From 979e49fb31d5cf1bc528bdbad4884eeb7b67decd Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 15 Jul 2025 10:35:35 +0200
Subject: ...

---
 hosts/surtr/email/default.nix | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

(limited to 'hosts/surtr/email/default.nix')

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 2879c4a6..fa7ddac6 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -261,7 +261,7 @@ in {
         virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
         smtputf8_enable = false;
 
-        authorized_submit_users = "inline:{ root= postfwd= dovecot2= }";
+        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
         authorized_flush_users = "inline:{ root= }";
         authorized_mailq_users = "inline:{ root= }";
 
@@ -503,7 +503,7 @@ in {
       };
     };
 
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
 
     services.redis.servers.rspamd.enable = true;
 
@@ -513,8 +513,8 @@ in {
     services.dovecot2 = {
       enable = true;
       enablePAM = false;
-      sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
-      sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
+      sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
+      sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
       sslCACert = toString ./ca/ca.crt;
       mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
       mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
@@ -527,8 +527,8 @@ in {
         dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
           driver = pgsql
           connect = dbname=email
-          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
-          user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
+          user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
           iterate_query = SELECT "user" FROM imap_user
         '';
       in ''
@@ -536,16 +536,16 @@ in {
 
         mail_plugins = $mail_plugins quota
 
-        first_valid_uid = ${toString config.users.users.dovecot2.uid}
-        last_valid_uid = ${toString config.users.users.dovecot2.uid}
-        first_valid_gid = ${toString config.users.groups.dovecot2.gid}
-        last_valid_gid = ${toString config.users.groups.dovecot2.gid}
+        first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
+        first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
+        last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
 
         ${concatMapStringsSep "\n\n" (domain:
           concatMapStringsSep "\n" (subdomain: ''
             local_name ${subdomain} {
-              ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
-              ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
+              ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
+              ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
             }
           '') ["imap.${domain}" domain]
         ) emailDomains}
@@ -566,10 +566,10 @@ in {
         auth_debug = yes
 
         service auth {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
         service auth-worker {
-          user = dovecot2
+          user = ${config.services.dovecot2.user}
         }
 
         userdb {
@@ -590,7 +590,7 @@ in {
             args = ${pkgs.writeText "dovecot-sql.conf" ''
               driver = pgsql
               connect = dbname=email
-              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
+              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
             ''}
 
             skip = never
@@ -713,8 +713,8 @@ in {
 
     systemd.services.dovecot-fts-xapian-optimize = {
       description = "Optimize dovecot indices for fts_xapian";
-      requisite = [ "dovecot2.service" ];
-      after = [ "dovecot2.service" ];
+      requisite = [ "dovecot.service" ];
+      after = [ "dovecot.service" ];
       startAt = "*-*-* 22:00:00 Europe/Berlin";
       serviceConfig = {
         Type = "oneshot";
@@ -779,14 +779,14 @@ in {
 
     security.acme.rfc2136Domains = {
       "surtr.yggdrasil.li" = {
-        restartUnits = [ "postfix.service" "dovecot2.service" ];
+        restartUnits = [ "postfix.service" "dovecot.service" ];
       };
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
     // listToAttrs (concatMap (domain: [
-      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })
+      (nameValuePair domain { restartUnits = ["postfix.service" "dovecot.service"]; })
       (nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
       (nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
-      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })
+      (nameValuePair "imap.${domain}" { restartUnits = ["dovecot.service"]; })
       (nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
     ]) emailDomains);
 
@@ -798,7 +798,7 @@ in {
       ] ++ concatMap (domain: map tlsCredential [domain "mailin.${domain}" "mailsub.${domain}"]) emailDomains;
     };
 
-    systemd.services.dovecot2 = {
+    systemd.services.dovecot = {
       preStart = ''
         for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
           ${getExe' pkgs.dovecot_pigeonhole "sievec"} $f
-- 
cgit v1.2.3