# NixOS module fragment that wires the Sympa mailing-list manager into this host's mail setup.
# NOTE(review): this listing is an excerpt. The number at the start of each line is the original
# file line; the gaps between numbers are lines that are not shown here.
1 { lib, pkgs, config, ... }:
# Mail domain handled by Sympa; interpolated into the Postfix maps and the etc/ paths further down.
3 domain = "lists.immae.eu";
# Host-specific Sympa settings read from config.myEnv (database credentials, data sources,
# scenari and listmasters are taken from it below).
4 sympaConfig = config.myEnv.mail.sympa;
# Everything in this attribute set is applied only when the mail service is enabled.
7 config = lib.mkIf config.myServices.mail.enable {
# PostgreSQL host authorization using the main IPv4/IPv6 addresses of the backup-2 server.
# ip4 is wrapped in a list while ip6 is passed through unchanged (presumably already a list).
# NOTE(review): the entry name, database/user scope and auth method are on lines not shown;
# confirm the rule is limited to what backup-2 actually needs.
8 myServices.databases.postgresql.authorizedHosts = {
13 ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
14 ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
# Backup profile rooted at /var/lib/sympa.
18 services.duplyBackup.profiles.sympa = {
19 rootDir = "/var/lib/sympa";
# Apache vhost additions, appended after other extraConfig entries (lib.mkAfter): static files are
# served from /var/lib/sympa/static_content/ and a handler proxies to the wwsympa FastCGI unix socket.
# NOTE(review): the access rules inside <Directory> and the location the SetHandler applies to
# are on lines not shown.
21 services.websites.env.tools.vhostConfs.mail = {
22 extraConfig = lib.mkAfter [
24 Alias /static-sympa/ /var/lib/sympa/static_content/
25 <Directory /var/lib/sympa/static_content/>
30 SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
# Secret file carrying the PostgreSQL password taken from sympaConfig.
# NOTE(review): owner and permissions of this entry are on lines not shown; confirm they are as
# restrictive as the 0400 sympa:sympa used for the generated entries below.
39 dest = "sympa/db_password";
43 text = sympaConfig.postgresql.password;
# One secret file per data source (name n, content v), mode 0400 and owned by sympa:sympa,
# i.e. readable by the sympa user only.
46 ++ lib.mapAttrsToList (n: v: {
47 dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
48 }) sympaConfig.data_sources
# Same treatment for each scenari file.
49 ++ lib.mapAttrsToList (n: v: {
50 dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
51 }) sympaConfig.scenari;
# The sympa account gets "keys" as an extra group; the five Sympa units get the same group through
# SupplementaryGroups further down.
# NOTE(review): presumably this is what lets them traverse the directory holding the secret files
# declared in this module; confirm against the secrets module.
52 users.users.sympa.extraGroups = [ "keys" ];
# Dedicated systemd slice for the Sympa units. Any resource settings for the slice are on lines
# not shown.
53 systemd.slices.mail-sympa = {
54 description = "Sympa slice";
57 systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
58 systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
59 systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
60 systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
61 systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
# Place every Sympa unit in the slice defined above.
63 systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
64 systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
65 systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
66 systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
67 systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
# Hardening override: lib.mkForce false turns ProtectKernelModules and ProtectKernelTunables off
# for all five units, taking precedence over any value set elsewhere at normal priority.
# The linked pull request is the only justification given here.
# NOTE(review): systemd implies NoNewPrivileges=yes when either option is enabled on a unit
# without CAP_SYS_ADMIN, which would likely break the /run/wrappers/bin/sendmail wrapper this
# file configures for Sympa. Confirm that this is the motivation, and remove the override once
# the pinned nixpkgs no longer needs it, since it weakens the units' sandboxing.
69 # https://github.com/NixOS/nixpkgs/pull/84202
70 systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
71 systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
72 systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
73 systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
74 systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
75 systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
76 systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
77 systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
78 systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
79 systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
# FastCGI front end for the Sympa web interface (wwsympa.fcgi), started at boot through
# spawn-fcgi and ordered after sympa.service.
81 systemd.services.wwsympa = {
82 wantedBy = [ "multi-user.target" ];
83 after = [ "sympa.service" ];
# Runs in the same slice as the other Sympa units.
85 Slice = "mail-sympa.slice";
87 PIDFile = "/run/sympa/wwsympa.pid";
# spawn-fcgi writes its PID file and listens on a unix socket under /run/sympa; the Apache vhost
# in this file proxies to that socket.
# NOTE(review): the spawn-fcgi options on the lines not shown (90-94) presumably set the user,
# group and socket mode; confirm that only the web server can connect to the socket.
89 ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
95 -P /run/sympa/wwsympa.pid \
96 -s /run/sympa/wwsympa.socket \
97 -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
99 StateDirectory = "sympa";
# Sandboxing: ProtectSystem = "full" makes /usr, the boot loader directories and /etc read-only
# for this unit; ProtectControlGroups makes the cgroup hierarchy read-only.
# NOTE(review): other hardening options of this unit, if any, are on lines not shown.
101 ProtectSystem = "full";
102 ProtectControlGroups = true;
108 # Update relay list when changing one of those
# Two Postfix lookup tables follow.
# sympa_virtual forwards the sympa-request and sympa-owner role addresses of both domains to
# postmaster@immae.eu.
# sympa_transport routes the sympa and listmaster addresses to the "sympa" transport and the
# bounce and abuse-feedback-report addresses to the "sympabounce" transport, for both domains.
# Its bare ${domain} entry sends that domain to the error transport ("User unknown in recipient
# table"), which presumably applies to addresses that have no more specific entry.
# NOTE(review): among the lines shown, only ${domain} has such a fallback; whether cip-ca.fr has
# one is not visible here.
109 sympa_virtual = pkgs.writeText "virtual.sympa" ''
110 sympa-request@${domain} postmaster@immae.eu
111 sympa-owner@${domain} postmaster@immae.eu
113 sympa-request@cip-ca.fr postmaster@immae.eu
114 sympa-owner@cip-ca.fr postmaster@immae.eu
116 sympa_transport = pkgs.writeText "transport.sympa" ''
117 ${domain} error:User unknown in recipient table
118 sympa@${domain} sympa:sympa@${domain}
119 listmaster@${domain} sympa:listmaster@${domain}
120 bounce@${domain} sympabounce:sympa@${domain}
121 abuse-feedback-report@${domain} sympabounce:sympa@${domain}
123 sympa@cip-ca.fr sympa:sympa@cip-ca.fr
124 listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
125 bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
126 abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
# Postfix map settings; lib.mkAfter appends these entries after maps defined elsewhere.
# transport_maps and virtual_mailbox_maps read two tables: the static one under /etc/postfix and
# /var/lib/sympa/sympa_transport, which this file also gives to Sympa as its sendmail_aliases
# file (rebuilt with postmap).
# NOTE(review): that second table lives in Sympa's state directory, so whoever can write there
# influences mail routing and recipient validation; keep write access limited to the sympa user.
130 transport_maps = lib.mkAfter [
131 "hash:/etc/postfix/sympa_transport"
132 "hash:/var/lib/sympa/sympa_transport"
134 virtual_alias_maps = lib.mkAfter [
135 "hash:/etc/postfix/sympa_virtual"
137 virtual_mailbox_maps = lib.mkAfter [
138 "hash:/etc/postfix/sympa_transport"
139 "hash:/var/lib/sympa/sympa_transport"
140 "hash:/etc/postfix/sympa_virtual"
# Programs that receive mail for Sympa: queue and bouncequeue from the sympa package.
# NOTE(review): presumably these are the argv of the pipe transports named sympa and sympabounce
# used in the transport table; the user= and flags= of those entries are on lines not shown.
152 "argv=${pkgs.sympa}/libexec/queue"
164 "argv=${pkgs.sympa}/libexec/bouncequeue"
# Listmaster addresses come from the host-specific configuration.
172 listMasters = sympaConfig.listmasters;
# Two web endpoints, both under /sympa (presumably one per mail domain; the enclosing attribute
# names are on lines not shown).
176 webHost = "mail.immae.eu";
177 webLocation = "/sympa";
180 webHost = "mail.cip-ca.fr";
181 webLocation = "/sympa";
# Database connection: user, database name and host come from sympaConfig, where host is filled
# from the "socket" setting. The password is referenced by file path (the sympa/db_password
# secret) instead of being written inline here, and createLocally = false leaves database
# creation to something other than this option.
187 user = sympaConfig.postgresql.user;
188 host = sympaConfig.postgresql.socket;
189 name = sympaConfig.postgresql.database;
190 passwordFile = config.secrets.fullPaths."sympa/db_password";
191 createLocally = false;
# Outgoing mail goes through the sendmail wrapper in /run/wrappers/bin.
194 sendmail = "/run/wrappers/bin/sendmail";
# Sympa maintains its list addresses in /var/lib/sympa/sympa_transport and rebuilds the lookup
# table with postmap; Postfix reads the same file as a transport table.
196 sendmail_aliases = "/var/lib/sympa/sympa_transport";
197 aliases_program = "${pkgs.postfix}/bin/postmap";
# Disable the "virtual.sympa" and "transport.sympa" entries.
# NOTE(review): presumably these are module-generated files replaced by the hand-written Postfix
# tables in this file; confirm against the sympa module.
200 "virtual.sympa".enable = false;
201 "transport.sympa".enable = false;
# Merge in one entry per data source and per scenari file under etc/${domain}/. Each entry
# points at the deployed secret file by path (source = ...) and does not repeat its content.
202 } // lib.mapAttrs' (n: v: lib.nameValuePair
203 "etc/${domain}/data_sources/${n}.incl"
204 { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
205 // lib.mapAttrs' (n: v: lib.nameValuePair
206 "etc/${domain}/scenari/${n}"
207 { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;