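{
  description = "NixOS Mail server";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    # https://nixos-mailserver.readthedocs.io/en/latest/flakes.html
    simple-nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, simple-nixos-mailserver, ... }: {
    # NixOS module that wires simple-nixos-mailserver to a local OpenLDAP
    # directory.  Import it next to simple-nixos-mailserver.nixosModule and set
    # `mail.enable`, `mail.domain` and `mail.fqdn`.
    nixosModules.mail = { config, lib, pkgs, ... }:
      let
        cfg = config.mail;

        ldapOptions =
          let
            inherit (config.services) openldap;
            # NOTE(review): `services.openldap.services.mail.{uid,passwordFile}`,
            # `.organization` and `.extension` are not nixpkgs options; they must
            # be declared by a sibling module — confirm it is imported.
            suffix = "dc=${openldap.organization},dc=${openldap.extension}";
          in {
            name = "ldap";
            # Plain LDAP over loopback.  The previous values declared "LDAPS" but
            # pointed at port 389 (the plaintext listener), so an `ldaps://` URI
            # could never complete a TLS handshake.  To use TLS instead set
            # scheme = "ldaps" / port = "636", make OpenLDAP listen on ldaps://
            # (services.openldap.urlList) and give the mailserver a CA it trusts
            # (mailserver.ldap.tlsCAFile).  `uris` below is derived from these so
            # scheme and port cannot drift apart again.
            scheme = "ldap";
            host = "localhost";
            port = "389";
            # Service account the mailserver binds as.  It only needs search
            # rights under `user-search-base`.  The password file must be
            # readable by root only and must not be a Nix store path: the store
            # is world-readable.
            bind-dn = "uid=${openldap.services.mail.uid},ou=services,${suffix}";
            bind-password = openldap.services.mail.passwordFile;
            user-search-base = "ou=people,${suffix}";
            # The attributes below are not consumed by `mailserver.ldap` yet.
            # `%[1]s` is Gitea-style placeholder syntax; Dovecot/Postfix use
            # `%u` / `%s`, so translate before reusing these for the
            # mailserver.ldap.dovecot.* / mailserver.ldap.postfix.* filters.
            user-filter = "(&(objectclass=*)(|(uniqueIdentifier=%[1]s)(mail=%[1]s)))";
            #admin-filter = "(isMemberOf=cn=mail-admins,ou=groups,${suffix})";
            username-attribute = "uniqueIdentifier";
            firstname-attribute = "givenName";
            surname-attribute = "sn";
            email-attribute = "mail";
          };
      in {
        options.mail = {
          # Defaults to false, so importing the module alone enables nothing.
          enable = lib.mkEnableOption "the LDAP-backed mail server";
          domain = lib.mkOption {
            type = lib.types.str;
            description = "Mail domain the server accepts mail for.";
          };
          fqdn = lib.mkOption {
            type = lib.types.str;
            description = ''
              Hostname of the mail server.  It is also the nginx virtual host
              name and therefore the name of the ACME certificate that
              `mailserver.x509.useACMEHost` reuses.
            '';
          };
          # `cfg.port` was referenced without being declared, which fails
          # evaluation ("attribute 'port' missing").  It is optional: the
          # virtual host is useful for the certificate alone.
          port = lib.mkOption {
            type = lib.types.nullOr lib.types.port;
            default = null;
            description = ''
              Local TCP port of an HTTP backend to reverse-proxy at `/` on the
              virtual host.  Leave null when there is nothing to proxy.
            '';
          };
        };

        config = lib.mkIf cfg.enable {
          mailserver = {
            enable = true;
            stateVersion = 4;
            fqdn = cfg.fqdn;
            domains = [ cfg.domain ];

            # Reuse the certificate nginx obtains for the virtual host below
            # instead of running a second ACME client inside the mailserver.
            x509.useACMEHost = cfg.fqdn;

            # LDAP
            # https://nixos-mailserver.readthedocs.io/en/latest/ldap.html
            ldap = {
              enable = true;
              uris = [ "${ldapOptions.scheme}://${ldapOptions.host}:${ldapOptions.port}" ];
              bind = {
                dn = ldapOptions.bind-dn;
                passwordFile = ldapOptions.bind-password;
              };
              # The module names these searchBase/searchScope (see the docs
              # above); `base`/`scope` are not defined options and fail evaluation.
              searchBase = ldapOptions.user-search-base;
              # "one": user entries are direct children of ou=people.
              searchScope = "one";
            };
          };

          # nginx virtual host.  `cfg.hostName` was referenced here without being
          # declared; the vhost must be the mail FQDN anyway, because enableACME
          # on it is what makes security.acme issue the certificate that
          # x509.useACMEHost above refers to.
          services.nginx.virtualHosts.${cfg.fqdn} = {
            enableACME = true;
            # null: this vhost serves no http-01 webroot; the challenge method is
            # whatever security.acme is configured with (e.g. DNS-01) — verify
            # that such a configuration exists, or certificate issuance fails.
            acmeRoot = null;
            # Redirect plain HTTP to HTTPS instead of serving both (addSSL).
            forceSSL = true;
            # Reverse proxy only when a backend port is configured.
            locations = lib.optionalAttrs (cfg.port != null) {
              "/" = {
                proxyPass = "http://localhost:${toString cfg.port}";
                proxyWebsockets = true;
              };
            };
          };
        };
      };
  };
}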