From 6671651e8bcb7a4f6e887ab3fbc1af8794946e29 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 15 May 2026 22:48:37 +0200
Subject: surtr: dovecot 2.4

---
 hosts/surtr/email/default.nix | 368 ++++++++++++++++++++----------------------
 1 file changed, 179 insertions(+), 189 deletions(-)

(limited to 'hosts/surtr/email')

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 4243366c..e688f7d2 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -291,7 +291,7 @@ in {
         virtual_transport = "dvlmtp:unix:/run/dovecot-lmtp";
         smtputf8_enable = false;
 
-        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.user}= }";
+        authorized_submit_users = "inline:{ root= postfwd= ${config.services.dovecot2.settings.mail_uid}= }";
         authorized_flush_users = "inline:{ root= }";
         authorized_mailq_users = "inline:{ root= }";
 
@@ -528,215 +528,211 @@ in {
       };
     };
 
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.user ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user config.services.dovecot2.settings.mail_uid ];
 
     services.redis.servers.rspamd.enable = true;
 
     users.groups.${config.services.redis.servers.rspamd.user}.members = [ config.services.rspamd.user ];
 
-    environment.systemPackages = with pkgs; [ dovecot_pigeonhole dovecot-fts-flatcurve ];
+    environment.systemPackages = with pkgs; [ dovecot_pigeonhole ];
     services.dovecot2 = {
+      package = pkgs.dovecot;
       enable = true;
       enablePAM = false;
-      sslServerCert = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
-      sslServerKey = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
-      sslCACert = toString ./ca/ca.crt;
-      mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
-      mailPlugins.globally.enable = [ "fts" "fts_flatcurve" ];
-      protocols = [ "lmtp" "sieve" ];
-      sieve = {
-        extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
-        globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation" "vacation-seconds" "vnd.dovecot.debug"];
-      };
-      extraConfig = let
-        dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
-          driver = pgsql
-          connect = dbname=email
-          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM imap_user WHERE "user" = '%n'
-          user_query = SELECT "user", quota_rule, '${config.services.dovecot2.user}' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
-          iterate_query = SELECT "user" FROM imap_user
-        '';
-      in ''
-        mail_home = /var/lib/mail/%u
-
-        mail_plugins = $mail_plugins quota fts fts_flatcurve
-
-        first_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
-        last_valid_uid = ${toString config.users.users.${config.services.dovecot2.user}.uid}
-        first_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
-        last_valid_gid = ${toString config.users.groups.${config.services.dovecot2.group}.gid}
-
-        ${concatMapStringsSep "\n\n" (domain:
-          concatMapStringsSep "\n" (subdomain: ''
-            local_name ${subdomain} {
-              ssl_cert = </run/credentials/dovecot.service/${subdomain}.pem
-              ssl_key = </run/credentials/dovecot.service/${subdomain}.key.pem
-            }
-          '') ["imap.${domain}" domain]
-        ) emailDomains}
-
-        ssl_require_crl = no
-        ssl_verify_client_cert = yes
-
-        ssl_min_protocol = TLSv1.2
-        ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-        ssl_prefer_server_ciphers = no
-
-        auth_ssl_username_from_cert = yes
-        ssl_cert_username_field = commonName
-        auth_mechanisms = plain login external
+      settings = {
+        dovecot_config_version = "2.4.2";
+        dovecot_storage_version = "2.4.0";
 
-        auth_verbose = yes
-        verbose_ssl = yes
-        auth_debug = yes
-
-        service auth {
-          user = ${config.services.dovecot2.user}
-        }
-        service auth-worker {
-          user = ${config.services.dovecot2.user}
-        }
-
-        userdb {
-          driver = prefetch
-        }
-        userdb {
-          driver = sql
-          args = ${dovecotSqlConf}
-        }
-        passdb {
-          driver = sql
-          args = ${dovecotSqlConf}
-        }
+        sql_driver = "pgsql";
+        "pgsql /run/postgresql".parameters = {
+          dbname = "email";
+        };
 
-        protocol lmtp {
-          userdb {
-            driver = sql
-            args = ${pkgs.writeText "dovecot-sql.conf" ''
-              driver = pgsql
-              connect = dbname=email
-              user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.user}' as uid, '${config.services.dovecot2.group}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
-            ''}
-
-            skip = never
-            result_failure = return-fail
-            result_internalfail = return-fail
-          }
+        protocols = {
+          imap = true;
+          lmtp = true;
+          sieve = true;
+        };
 
-          mail_plugins = $mail_plugins sieve
-        }
+        mail_plugins = {
+          quota = true;
+          fts = true;
+          fts_flatcurve = true;
+        };
 
-        mailbox_list_index = yes
-        postmaster_address = postmaster@yggdrasil.li
-        recipient_delimiter =
-        auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-+_@
+        mail_uid = "dovecot2";
+        mail_gid = "dovecot2";
+
+        first_valid_uid = config.ids.uids.dovecot2;
+        last_valid_uid = config.ids.uids.dovecot2;
+        first_valid_gid = config.ids.gids.dovecot2;
+        last_valid_gid = config.ids.gids.dovecot2;
+
+        mail_driver = "maildir";
+        mail_path = "/var/lib/mail/%{user}/maildir";
+        mail_index_path = "/var/lib/dovecot/indices/%{user}";
+        ssl_server_ca_file = ./ca/ca.crt;
+        ssl_server_key_file = "/run/credentials/dovecot.service/surtr.yggdrasil.li.key.pem";
+        ssl_server_cert_file = "/run/credentials/dovecot.service/surtr.yggdrasil.li.pem";
+
+        mail_home = "/var/lib/mail/%{user}";
+
+        ssl_server_require_crl = false;
+        ssl_server_request_client_cert = true;
+
+        ssl_min_protocol = "TLSv1.2";
+        ssl_curve_list = "X25519MLKEM768:X25519";
+        ssl_cipher_list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
+
+        auth_ssl_username_from_cert = "yes";
+        ssl_server_cert_username_field = "commonName";
+        auth_mechanisms = ["plain" "login" "external"];
+
+        log_debug = "category=ssl OR category=auth";
+        auth_verbose = true;
+
+        "service auth-worker".user = "$SET:default_internal_user";
+        "userdb prefetch" = {};
+        "userdb sql" = {
+          sql_query = "SELECT \"user\", quota_rule, '${config.services.dovecot2.settings.mail_uid}' as uid, 'dovecot2' as gid FROM imap_user WHERE \"user\" = '%{user | username}'";
+          sql_iterate_query = "SELECT \"user\" FROM imap_user";
+          fields = {
+            uid = "$SET:default_internal_user";
+            gid = "$SET:default_internal_user";
+          };
+        };
+        "passdb sql" = {
+          sql_query = ''
+            SELECT (CASE WHEN '%{cert}' = 'valid' AND '%{mechanism}' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%{cert}' = 'valid' AND '%{mechanism}' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, '${config.services.dovecot2.settings.mail_uid}' as uid, '${config.services.dovecot2.settings.mail_gid}' as gid FROM imap_user WHERE "user" = '%{user | username}'
+          '';
+        };
 
-        service lmtp {
-          vsz_limit = 1G
+        "protocol lmtp" = {
+          mail_plugins.sieve = true;
+          "userdb sql-lmtp" = {
+            driver = "sql";
+            sql_query = ''
+              SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, '${config.services.dovecot2.settings.mail_uid}' as uid, '${config.services.dovecot2.settings.mail_gid}' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%{user | username}' :: citext) = local || '+' || extension AND domain = ('%{user | domain}' :: citext) WHEN local IS NOT NULL THEN (local = ('%{user | username}' :: citext) OR ('%{user | username}' :: citext) ILIKE local || '+%%') AND domain = ('%{user | domain}' :: citext) WHEN extension IS NOT NULL THEN ('%{user | username}' :: citext) ILIKE '%%+' || extension AND domain = ('%{user | domain}' :: citext) ELSE domain = ('%{user | domain}' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC
+            '';
 
-          unix_listener /run/dovecot-lmtp {
-            mode = 0600
-            user = postfix
-            group = postfix
-          }
-        }
-        service auth {
-          vsz_limit = 2G
+            skip = "never";
+            result_failure = "return-fail";
+            result_internalfail = "return-fail";
+          };
+        };
 
-          unix_listener /run/dovecot-sasl {
-            mode = 0600
-            user = postfix
-            group = postfix
-          }
-        }
+        mailbox_list_index = true;
+        mailbox_list_utf8 = true;
+        postmaster_address = "postmaster@yggdrasil.li";
+        recipient_delimiter = null;
+        auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-+_@";
 
-        namespace inbox {
-          separator = /
-          inbox = yes
-          prefix =
+        "service lmtp" = {
+          vsz_limit = "1G";
 
-          mailbox Trash {
-            auto = no
-            special_use = \Trash
-          }
-          mailbox Junk {
-            auto = no
-            special_use = \Junk
-          }
-          mailbox Drafts {
-            auto = no
-            special_use = \Drafts
-          }
-          mailbox Sent {
-            auto = subscribe
-            special_use = \Sent
-          }
-          mailbox "Sent Messages" {
-            auto = no
-            special_use = \Sent
-          }
-        }
-
-        plugin {
-          quota = count
-          quota_rule = *:storage=1GB
-          quota_rule2 = Trash:storage=+10%%
-          quota_status_overquota = "552 5.2.2 Mailbox is full"
-          quota_status_success = DUNNO
-          quota_status_nouser = DUNNO
-          quota_grace = 10%%
-          quota_max_mail_size = ${toString config.services.postfix.settings.main.message_size_limit}
-          quota_vsizes = yes
-        }
-
-        protocol imap {
-          mail_max_userip_connections = 50
-          mail_plugins = $mail_plugins imap_quota imap_sieve
-        }
+          "unix_listener /run/dovecot-lmtp" = {
+            mode = "0600";
+            user = "postfix";
+            group = "postfix";
+          };
+        };
+        "service auth" = {
+          vsz_limit = "2G";
 
-        service imap-login {
-          inet_listener imap {
-            port = 0
-          }
-        }
+          "unix_listener /run/dovecot-sasl" = {
+            mode = "0600";
+            user = "postfix";
+            group = "postfix";
+          };
+        };
 
-        service managesieve-login {
-          inet_listener sieve {
-            port = 4190
-          }
-        }
+        quota_storage_size = "1G";
+        "namespace inbox" = {
+          separator = "/";
+          inbox = true;
 
-        plugin {
-          sieve_plugins = sieve_imapsieve sieve_extprograms
-          sieve = file:~/sieve;active=~/dovecot.sieve
-          sieve_redirect_envelope_from = orig_recipient
-          sieve_before = /etc/dovecot/sieve_before.d
+          "mailbox Trash" = {
+            auto = false;
+            special_use = "\\Trash";
+            quota_storage_percentage = "110";
+          };
+          "mailbox Junk" = {
+            auto = false;
+            special_use = "\\Junk";
+          };
+          "mailbox Drafts" = {
+            auto = false;
+            special_use = "\\Drafts";
+          };
+          "mailbox Sent" = {
+            auto = "subscribe";
+            special_use = "\\Sent";
+          };
+          "mailbox \"Sent Messages\"" = {
+            auto = false;
+            special_use = "\\Sent";
+          };
+        };
 
-          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
-          sieve_pipe_bin_dir = ${dovecotSievePipeBin}/pipe/bin
+        quota_status_overquota = "552 5.2.2 Mailbox is full";
+        quota_status_success = "DUNNO";
+        quota_status_nouser = "DUNNO";
+        quota_storage_grace = "100M";
+        quota_mail_size = 10 * 1024 * 1024 * 1024;
 
-          imapsieve_mailbox1_name = *
-          imapsieve_mailbox1_causes = FLAG
-          imapsieve_mailbox1_before = /etc/dovecot/sieve_flag.d/learn-junk.sieve
-        }
+        sieve_plugins = {
+          "sieve_imapsieve" = true;
+          "sieve_extprograms" = true;
+        };
+        sieve_redirect_envelope_from = "orig_recipient";
+        sieve_extensions = {
+          imapsieve = true;
+          vacation-seconds = true;
+          "vnd.dovecot.debug" = true;
+        };
+        sieve_global_extensions = {
+          "vnd.dovecot.pipe" = true;
+          "vnd.dovecot.environment" = true;
+        };
+        sieve_pipe_bin_dir = "${dovecotSievePipeBin}/pipe/bin";
 
-        plugin {
-          fts = flatcurve
+        "sieve_script before" = {
+          type = "before";
+          path = "/etc/dovecot/sieve_before.d";
+        };
+        "sieve_script flag" = {
+          type = "before";
+          cause.flag = true;
+          path = "/etc/dovecot/sieve_flag.d";
+        };
 
-          fts_languages = en de
-          fts_tokenizers = generic email-address
+        "fts flatcurve" = {
+          autoindex = true;
+        };
+        language_tokenizers = ["generic" "email-address"];
+        language_filters = ["normalizer-icu" "snowball" "stopwords"];
+        "language en" = {
+          default = true;
+          filters = ["lowercase" "snowball" "stopwords"];
+        };
+        "language de" = {};
 
-          fts_tokenizer_email_address = maxlen=100
-          fts_tokenizer_generic = algorithm=simple maxlen=30
+        "protocol imap" = {
+          mail_max_userip_connections = 50;
+          mail_plugins = {
+            imap_quota = true;
+            imap_sieve = true;
+          };
+        };
 
-          fts_filters = normalizer-icu snowball stopwords
-          fts_filters_en = lowercase snowball stopwords
-        }
+        "service imap-login"."inet_listener imap".port = 0;
+        "service managesieve-login"."inet_listener sieve".port = 4190;
 
-        service indexer-worker {
-          vsz_limit = ${toString (1024 * 1024 * 1024)}
-        }
-      '';
+        "service indexer-worker".vsz_limit = 1024 * 1024 * 1024;
+      } // (genAttrs' (concatMap (domain: ["imap.${domain}" domain]) emailDomains) (subdomain: nameValuePair "local_name ${subdomain}" {
+        ssl_server_key_file = "/run/credentials/dovecot.service/${subdomain}.key.pem";
+        ssl_server_cert_file = "/run/credentials/dovecot.service/${subdomain}.pem";
+      }));
     };
 
     environment.etc = {
@@ -793,12 +789,6 @@ in {
     };
 
     systemd.services.dovecot = {
-      preStart = ''
-        for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
-          ${getExe' pkgs.dovecot_pigeonhole "sievec"} $f
-        done
-      '';
-
       serviceConfig = {
         LoadCredential = [
           "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
-- 
cgit v1.2.3