Squash merge feat/mail-server into main

2025-07-14 16:18:20 +08:00 · 2025-07-14 16:18:20 +08:00 · 06bcfe62ff
commit 06bcfe62ff
parent 14f4243aee
21 changed files with 973 additions and 67 deletions
--- a/flake.nix
+++ b/flake.nix
@ -228,7 +228,7 @@
              {
                system.stateVersion = nix-version;
                home-manager = {
-                  backupFileExtension = "backup";
+                  backupFileExtension = "backup-hm";
                  useUserPackages = true;
                  useGlobalPkgs = true;
                  extraSpecialArgs = {
--- a/home/config/scripts/gamemodeStatus.sh
+++ b/home/config/scripts/gamemodeStatus.sh
@ -0,0 +1,22 @@
 #!/usr/bin/env bash
 SERVICE="gamemode"
 if [ "$1" = "toggle" ]; then
  if systemctl --user is-active --quiet "$SERVICE"; then
    systemctl --user stop "$SERVICE"
    notify-send "󰊗 Gamemode" "off" >/dev/null 2>&1
  else
    systemctl --user start "$SERVICE"
    notify-send "󰊗 Gamemode" "on" >/dev/null 2>&1
  fi
  exit 0
 fi
 if ! systemctl --user is-active --quiet "$SERVICE"; then
  echo "{\"text\": \"inactive\", \"tooltip\": \"gamemoded is inactive\", \"alt\": \"inactive\", \"class\": \"inactive\"}"
  exit 0
 fi
 echo "{\"text\": \"active\", \"tooltip\": \"gamemoded is running\", \"alt\": \"active\", \"class\": \"active\"}"
 exit 0
--- a/home/config/waybar/config.nix
+++ b/home/config/waybar/config.nix
@ -1,6 +1,10 @@
-{ terminal, osConfig }:
+{
  terminal,
  osConfig,
  wallRand,
 }:
 let
-  modulesConfig = import ./modules.nix { inherit terminal osConfig; };
+  modulesConfig = import ./modules.nix { inherit terminal osConfig wallRand; };
 in
 map (dev: dev // modulesConfig) [
  # Monitor 1
@ -26,8 +30,20 @@ map (dev: dev // modulesConfig) [
    modules-center = [
      "hyprland/window"
    ];
-    modules-right = [
+    modules-right = (
      [
        "wlr/taskbar"
      ]
      ++ (
        if osConfig.programs.gamemode.enable then
          [
            "custom/gamemode"
          ]
        else
          [ ]
      )
      ++ [
        "custom/wallRand"
        "custom/wireguard"
        "idle_inhibitor"
        "network"
@ -35,7 +51,8 @@ map (dev: dev // modulesConfig) [
        "memory"
        "pulseaudio"
        "custom/swaync"
-    ];
+      ]
    );
  }
  # Monitor 2
  {
--- a/home/config/waybar/modules.nix
+++ b/home/config/waybar/modules.nix
@ -1,4 +1,8 @@
-{ terminal, osConfig }:
+{
  terminal,
  osConfig,
  wallRand,
 }:
 let
  terminalRun = "${terminal} -e";
 in
@ -247,4 +251,21 @@ in
    return-type = "json";
    escape = true;
  };
  "custom/gamemode" = {
    format = "{icon}";
    format-icons = {
      active = "󰊗";
      inactive = "󰺷";
    };
    exec = "~/.config/scripts/gamemodeStatus.sh";
    on-click = "~/.config/scripts/gamemodeStatus.sh toggle";
    tooltip = true;
    interval = 3;
    return-type = "json";
    escape = true;
  };
  "custom/wallRand" = {
    format = "";
    on-click = "${wallRand}/bin/wallRand";
  };
 }
--- a/home/config/waybar/style.css
+++ b/home/config/waybar/style.css
@ -43,6 +43,8 @@ tooltip label {
 #idle_inhibitor,
 #custom-cava,
 #custom-wireguard,
 #custom-gamemode,
 #custom-wallRand,
 #clock,
 #cpu,
 #memory,
@ -80,6 +82,8 @@ tooltip label {
 #temperature,
 #network,
 #custom-wireguard,
 #custom-gamemode,
 #custom-wallRand,
 #battery {
  margin-left: 4px;
 }
@ -126,6 +130,8 @@ tooltip label {
 /* Center Icon */
 #custom-os,
 #custom-wireguard,
 #custom-gamemode,
 #custom-wallRand,
 #network,
 #idle_inhibitor {
  padding-left: 10px; padding-right: 14px;
--- a/home/user/environment.nix
+++ b/home/user/environment.nix
@ -33,7 +33,5 @@
    GTK_CSD = "0";
    GTK_USE_PORTAL = "1";
    GTK_IM_MODULE = "";
    MAIL = "~/Mailbox";
  };
 }
--- a/home/user/hypr/bind.nix
+++ b/home/user/hypr/bind.nix
@ -1,8 +1,10 @@
 {
  settings,
  mainMod,
  nvidia-offload-enabled,
  pkgs,
 }:
 with builtins;
 let
  firefox = "firefox";
  prefix = if nvidia-offload-enabled then "nvidia-offload" else "";
@ -17,6 +19,8 @@ let
  screenshotFolder = "--output-folder ~/Pictures/Screenshots";
  clipboardOnly = "${screenshotFolder}";
  gamingWorkspace = 7;
  toggleWlogout = pkgs.writeShellScriptBin "toggle" ''
    if ${pkgs.busybox}/bin/pgrep wlogout > /dev/null; then
      ${pkgs.busybox}/bin/pkill wlogout
@ -32,6 +36,13 @@ let
        rofi "$@"
    fi
  '';
  scrollStep =
    let
      monitorsNum = length settings.hyprland.monitors;
    in
    toString (if (monitorsNum == 0) then 1 else monitorsNum);
 in
 [
  ''${mainMod}, F, exec, ${browser}''
@ -73,8 +84,8 @@ in
  ''${mainMod}, k, movefocus, u''
  ''${mainMod}, j, movefocus, d''
-  ''${mainMod}, mouse_down, workspace, e-1''
+  ''${mainMod}, mouse_down, workspace, e-${scrollStep}''
-  ''${mainMod}, mouse_up, workspace, e+1''
+  ''${mainMod}, mouse_up, workspace, e+${scrollStep}''
  ''${mainMod} SHIFT, l, movewindow, r''
  ''${mainMod} SHIFT, h, movewindow, l''
@ -90,6 +101,8 @@ in
  '',XF86AudioStop, exec, playerctl stop''
  '',XF86AudioMute, exec, wpctl set-mute @DEFAULT_SINK@ toggle''
  ''${mainMod}, G, workspace, ${toString gamingWorkspace}''
  ''${mainMod} SHIFT, G, movetoworkspace, ${toString gamingWorkspace}''
  # ==== Plugins ==== #
  # Overview
  # ''${mainMod}, o, hyprtasking:toggle, cursor''
--- a/home/user/hypr/windowrule.nix
+++ b/home/user/hypr/windowrule.nix
@ -35,8 +35,10 @@
    "float, class:^(steam)$,title:^(Friends List)$"
    # Steam
-    "workspace: 5 silent, class: ^(steam)$"
+    "workspace: 7 silent, class: ^(steam)$"
    "workspace: unset, class: ^(steam)$, floating: 1"
    # steam game
    "workspace: 7 silent, initialClass: steam_app_*"
    # Line
    "workspace: 2, initialTitle: ^(LINE)$"
--- a/home/user/hyprland.nix
+++ b/home/user/hyprland.nix
@ -28,6 +28,50 @@ let
    song_info=$(playerctl metadata --format '{{title}}  󰎆    {{artist}}')
       echo "$song_info"
  '';
  wallpapers = [
    (pkgs.fetchurl {
      url = "http://files.net.dn/dennis-yu-fVadSuPPE8M-unsplash.jpg";
      hash = "sha256-YCusefLnTntOZAh2fIoWuJbm1+iE+RNeWTbn22UDjSU=";
    })
    (pkgs.fetchurl {
      url = "http://files.net.dn/karsten-winegeart-LZRZJam4Avg-unsplash.jpg";
      hash = "sha256-NpJhRJRiFCFmdDP/8FDmzIBellSdJ1Y6Pz63QJzkPMk=";
    })
    (pkgs.fetchurl {
      url = "http://files.net.dn/nick-design-q3s4a7FZgjY-unsplash.jpg";
      hash = "sha256-kJajqRuf+ZMTaORKKK4A+8MNzGd2SHjMcRYnq9T8LmA=";
    })
    (pkgs.fetchurl {
      url = "http://files.net.dn/oleg-demakov-zEIApnww3fU-unsplash.jpg";
      hash = "sha256-79JRnxJdCZOh2u8+5LcUDGjzwE1mMM2ZHrKLn36wd40=";
    })
    "$HOME/.config/wallpapers/wall.png"
  ];
  # Change Wallpaper
  wallRand = pkgs.writeShellScriptBin "wallRand" (
    with builtins;
    let
      pathString = concatStringsSep " " (map (w: "\"" + w + "\"") wallpapers);
    in
    ''
      wallpapers=(
        ${pathString}
      )
      count="''${#wallpapers[@]}"
      random_index=$(( RANDOM % count ))
      selected="''${wallpapers[$random_index]}"
      if [ ! -f "$selected" ]; then
        echo "File not exist: $selected"
        exit 1
      fi
      ${pkgs.hyprland}/bin/hyprctl hyprpaper wallpaper ",$selected"
    ''
  );
 in
 {
  home.packages = with pkgs; [
@ -63,6 +107,7 @@ in
          disable_logs = true;
        };
        bind = import ./hypr/bind.nix {
          inherit settings;
          inherit mainMod;
          inherit pkgs;
          nvidia-offload-enabled = osConfig.hardware.nvidia.prime.offload.enableOffloadCmd;
@ -88,11 +133,18 @@ in
      // input;
  };
  # === gamemode === #
  systemd.user.services.gamemode = lib.mkIf osConfig.programs.gamemode.enable {
    Service = {
      ExecStart = "${pkgs.gamemode}/bin/gamemoded -r";
    };
  };
  # === hyprpaper === #
  services.hyprpaper = {
    enable = true;
    settings = {
-      preload = [ "~/.config/wallpapers/wall.png" ];
+      preload = wallpapers;
      wallpaper = [ ", ~/.config/wallpapers/wall.png" ];
      splash = false;
      ipc = "on";
@ -309,7 +361,7 @@ in
  programs.waybar = {
    enable = true;
    style = ../../home/config/waybar/style.css;
-    settings = import ../../home/config/waybar/config.nix { inherit terminal osConfig; };
+    settings = import ../../home/config/waybar/config.nix { inherit terminal osConfig wallRand; };
    systemd = {
      enable = true;
    };
--- a/home/user/packages.nix
+++ b/home/user/packages.nix
@ -56,6 +56,8 @@
      # Thumbnail
      ffmpegthumbnailer
      thunderbird
    ]
    ++ (
      if osConfig.programs.steam.enable then
--- a/home/user/swaync.nix
+++ b/home/user/swaync.nix
@ -46,6 +46,7 @@
        font-size: 15px;
        border-width: 3px;
        border-color: #ebdbb2;
        color: #ebdbb2;
      }
      .control-center .notification-row:focus,
@ -154,7 +155,7 @@
      .widget-title>button:hover {
        background: @borderc;
-        color: #282828;
+        color: @textc;
      }
      .widget-label {
@ -163,7 +164,7 @@
      .widget-label>label {
        font-size: 1rem;
-        color: @textc;
+        color: @borderc;
      }
      .widget-mpris {
--- a/system/dev/dn-pre7780/boot.nix
+++ b/system/dev/dn-pre7780/boot.nix
@ -37,18 +37,6 @@
    ];
  };
  # fileSystems."/mnt/nextcloud" = {
  #   enable = true;
  #   depends = [ "/mnt/windows" ];
  #   device = "/mnt/windows/Linux/nextcloud";
  #
  #   fsType = "none";
  #   options = [
  #     "nofail"
  #     "bind"
  #   ];
  # };
  boot.supportedFilesystems = [ "ntfs" ];
  boot.loader.systemd-boot.enable = true;
--- a/system/dev/dn-pre7780/default.nix
+++ b/system/dev/dn-pre7780/default.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  settings,
  config,
  ...
 }:
 {
@ -14,6 +15,7 @@
    ./boot.nix
    ./sops-conf.nix
    # ./nginx.nix
    ../../modules/certbot.nix
    ../../modules/presets/basic.nix
    ../../modules/gaming.nix
    ../../modules/secure-boot.nix
@ -26,8 +28,28 @@
    #   datadir = "/mnt/nextcloud";
    #   https = false;
    # })
    ../../modules/mail-server
  ];
  mail-server = {
    enable = true;
    mailDir = "~/Maildir";
    virtualMailDir = "/var/mail/vhosts";
    domain = "vmail.net.dn";
    networks = [
      "127.0.0.0/8"
      "10.0.0.0/24"
    ];
    openFirewall = true;
    sslKey = "/etc/letsencrypt/live/vmail.net.dn/privkey.pem";
    sslCert = "/etc/letsencrypt/live/vmail.net.dn/fullchain.pem";
    dovecot.ldapFile = config.sops.secrets."dovecot/openldap".path;
    openldap = {
      passwordFile = config.sops.secrets."openldap/adminPassword".path;
      enableWebUI = true;
    };
  };
  home-manager = {
    users."${settings.personal.username}" = {
      imports = [
@ -46,10 +68,13 @@
  ];
  users.users = {
-    "${settings.personal.username}".openssh.authorizedKeys.keys = [
+    "${settings.personal.username}" = {
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D"
      ];
    };
  };
 }
--- a/system/dev/dn-pre7780/secret.yaml
+++ b/system/dev/dn-pre7780/secret.yaml
@ -1,12 +1,14 @@
 wireguard:
    conf: ENC[AES256_GCM,data:ozLdARKsxx5WNxyDgNttKW+FC9/4xEZ0UYmayf04IYNwzzps5Njdtwz1M8/sJoFKoqR7FlQ8eEz1RLCHl9nFwwLkcd14Qm3Du/8Rujw2ZiGJWxO1H71tnJwZBNg0Hr0ex5j4aCs7A38yWA+Grj4FOPvfyMt/zTzUZfu2PYWfPuwMmxR6EU8AMTSDaHUhf26ZwpWg5TG3QjiEJHKnJPzjUo8Imff7XnMENmVMbRSgxCe7CDyrKIAkxQ568sqJpNIovtEXRdEtdLnzI3wUW8WEEnRrfpPwACBsxJxyXLvkr2KIboA4caKiqcFNnx0dzVbDbbWOcgipN3b/ztzNU+mp,iv:p+ITGhlXfDsbx4V+1+P0wKy4OCMXxQZb4loflzFUcrw=,tag:bJuOcphL/K9pBHs/CLQ8rA==,type:str]
 dovecot:
    openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
 nextcloud:
    adminPassword: ENC[AES256_GCM,data:7rC29qpvDGDZOuW+ONot,iv:+A7yoeys74IRsAR5unH4eHcgjbzF/UKZWY9Q0AVLN7U=,tag:v/KWQH+p0Yh9CIt7sHHDGA==,type:str]
 openldap:
    adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
 lam:
    env: ENC[AES256_GCM,data:f1LlC/VvilH8o2Ra7MrSHsMEGlGw3LOV2O9JJf9f,iv:u7cXM8n3jJeLBfxXtA0QMyijBqTcC+yJeW/OO9JuZMI=,tag:QL5FkcCPI5Gxudi0NmCZWg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
          enc: |
@ -17,8 +19,7 @@ sops:
            MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
            lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-28T04:43:00Z"
+    lastmodified: "2025-06-15T08:18:50Z"
-    mac: ENC[AES256_GCM,data:EQgrbquDQa0+U8jUKA5XxVqueiwibuRXHoXUcvgGOvhvXkOR2WdKvyia+UhWze2DBfYXWgAEG2Ljt1xUWSo0OhCjLbHTHmu9DCywbpeiRpAAFH0xj0wdvSVG3amsEIN6a3RyLpCq8P/n8F2HeB9dLNZvddmTgBsfGxyS0okUGuk=,iv:zntdTMwkOs+c3fIevzqCalSZjB7lAHvGB2PhEnLB3Hc=,tag:ngtyM1wMESWfGEFdxCcwDg==,type:str]
+    mac: ENC[AES256_GCM,data:sq+/fpOeNO5wn9S1kFqzRy6xCOVkSBcAkral7MTn4UxRebBDa78KF76Nsba0+o5bzwCchoGl/TC6vySIzGq8FUYwd1tQ9nH5DlqYBVVRgRlKLRyhxXf14BTyYgzHzFuRWdFyY8i4j0flZtlDHk4dVQrE4OhHvhLQ2Zvet5HQ20I=,iv:qoPZ+8tAHJxcR53M2PNwukYgdguSRrAVB+FtKYbf+aM=,tag:FYaPzh6o0ZI27Ul5jEhgVg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
--- a/system/dev/dn-pre7780/sops-conf.nix
+++ b/system/dev/dn-pre7780/sops-conf.nix
@ -1,8 +1,20 @@
 { config, lib, ... }:
 {
  sops = {
    secrets = {
      "wireguard/conf" = { };
      "nextcloud/adminPassword" = { };
      "openldap/adminPassword" = lib.mkIf config.services.openldap.enable {
        owner = config.users.users.openldap.name;
        group = config.users.users.openldap.group;
        mode = "0660";
      };
      "lam/env" = { };
      "dovecot/openldap" = lib.mkIf (config.services.postfix.enable && config.services.openldap.enable) {
        owner = config.services.dovecot2.user;
        group = config.services.dovecot2.group;
        mode = "0660";
      };
    };
  };
 }
--- a/system/modules/certbot.nix
+++ b/system/modules/certbot.nix
@ -1,4 +1,9 @@
-{ pkgs, ... }:
+{
  pkgs,
  lib,
  config,
  ...
 }:
 {
  systemd.timers."certbot-renew" = {
    enable = true;
@ -11,7 +16,7 @@
    wantedBy = [ "timers.target" ];
  };
-  systemd.timers."certbot-nginx-reload" = {
+  systemd.timers."certbot-nginx-reload" = lib.mkIf config.services.nginx.enable {
    enable = true;
    description = "certbot renew";
    timerConfig = {
@ -24,8 +29,7 @@
  systemd.services."certbot-renew" = {
    enable = true;
-    after = [
+    after = (if config.services.nginx.enable then [ "nginx.service" ] else [ ]) ++ [
      "nginx.service"
      "network.target"
    ];
    environment = {
@ -33,11 +37,11 @@
    };
    serviceConfig = {
      ExecStart = ''${pkgs.certbot}/bin/certbot renew --no-random-sleep-on-renew --force-renewal'';
-      ExecStartPost = "${pkgs.busybox}/bin/chown nginx:nginx -R /etc/letsencrypt";
+      ExecStartPost = lib.mkIf config.services.nginx.enable "${pkgs.busybox}/bin/chown nginx:nginx -R /etc/letsencrypt";
    };
  };
-  systemd.services."nginx-config-reload" = {
+  systemd.services."nginx-config-reload" = lib.mkIf config.services.nginx.enable {
    after = [ "certbot-renew.service" ];
    wantedBy = [ "certbot-renew.service" ];
    serviceConfig = {
--- a/system/modules/mail-server.nix
+++ b/system/modules/mail-server.nix
@ -0,0 +1,323 @@
 {
  fqdn ? null,
  origin ? null,
  destination ? null,
  networks ? null,
  rootAlias ? "root",
  extraAliases ? "",
  enableOpenldap ? true,
  dovecotLdapSecretFile,
  openldapAdmPassPath,
  sslKeyPath,
  sslCertPath,
 }:
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  postfixFqdn = if fqdn != null then fqdn else config.networking.fqdn;
  postfixOrigin = if origin != null then origin else postfixFqdn;
  postfixDest =
    if destination != null then
      destination
    else
      [
        "localhost"
        "localhost.${postfixFqdn}"
      ];
  postfixNet =
    if networks != null then
      networks
    else
      [
        "127.0.0.0/8"
        "[::1]/128"
      ];
  postfixMailDir = "~/Maildir";
  mailLocationPrefix = "/var/mail/vhosts";
  mailLocation = "${mailLocationPrefix}/%d/%n/";
  dcList = lib.strings.splitString "." postfixFqdn;
  domain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
  dovecotSecretPath = "/run/dovecot2-secret";
  ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
  ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
    ldap_version = 3
    auth_bind_userdn = uid=%u,ou=mail,${domain}
    auth_bind = yes
    hosts = ${postfixFqdn}
    dn = cn=admin,${domain}
    base = ou=mail,${domain}
    pass_filter = (&(objectClass=inetorgperson)(uid=%u))
    user_filter = (&(objectClass=inetorgperson)(uid=%u))
  '';
  mailUser = "vmail";
 in
 with builtins;
 {
  environment.sessionVariables = {
    MAILDIR = postfixMailDir;
  };
  networking.firewall.allowedTCPPorts = [
    25 # SMTP
    465 # SMTPS
    587 # STARTTLS
    80
    143 # IMAP STARTTLS
    993 # IMAPS
    110 # POP3 STARTTLS
    995 # POP3S
  ];
  users.groups.${mailUser} = {
    gid = 5000;
  };
  users.users.${mailUser} = {
    isSystemUser = true;
    uid = 5000;
    group = mailUser;
  };
  services.postfix = {
    inherit rootAlias;
    enable = lib.mkDefault true;
    hostname = postfixFqdn;
    origin = postfixOrigin;
    destination = postfixDest;
    networks = postfixNet;
    sslKey = sslKeyPath;
    sslCert = sslCertPath;
    config = {
      virtual_uid_maps = [
        "static:${toString config.users.users.vmail.uid}"
      ];
      virtual_gid_maps = [
        "static:${toString config.users.groups.vmail.gid}"
      ];
      virtual_mailbox_domains = [ postfixFqdn ];
      virtual_transport = "lmtp:unix:private/dovecot-lmtp";
      tls_preempt_cipherlist = "yes";
      smtpd_use_tls = "yes";
      smtpd_tls_security_level = "may";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "private/auth";
      smtpd_sasl_auth_enable = "yes";
      smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
      smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
      home_mailbox = postfixMailDir;
    };
    postmasterAlias = "root";
    extraAliases =
      ''
        mailer-daemon: postmaster
        nobody: root
        hostmaster: root
        usenet: root
        news: root
        webmaster: root
        www: root
        ftp: root
        abuse: root
        noc: root
        security: root
      ''
      + extraAliases;
  };
  services.dovecot2 = {
    enable = lib.mkDefault true;
    enableImap = true;
    enablePop3 = true;
    enableLmtp = true;
    mailLocation = lib.mkDefault "maildir:${mailLocation}";
    mailUser = mailUser;
    mailGroup = mailUser;
    sslServerKey = sslKeyPath;
    sslServerCert = sslCertPath;
    sslCACert = config.security.pki.caBundle;
    extraConfig = ''
      log_path  = /var/log/dovecot.log
      auth_debug = yes
      mail_debug = yes
      auth_mechanisms = plain login
      ssl = yes
      ssl_dh_parameters_length = 2048
      ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
      ssl_prefer_server_ciphers = yes
      service auth {
        unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
          mode = 0660
          user = ${config.services.postfix.user}
          group = ${config.services.postfix.group}
        }
      }
      service lmtp {
        unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
          mode = 0600
          user = ${config.services.postfix.user}
          group = ${config.services.postfix.group}
        }
      }
      passdb ldap {
        driver = ldap
        args = ${ldapSecretConf}
      }
      userdb {
        driver = static
        args = uid=${mailUser} gid=${mailUser} home=${mailLocation}
      }
      lda_mailbox_autosubscribe = yes
      lda_mailbox_autocreate = yes
    '';
  };
  systemd.services.dovecot2 = {
    serviceConfig = {
      RuntimeDirectory = [ "dovecot2-secret" ];
      RuntimeDirectoryMode = "0640";
      ExecStartPre = [
        ''${pkgs.busybox.out}/bin/mkdir -p ${mailLocationPrefix}''
        ''${pkgs.busybox.out}/bin/chown -R ${mailUser}:${mailUser} ${mailLocationPrefix}''
        ''${pkgs.busybox.out}/bin/chmod 770 ${mailLocationPrefix}''
        ''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${dovecotLdapSecretFile} > ${ldapSecretConf}"''
      ];
    };
  };
  services.openldap = lib.mkIf enableOpenldap {
    enable = true;
    urlList = [ "ldap:///" ];
    settings = {
      attrs = {
        olcLogLevel = "conns config";
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          "${pkgs.openldap}/etc/schema/nis.ldif"
        ];
        "olcDatabase={1}mdb".attrs = {
          objectClass = [
            "olcDatabaseConfig"
            "olcMdbConfig"
          ];
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
          olcSuffix = "${domain}";
          olcRootDN = "cn=admin,${domain}";
          olcRootPW.path = openldapAdmPassPath;
          olcAccess = [
            ''
              {0}to attrs=userPassword
                by dn="cn=admin,${domain}" read
                by self write
                by anonymous auth
                by * none
            ''
            ''
              {1}to *
                by * read
            ''
          ];
        };
      };
    };
  };
  environment.etc."openldap/base.ldif" = {
    mode = "0770";
    user = config.services.openldap.user;
    group = config.services.openldap.group;
    text = ''
      dn: ${domain}
      objectClass: top
      objectClass: domain
      dc: ${elemAt dcList 0}
    '';
  };
  systemd.services.openldap-init-base = {
    wantedBy = [ "openldap.service" ];
    requires = [ "openldap.service" ];
    after = [ "openldap.service" ];
    serviceConfig = {
      User = config.services.openldap.user;
      Group = config.services.openldap.group;
      Type = "oneshot";
      ExecStart =
        let
          dcScript = pkgs.writeShellScriptBin "openldap-init" ''
            BASE_DN="${domain}"
            LDIF_FILE="/etc/openldap/base.ldif"
            ADMIN_DN="cn=admin,${domain}"
            ${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
            if [ $? -ne 0 ]; then
              echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
              ${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${openldapAdmPassPath} -W -f "$LDIF_FILE"
            else
              echo "Base DN $BASE_DN exists, skip"
            fi
          '';
        in
        "${dcScript}/bin/openldap-init";
    };
  };
  virtualisation = {
    docker = {
      enable = lib.mkDefault true;
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
    oci-containers = {
      backend = "docker";
      containers = {
        lam = {
          image = "ghcr.io/ldapaccountmanager/lam:9.2";
          extraOptions = [ "--network=host" ];
          autoStart = true;
          environment = {
            LDAP_DOMAIN = postfixFqdn;
            LDAP_SERVER = "ldap://${postfixFqdn}";
            LDAP_USERS_DN = "ou=mail,${domain}";
          };
        };
      };
    };
  };
 }
--- a/system/modules/mail-server/default.nix
+++ b/system/modules/mail-server/default.nix
@ -0,0 +1,127 @@
 {
  config,
  lib,
  ...
 }:
 with lib;
 {
  options.mail-server = {
    enable = mkEnableOption "mail-server";
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = ''
        This option results in following configuration:
        networking.firewall.allowedTCPPorts = [
          25  # SMTP
          465 # SMTPS
          587 # STARTTLS
          143 # IMAP STARTTLS
          993 # IMAPS
          110 # POP3 STARTTLS
          995 # POP3S
        ];
      '';
    };
    extraAliases = mkOption {
      type = with types; str;
      default = "";
      description = "Extra aliases";
      example = ''
        something: root
        gender: root
      '';
    };
    mailDir = mkOption {
      type = with types; uniq str;
      description = "Path to store local mails";
      default = "~/Maildir";
      example = "~/Maildir";
    };
    virtualMailDir = mkOption {
      type = with types; path;
      description = "Path to store virtual mails";
      default = "/var/mail/vhosts";
      example = "/var/mail/vmails";
    };
    uid = mkOption {
      type = with types; int;
      default = 5000;
      description = "UID for \"vmail\"";
    };
    gid = mkOption {
      type = with types; int;
      default = 5000;
      description = "GID for \"vmail\"";
    };
    domain = mkOption {
      type = with types; uniq str;
      default = config.networking.fqdn;
      description = "Domain name used for mail server";
    };
    origin = mkOption {
      type = with types; uniq str;
      default = "";
      description = "Origin to use in outgoing e-mail. Leave blank to use hostname.";
    };
    destination = mkOption {
      type = with types; listOf str;
      default = [ ];
      description = "Postfix destination";
    };
    networks = mkOption {
      type = with types; listOf str;
      default = [ ];
      description = "Postfix networks";
    };
    sslKey = mkOption {
      type = with types; path;
      description = "Path to the SSL key";
      example = "/etc/ssl/private/key.pem";
    };
    sslCert = mkOption {
      type = with types; path;
      description = "Path to the SSL Certification";
      example = "/etc/ssl/private/cert.pem";
    };
    dovecot = {
      ldapFile = mkOption {
        type = with types; path;
        description = "Path to the dovecot openldap config file";
        example = "/run/secrets/dovecot/ldap";
      };
    };
    openldap = {
      passwordFile = mkOption {
        type = with types; path;
        description = "Path to the openldap admin password file";
        example = "/run/secrets/openldap/passwd";
      };
      enableWebUI = mkOption {
        type = types.bool;
        default = false;
        description = "Use docker to run Ldap Account Manager for using web ui.";
      };
    };
  };
  imports = [
    ./server.nix
  ];
 }
--- a/system/modules/mail-server/server.nix
+++ b/system/modules/mail-server/server.nix
@ -0,0 +1,288 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.mail-server;
  dcList = lib.strings.splitString "." cfg.domain;
  ldapDomain = lib.strings.concatStringsSep "," (lib.lists.forEach dcList (x: "dc=" + x));
  dovecotSecretPath = "/run/dovecot2-secret";
  ldapDefaultConf = pkgs.writeText "dovecot-ldap.conf.ext" ''
    ldap_version = 3
    auth_bind_userdn = uid=%u,ou=mail,${ldapDomain}
    auth_bind = yes
    hosts = ${cfg.domain}
    dn = cn=admin,${ldapDomain}
    base = ou=mail,${ldapDomain}
    pass_filter = (&(objectClass=inetorgperson)(uid=%u))
    user_filter = (&(objectClass=inetorgperson)(uid=%u))
  '';
  ldapSecretConf = "${dovecotSecretPath}/dovecot-ldap.conf.ext";
 in
 with builtins;
 with lib;
 {
  config = mkIf cfg.enable {
    # ===== Postfix ===== #
    environment.sessionVariables = {
      MAILDIR = cfg.mailDir;
    };
    services.postfix = {
      enable = true;
      hostname = cfg.domain;
      origin = cfg.origin;
      destination = cfg.destination;
      networks = cfg.networks;
      config = {
        virtual_uid_maps = [
          "static:${toString cfg.uid}"
        ];
        virtual_gid_maps = [
          "static:${toString cfg.gid}"
        ];
        virtual_mailbox_domains = [ cfg.domain ];
        virtual_transport = "lmtp:unix:private/dovecot-lmtp";
        tls_preempt_cipherlist = "yes";
        smtpd_use_tls = "yes";
        smtpd_tls_security_level = "may";
        smtpd_sasl_type = "dovecot";
        smtpd_sasl_path = "private/auth";
        smtpd_sasl_auth_enable = "yes";
        smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
        smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
        home_mailbox = cfg.mailDir;
      };
      postmasterAlias = "root";
      extraAliases =
        ''
          mailer-daemon: postmaster
          nobody: root
          hostmaster: root
          usenet: root
          news: root
          webmaster: root
          www: root
          ftp: root
          abuse: root
          noc: root
          security: root
        ''
        + cfg.extraAliases;
    };
    # ===== Dovecot ===== #
    services.dovecot2 = {
      enable = lib.mkDefault true;
      enableImap = true;
      enablePop3 = true;
      enableLmtp = true;
      mailLocation = lib.mkDefault "maildir:${cfg.virtualMailDir}";
      mailUser = "vmail";
      mailGroup = "vmail";
      sslServerKey = cfg.sslKey;
      sslServerCert = cfg.sslCert;
      sslCACert = config.security.pki.caBundle;
      extraConfig = ''
        log_path  = /var/log/dovecot.log
        auth_debug = yes
        mail_debug = yes
        auth_mechanisms = plain login
        ssl = yes
        ssl_dh_parameters_length = 2048
        ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
        ssl_prefer_server_ciphers = yes
        service auth {
          unix_listener ${config.services.postfix.config.queue_directory}/private/auth {
            mode = 0660
            user = ${config.services.postfix.user}
            group = ${config.services.postfix.group}
          }
        }
        service lmtp {
          unix_listener ${config.services.postfix.config.queue_directory}/private/dovecot-lmtp {
            mode = 0600
            user = ${config.services.postfix.user}
            group = ${config.services.postfix.group}
          }
        }
        passdb ldap {
          driver = ldap
          args = ${ldapSecretConf}
        }
        userdb {
          driver = static
          args = uid=${toString cfg.uid} gid=${toString cfg.gid} home=${cfg.virtualMailDir}/%d/%n/
        }
        lda_mailbox_autosubscribe = yes
        lda_mailbox_autocreate = yes
      '';
    };
    systemd.services.dovecot2 = {
      serviceConfig = {
        RuntimeDirectory = [ "dovecot2-secret" ];
        RuntimeDirectoryMode = "0640";
        ExecStartPre = [
          ''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
          ''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
          ''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
          ''${pkgs.busybox.out}/bin/sh -c "${pkgs.busybox.out}/bin/cat ${ldapDefaultConf} ${cfg.dovecot.ldapFile} > ${ldapSecretConf}"''
        ];
      };
    };
    services.openldap = {
      enable = true;
      urlList = [ "ldap:///" ];
      settings = {
        attrs = {
          olcLogLevel = "conns config";
        };
        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
            "${pkgs.openldap}/etc/schema/nis.ldif"
          ];
          "olcDatabase={1}mdb".attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "${ldapDomain}";
            olcRootDN = "cn=admin,${ldapDomain}";
            olcRootPW.path = cfg.openldap.passwordFile;
            olcAccess = [
              ''
                {0}to attrs=userPassword
                  by dn="cn=admin,${ldapDomain}" read
                  by self write
                  by anonymous auth
                  by * none
              ''
              ''
                {1}to *
                  by * read
              ''
            ];
          };
        };
      };
    };
    # Openldap auto create baseDN
    environment.etc."openldap/base.ldif" = {
      mode = "0770";
      user = config.services.openldap.user;
      group = config.services.openldap.group;
      text = ''
        dn: ${ldapDomain}
        objectClass: top
        objectClass: domain
        dc: ${elemAt dcList 0}
      '';
    };
    systemd.services.openldap-init-base = {
      wantedBy = [ "openldap.service" ];
      requires = [ "openldap.service" ];
      after = [ "openldap.service" ];
      serviceConfig = {
        User = config.services.openldap.user;
        Group = config.services.openldap.group;
        Type = "oneshot";
        ExecStart =
          let
            dcScript = pkgs.writeShellScriptBin "openldap-init" ''
              BASE_DN="${ldapDomain}"
              LDIF_FILE="/etc/openldap/base.ldif"
              ADMIN_DN="cn=admin,${ldapDomain}"
              ${pkgs.openldap}/bin/ldapsearch -x -b "$BASE_DN" -s base "(objectclass=*)" > /dev/null 2>&1
              if [ $? -ne 0 ]; then
                echo "Base DN $BASE_DN not exist, import $LDIF_FILE"
                ${pkgs.openldap}/bin/ldapadd -x -D "$ADMIN_DN" -y ${cfg.openldap.passwordFile} -W -f "$LDIF_FILE"
              else
                echo "Base DN $BASE_DN exists, skip"
              fi
            '';
          in
          "${dcScript}/bin/openldap-init";
      };
    };
    # ===== Firewall ===== #
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
      25 # SMTP
      465 # SMTPS
      587 # STARTTLS
      143 # IMAP STARTTLS
      993 # IMAPS
      110 # POP3 STARTTLS
      995 # POP3S
    ];
    # ===== Virtual Mail User ===== #
    users.groups.vmail = {
      gid = cfg.gid;
    };
    users.users.vmail = {
      uid = cfg.uid;
      group = "vmail";
    };
    virtualisation = mkIf cfg.openldap.enableWebUI {
      docker = {
        enable = lib.mkDefault true;
        rootless = {
          enable = true;
          setSocketVariable = true;
        };
      };
      oci-containers = {
        backend = "docker";
        containers = {
          lam = {
            image = "ghcr.io/ldapaccountmanager/lam:9.2";
            extraOptions = [ "--network=host" ];
            autoStart = true;
            environment = {
              LDAP_DOMAIN = cfg.domain;
              LDAP_SERVER = "ldap://${cfg.domain}";
              LDAP_USERS_DN = "ou=mail,${ldapDomain}";
            };
          };
        };
      };
    };
  };
 }
--- a/system/modules/programs.nix
+++ b/system/modules/programs.nix
@ -48,10 +48,5 @@
        fi
      '';
    };
    # mail
    msmtp = {
      enable = true;
    };
  };
 }
--- a/system/modules/users.nix
+++ b/system/modules/users.nix
@ -1,15 +1,24 @@
-{ settings, pkgs, ... }:
+{
  settings,
  pkgs,
  lib,
  config,
  ...
 }:
 {
  users.users.${settings.personal.username} = {
    isNormalUser = true;
    shell = pkgs.bash; # Actually fish
-    extraGroups = [
+    extraGroups = (
      [
        "wheel"
        "input"
        "networkmanager"
        "docker"
        "kvm"
-    ];
+      ]
      ++ (if config.programs.gamemode.enable then [ "gamemode" ] else [ ])
    );
  };
 }