# NixOS module that wires Sympa (mailing-list manager) into this host's existing
# mail stack by hand rather than through services.sympa's built-in web/MTA
# integration (both are switched to "none" at the bottom).  It provides:
#   - a PostgreSQL network grant for the backup-2 host,
#   - a duply backup profile for /var/lib/sympa,
#   - an Apache vhost fragment proxying /sympa to a FastCGI socket,
#   - secret files (DB password, data_sources, scenari) owned by the sympa user,
#   - sandbox overrides on the upstream sympa-* systemd units,
#   - a spawn-fcgi unit running wwsympa.fcgi,
#   - Postfix maps and pipe transports that hand mail to Sympa's queue programs.
{ lib, pkgs, config, ... }:
let
  # Mailing-list domain.  Reused for the Postfix map entries and for the
  # services.sympa.domains key below so the two cannot drift apart.
  domain = "lists.immae.eu";
  # Deployment-specific values (DB credentials, listmasters, data_sources,
  # scenari) come from the out-of-tree myEnv module.
  sympaConfig = config.myEnv.mail.sympa;
in
{
  # Everything below only applies when the host's mail role is enabled.
  config = lib.mkIf config.myServices.mail.enable {
    # Let the backup-2 host reach the "sympa" database over the network as the
    # "sympa" role.  NOTE(review): the authentication method that ends up in
    # pg_hba.conf for this entry is decided by the myServices.databases.postgresql
    # module, not here -- confirm it is password/cert based and not "trust".
    myServices.databases.postgresql.authorizedHosts = {
      backup-2 = [
        {
          username = "sympa";
          database = "sympa";
          ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
          ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
        }
      ];
    };
    # Off-host backup of Sympa's state directory.  Note this also captures the
    # Postfix map Sympa generates there (see sendmail_aliases below).
    services.duplyBackup.profiles.sympa = {
      rootDir = "/var/lib/sympa";
    };
    # Apache fragment appended (mkAfter) to the "mail" vhost:
    #   * /static-sympa/ serves Sympa's static files straight from disk,
    #     anonymously ("Require all granted"), with .htaccess ignored.  No
    #     Options directive is set, so directory-index behaviour is inherited
    #     from the global Apache config -- consider "Options -Indexes" if the
    #     global default allows listings.
    #   * /sympa is handed to the FastCGI socket created by the wwsympa unit
    #     below (the path must match that unit's "-s" argument).  Apache lets
    #     everyone through; authentication for the web UI is wwsympa's own.
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
        Alias /static-sympa/ /var/lib/sympa/static_content/
        <Directory /var/lib/sympa/static_content/>
        Require all granted
        AllowOverride none
        </Directory>
        <Location /sympa>
        SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
        Require all granted
        </Location>
        ''
      ];
    };

    # Secret files materialised by the secrets module, readable only by the
    # sympa user (0400).  "text" is evaluated at Nix evaluation time; whether
    # the secrets module keeps these values out of the world-readable Nix store
    # depends on its implementation -- confirm before adding more secrets here.
    secrets.keys = [
      {
        dest = "sympa/db_password";
        permissions = "0400";
        group = "sympa";
        user = "sympa";
        text = sympaConfig.postgresql.password;
      }
    ]
    # One file per data-source include (*.incl) and per scenario.  Data-source
    # includes may embed credentials for external directories/databases and
    # scenari are Sympa's authorisation rules, hence the same 0400/sympa
    # ownership as the DB password.
    ++ lib.mapAttrsToList (n: v: {
      dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.data_sources
    ++ lib.mapAttrsToList (n: v: {
      dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.scenari;
    # The sympa daemons need the "keys" group to reach the secret files
    # (presumably the secrets directory is group-owned by "keys" -- verify
    # against the secrets module).  The group is set both on the user and on
    # every upstream sympa-* unit's SupplementaryGroups so the unit processes
    # actually carry it.
    users.users.sympa.extraGroups = [ "keys" ];
    systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];

    # https://github.com/NixOS/nixpkgs/pull/84202
    # Force off two sandbox options on every upstream sympa-* unit.  The PR
    # above is the stated reason and cannot be verified from this file, so
    # treat these as a workaround that widens the sandbox: systemd no longer
    # masks kernel-module loading nor makes /proc/sys and /sys read-only for
    # these units.  Re-check whether the override is still needed on upgrade.
    systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;

    # FastCGI wrapper for the web UI.  The unit has no User=, so spawn-fcgi
    # starts as root and drops to sympa:sympa (-u/-g) before exec'ing
    # wwsympa.fcgi; -F 2 forks two workers.  The socket is owned by the Apache
    # user (-U wwwrun) with mode 0600 (-M), so only Apache can connect to it.
    # Ordered after sympa.service but not Requires= it, so this unit is neither
    # pulled in nor stopped with the core daemon.  Sandboxing is limited to
    # ProtectHome/ProtectSystem=full/ProtectControlGroups -- no PrivateTmp,
    # NoNewPrivileges or ProtectKernel* here, and the pre-drop phase runs as root.
    systemd.services.wwsympa = {
      wantedBy = [ "multi-user.target" ];
      after = [ "sympa.service" ];
      serviceConfig = {
        Type = "forking";
        PIDFile = "/run/sympa/wwsympa.pid";
        Restart = "always";
        ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
          -u sympa \
          -g sympa \
          -U wwwrun \
          -M 0600 \
          -F 2 \
          -P /run/sympa/wwsympa.pid \
          -s /run/sympa/wwsympa.socket \
          -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
        '';
        StateDirectory = "sympa";
        ProtectHome = true;
        ProtectSystem = "full";
        ProtectControlGroups = true;
      };
    };

    services.postfix = {
      # Static maps installed under /etc/postfix.  The "relay list" mentioned
      # in the original comment below lives outside this file.
      mapFiles = {
        # Update relay list when changing one of those
        # virtual.sympa: the -request/-owner robot addresses of the list domain
        # are redirected to the human postmaster.
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
          sympa-request@${domain} postmaster@immae.eu
          sympa-owner@${domain} postmaster@immae.eu
        '';
        # transport.sympa: the bare-domain entry is a catch-all that rejects any
        # address in the domain not matched by a more specific key (this relies
        # on Postfix looking up the full address before the bare domain), so
        # only the robots listed here plus the lists in Sympa's generated map
        # are deliverable.  "sympa:" and "sympabounce:" refer to the master.cf
        # pipe services defined in masterConfig below.
        sympa_transport = pkgs.writeText "transport.sympa" ''
          ${domain} error:User unknown in recipient table
          sympa@${domain} sympa:sympa@${domain}
          listmaster@${domain} sympa:listmaster@${domain}
          bounce@${domain} sympabounce:sympa@${domain}
          abuse-feedback-report@${domain} sympabounce:sympa@${domain}
        '';
      };
      config = {
        # Two transport maps: the static one above, then the one Sympa itself
        # regenerates in its state directory (sendmail_aliases/aliases_program
        # below).  Postfix consults that second file -- written by the sympa
        # user -- for every recipient it routes, so by design a compromised
        # Sympa process could add routing entries beyond its own domain.
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        # The same maps are also listed as mailbox maps, presumably so Postfix
        # accepts list and robot addresses as valid recipients at SMTP time --
        # depends on the rest of the Postfix configuration, not visible here.
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      # master.cf pipe transports handing mail to Sympa's queue programs.  Both
      # run privileged and un-chrooted, as pipe(8) needs in order to switch to
      # user=sympa.  "\${nexthop}" is escaped so Postfix, not Nix, expands it:
      # the robot address from the transport map is passed as the queue
      # program's argument.  For flags=hqRu see pipe(8).
      masterConfig = {
        sympa = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/queue"
            "\${nexthop}"
          ];
        };
        sympabounce = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/bouncequeue"
            "\${nexthop}"
          ];
        };
      };
    };
    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      # The web UI for this domain is reached on mail.immae.eu under /sympa --
      # the same location the Apache fragment above proxies.
      domains = {
        "${domain}" = {
          webHost = "mail.immae.eu";
          webLocation = "/sympa";
        };
      };

      # PostgreSQL over the local socket.  The password is read from the
      # secret file at runtime rather than embedded in the generated sympa.conf;
      # the database itself is provisioned elsewhere (createLocally = false).
      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      settings = {
        # Outgoing mail goes through the setuid sendmail wrapper.
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        # Sympa maintains its own Postfix transport map at this path and
        # rebuilds the hash with postmap; it is the second transport_maps
        # entry above.
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
      };
      # Disable the module's own Postfix map files (replaced by mapFiles above)
      # and point the per-domain data_sources/scenari entries at the secret
      # files so their contents come from the secrets mechanism.
      settingsFile = {
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/data_sources/${n}.incl"
        { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
      // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/scenari/${n}"
        { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA integration are done by hand above, so the module's
      # built-in Apache/Nginx and Postfix wiring is turned off.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}
194 | } |