From c8a44b9b48da35c708686528938b4bd8abcc1395 Mon Sep 17 00:00:00 2001
From: Thomas Preisner
Date: Thu, 5 Dec 2024 15:52:03 +0100
Subject: [PATCH] mailsystem: Add configuration for roundcube as webmail interface
---
 mailsystem/default.nix | 1 +
 mailsystem/roundcube.nix | 56 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 mailsystem/roundcube.nix
diff --git a/mailsystem/default.nix b/mailsystem/default.nix
index 16ea299..7cc0dc6 100644
--- a/mailsystem/default.nix
+++ b/mailsystem/default.nix
@@ -159,6 +159,7 @@ in {
 ./nginx.nix
 ./postfix.nix
 ./redis.nix
+ ./roundcube.nix
 ./rspamd.nix
 ./user.nix
 ];
diff --git a/mailsystem/roundcube.nix b/mailsystem/roundcube.nix
new file mode 100644
index 0000000..bebffaf
--- /dev/null
+++ b/mailsystem/roundcube.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with (import ./common.nix {inherit config;}); let
+ cfg = config.mailsystem;
+ roundcubeCfg = config.mailsystem.roundcube;
+in {
+ options.mailsystem.roundcube = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether to enable roundcube in order to provide a webmail interface";
+ };
+ hostName = lib.mkOption {
+ type = lib.types.str;
+ default = cfg.fqdn;
+ description = "FQDN to be used by roundcube. Defaults to {option}`mailsystem.fqdn`.";
+ };
+ passwordHashingAlgorithm = lib.mkOption {
+ type = lib.types.str;
+ default = "BLF-CRYPT";
+ description = "Password hashing algorithm to be used with `doveadm pw`";
+ };
+ };
+
+ config = lib.mkIf (cfg.enable && roundcubeCfg.enable) {
+ services.roundcube = {
+ enable = true;
+ hostName = roundcubeCfg.hostName;
+ plugins = ["managesieve" "password"];
+ extraConfig = ''
+ // Use starttls for authentication
+ $config['smtp_host'] = "tls://${cfg.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+
+ $config['managesieve_host'] = "localhost";
+
+ $config['password_driver'] = "dovecot_passwdfile";
+ $config['password_confirm_current'] = true;
+ $config['password_minimum_length'] = 8;
+ $config['password_algorithm'] = "dovecot";
+ // Enables saving the new password even if it machtes the old password. Useful
+ // for upgrading the stored passwords after the encryption scheme has changed.
+ $config['password_force_save'] = true;
+ $config['password_dovecot_passwdfile_path'] = "${pkgs.dovecot}/bin/doveadm pw";
+ $config['password_dovecotpw'] = "${dovecotDynamicPasswdFile}";
+ $config['password_dovecotpw_method'] = "${roundcubeCfg.passwordHashingAlgorithm}";
+ $config['password_dovecotpw_with_method'] = true;
+ '';
+ };
+ };
+}
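Review bot: The values of `password_dovecot_passwdfile_path` and `password_dovecotpw` in `extraConfig` look swapped. In Roundcube's password plugin, `password_dovecotpw` is the hashing command and `password_dovecot_passwdfile_path` is the passwd file the driver rewrites, so as written the plugin would try to run the passwd file as a command and treat the `doveadm pw` string as the file to edit. The lines should read `$config['password_dovecotpw'] = "${pkgs.dovecot}/bin/doveadm pw";` and `$config['password_dovecot_passwdfile_path'] = "${dovecotDynamicPasswdFile}";`. Once corrected, the account Roundcube's PHP runs under needs write access to that file. Nothing in this patch grants it (it may be handled in `common.nix` or the dovecot module), so a comment naming the expected owner and mode would help. Separately, `enable` defaults to `true`, which exposes a webmail front end on every host that turns on `mailsystem`; consider making it opt-in.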