]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/mail/sympa.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add chatons infos
[perso/Immae/Config/Nix.git] / modules / private / mail / sympa.nix
1 { lib, pkgs, config, ... }:
2 let
3 domain = "lists.immae.eu";
4 sympaConfig = config.myEnv.mail.sympa;
5 in
6 {
7 config = lib.mkIf config.myServices.mail.enable {
8 myServices.chatonsProperties.services.sympa = {
9 file.datetime = "2022-08-22T00:50:00";
10 service = {
11 name = "Sympa";
12 description = "Mailing lists service";
13 website = "https://mail.immae.eu/sympa";
14 logo = "https://mail.immae.eu/static-sympa/icons/favicon_sympa.png";
15 status.level = "OK";
16 status.description = "OK";
17 registration."" = ["MEMBER" "CLIENT"];
18 registration.load = "OPEN";
19 install.type = "PACKAGE";
20 };
21 software = {
22 name = "Sympa";
23 website = "https://www.sympa.org/";
24 license.url = "https://github.com/sympa-community/sympa/blob/sympa-6.2/COPYING";
25 license.name = "GNU General Public License v2.0";
26 version = pkgs.sympa.version;
27 source.url = "https://github.com/sympa-community/sympa/";
28 };
29 };
30 myServices.databases.postgresql.authorizedHosts = {
31 backup-2 = [
32 {
33 username = "sympa";
34 database = "sympa";
35 ip4 = config.myEnv.servers.backup-2.ips.main.ip4;
36 ip6 = map (v: "${v}/128") config.myEnv.servers.backup-2.ips.main.ip6;
37 }
38 ];
39 };
40 services.websites.env.tools.vhostConfs.mail = {
41 extraConfig = lib.mkAfter [
42 ''
43 Alias /static-sympa/ /var/lib/sympa/static_content/
44 <Directory /var/lib/sympa/static_content/>
45 Require all granted
46 AllowOverride none
47 </Directory>
48 <Location /sympa>
49 SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
50 Require all granted
51 </Location>
52 ''
53 ];
54 };
55
56 secrets.keys = {
57 "sympa/db_password" = {
58 permissions = "0400";
59 group = "sympa";
60 user = "sympa";
61 text = sympaConfig.postgresql.password;
62 };
63 }
64 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
65 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
66 }) sympaConfig.data_sources
67 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
68 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
69 }) sympaConfig.scenari;
70 users.users.sympa.extraGroups = [ "keys" ];
71 systemd.slices.mail-sympa = {
72 description = "Sympa slice";
73 };
74
75 systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
76 systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
77 systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
78 systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
79 systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
80
81 systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
82 systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
83 systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
84 systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
85 systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
86
87 # https://github.com/NixOS/nixpkgs/pull/84202
88 systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
89 systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
90 systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
91 systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
92 systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
93 systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
94 systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
95 systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
96 systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
97 systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
98
99 systemd.services.wwsympa = {
100 wantedBy = [ "multi-user.target" ];
101 after = [ "sympa.service" ];
102 serviceConfig = {
103 Slice = "mail-sympa.slice";
104 Type = "forking";
105 PIDFile = "/run/sympa/wwsympa.pid";
106 Restart = "always";
107 ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
108 -u sympa \
109 -g sympa \
110 -U wwwrun \
111 -M 0600 \
112 -F 2 \
113 -P /run/sympa/wwsympa.pid \
114 -s /run/sympa/wwsympa.socket \
115 -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
116 '';
117 StateDirectory = "sympa";
118 ProtectHome = true;
119 ProtectSystem = "full";
120 ProtectControlGroups = true;
121 };
122 };
123
124 services.postfix = {
125 mapFiles = {
126 # Update relay list when changing one of those
127 sympa_virtual = pkgs.writeText "virtual.sympa" ''
128 sympa-request@${domain} postmaster@immae.eu
129 sympa-owner@${domain} postmaster@immae.eu
130
131 sympa-request@cip-ca.fr postmaster@immae.eu
132 sympa-owner@cip-ca.fr postmaster@immae.eu
133 '';
134 sympa_transport = pkgs.writeText "transport.sympa" ''
135 ${domain} error:User unknown in recipient table
136 sympa@${domain} sympa:sympa@${domain}
137 listmaster@${domain} sympa:listmaster@${domain}
138 bounce@${domain} sympabounce:sympa@${domain}
139 abuse-feedback-report@${domain} sympabounce:sympa@${domain}
140
141 sympa@cip-ca.fr sympa:sympa@cip-ca.fr
142 listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
143 bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
144 abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
145 '';
146 };
147 config = {
148 transport_maps = lib.mkAfter [
149 "hash:/etc/postfix/sympa_transport"
150 "hash:/var/lib/sympa/sympa_transport"
151 ];
152 virtual_alias_maps = lib.mkAfter [
153 "hash:/etc/postfix/sympa_virtual"
154 ];
155 virtual_mailbox_maps = lib.mkAfter [
156 "hash:/etc/postfix/sympa_transport"
157 "hash:/var/lib/sympa/sympa_transport"
158 "hash:/etc/postfix/sympa_virtual"
159 ];
160 };
161 masterConfig = {
162 sympa = {
163 type = "unix";
164 privileged = true;
165 chroot = false;
166 command = "pipe";
167 args = [
168 "flags=hqRu"
169 "user=sympa"
170 "argv=${pkgs.sympa}/libexec/queue"
171 "\${nexthop}"
172 ];
173 };
174 sympabounce = {
175 type = "unix";
176 privileged = true;
177 chroot = false;
178 command = "pipe";
179 args = [
180 "flags=hqRu"
181 "user=sympa"
182 "argv=${pkgs.sympa}/libexec/bouncequeue"
183 "\${nexthop}"
184 ];
185 };
186 };
187 };
188 services.sympa = {
189 enable = true;
190 listMasters = sympaConfig.listmasters;
191 mainDomain = domain;
192 domains = {
193 "${domain}" = {
194 webHost = "mail.immae.eu";
195 webLocation = "/sympa";
196 };
197 "cip-ca.fr" = {
198 webHost = "mail.cip-ca.fr";
199 webLocation = "/sympa";
200 };
201 };
202
203 database = {
204 type = "PostgreSQL";
205 user = sympaConfig.postgresql.user;
206 host = sympaConfig.postgresql.socket;
207 name = sympaConfig.postgresql.database;
208 passwordFile = config.secrets.fullPaths."sympa/db_password";
209 createLocally = false;
210 };
211 settings = {
212 sendmail = "/run/wrappers/bin/sendmail";
213 log_smtp = "on";
214 sendmail_aliases = "/var/lib/sympa/sympa_transport";
215 aliases_program = "${pkgs.postfix}/bin/postmap";
216 create_list = "listmaster";
217 };
218 settingsFile = {
219 "virtual.sympa".enable = false;
220 "transport.sympa".enable = false;
221 } // lib.mapAttrs' (n: v: lib.nameValuePair
222 "etc/${domain}/data_sources/${n}.incl"
223 { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
224 // lib.mapAttrs' (n: v: lib.nameValuePair
225 "etc/${domain}/scenari/${n}"
226 { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
227 web = {
228 server = "none";
229 };
230
231 mta = {
232 type = "none";
233 };
234 };
235 };
236 }
My infrastructure configuration