feat: change dovecot2 sieve

hosts/fw/modules/wireguard.nix

@@ -22,7 +22,7 @@
           allowedIPs = [ "${config.networkPrefix}.98.202/32" ];
         }
         { # GPD Win 4
-          publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI=";
+          publicKey = "p3wnxXK7hurOKxruFCRoefj6gCoQeD5XXxD/ogMpew8=";
           allowedIPs = [ "${config.networkPrefix}.98.203/32" ];
         }
         {

hosts/mail/modules/dovecot.nix

@@ -189,10 +189,15 @@ in
         managesieve_logout_format = bytes ( in=%i : out=%o )
       }
 
+      lda_original_recipient_header = X-Original-To
+
       plugin {
         sieve_dir = /var/vmail/%d/%n/sieve/scripts/
         sieve = /var/vmail/%d/%n/sieve/active-script.sieve
-        sieve_extensions = +vacation-seconds +editheader
+        sieve_extensions = +vacation +vacation-seconds +editheader
+        sieve_vacation_use_original_recipient = yes
+        sieve_vacation_dont_check_recipient = yes
+        sieve_vacation_database = file:/var/vmail/%d/%n/sieve/vacation.db;
         sieve_vacation_min_period = 1min
 
         fts = lucene

hosts/mail/modules/openldap.nix

@@ -111,52 +111,6 @@ in {
         ];
       };
 
-      "olcDatabase={3}mdb".attrs = {
-        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
-
-        olcDatabase = "{3}mdb";
-        olcDbDirectory = "/var/lib/openldap/data";
-
-        olcSuffix = "dc=ghetto,dc=at";
-
-        olcAccess = [
-          ''
-            {0}to attrs=userPassword
-              by self write
-              by anonymous auth
-              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
-              by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * none
-          ''
-          ''
-            {1}to attrs=pgpPublicKey
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-        ];
-      };
-      "olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
-        olcOverlay = "memberof";
-        olcMemberOfRefint = "TRUE";
-      };
-      "olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
-        objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
-        olcOverlay = "ppolicy";
-        olcPPolicyHashCleartext = "TRUE";
-      };
-
       "olcDatabase={4}mdb".attrs = {
         objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
 

hosts/nb/modules/desktop/default.nix

@@ -38,6 +38,7 @@ in {
     })
 
     vscode
+    code-cursor
 
 
     dracula-theme

hosts/nb/users/dominik.nix

@@ -179,38 +179,6 @@ in
       '';
     };
 
-    /* Here goes the rest of your home-manager config, e.g. home.packages = [ pkgs.foo ]; */
-    # home.persistence."/nix/persist/user/dominik" = {
-    #   allowOther = true;
-    #   directories = [
-    #     ".ApacheDirectoryStudio"
-    #     ".config/Creality"
-    #     ".config/github-copilot"
-    #     ".config/libreoffice"
-    #     ".config/Nextcloud"
-    #     ".config/OrcaSlicer"
-    #     ".config/rustdesk"
-    #     ".config/rustdesk-epicenter"
-    #     ".config/Signal"
-    #     ".config/Signal-work"
-    #     ".config/sops"
-    #     ".config/VirtualBox"
-    #     ".local/share/keyrings"
-    #     ".local/share/Steam"
-    #     ".mozilla"
-    #     ".ssh"
-    #     ".thunderbird"
-    #     ".var"
-    #     "cloud.cloonar.com"
-    #     "nextcloud.cloonar.com"
-    #     "cloud.epicenter.works"
-    #     "OpenAudible"
-    #     "VirtualBox VMs"
-    #     "projects"
-    #     "go"
-    #   ];
-    # };
-
     gtk = {
       enable = true;
       gtk2.extraConfig = ''

hosts/web-arm/configuration.nix

@@ -35,6 +35,7 @@
 
     ./sites/autoconfig.cloonar.com.nix
     ./sites/feeds.cloonar.com.nix
+    ./sites/webmail.cloonar.com.nix
 
     ./sites/vcard.cloonar.dev.nix
     ./sites/vcard.cloonar.com.nix

hosts/web-arm/modules/blackbox-exporter.nix

@@ -7,7 +7,9 @@ let
 
   cfg = config.services.blackbox-exporter;
   nginxVHosts = config.services.nginx.virtualHosts or {};
-  allDomains = lib.attrNames nginxVHosts;
+  allDomains = (lib.attrNames nginxVHosts) ++ [
+    "foundry-vtt.cloonar.com"
+  ];
   filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains;
   httpsDomains = lib.map (d: "https://${d}") filteredDomains;
   domainsString = builtins.concatStringsSep "\n          "
@@ -45,8 +47,16 @@ in {
     # Configuration file for Blackbox Exporter
     environment.etc."blackbox_exporter/blackbox.yml".text = ''
       modules:
-        http_2xx:
+        http_200_final:
           prober: http
+          http:
+            method: GET
+            follow_redirects: true
+            preferred_ip_protocol: "ip4"   # <-- important: avoid blanket IPv6 failures
+            # optional: if you want to prefer v6 but fall back to v4, add:
+            # ip_protocol_fallback: true
+            valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]  # tidy, not required but nice
+            valid_status_codes: [200]
     '';
 
     # Add scrape config for VictoriaMetrics agent
@@ -55,7 +65,7 @@ in {
         - job_name: "blackbox_http_all_domains"
           metrics_path: "/probe"
           params:
-            module: ["http_2xx"]
+            module: ["http_200_final"]
 
           static_configs:
             - targets:

hosts/web-arm/modules/grafana/alerting/websites/default.nix

@@ -3,7 +3,10 @@
 let
   cfg = config.services.blackbox-exporter;
   nginxVHosts = config.services.nginx.virtualHosts or {};
-  allDomains = lib.attrNames nginxVHosts;
+  allDomains =
+    (lib.attrNames nginxVHosts) ++ [
+      "foundry-vtt.cloonar.com"
+    ];
   filteredDomains = builtins.filter (d: !builtins.elem d cfg.blacklistDomains) allDomains;
   httpsDomains = lib.map (d: "https://${d}") filteredDomains;
   websiteAlertRules = lib.map (target:

hosts/web-arm/sites/webmail.cloonar.com.nix

@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = config.networking.domain;
+  roundcubeRoot = "${config.services.roundcube.package}/public_html";
+  # PHP-FPM socket created by the roundcube module (pool named "roundcube"):
+  fpmSocket = config.services.phpfpm.pools.roundcube.socket;
+in
+{
+  # DB for Roundcube (PostgreSQL shown; MariaDB works too)
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "roundcube" ];
+    ensureUsers = [
+      { name = "roundcube"; ensureDBOwnership = true; }
+    ];
+  };
+
+  services.roundcube = {
+    enable = true;
+    configureNginx = false;        # <-- you’ll provide your own vhost
+    plugins = [ "managesieve" "archive" "zipdownload" ];
+    database = {
+      host = "localhost";
+      dbname = "roundcube";
+      username = "roundcube";
+    };
+
+    extraConfig = ''
+      // IMAP & SMTP
+      $config['imap_host'] = 'ssl://imap.${domain}:993';
+      $config['smtp_host'] = 'tls://mail.${domain}:587';
+      $config['smtp_user'] = '%u';
+      $config['smtp_pass'] = '%p';
+
+      // ManageSieve (filters + vacation)
+      $config['managesieve_host'] = 'tls://imap.${domain}:4190';
+    '';
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."webmail.${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      root = roundcubeRoot;
+
+      extraConfig = ''
+        client_max_body_size 50m;
+      '';
+
+      locations = {
+        # Serve static assets directly
+        "~* ^/(favicon\\.ico|robots\\.txt|browserconfig\\.xml)$".tryFiles = "$uri =404";
+        "~* ^/(assets|installer|public|skins|plugins)/" = {
+          tryFiles = "$uri =404";
+        };
+
+        # PHP entry points
+        "~ \\.php$" = {
+          extraConfig = ''
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param HTTPS on;
+            fastcgi_pass unix:${fpmSocket};
+            fastcgi_buffers 16 16k;
+            fastcgi_buffer_size 32k;
+          '';
+        };
+
+        # Default: let Roundcube handle routing
+        "/" = {
+          tryFiles = "$uri /index.php?$query_string";
+        };
+      };
+    };
+  };
+}