nixos/hosts/web-arm/sites/webmail.cloonar.com.nix

{ config, pkgs, lib, ... }:
let
  domain = config.networking.domain;
  roundcubeRoot = "${config.services.roundcube.package}/public_html";
  # PHP-FPM socket created by the roundcube module (pool named "roundcube"):
  fpmSocket = config.services.phpfpm.pools.roundcube.socket;
in
{
  # DB for Roundcube (PostgreSQL shown; MariaDB works too)
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "roundcube" ];
    ensureUsers = [
      { name = "roundcube"; ensureDBOwnership = true; }
    ];
  };

  services.roundcube = {
    enable = true;
    configureNginx = false;        # <-- you’ll provide your own vhost
    plugins = [ "managesieve" "archive" "zipdownload" ];
    database = {
      host = "localhost";
      dbname = "roundcube";
      username = "roundcube";
    };

    extraConfig = ''
      // IMAP & SMTP
      $config['imap_host'] = 'ssl://imap.${domain}:993';
      $config['smtp_host'] = 'tls://mail.${domain}:587';
      $config['smtp_user'] = '%u';
      $config['smtp_pass'] = '%p';

      // ManageSieve (filters + vacation)
      $config['managesieve_host'] = 'tls://imap.${domain}:4190';
    '';
  };

  services.nginx = {
    enable = true;

    virtualHosts."webmail.${domain}" = {
      forceSSL = true;
      enableACME = true;
      root = roundcubeRoot;

      extraConfig = ''
        client_max_body_size 50m;
      '';

      locations = {
        # Serve static assets directly
        "~* ^/(favicon\\.ico|robots\\.txt|browserconfig\\.xml)$".tryFiles = "$uri =404";
        "~* ^/(assets|installer|public|skins|plugins)/" = {
          tryFiles = "$uri =404";
        };

        # PHP entry points
        "~ \\.php$" = {
          extraConfig = ''
            include ${pkgs.nginx}/conf/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            fastcgi_pass unix:${fpmSocket};
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
          '';
        };

        # Default: let Roundcube handle routing
        "/" = {
          tryFiles = "$uri /index.php?$query_string";
        };
      };
    };
  };
}