From b8a62165e4f3dd6a35ebad0dcaea0971d4323735 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Fri, 10 Feb 2023 12:17:09 -0600
Subject: env/users: enable IMAP TLS
---
 env/acme/default.nix | 6 +++++-
 env/users/mailbox.nix | 16 +++++++++-------
 sys/nspawn.nix | 2 +-
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/env/acme/default.nix b/env/acme/default.nix
index 779b4e2..9b3db80 100644
--- a/env/acme/default.nix
+++ b/env/acme/default.nix
@@ -22,6 +22,11 @@ in
 defaults = {
 email = "security@${config.networking.domain}";
 renewInterval = "weekly";
+
+ webroot =
+ if config.security.acme.defaults.dnsProvider == null
+ then "/var/lib/acme/acme-challenge"
+ else null;
 };
 certs =
@@ -31,7 +36,6 @@ in
 certConfig = domains: {
 domain = domains.main;
 extraDomainNames = domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
- webroot = "/var/lib/acme/acme-challenge";
 };
 in
 mapAttrs'
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix
index e603214..9fe460e 100644
--- a/env/users/mailbox.nix
+++ b/env/users/mailbox.nix
@@ -6,6 +6,8 @@ in
 options.local.mailHost = with types; {
 enable = mkEnableOption "mailbox host service";
+ security.acme.defaults.dnsProvider = "gandiv5";
+
 mdaListen = mkOption {
 type = str;
 };
@@ -33,8 +35,8 @@ in
 enablePAM = false;
 enableLmtp = true;
- #sslServerKey = "${cert}/key.pem";
- #sslServerCert = "${cert}/fullchain.pem";
+ sslServerKey = "${cert}/key.pem";
+ sslServerCert = "${cert}/fullchain.pem";
 modules = [ pkgs.dovecot_pigeonhole ];
@@ -146,9 +148,9 @@ in
 # Necesario debido a 'enablePAM = false'
 pam.services.dovecot2 = { };
- #acme.certs.${imapHostname} = {
- # inherit (config.services.dovecot2) group;
- #};
+ acme.certs.${imapHostname} = {
+ inherit (config.services.dovecot2) group;
+ };
 };
 users = {
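Review bot: The new `webroot` default is chosen only from `config.security.acme.defaults.dnsProvider`, so a certificate that later sets its own per-cert `dnsProvider` while the default stays null still inherits the webroot, and as far as I recall the acme module asserts that exactly one challenge method is configured per cert, which would then fail evaluation. The per-cert `webroot` removed in the next hunk was immune to that because it sat beside the cert definition. If every cert is meant to follow the global choice, say so: `# HTTP-01 via webroot unless a DNS provider is set globally; per-cert dnsProvider overrides are not handled here`. Note that because this is a default, setting `dnsProvider` anywhere moves all certificates, web-facing ones included, to DNS-01 at their next renewal.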
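Review bot: `security.acme.defaults.dnsProvider = "gandiv5";` is added inside `options.local.mailHost = with types; { ... }`, i.e. among the option declarations, where a bare string is not an option; the module system should reject it (it expects `mkOption`/an attribute set there), and even if it evaluated it would never reach `config.security.acme.defaults.dnsProvider`, so the webroot default from env/acme/default.nix would still be selected. Move it to the config side, next to `acme.certs.${imapHostname}` in the hunk at new line 148, as `acme.defaults.dnsProvider = "gandiv5";`, or into the acme module itself. A DNS-01 provider also needs credentials (lego's gandiv5 reads a Gandi API key), so a `security.acme.defaults.credentialsFile` pointing at a secret kept out of the Nix store has to accompany it; without it issuance fails and Dovecot has no `${cert}/key.pem` to start with. The enclosing module continues outside the hunk.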
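Review bot: `${cert}` was dead code while these two lines were commented out, so evaluation never checked that `cert` is bound; confirm the `let` at the top of the file still defines it and that it resolves to the acme directory for `imapHostname`, because a wrong path surfaces only when Dovecot starts, not at build time. If I remember the NixOS dovecot2 module correctly, setting `sslServerCert` also switches Dovecot to `disable_plaintext_auth = yes`, which is the behaviour you want on 143 but is invisible here; a one-line comment such as `# enables TLS and, via the module, refuses plaintext logins on 143 without STARTTLS` would make that explicit. The services.dovecot2 block continues outside the hunk.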
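Review bot: The re-enabled `acme.certs.${imapHostname}` only sets the key's group, so Dovecot is never told about renewals; with `renewInterval = "weekly"` in env/acme/default.nix it will keep serving the old chain after the first renewal until something restarts it. Add `reloadServices = [ "dovecot2.service" ];` beside `inherit (config.services.dovecot2) group;` so the acme unit reloads Dovecot after each successful renewal. Inheriting the dovecot2 group is the right way to grant read access to the key without widening its mode.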
@@ -156,8 +158,8 @@ in
 groups.${config.services.dovecot2.mailGroup}.gid = 993;
 };
- #networking.firewall.allowedTCPPorts = [ 143 993 ];
+ networking.firewall.allowedTCPPorts = [ 143 587 993 ];
- #local.certs.imap.enable = true;
+ local.certs.imap.enable = true;
 };
 }
diff --git a/sys/nspawn.nix b/sys/nspawn.nix
index 2f23cff..195ba3c 100644
--- a/sys/nspawn.nix
+++ b/sys/nspawn.nix
@@ -123,7 +123,7 @@ in
 };
 networking.firewall = {
- allowedTCPPorts = [ 25 80 143 443 587 ];
+ allowedTCPPorts = [ 25 80 443 ];
 interfaces.ve-dmz = {
 allowedTCPPorts = [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ];
--
cgit v1.2.3
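Review bot: `587` appears in the container's allowed ports although the commit is about IMAP TLS and nothing in this file configures a submission listener; unless an MSA runs in this container, keep the list to what Dovecot serves, `networking.firewall.allowedTCPPorts = [ 143 993 ];`, and open 587 in the module that defines the submission service. An open port with no listener is not an exposure by itself, but it hides the question of where submission is supposed to live, which matters once the host-side ports below are removed. The commented line this replaces did not include 587, so the addition deserves at least a comment naming the service it is for.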
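Review bot: The host firewall now admits only `25 80 443`, and 993 was never in this list before or after the change, so if IMAP/IMAPS traffic reaches the container through the host (NAT or a forwarded address) rather than a directly routed container address, the ports opened in env/users/mailbox.nix are unreachable from outside. If the container is directly routed, this tightening is correct and the reason should be recorded, e.g. `# 143/587/993 are opened inside the mailbox container, not on the host`. I cannot see the container networking from this hunk, so please verify which case applies; the `networking.firewall` block continues past the end of the hunk.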