nixos/automx2: init (#333320)

nixos/modules/module-list.nix

@@ -656,6 +656,7 @@
   ./services/logging/syslogd.nix
   ./services/logging/vector.nix
   ./services/logging/ulogd.nix
+  ./services/mail/automx2.nix
   ./services/mail/clamsmtp.nix
   ./services/mail/davmail.nix
   ./services/mail/dkimproxy-out.nix

nixos/modules/services/mail/automx2.nix

@@ -0,0 +1,108 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.automx2;
+  format = pkgs.formats.json { };
+in
+{
+  options = {
+    services.automx2 = {
+      enable = lib.mkEnableOption "automx2";
+
+      package = lib.mkPackageOption pkgs [
+        "python3Packages"
+        "automx2"
+      ] { };
+
+      domain = lib.mkOption {
+        type = lib.types.str;
+        example = "example.com";
+        description = ''
+          E-Mail-Domain for which mail client autoconfig/autoconfigure should be set up.
+          The `autoconfig` and `autodiscover` subdomains are automatically prepended and set up with ACME.
+          The names of those domains are hardcoded in the mail clients and are not configurable.
+        '';
+      };
+
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 4243;
+        description = "Port used by automx2.";
+      };
+
+      settings = lib.mkOption {
+        inherit (format) type;
+        description = ''
+          Bootstrap json to populate database.
+          See [docs](https://rseichter.github.io/automx2/#_sqlite) for details.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "autoconfig.${cfg.domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          serverAliases = [ "autodiscover.${cfg.domain}" ];
+          locations = {
+            "/".proxyPass = "http://127.0.0.1:${toString cfg.port}/";
+            "/initdb".extraConfig = ''
+              # Limit access to clients connecting from localhost
+              allow 127.0.0.1;
+              deny all;
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.services.automx2 = {
+      after = [ "network.target" ];
+      postStart = ''
+        sleep 3
+        ${lib.getExe pkgs.curl} -X POST --json @${format.generate "automx2.json" cfg.settings} http://127.0.0.1:${toString cfg.port}/initdb/
+      '';
+      serviceConfig = {
+        Environment = [
+          "AUTOMX2_CONF=${pkgs.writeText "automx2-conf" ''
+            [automx2]
+            loglevel = WARNING
+            db_uri = sqlite:///:memory:
+            proxy_count = 1
+          ''}"
+          "FLASK_APP=automx2.server:app"
+          "FLASK_CONFIG=production"
+        ];
+        ExecStart = "${
+          pkgs.python3.buildEnv.override { extraLibs = [ cfg.package ]; }
+        }/bin/flask run --host=127.0.0.1 --port=${toString cfg.port}";
+        Restart = "always";
+        StateDirectory = "automx2";
+        User = "automx2";
+        WorkingDirectory = "/var/lib/automx2";
+      };
+      unitConfig = {
+        Description = "MUA configuration service";
+        Documentation = "https://rseichter.github.io/automx2/";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    users = {
+      groups.automx2 = { };
+      users.automx2 = {
+        group = "automx2";
+        isSystemUser = true;
+      };
+    };
+  };
+}