From aa0197ab83011b3aa5c07c76c24771311704e09b Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sun, 25 Dec 2022 14:22:18 +0300
Subject: feat(ops/modules): configure offlineimap for depot@tvl.su
On the machine running public-inbox, this will start automatically fetching mails from depot@tvl.su and making them available to public-inbox.
Change-Id: I2469207bd41d64eba747a74ae5fda9fed548cc83
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7630
Reviewed-by: flokli
Tested-by: BuildkiteCI
---
 ops/modules/depot-inbox.nix | 49 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)
(limited to 'ops')
diff --git a/ops/modules/depot-inbox.nix b/ops/modules/depot-inbox.nix
index b791cc6db7..1accbe3eae 100644
--- a/ops/modules/depot-inbox.nix
+++ b/ops/modules/depot-inbox.nix
@@ -3,10 +3,31 @@
 # The account itself is a Yandex 360 account in the tvl.su organisation, which
 # is accessed via IMAP. Yandex takes care of spam filtering for us, so there is
 # no particular SpamAssassin or other configuration.
-{ config, lib, pkgs, ... }:
+{ config, depot, lib, pkgs, ... }:
 let
 cfg = config.services.depot.inbox;
+
+ imapConfig = pkgs.writeText "offlineimaprc" ''
+ [general]
+ accounts = depot
+
+ [Account depot]
+ localrepository = Local
+ remoterepository = Remote
+
+ [Repository Local]
+ type = Maildir
+ localfolders = /var/lib/public-inbox/depot-imap
+
+ [Repository Remote]
+ type = IMAP
+ ssl = yes
+ sslcacertfile = /etc/ssl/certs/ca-bundle.crt
+ remotehost = imap.yandex.ru
+ remoteuser = depot@tvl.su
+ remotepassfile = /var/run/agenix/depot-inbox-imap
+ '';
 in
 {
 options.services.depot.inbox = with lib; {
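Review bot: The `[Repository Remote]` section leaves offlineimap in its default two-way sync with no folder restriction, so deletions or flag changes made under /var/lib/public-inbox/depot-imap are pushed back to the mailbox and every remote folder is downloaded. Since this machine only needs to pull mail, adding `readonly = True` to the Remote repository would keep local-side changes from altering the upstream account; a `folderfilter` limiting the sync to the inbox is worth considering as well. Separately, `remotepassfile` hard-codes /var/run/agenix/depot-inbox-imap; writing it as `remotepassfile = ${config.age.secrets.depot-inbox-imap.path}` would keep it tied to the secret declared in the second hunk if the agenix secrets directory ever changes.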
@@ -46,5 +67,31 @@ in
 settings.publicinbox.wwwlisting = "all";
 };
+
+ age.secrets.depot-inbox-imap = {
+ file = depot.ops.secrets."depot-inbox-imap.age";
+ mode = "0440";
+ group = config.users.groups."public-inbox".name;
+ };
+
+ systemd.services.offlineimap-depot = {
+ description = "download mail for depot@tvl.su";
+ wantedBy = [ "multi-user.target" ];
+ startAt = "minutely";
+
+ script = ''
+ mkdir -p /var/lib/public-inbox/depot-imap
+ ${pkgs.offlineimap}/bin/offlineimap -c ${imapConfig}
+ '';
+
+ serviceConfig = {
+ Type = "oneshot";
+
+ # Run in the same user context as public-inbox itself to avoid
+ # permissions trouble.
+ User = config.users.users."public-inbox".name;
+ Group = config.users.groups."public-inbox".name;
+ };
+ };
 };
 }
-- cgit 1.4.1
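Review bot: The IMAP password is readable by the whole public-inbox group (`mode = "0440"`, no `owner` set), and the fetcher runs as the public-inbox user itself, so any process under that identity, presumably including the public-inbox daemons that serve the archive, can read the mailbox credential. If only this unit needs it, `owner = config.users.users."public-inbox".name;` with `mode = "0400";` at least excludes other group members; a dedicated fetch user that shares only the Maildir with public-inbox would keep the password away from the serving side entirely. The unit also has no sandboxing in `serviceConfig`; `NoNewPrivileges = true;` and `PrivateTmp = true;` are low-risk additions for a job that parses network data every minute.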