataDir}/roundcube.sqlite" "DELETE FROM session;"
      fi
    '';
  };
  services.phpfpm.pools."${poolName}" = {
    user = "${config.variables.roundcubeUser}";
    group = "${config.variables.roundcubeUser}";
    settings = {
      "pm" = "dynamic";
      "pm.max_children" = 75;
      "pm.min_spare_servers" = 5;
      "pm.max_spare_servers" = 20;
      "pm.max_requests" = 10;
      "catch_workers_output" = 1;
      "listen.owner" = "nginx";
      "listen.group" = "nginx";
    };
  };
  users.extraUsers."${config.variables.roundcubeUser}" = { };
  users.extraGroups."${config.variables.roundcubeUser}" = { };
  users.groups."${config.variables.roundcubeGroup}" = { };
  users.users."${config.variables.roundcubeUser}" = {
    isSystemUser = true;
    group = "${config.variables.roundcubeGroup}";
    description = "PHP User for roundcube";
  };
}
first import of mailserver config 2019-05-10 23:21:28 +02:00			`{ config, lib, pkgs, ... }:`

			`let`
			`poolName = "roundcube_pool";`

			`roundcube = (pkgs.callPackage ./pkg-roundcube.nix {`
			`conf = pkgs.writeText "roundcube-config.inc.php" ''`
			`<?php`
			`$config = array();`
			`$config['db_dsnw'] = 'sqlite:///${config.variables.roundcubeDataDir}/roundcube.sqlite?mode=0600';`
			`$config['default_host'] = 'tls://${config.variables.myFQDN}';`
			`$config['smtp_server'] = 'tls://${config.variables.myFQDN}';`
			`$config['smtp_port'] = 587;`
			`$config['smtp_user'] = '%u';`
			`$config['smtp_pass'] = '%p';`
			`$config['product_name'] = 'Webmail';`
Dont use a public des key... 2019-06-17 20:40:08 +02:00			`$config['des_key'] = file_get_contents("${config.variables.roundcubeDataDir}/des_key");;`
roundcube: try again with another cipher 2019-09-07 00:55:53 +02:00			`$config['cipher_method'] = 'AES-256-CBC';`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`$config['plugins'] = array(`
			`'archive',`
			`'managesieve',`
			`'zipdownload',`
			`);`
			`$config['skin'] = 'larry';`
			`'';`
			`temp = "${config.variables.roundcubeDataDir}/temp";`
			`logs = "${config.variables.roundcubeDataDir}/logs";`
			`} );`
			`in`
			`{`
			`services.nginx.virtualHosts."${config.variables.roundcubeFQDN}" = {`
			`forceSSL = config.variables.useSSL;`
			`enableACME = config.variables.useSSL;`
			`root = "${roundcube}/public_html";`
nginx: disable access log (global doesnt work...) 2019-08-11 17:02:16 +02:00			`extraConfig = ''`
			`access_log off;`
fu google 2021-05-01 18:42:06 +02:00			`add_header Permissions-Policy "interest-cohort=()" always;`
			`'';`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`locations."~ ^/favicon.ico/.*$" = {`
fu google 2021-05-01 18:42:06 +02:00			`extraConfig = ''`
			`try_files $uri kins/larry/images/$uri;`
			`add_header Permissions-Policy "interest-cohort=()" always;`
			`'';`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`};`
			`locations."/" = {`
fu google 2021-05-01 18:42:06 +02:00			`extraConfig = ''`
			`index index.php;`
			`try_files $uri /public/$uri /index.php$is_args$args;`
			`etag off;`
			`add_header etag "\"${builtins.substring 11 32 roundcube}\"";`
			`add_header Permissions-Policy "interest-cohort=()" always;`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`'';`
			`};`
			`locations."~ [^/]\.php(/\|$)" = {`
			`extraConfig = ''`
			`etag off;`
			`add_header etag "\"${builtins.substring 11 32 roundcube}\"";`
fu google 2021-05-01 18:42:06 +02:00			`add_header Permissions-Policy "interest-cohort=()" always;`
first import of mailserver config 2019-05-10 23:21:28 +02:00
			`fastcgi_split_path_info ^(.+?\.php)(/.*)$;`
			`if (!-f $document_root$fastcgi_script_name) {`
			`return 404;`
			`}`

migrate phpfpm to unix sockets 2019-11-29 20:48:13 +01:00			`fastcgi_pass unix:${config.services.phpfpm.pools."${poolName}".socket};`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`fastcgi_index index.php;`

			`fastcgi_param QUERY_STRING $query_string;`
			`fastcgi_param REQUEST_METHOD $request_method;`
			`fastcgi_param CONTENT_TYPE $content_type;`
			`fastcgi_param CONTENT_LENGTH $content_length;`

			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`fastcgi_param SCRIPT_NAME $fastcgi_script_name;`
			`fastcgi_param PATH_INFO $fastcgi_path_info;`
			`fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;`
			`fastcgi_param REQUEST_URI $request_uri;`
			`fastcgi_param DOCUMENT_URI $document_uri;`
			`fastcgi_param DOCUMENT_ROOT $document_root;`
			`fastcgi_param SERVER_PROTOCOL $server_protocol;`

			`fastcgi_param GATEWAY_INTERFACE CGI/1.1;`
			`fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;`

			`fastcgi_param REMOTE_ADDR $remote_addr;`
			`fastcgi_param REMOTE_PORT $remote_port;`
			`fastcgi_param SERVER_ADDR $server_addr;`
			`fastcgi_param SERVER_PORT $server_port;`
			`fastcgi_param SERVER_NAME $server_name;`

			`fastcgi_param HTTPS $https;`
			`fastcgi_param HTTP_PROXY "";`
			`'';`
			`};`
			`};`
			`systemd.services.roundcube-install = {`
			`serviceConfig.Type = "oneshot";`
			`wantedBy = [ "multi-user.target" ];`
			`script = ''`
			`mkdir -p ${config.variables.roundcubeDataDir}/temp ${config.variables.roundcubeDataDir}/logs`
Fix phpfpm on roundcube for NixOS 19.09 2019-10-11 22:36:07 +02:00			`chown -Rc ${config.variables.roundcubeUser}:${config.variables.roundcubeGroup} ${config.variables.roundcubeDataDir}`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`chmod -c 700 ${config.variables.roundcubeDataDir}`
roundcube: recreate the session key on any restart of the install service, which includes any reboot 2019-09-07 00:48:56 +02:00			`# Regenerate the key every now and then. This invalidates all sessions, but during reboot should be good enough.`
			`[ -f "${config.variables.roundcubeDataDir}/des_key" ] && ${pkgs.coreutils}/bin/shred "${config.variables.roundcubeDataDir}/des_key"`
			`${pkgs.coreutils}/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null \| ${pkgs.coreutils}/bin/base64 > "${config.variables.roundcubeDataDir}/des_key"`
Fix phpfpm on roundcube for NixOS 19.09 2019-10-11 22:36:07 +02:00			`chown -c "${config.variables.roundcubeUser}":${config.variables.roundcubeGroup} "${config.variables.roundcubeDataDir}/des_key"`
roundcube: recreate the session key on any restart of the install service, which includes any reboot 2019-09-07 00:48:56 +02:00			`chmod -c 400 "${config.variables.roundcubeDataDir}/des_key"`
Remove roundcube sessions on boot and shutdown 2019-06-17 23:01:31 +02:00			`if [ -s "${config.variables.roundcubeDataDir}/roundcube.sqlite" ]; then`
roundcube: recreate the session key on any restart of the install service, which includes any reboot 2019-09-07 00:48:56 +02:00			`# Just go ahead and remove the sessions, the key to decrypt them has just been destroyed anyway.`
fix sqlite command name 2019-06-17 23:07:50 +02:00			`${pkgs.sqlite}/bin/sqlite3 "${config.variables.roundcubeDataDir}/roundcube.sqlite" "DELETE FROM session;"`
Remove roundcube sessions on boot and shutdown 2019-06-17 23:01:31 +02:00			`fi`
			`'';`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`};`
			`services.phpfpm.pools."${poolName}" = {`
update phpfpm settings for NixOS 19.09 2019-10-11 20:44:59 +02:00			`user = "${config.variables.roundcubeUser}";`
Fix phpfpm on roundcube for NixOS 19.09 2019-10-11 22:36:07 +02:00			`group = "${config.variables.roundcubeUser}";`
phpfpm: fix permission errors for roundcube (first try) 2019-11-29 20:55:13 +01:00			`settings = {`
			`"pm" = "dynamic";`
			`"pm.max_children" = 75;`
			`"pm.min_spare_servers" = 5;`
			`"pm.max_spare_servers" = 20;`
			`"pm.max_requests" = 10;`
			`"catch_workers_output" = 1;`
			`"listen.owner" = "nginx";`
			`"listen.group" = "nginx";`
			`};`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`};`
			`users.extraUsers."${config.variables.roundcubeUser}" = { };`
Fix phpfpm on roundcube for NixOS 19.09 2019-10-11 22:36:07 +02:00			`users.extraGroups."${config.variables.roundcubeUser}" = { };`
			`users.groups."${config.variables.roundcubeGroup}" = { };`
			`users.users."${config.variables.roundcubeUser}" = {`
			`isSystemUser = true;`
			`group = "${config.variables.roundcubeGroup}";`
			`description = "PHP User for roundcube";`
			`};`
first import of mailserver config 2019-05-10 23:21:28 +02:00			`}`