hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
- FROM forwardings_merge
+ FROM forwardings
WHERE
((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
AND active = 1
hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
- FROM forwardings_merge
+ FROM forwardings
WHERE
(
(regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
alias_database = "\$alias_maps";
### Virtual mailboxes config
- virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+ virtual_alias_maps = [
+ "hash:/etc/postfix/virtual"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
+ "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
+ ];
virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
++ lib.remove null (lib.flatten (map
(zone: map
)
config.myEnv.dns.masterZones
));
- virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+ virtual_mailbox_maps = [
+ "hash:/etc/postfix/host_dummy_mailboxes"
+ "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"
+ ];
dovecot_destination_recipient_limit = "1";
virtual_transport = "dovecot";
--- /dev/null
+{ lib, pkgs, config, ... }:
+let
+ domain = "lists.immae.eu";
+ sympaConfig = config.myEnv.mail.sympa;
+in
+{
+ config = lib.mkIf config.myServices.mail.enable {
+ services.duplyBackup.profiles.sympa = {
+ rootDir = "/var/lib/sympa";
+ };
+ services.websites.env.tools.vhostConfs.mail = {
+ extraConfig = lib.mkAfter [
+ ''
+ Alias /static-sympa/ /var/lib/sympa/static_content/
+ <Directory /var/lib/sympa/static_content/>
+ Require all granted
+ AllowOverride none
+ </Directory>
+ <Location /sympa>
+ SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
+ Require all granted
+ </Location>
+ ''
+ ];
+ };
+
+ secrets.keys = [
+ {
+ dest = "sympa/db_password";
+ permissions = "0400";
+ group = "sympa";
+ user = "sympa";
+ text = sympaConfig.postgresql.password;
+ }
+ ]
+ ++ lib.mapAttrsToList (n: v: {
+ dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+ }) sympaConfig.data_sources
+ ++ lib.mapAttrsToList (n: v: {
+ dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+ }) sympaConfig.scenari;
+ users.users.sympa.extraGroups = [ "keys" ];
+ systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
+ systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
+ systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
+ systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
+ systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+ # https://github.com/NixOS/nixpkgs/pull/84202
+ systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
+ systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
+ systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
+ systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
+ systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
+ systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+ systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+ systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+ systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+ systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+
+ systemd.services.wwsympa = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "sympa.service" ];
+ serviceConfig = {
+ Type = "forking";
+ PIDFile = "/run/sympa/wwsympa.pid";
+ Restart = "always";
+ ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
+ -u sympa \
+ -g sympa \
+ -U wwwrun \
+ -M 0600 \
+ -F 2 \
+ -P /run/sympa/wwsympa.pid \
+ -s /run/sympa/wwsympa.socket \
+ -- ${pkgs.sympa}/bin/wwsympa.fcgi
+ '';
+ StateDirectory = "sympa";
+ ProtectHome = true;
+ ProtectSystem = "full";
+ ProtectControlGroups = true;
+ };
+ };
+
+ services.postfix = {
+ mapFiles = {
+ sympa_virtual = pkgs.writeText "virtual.sympa" ''
+ sympa-request@${domain} postmaster@immae.eu
+ sympa-owner@${domain} postmaster@immae.eu
+ '';
+ sympa_transport = pkgs.writeText "transport.sympa" ''
+ ${domain} error:User unknown in recipient table
+ sympa@${domain} sympa:sympa@${domain}
+ listmaster@${domain} sympa:listmaster@${domain}
+ bounce@${domain} sympabounce:sympa@${domain}
+ abuse-feedback-report@${domain} sympabounce:sympa@${domain}
+ '';
+ };
+ config = {
+ transport_maps = lib.mkAfter [
+ "hash:/etc/postfix/sympa_transport"
+ "hash:/var/lib/sympa/sympa_transport"
+ ];
+ virtual_alias_maps = lib.mkAfter [
+ "hash:/etc/postfix/sympa_virtual"
+ ];
+ virtual_mailbox_maps = lib.mkAfter [
+ "hash:/etc/postfix/sympa_transport"
+ "hash:/var/lib/sympa/sympa_transport"
+ "hash:/etc/postfix/sympa_virtual"
+ ];
+ };
+ masterConfig = {
+ sympa = {
+ type = "unix";
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [
+ "flags=hqRu"
+ "user=sympa"
+ "argv=${pkgs.sympa}/bin/queue"
+ "\${nexthop}"
+ ];
+ };
+ sympabounce = {
+ type = "unix";
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [
+ "flags=hqRu"
+ "user=sympa"
+ "argv=${pkgs.sympa}/bin/bouncequeue"
+ "\${nexthop}"
+ ];
+ };
+ };
+ };
+ services.sympa = {
+ enable = true;
+ listMasters = sympaConfig.listmasters;
+ mainDomain = domain;
+ domains = {
+ "${domain}" = {
+ webHost = "mail.immae.eu";
+ webLocation = "/sympa";
+ };
+ };
+
+ database = {
+ type = "PostgreSQL";
+ user = sympaConfig.postgresql.user;
+ host = sympaConfig.postgresql.socket;
+ name = sympaConfig.postgresql.database;
+ passwordFile = config.secrets.fullPaths."sympa/db_password";
+ createLocally = false;
+ };
+ settings = {
+ sendmail = "/run/wrappers/bin/sendmail";
+ log_smtp = "on";
+ sendmail_aliases = "/var/lib/sympa/sympa_transport";
+ aliases_program = "${pkgs.postfix}/bin/postmap";
+ };
+ settingsFile = {
+ "virtual.sympa".enable = false;
+ "transport.sympa".enable = false;
+ } // lib.mapAttrs' (n: v: lib.nameValuePair
+ "etc/${domain}/data_sources/${n}.incl"
+ { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
+ // lib.mapAttrs' (n: v: lib.nameValuePair
+ "etc/${domain}/scenari/${n}"
+ { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
+ web = {
+ server = "none";
+ };
+
+ mta = {
+ type = "none";
+ };
+ };
+ };
+}
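Review bot: The ten `ProtectKernelModules`/`ProtectKernelTunables = lib.mkForce false` lines on the five sympa units roll back upstream's sandboxing with only a PR link as justification, so a later maintainer cannot tell whether re-enabling them is safe once the linked fix lands. Presumably the reason is that these directives imply NoNewPrivileges for a non-root unit and that would block the setuid `/run/wrappers/bin/sendmail` the module points sympa at; if so, say it in the comment, e.g. `# ProtectKernel* implies NoNewPrivileges for non-root units, which breaks the setuid sendmail wrapper sympa uses; re-check once nixpkgs#84202 is merged`. The new `wwsympa` unit is the only one reachable from the web (via the FastCGI socket) yet gets just ProtectHome/ProtectSystem/ProtectControlGroups; `PrivateTmp = true;` is a free addition there, and a one-line comment that the unit intentionally starts as root so spawn-fcgi can set `-u sympa -U wwwrun -M 0600` on the socket would save the next reader from "adding" a `User=` that breaks it. The `0600`/`-U wwwrun` socket mode and the `0400` secret files are the right tightness and need no change.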