commit 4ebc4761dce384664934c911d371af45ef4fce30
parent 5586ebe7bf2d2fc44506d029e40fd6ab4dd57253
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 13 Nov 2023 08:57:30 +0100
machines/trabbi/mail: add sieve filters
4 files changed, 247 insertions(+), 175 deletions(-)
D
|
174
-------------------------------------------------------------------------------
A
|
182
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
64
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix @@ -21,8 +21,8 @@ # communication ./fedi + ./mail ./matrix-synapse.nix - ./mail.nix # websites ./websites
diff --git a/machines/trabbi/mail.nix b/machines/trabbi/mail.nix 
@@ -1,174 +0,0 @@ -{ inputs, pkgs, config, ... }: - -let - mailAutoConfig = '' - <?xml version="1.0" encoding="UTF-8"?> - <clientConfig version="1.1"> - <emailProvider id="ctu.cx"> - <domain>ctu.cx</domain> - <displayName>${config.networking.fqdn}</displayName> - <displayShortName>${config.networking.domain}</displayShortName> - <incomingServer type="imap"> - <hostname>${config.networking.fqdn}</hostname> - <port>993</port> - <socketType>SSL</socketType> - <authentication>password-cleartext</authentication> - <username>%EMAILADDRESS%</username> - </incomingServer> - <outgoingServer type="smtp"> - <hostname>${config.networking.fqdn}</hostname> - <port>465</port> - <socketType>SSL</socketType> - <authentication>password-cleartext</authentication> - <username>%EMAILADDRESS%</username> - </outgoingServer> - </emailProvider> - </clientConfig> - ''; - -in { - - imports = [ - inputs.simple-nixos-mailserver.nixosModule - ]; - - age.secrets.restic-mail.file = ./. + "/../../secrets/${config.networking.hostName}/restic/mail.age"; - age.secrets.mail-password-leah.file = ./. + "/../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age"; - age.secrets.mail-password-zugnetwork.file = ./. 
+ "/../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age"; - - dns.zones = with pkgs.dns.lib.combinators; let - TXT = [ "v=spf1 a mx ip4:${config.networking.primaryIP4} +ip6:${config.networking.primaryIP} ~all" ]; - DMARC = "v=DMARC1; p=none"; - MX = with mx; [ (mx 10 "${config.networking.fqdn}.") ]; - in { - "ctu.cx" = { - inherit MX TXT; - - SRV = [ - { proto = "tcp"; service = "imaps"; priority = 0; weight = 1; port = 993; target = "${config.networking.fqdn}."; } - { proto = "tcp"; service = "imap"; priority = 0; weight = 1; port = 143; target = "${config.networking.fqdn}."; } - { proto = "tcp"; service = "submission"; priority = 0; weight = 1; port = 587; target = "${config.networking.fqdn}."; } - ]; - - subdomains = { - autoconfig.CNAME = [ config.networking.hostName ]; - _dmarc.TXT = [ DMARC ]; - "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKryfX99NkcU5Xe4AmG+kO/sfuYSXk5RqJhzxS4uMqERE8UszgEGdteXcD8pqON2MfDmA3G6cA+Oa+N4tIWdIYNwTISVXXMGdHvjFIsVUEW0turM104tXESELaPRntkCvDBk/yOgsBDRZQHSx5MdGwpzeRC8TLdCbalh3W0jp5PQIDAQAB" ]; - }; - }; - - "ctucx.de" = { - inherit MX TXT; - - subdomains = { - _dmarc.TXT = [ DMARC ]; - "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5fu690bKYCZLPAFfQQK+nl+aAmtetaWBKCWzGj6pt7HjpFjystgtgnQ6+DZLFXWUp8GRfMEycySB5kQULtYtSMUmx0gQBnTTLsRj+e55/CYUllLV6YXb5uca7LuVhlWPpH3sCr6TvC2VFWe4t0UC3uIXhYPrCm6p8OE7g+TdHHwIDAQAB" ]; - }; - }; - - "thein.ovh" = { - inherit MX TXT; - - subdomains = { - _dmarc.TXT = [ DMARC ]; - "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8oumqNkHboF/S4dnKue+hEC3V226ToMmL/fmXqbAhsW88m+jUuLgZE8Nl7kc/lzD9yY7JmCXcWFzoLJWE8xusfmT1yMOW9sQmee7g0tHsm1fVqFMUetmC4+QuqAdvjIGU5QndjdWHP/gssIoLPT7lCNUL4/lkaPmFiiDyvaMpkQIDAQAB" ]; - }; - }; - - "flauschehorn.sexy" = { - inherit MX TXT; - - subdomains = { - _dmarc.TXT = [ DMARC ]; - "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvEPR8068KtlsiWiexSPWqagKmd07ggGvDcYICzOvhxVB0MDrn+/VYIXEbVX0Y9z60oT1ynjkhFjDWEofk11EoXwrg7xjkqZuszDrhdYqUnoLrzlugmnK4jXO3cAD0qeblX0rDmu30cmPP1Aj21tLTU6loYpORY+y4VaVfwtHswwIDAQAB" ]; - }; - }; - }; - - security.acme.certs."${config.networking.fqdn}".reloadServices = [ - "postfix.service" - "dovecot2.service" - ]; - - services.nginx = { - enable = true; - virtualHosts = { - "${config.networking.fqdn}" = { - enableACME = true; - forceSSL = true; - }; - - "autoconfig.ctu.cx" = { - enableACME = true; - forceSSL = true; - locations."= /mail/config-v1.1.xml".return = "200 '${mailAutoConfig}'"; - }; - }; - }; - - services.redis.servers.rspamd.bind = "::1"; - - mailserver = { - enable = true; - fqdn = config.networking.fqdn; - - openFirewall = true; - localDnsResolver = false; - virusScanning = false; - - redis.address = "[::1]"; - - certificateScheme = "manual"; - certificateFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/fullchain.pem"; - keyFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/key.pem"; - - enableManageSieve = true; - enableSubmission = true; - enableSubmissionSsl = true; - enableImap = true; - enableImapSsl = true; - enablePop3 = false; - enablePop3Ssl = false; - - mailDirectory = "/var/lib/mailboxes"; - sieveDirectory = "/var/lib/sieve"; - dkimKeyDirectory = "/var/lib/dkimKeys"; - - domains = [ - "ctu.cx" - "ctucx.de" - "thein.ovh" - "zug.network" - "flauschehorn.sexy" - ]; - - loginAccounts = { - "leah@ctu.cx" = { - hashedPasswordFile = config.age.secrets.mail-password-leah.path; - aliases = [ - "@ctu.cx" - "@ctucx.de" - "leah@thein.ovh" - "leon@thein.ovh" - ]; - }; - - "mail@zug.network" = { - hashedPasswordFile = config.age.secrets.mail-password-zugnetwork.path; - aliases = [ - "@zug.network" - ]; - }; - }; - }; - - restic-backups.mail = { - passwordFile = config.age.secrets.restic-mail.path; - paths = [ - "/var/lib/mailboxes" - "/var/lib/dkimKeys" - 
"/var/lib/sieve" - ]; - }; - -}
diff --git a/machines/trabbi/mail/default.nix b/machines/trabbi/mail/default.nix 
@@ -0,0 +1,182 @@ +{ inputs, pkgs, config, ... }: + +let + mailAutoConfig = '' + <?xml version="1.0" encoding="UTF-8"?> + <clientConfig version="1.1"> + <emailProvider id="ctu.cx"> + <domain>ctu.cx</domain> + <displayName>${config.networking.fqdn}</displayName> + <displayShortName>${config.networking.domain}</displayShortName> + <incomingServer type="imap"> + <hostname>${config.networking.fqdn}</hostname> + <port>993</port> + <socketType>SSL</socketType> + <authentication>password-cleartext</authentication> + <username>%EMAILADDRESS%</username> + </incomingServer> + <outgoingServer type="smtp"> + <hostname>${config.networking.fqdn}</hostname> + <port>465</port> + <socketType>SSL</socketType> + <authentication>password-cleartext</authentication> + <username>%EMAILADDRESS%</username> + </outgoingServer> + </emailProvider> + </clientConfig> + ''; + +in { + + imports = [ + inputs.simple-nixos-mailserver.nixosModule + ]; + + age.secrets.restic-mail.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/mail.age"; + age.secrets.mail-password-leah.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age"; + age.secrets.mail-password-zugnetwork.file = ./. 
+ "/../../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age"; + + dns.zones = with pkgs.dns.lib.combinators; let + TXT = [ "v=spf1 a mx ip4:${config.networking.primaryIP4} +ip6:${config.networking.primaryIP} ~all" ]; + DMARC = "v=DMARC1; p=none"; + MX = with mx; [ (mx 10 "${config.networking.fqdn}.") ]; + in { + "ctu.cx" = { + inherit MX TXT; + + SRV = [ + { proto = "tcp"; service = "imaps"; priority = 0; weight = 1; port = 993; target = "${config.networking.fqdn}."; } + { proto = "tcp"; service = "imap"; priority = 0; weight = 1; port = 143; target = "${config.networking.fqdn}."; } + { proto = "tcp"; service = "submission"; priority = 0; weight = 1; port = 587; target = "${config.networking.fqdn}."; } + ]; + + subdomains = { + autoconfig.CNAME = [ config.networking.hostName ]; + _dmarc.TXT = [ DMARC ]; + "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKryfX99NkcU5Xe4AmG+kO/sfuYSXk5RqJhzxS4uMqERE8UszgEGdteXcD8pqON2MfDmA3G6cA+Oa+N4tIWdIYNwTISVXXMGdHvjFIsVUEW0turM104tXESELaPRntkCvDBk/yOgsBDRZQHSx5MdGwpzeRC8TLdCbalh3W0jp5PQIDAQAB" ]; + }; + }; + + "ctucx.de" = { + inherit MX TXT; + + subdomains = { + _dmarc.TXT = [ DMARC ]; + "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5fu690bKYCZLPAFfQQK+nl+aAmtetaWBKCWzGj6pt7HjpFjystgtgnQ6+DZLFXWUp8GRfMEycySB5kQULtYtSMUmx0gQBnTTLsRj+e55/CYUllLV6YXb5uca7LuVhlWPpH3sCr6TvC2VFWe4t0UC3uIXhYPrCm6p8OE7g+TdHHwIDAQAB" ]; + }; + }; + + "thein.ovh" = { + inherit MX TXT; + + subdomains = { + _dmarc.TXT = [ DMARC ]; + "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8oumqNkHboF/S4dnKue+hEC3V226ToMmL/fmXqbAhsW88m+jUuLgZE8Nl7kc/lzD9yY7JmCXcWFzoLJWE8xusfmT1yMOW9sQmee7g0tHsm1fVqFMUetmC4+QuqAdvjIGU5QndjdWHP/gssIoLPT7lCNUL4/lkaPmFiiDyvaMpkQIDAQAB" ]; + }; + }; + + "flauschehorn.sexy" = { + inherit MX TXT; + + subdomains = { + _dmarc.TXT = [ DMARC ]; + "mail._domainkey".TXT = [ "v=DKIM1; k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvEPR8068KtlsiWiexSPWqagKmd07ggGvDcYICzOvhxVB0MDrn+/VYIXEbVX0Y9z60oT1ynjkhFjDWEofk11EoXwrg7xjkqZuszDrhdYqUnoLrzlugmnK4jXO3cAD0qeblX0rDmu30cmPP1Aj21tLTU6loYpORY+y4VaVfwtHswwIDAQAB" ]; + }; + }; + }; + + security.acme.certs."${config.networking.fqdn}".reloadServices = [ + "postfix.service" + "dovecot2.service" + ]; + + services.nginx = { + enable = true; + virtualHosts = { + "${config.networking.fqdn}" = { + enableACME = true; + forceSSL = true; + }; + + "autoconfig.ctu.cx" = { + enableACME = true; + forceSSL = true; + locations."= /mail/config-v1.1.xml".return = "200 '${mailAutoConfig}'"; + }; + }; + }; + + services.redis.servers.rspamd.bind = "::1"; + + services.dovecot2.extraConfig = '' + plugin { + # Use editheader + sieve_extensions = +editheader + } + ''; + + mailserver = { + enable = true; + fqdn = config.networking.fqdn; + + openFirewall = true; + localDnsResolver = false; + virusScanning = false; + + redis.address = "[::1]"; + + certificateScheme = "manual"; + certificateFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/fullchain.pem"; + keyFile = "${config.security.acme.certs.${config.networking.fqdn}.directory}/key.pem"; + + enableManageSieve = true; + enableSubmission = true; + enableSubmissionSsl = true; + enableImap = true; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = false; + + mailDirectory = "/var/lib/mailboxes"; + sieveDirectory = "/var/lib/sieve"; + dkimKeyDirectory = "/var/lib/dkimKeys"; + + domains = [ + "ctu.cx" + "ctucx.de" + "thein.ovh" + "zug.network" + "flauschehorn.sexy" + ]; + + loginAccounts = { + "leah@ctu.cx" = { + hashedPasswordFile = config.age.secrets.mail-password-leah.path; + sieveScript = builtins.readFile ./rules-leah.sieve; + aliases = [ + "@ctu.cx" + "@ctucx.de" + "leah@thein.ovh" + "leon@thein.ovh" + ]; + }; + + "mail@zug.network" = { + hashedPasswordFile = config.age.secrets.mail-password-zugnetwork.path; + aliases = [ + "@zug.network" + ]; + 
}; + }; + }; + + restic-backups.mail = { + passwordFile = config.age.secrets.restic-mail.path; + paths = [ + "/var/lib/mailboxes" + "/var/lib/dkimKeys" + "/var/lib/sieve" + ]; + }; + +}
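Review bot: `services.dovecot2.extraConfig` appends a `plugin { sieve_extensions = +editheader }` block that enables header rewriting for every Sieve user on this server, not only for leah@ctu.cx whose rules-leah.sieve needs it; with `enableManageSieve = true` the mail@zug.network account can also upload scripts that use it, which should be a conscious decision. The comment `# Use editheader` repeats the setting rather than explaining it; replace it with `# rules-leah.sieve rewrites Subject via deleteheader/addheader; Pigeonhole keeps editheader off by default`. If the NixOS channel in use provides it, `services.dovecot2.sieve.extensions = [ "editheader" ];` expresses the same thing through the typed option rather than a second hand-written `plugin {}` section, which presumably relies on Dovecot merging duplicate sections with whatever the mailserver module already emits.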
diff --git a/machines/trabbi/mail/rules-leah.sieve b/machines/trabbi/mail/rules-leah.sieve
@@ -0,0 +1,64 @@
+require [
+ "variables", "date", "regex",
+ "fileinto", "mailbox", "editheader",
+ "imap4flags"
+];
+
+
+if currentdate :matches "year" "*" { set "year" "${1}"; }
+if currentdate :matches "month" "*" { set "month" "${1}"; }
+
+
+if address :is "to" "le0nth3in@gmail.com" {
+ if header :matches "Subject" "*" {
+ set "subject" "${1}";
+ }
+
+ deleteheader "Subject";
+ addheader :last "Subject" "[OLD GMAIL] ${subject}";
+}
+
+if header :contains "subject" [ "Fahrgastrechteanträge", "Fahrgastrechteantrag" ] {
+ fileinto :create "Archive.FGR${year}";
+ stop;
+}
+
+if header :contains "From" [ "@amazon.de" ] {
+ fileinto "INBOX.Amazon";
+ stop;
+}
+
+if header :contains "From" [ "@apple.com", "@email.apple.com" ] {
+ fileinto "INBOX.Apple";
+ stop;
+}
+
+if header :contains "From" [ "@bahn.de", "@mailing.bahn.de" ] {
+ fileinto "INBOX.Bahn";
+ stop;
+}
+
+if header :contains "From" [ "@bunq.com", "@hello.bunq.com" ] {
+ fileinto "INBOX.Bunq";
+ stop;
+}
+
+if header :contains "From" [ "@dhl.de" ] {
+ fileinto "INBOX.DHL";
+ stop;
+}
+
+if header :contains "From" [ "@ebay.de", "@ebay.com" ] {
+ fileinto "INBOX.eBay";
+ stop;
+}
+
+if header :contains "From" [ "@google.com", "@accounts.google.com" ] {
+ fileinto "INBOX.Google";
+ stop;
+}
+
+if header :contains "From" [ "@paypal.com", "@emails.paypal.com" ] {
+ fileinto "INBOX.PayPal";
+ stop;
+}
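Review bot: The nine folder rules test `header :contains "From"` against the raw From header, so a display name or a lookalike sender domain that merely contains the substring (for example a constructed `amazon.de.example`) is filed into the trusted-looking vendor folder; the first rule already uses the `address` test, and the same form restricted to the real address domain, `if address :domain :is "from" [ "amazon.de" ] {`, keeps each rule to the actual sender domain without any extra extension. `month` is set but never read, and `regex` and `imap4flags` are required although no regex match or flag action appears in the script, so the require list can shrink to the five extensions in use. In the Gmail block, a message without a Subject header leaves `subject` empty and the added header reads `[OLD GMAIL] ` with nothing after it, which is probably acceptable but worth a one-line comment stating so.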