feat(vesuvio): add roundcube

secrets/secrets.nix

@@ -44,4 +44,5 @@ in
 
   "vesuvio/maddyEnv.age".publicKeys = main ++ [ vesuvio ];
   "vesuvio/rspamdPassword.age".publicKeys = main ++ [ vesuvio ];
+  "vesuvio/roundcubeDbPass.age".publicKeys = main ++ [ vesuvio ];
 }

secrets/vesuvio/roundcubeDbPass.age

@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWT25OSmIrTXhwUHdETkUx
+OHRmMWZ1Mk16N1g5U0RRaENLWlcvOW9rd3drCm9xUDlCVDJIeFVhQ2hydHZORTV1
+QzgxK29XL2huWkxTWFE1R0JINjVyUGsKLT4gWDI1NTE5IHM4d29FbVlkeDAxd1hR
+c01kTFA3VXM5eXB2NDV1bFlDOGF3M2tBM0lyMzAKZjVicDdqK0xSckpPa1NYZ0pJ
+R2lIOWlhdWVMVXcwQnJaYjFCYVFRNkFoSQotPiBYMjU1MTkgbFRIWjBFUEtENnRv
+OHRZS0kyR1R4MDBzMnV1SnVQWUp3Y1pFQmdhRjgyQQpZbjgrSFdyMytZblFEa0pQ
+Z0s1OHpqZWJ2V1d6am1TSjZsTHNzSFQ1QlU0Ci0+IFgyNTUxOSAwVGpXendsWXRQ
+OCtTUHR6U21oM0hnM2NrKzJVS0U0b25FMkNQREtYQ2dzClJuaXRwbGNiNXpGSDFv
+TnpLcEhTa0k3Nk9sYnlpQk1TeEEyYVljNTB1Y2cKLS0tIHgvSmEwVzhEVk5wODhG
+bllxRStVNmYvcGJQb2QwWDlTa0JjQW1kaFlGRWMKM12Lg3igLg34PJDFDUPFwC09
+nlJTd91zRU7OO7Kvso+PbYL6sxughQpcEW9ZFYcgty4Hlgs5nQsBUxLQmAQ2kLu9
+hWLNgwC5oGR2IpnBDglcZ5BE5VhuJush46IcCaWfiRK1TN4=
+-----END AGE ENCRYPTED FILE-----

systems/etna/postgresql.nix

@@ -10,10 +10,12 @@
 
       ensureDatabases = [
         "maddy"
+        "roundcube"
       ];
 
       authentication = ''
         host maddy maddy vesuvio.fossa-macaroni.ts.net scram-sha-256
+        host roundcube roundcube vesuvio.fossa-macaroni.ts.net scram-sha-256
       '';
     };
 

systems/vesuvio/default.nix

@@ -19,6 +19,9 @@
       ports = [ 4269 ];
       openFirewall = true;
     };
+
+    # despite not having postgres here, we match with etna for safety
+    postgresql.package = pkgs.postgresql_16;
   };
 
   networking.firewall.allowedTCPPorts = [

systems/vesuvio/mail/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./maddy.nix
     ./mta-sts.nix
+    ./roundcube.nix
     ./rspamd.nix
   ];
 }

systems/vesuvio/mail/roundcube.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  config,
+  _utils,
+  ...
+}:
+let
+  dbPass = _utils.setupSingleSecret config "roundcubeDbPass" {
+    owner = "nginx";
+  };
+in
+{
+  imports = [ dbPass.generate ];
+
+  services = {
+    roundcube = {
+      enable = true;
+      hostName = "mail.uku3lig.net";
+      dicts = with pkgs.aspellDicts; [
+        en
+        fr
+      ];
+
+      # nginx is automatically configured, ssl and acme are enabled
+
+      database = {
+        host = "etna";
+        dbname = "roundcube";
+        username = "roundcube";
+        passwordFile = dbPass.path;
+      };
+
+      extraConfig = ''
+        $config['imap_host'] = 'ssl://mx1.uku3lig.net:993';
+      '';
+    };
+  };
+}