X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fpostfix.nix;h=f8f86f6fea521b87be331b5d00b0a9e875ea21de;hb=ab8f306d7c2c49b8116e1af7b355ed2384617ed9;hp=dfe6129af9ef847db361a819a69ec8b96f833388;hpb=afcc5de071dfffdc507995d1845372ba40dc1dc2;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index dfe6129..f8f86f6 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,234 +1,327 @@
-{ lib, pkgs, config, myconfig,  ... }:
+{ lib, pkgs, config, ... }:
 {
-  config.secrets.keys = [
-    {
-      dest = "postfix/mysql_alias_maps";
-      user = config.services.postfix.user;
-      group = config.services.postfix.group;
-      permissions = "0440";
-      text = ''
-        # We need to specify that option to trigger ssl connection
-        tls_ciphers = TLSv1.2
-        user = ${myconfig.env.mail.postfix.mysql.user}
-        password = ${myconfig.env.mail.postfix.mysql.password}
-        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
-        dbname = ${myconfig.env.mail.postfix.mysql.database}
-        query = SELECT DISTINCT destination
-          FROM forwardings_merge
-          WHERE
-            ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
-            AND active = 1
-            AND '%s' NOT IN
-            (
-              SELECT source
+  config = lib.mkIf config.myServices.mail.enable {
+    services.duplyBackup.profiles.mail.excludeFile = ''
+      + /var/lib/postfix
+      '';
+    secrets.keys = [
+      {
+        dest = "postfix/mysql_alias_maps";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+          query = SELECT DISTINCT destination
+            FROM forwardings_merge
+            WHERE
+              ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
+              AND active = 1
+              AND '%s' NOT IN
+              (
+                SELECT source
+                FROM forwardings_blacklisted
+                WHERE source = '%s'
+              ) UNION
+              SELECT 'devnull@immae.eu'
               FROM forwardings_blacklisted
               WHERE source = '%s'
-            ) UNION
-            SELECT 'devnull@immae.eu'
-            FROM forwardings_blacklisted
-            WHERE source = '%s'
-        '';
-    }
-    {
-      dest = "postfix/mysql_mailbox_maps";
-      user = config.services.postfix.user;
-      group = config.services.postfix.group;
-      permissions = "0440";
-      text = ''
-        # We need to specify that option to trigger ssl connection
-        tls_ciphers = TLSv1.2
-        user = ${myconfig.env.mail.postfix.mysql.user}
-        password = ${myconfig.env.mail.postfix.mysql.password}
-        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
-        dbname = ${myconfig.env.mail.postfix.mysql.database}
-        result_format = /%d/%u
-        query = SELECT DISTINCT '%s'
-          FROM mailboxes
-          WHERE active = 1
-          AND (
-            (domain = '%d' AND user = '%u' AND regex = 0)
-            OR (
-              regex = 1
-              AND '%d' REGEXP CONCAT('^',domain,'$')
-              AND '%u' REGEXP CONCAT('^',user,'$')
+          '';
+      }
+      {
+        dest = "postfix/mysql_mailbox_maps";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+          result_format = /%d/%u
+          query = SELECT DISTINCT '%s'
+            FROM mailboxes
+            WHERE active = 1
+            AND (
+              (domain = '%d' AND user = '%u' AND regex = 0)
+              OR (
+                regex = 1
+                AND '%d' REGEXP CONCAT('^',domain,'$')
+                AND '%u' REGEXP CONCAT('^',user,'$')
+              )
             )
-          )
-          LIMIT 1
-      '';
-    }
-    {
-      dest = "postfix/mysql_sender_login_maps";
-      user = config.services.postfix.user;
-      group = config.services.postfix.group;
-      permissions = "0440";
-      text = ''
-        # We need to specify that option to trigger ssl connection
-        tls_ciphers = TLSv1.2
-        user = ${myconfig.env.mail.postfix.mysql.user}
-        password = ${myconfig.env.mail.postfix.mysql.password}
-        hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
-        dbname = ${myconfig.env.mail.postfix.mysql.database}
-        query = SELECT DISTINCT destination
-          FROM forwardings_merge
-          WHERE
-            ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
-            AND active = 1
+            LIMIT 1
         '';
-    }
-  ];
+      }
+      {
+        dest = "postfix/mysql_sender_login_maps";
+        user = config.services.postfix.user;
+        group = config.services.postfix.group;
+        permissions = "0440";
+        text = ''
+          # We need to specify that option to trigger ssl connection
+          tls_ciphers = TLSv1.2
+          user = ${config.myEnv.mail.postfix.mysql.user}
+          password = ${config.myEnv.mail.postfix.mysql.password}
+          hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+          dbname = ${config.myEnv.mail.postfix.mysql.database}
+          query = SELECT DISTINCT destination
+            FROM forwardings_merge
+            WHERE
+              ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
+              AND active = 1
+            UNION SELECT '%s' AS destination
+          '';
+      }
+    ];
 
-  config.networking.firewall.allowedTCPPorts = [ 25 587 ];
+    networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
-  config.nixpkgs.overlays = [ (self: super: {
-    postfix = super.postfix.override { withMySQL = true; };
-  }) ];
-  config.users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
-  config.services.filesWatcher.postfix = {
-    restart = true;
-    paths = [
-      config.secrets.fullPaths."postfix/mysql_alias_maps"
-      config.secrets.fullPaths."postfix/mysql_mailbox_maps"
-      config.secrets.fullPaths."postfix/mysql_sender_login_maps"
-    ];
-  };
-  config.services.postfix = {
-    mapFiles = let
-      name = n: i: "relay_${n}_${toString i}";
-      pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
-        if m.type == "hash"
-        then pkgs.writeText (name n i) m.content
-        else null
-      );
-      pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
-    in
-      lib.attrsets.filterAttrs (k: v: v != null) (
-        lib.attrsets.listToAttrs (lib.flatten (
-          lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
-        ))
-      );
-    config = {
-      ### postfix module overrides
-      readme_directory = "${pkgs.postfix}/share/postfix/doc";
-      smtp_tls_CAfile = lib.mkForce "";
-      smtp_tls_cert_file = lib.mkForce "";
-      smtp_tls_key_file = lib.mkForce "";
+    nixpkgs.overlays = [ (self: super: {
+      postfix = super.postfix.override { withMySQL = true; };
+    }) ];
+    users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
+    services.filesWatcher.postfix = {
+      restart = true;
+      paths = [
+        config.secrets.fullPaths."postfix/mysql_alias_maps"
+        config.secrets.fullPaths."postfix/mysql_mailbox_maps"
+        config.secrets.fullPaths."postfix/mysql_sender_login_maps"
+      ];
+    };
+    services.postfix = {
+      extraAliases = let
+        toScript = name: script: pkgs.writeScript name ''
+          #! ${pkgs.stdenv.shell}
+          mail=$(${pkgs.coreutils}/bin/cat -)
+          output=$(echo "$mail" | ${script} 2>&1)
+          ret=$?
+
+          if [ "$ret" != "0" ]; then
+            echo "$mail" \
+              | ${pkgs.procmail}/bin/formail -i "X-Return-Code: $ret" \
+              | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
 
-      message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
-      alias_database = "\$alias_maps";
+          messageId=$(echo "$mail" | ${pkgs.procmail}/bin/formail -x "Message-Id:")
+          repeat=$(echo "$mail" | ${pkgs.procmail}/bin/formail -X "From:" -X "Received:")
 
-      ### Virtual mailboxes config
-      virtual_alias_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
-      virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
-       ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
-          (zone: map
-            (e: if e.receive
-            then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
+          ${pkgs.coreutils}/bin/cat <<EOF | /run/wrappers/bin/sendmail -i scripts_error+${name}@mail.immae.eu
+          $repeat
+          To: scripts_error+${name}@mail.immae.eu
+          Subject: Log from script error
+          Content-Type: text/plain; charset="UTF-8"
+          Content-Transfer-Encoding: 8bit
+          References:$messageId
+          MIME-Version: 1.0
+          X-Return-Code: $ret
+
+          Error code: $ret
+          Output of message:
+          --------------
+          $output
+          --------------
+          EOF
+          fi
+          '';
+        scripts = lib.attrsets.mapAttrs (n: v:
+          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+        ) config.myEnv.mail.scripts;
+      in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
+      mapFiles = let
+        recipient_maps = let
+          name = n: i: "relay_${n}_${toString i}";
+          pair = n: i: m: lib.attrsets.nameValuePair (name n i) (
+            if m.type == "hash"
+            then pkgs.writeText (name n i) m.content
             else null
+          );
+          pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
+        in lib.attrsets.filterAttrs (k: v: v != null) (
+          lib.attrsets.listToAttrs (lib.flatten (
+            lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
+          ))
+        );
+        relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
+          lib.attrsets.mapAttrs' (n: v:
+            lib.attrsets.nameValuePair "recipient_access_${n}" (
+              if lib.attrsets.hasAttr "relay_restrictions" v
+              then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
+              else null
+            )
+          ) config.myEnv.mail.postfix.backup_domains
+        );
+        virtual_map = {
+          virtual = pkgs.writeText "postfix-virtual" (
+            builtins.concatStringsSep "\n" (
+              lib.attrsets.mapAttrsToList (
+                n: v: ''
+                  script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
+                ''
+              ) config.myEnv.mail.scripts
             )
-            (zone.withEmail or [])
-          )
-          myconfig.env.dns.masterZones
-        )));
-      virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
-      dovecot_destination_recipient_limit = "1";
-      virtual_transport = "dovecot";
+          );
+        };
+      in
+        recipient_maps // relay_restrictions // virtual_map;
+      config = {
+        ### postfix module overrides
+        readme_directory = "${pkgs.postfix}/share/postfix/doc";
+        smtp_tls_CAfile = lib.mkForce "";
+        smtp_tls_cert_file = lib.mkForce "";
+        smtp_tls_key_file = lib.mkForce "";
 
-      ### Relay domains
-      relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
-      relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
-        lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
-      ) myconfig.env.mail.postfix.backup_domains);
+        message_size_limit = "1073741824"; # Don't put 0 here, it's not equivalent to "unlimited"
+        mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
+        alias_database = "\$alias_maps";
 
-      ### Additional smtpd configuration
-      smtpd_tls_received_header = "yes";
-      smtpd_tls_loglevel = "1";
+        ### Virtual mailboxes config
+        virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
+        virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
+        ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
+            (zone: map
+              (e: if e.receive
+              then "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}"
+              else null
+              )
+              (zone.withEmail or [])
+            )
+            config.myEnv.dns.masterZones
+          )));
+        virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+        dovecot_destination_recipient_limit = "1";
+        virtual_transport = "dovecot";
 
-      ### Email sending configuration
-      smtp_tls_security_level = "may";
-      smtp_tls_loglevel = "1";
+        ### Relay domains
+        relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
+        relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+          lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
+        ) config.myEnv.mail.postfix.backup_domains);
+        smtpd_relay_restrictions = [
+          "permit_mynetworks"
+          "permit_sasl_authenticated"
+          "defer_unauth_destination"
+        ] ++ lib.flatten (lib.attrsets.mapAttrsToList (n: v:
+          if lib.attrsets.hasAttr "relay_restrictions" v
+          then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
+          else []
+        ) config.myEnv.mail.postfix.backup_domains);
 
-      ### Force ip bind for smtp
-      smtp_bind_address  = myconfig.env.servers.eldiron.ips.main.ip4;
-      smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
+        ### Additional smtpd configuration
+        smtpd_tls_received_header = "yes";
+        smtpd_tls_loglevel = "1";
 
-      # #Unneeded if postfix can only send e-mail from "self" domains
-      # #smtp_sasl_auth_enable = "yes";
-      # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
-      # #smtp_sasl_security_options = "noanonymous";
-      # #smtp_sender_dependent_authentication = "yes";
-      # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+        ### Email sending configuration
+        smtp_tls_security_level = "may";
+        smtp_tls_loglevel = "1";
 
-      ### opendkim, opendmarc, openarc milters
-      non_smtpd_milters = [
-        "unix:${config.myServices.mail.milters.sockets.opendkim}"
-        "unix:${config.myServices.mail.milters.sockets.opendmarc}"
-        "unix:${config.myServices.mail.milters.sockets.openarc}"
-      ];
-      smtpd_milters = [
-        "unix:${config.myServices.mail.milters.sockets.opendkim}"
-        "unix:${config.myServices.mail.milters.sockets.opendmarc}"
-        "unix:${config.myServices.mail.milters.sockets.openarc}"
-      ];
-    };
-    enable = true;
-    enableSmtp = true;
-    enableSubmission = true;
-    submissionOptions = {
-      smtpd_tls_security_level = "encrypt";
-      smtpd_sasl_auth_enable = "yes";
-      smtpd_tls_auth_only = "yes";
-      smtpd_sasl_tls_security_options = "noanonymous";
-      smtpd_sasl_type = "dovecot";
-      smtpd_sasl_path = "private/auth";
-      smtpd_reject_unlisted_recipient = "no";
-      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
-      # Refuse to send e-mails with a From that is not handled
-      smtpd_sender_restrictions =
-        "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
-      smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
-      smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
-      milter_macro_daemon_name = "ORIGINATING";
-      smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
-    };
-    # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
-    # prioritized MX, which provokes "mail for localhost.immae.eu loops
-    # back to myself" errors. This transport entry forces to push
-    # e-mails to its right destination.
-    transport = ''
-      localhost.immae.eu   smtp:[immae.eu]:25
-      '';
-    destination = ["localhost"];
-    # This needs to reverse DNS
-    hostname = "eldiron.immae.eu";
-    setSendmail = true;
-    sslCert = "/var/lib/acme/mail/fullchain.pem";
-    sslKey = "/var/lib/acme/mail/key.pem";
-    recipientDelimiter = "+";
-    masterConfig = {
-      dovecot = {
-        type = "unix";
-        privileged = true;
-        chroot = false;
-        command = "pipe";
-        args = let
-          # rspamd could be used as a milter, but then it cannot apply
-          # its checks "per user" (milter is not yet dispatched to
-          # users), so we wrap dovecot-lda inside rspamc per recipient
-          # here.
-          dovecot_exe = "${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f \${sender} -a \${original_recipient} -d \${user}@\${nexthop}";
-        in [
-          "flags=DRhu" "user=vhost:vhost"
-          "argv=${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d \${user}@\${nexthop} --mime --exec {${dovecot_exe}}"
+        ### Force ip bind for smtp
+        smtp_bind_address  = config.myEnv.servers.eldiron.ips.main.ip4;
+        smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
+
+        # #Unneeded if postfix can only send e-mail from "self" domains
+        # #smtp_sasl_auth_enable = "yes";
+        # #smtp_sasl_password_maps = "hash:/etc/postfix/relay_creds";
+        # #smtp_sasl_security_options = "noanonymous";
+        # #smtp_sender_dependent_authentication = "yes";
+        # #sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+
+        ### opendkim, opendmarc, openarc milters
+        non_smtpd_milters = [
+          "unix:${config.myServices.mail.milters.sockets.opendkim}"
+          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
+          "unix:${config.myServices.mail.milters.sockets.openarc}"
+        ];
+        smtpd_milters = [
+          "unix:${config.myServices.mail.milters.sockets.opendkim}"
+          "unix:${config.myServices.mail.milters.sockets.opendmarc}"
+          "unix:${config.myServices.mail.milters.sockets.openarc}"
         ];
       };
+      enable = true;
+      enableSmtp = true;
+      enableSubmission = true;
+      submissionOptions = {
+        smtpd_tls_security_level = "encrypt";
+        smtpd_sasl_auth_enable = "yes";
+        smtpd_tls_auth_only = "yes";
+        smtpd_sasl_tls_security_options = "noanonymous";
+        smtpd_sasl_type = "dovecot";
+        smtpd_sasl_path = "private/auth";
+        smtpd_reject_unlisted_recipient = "no";
+        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+        # Refuse to send e-mails with a From that is not handled
+        smtpd_sender_restrictions =
+          "reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenticated,reject";
+        smtpd_sender_login_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_sender_login_maps"}";
+        smtpd_recipient_restrictions = "permit_sasl_authenticated,reject";
+        milter_macro_daemon_name = "ORIGINATING";
+        smtpd_milters = "unix:${config.myServices.mail.milters.sockets.opendkim}";
+      };
+      # FIXME: Mail adressed to localhost.immae.eu will still have mx-1 as
+      # prioritized MX, which provokes "mail for localhost.immae.eu loops
+      # back to myself" errors. This transport entry forces to push
+      # e-mails to its right destination.
+      transport = ''
+        localhost.immae.eu   smtp:[immae.eu]:25
+        '';
+      destination = ["localhost"];
+      # This needs to reverse DNS
+      hostname = "eldiron.immae.eu";
+      setSendmail = true;
+      sslCert = "/var/lib/acme/mail/fullchain.pem";
+      sslKey = "/var/lib/acme/mail/key.pem";
+      recipientDelimiter = "+";
+      masterConfig = {
+        submissions = {
+          type = "inet";
+          private = false;
+          command = "smtpd";
+          args = ["-o" "smtpd_tls_wrappermode=yes" ] ++ (let
+            mkKeyVal = opt: val: [ "-o" (opt + "=" + val) ];
+          in lib.concatLists (lib.mapAttrsToList mkKeyVal config.services.postfix.submissionOptions)
+          );
+        };
+        dovecot = {
+          type = "unix";
+          privileged = true;
+          chroot = false;
+          command = "pipe";
+          args = let
+            # rspamd could be used as a milter, but then it cannot apply
+            # its checks "per user" (milter is not yet dispatched to
+            # users), so we wrap dovecot-lda inside rspamc per recipient
+            # here.
+            rspamc_dovecot = pkgs.writeScriptBin "rspamc_dovecot" ''
+              #! ${pkgs.stdenv.shell}
+              sender="$1"
+              original_recipient="$2"
+              user="$3"
+
+              ${pkgs.coreutils}/bin/cat - | \
+                (${pkgs.rspamd}/bin/rspamc -h ${config.myServices.mail.rspamd.sockets.worker-controller} -c bayes -d "$user" --mime || true) | \
+                ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
+              '';
+          in [
+            "flags=DRhu" "user=vhost:vhost"
+            "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
+          ];
+        };
+      };
     };
-  };
-  config.security.acme.certs."mail" = {
-    postRun = ''
-      systemctl restart postfix.service
-      '';
-    extraDomains = {
-      "smtp.immae.eu" = null;
+    security.acme.certs."mail" = {
+      postRun = ''
+        systemctl restart postfix.service
+        '';
+      extraDomains = {
+        "smtp.immae.eu" = null;
+      };
     };
   };
 }