]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/mail/sympa.nix
Remove duply-backup
# NixOS module for the Sympa mailing-list manager on lists.immae.eu and
# cip-ca.fr. It wires together:
#   - remote PostgreSQL access for the backup-2 host,
#   - the Apache vhost fragment that fronts wwsympa over FastCGI,
#   - secret files (database password, data sources, scenari),
#   - systemd slice and sandboxing overrides for the Sympa units,
#   - the Postfix maps and pipe transports that hand mail to Sympa,
#   - the services.sympa settings themselves.
# Everything is only active when config.myServices.mail.enable is set.
{ lib, pkgs, config, ... }:
let
  # Primary list domain; also used as services.sympa.mainDomain below.
  domain = "lists.immae.eu";
  # Deployment-specific values (passwords, listmasters, data sources, scenari).
  sympaConfig = config.myEnv.mail.sympa;
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # Lets user "sympa" reach database "sympa" from the main IPv4/IPv6
    # addresses of backup-2.
    # NOTE(review): presumably this ends up as a pg_hba-style rule used for
    # backups; the authorizedHosts option is defined elsewhere, confirm there.
    myServices.databases.postgresql.authorizedHosts = {
      backup-2 = [
        {
          username = "sympa";
          database = "sympa";
          ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
          ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
        }
      ];
    };
    # Apache fragment appended (mkAfter) to the "mail" vhost: static assets are
    # served straight from /var/lib/sympa/static_content/, and /sympa is handed
    # to the wwsympa FastCGI socket. Both use "Require all granted", so Apache
    # applies no access control of its own here; authentication and
    # authorization for the web interface rest entirely on wwsympa.
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
          Alias /static-sympa/ /var/lib/sympa/static_content/
          <Directory /var/lib/sympa/static_content/>
          Require all granted
          AllowOverride none
          </Directory>
          <Location /sympa>
          SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
          Require all granted
          </Location>
        ''
      ];
    };

    # Secret files, each owner-read-only (0400) and owned by sympa:sympa:
    # the database password plus one file per data source and per scenario.
    # NOTE(review): `text` comes from the evaluated configuration
    # (config.myEnv); confirm that the secrets module (not shown here) keeps
    # these values out of the world-readable Nix store.
    secrets.keys = {
      "sympa/db_password" = {
        permissions = "0400";
        group = "sympa";
        user = "sympa";
        text = sympaConfig.postgresql.password;
      };
    }
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.data_sources
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.scenari;
    # The sympa account and every Sympa unit join the "keys" group.
    # NOTE(review): presumably that group is what grants traversal of the
    # directory holding the secret files above; confirm in the secrets module.
    users.users.sympa.extraGroups = [ "keys" ];
    # Dedicated slice so that all Sympa units share one cgroup subtree.
    systemd.slices.mail-sympa = {
      description = "Sympa slice";
    };

    systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];

    systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";

    # https://github.com/NixOS/nixpkgs/pull/84202
    # lib.mkForce overrides whatever value is set elsewhere for these units and
    # switches two systemd sandboxing protections off on all five of them.
    # NOTE(review): systemd documents that ProtectKernelModules= and
    # ProtectKernelTunables= imply NoNewPrivileges=yes for units running
    # without CAP_SYS_ADMIN; that would presumably stop the
    # /run/wrappers/bin/sendmail wrapper configured below from gaining the
    # privileges it needs. Confirm against the linked PR, and drop these
    # overrides once they are no longer required so the hardening comes back.
    systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;

    # FastCGI front end for the Sympa web interface, started after
    # sympa.service. spawn-fcgi options used below:
    #   -u / -g  account and group the FastCGI processes run as (sympa)
    #   -U / -M  owner and mode of the unix socket: wwwrun with 0600, so only
    #            the web server account can connect to it
    #   -F       number of children to fork (2)
    #   -P / -s  PID file and socket path under /run/sympa
    # No User= is set on the unit, so spawn-fcgi itself is started with the
    # service manager's default identity and drops to sympa via -u/-g.
    # ProtectHome, ProtectSystem and ProtectControlGroups are the only
    # sandboxing options this unit sets.
    systemd.services.wwsympa = {
      wantedBy = [ "multi-user.target" ];
      after = [ "sympa.service" ];
      serviceConfig = {
        Slice = "mail-sympa.slice";
        Type = "forking";
        PIDFile = "/run/sympa/wwsympa.pid";
        Restart = "always";
        ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
          -u sympa \
          -g sympa \
          -U wwwrun \
          -M 0600 \
          -F 2 \
          -P /run/sympa/wwsympa.pid \
          -s /run/sympa/wwsympa.socket \
          -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
        '';
        StateDirectory = "sympa";
        ProtectHome = true;
        ProtectSystem = "full";
        ProtectControlGroups = true;
      };
    };

    services.postfix = {
      mapFiles = {
        # Update relay list when changing one of those
        # Administrative addresses of both domains are aliased to
        # postmaster@immae.eu.
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
          sympa-request@${domain} postmaster@immae.eu
          sympa-owner@${domain} postmaster@immae.eu

          sympa-request@cip-ca.fr postmaster@immae.eu
          sympa-owner@cip-ca.fr postmaster@immae.eu
        '';
        # Static transport entries: the robot addresses go to the "sympa" and
        # "sympabounce" pipe services defined in masterConfig below. The bare
        # ${domain} entry returns "User unknown" for the primary domain; no
        # such domain-wide entry exists for cip-ca.fr.
        sympa_transport = pkgs.writeText "transport.sympa" ''
          ${domain} error:User unknown in recipient table
          sympa@${domain} sympa:sympa@${domain}
          listmaster@${domain} sympa:listmaster@${domain}
          bounce@${domain} sympabounce:sympa@${domain}
          abuse-feedback-report@${domain} sympabounce:sympa@${domain}

          sympa@cip-ca.fr sympa:sympa@cip-ca.fr
          listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
          bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
          abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
        '';
      };
      # Besides the static maps, Postfix also reads
      # /var/lib/sympa/sympa_transport. That is the same path given to Sympa as
      # `sendmail_aliases` further down (with postmap as `aliases_program`), so
      # the Sympa service maintains a lookup table that Postfix trusts for
      # routing and recipient validation. Keep that file and its directory
      # writable by the sympa account only.
      config = {
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      # Two pipe(8) delivery services that run Sympa's queue programs as user
      # sympa, outside any chroot. "\${nexthop}" is escaped so that Nix leaves
      # it alone and Postfix expands it at delivery time to the part after
      # "sympa:" / "sympabounce:" in the transport entry. pipe(8) executes argv
      # directly rather than through a shell.
      # flags (see pipe(8)): h = lowercase nexthop/domain, q = quote special
      # characters in address local parts, R = prepend Return-Path,
      # u = lowercase the user part.
      masterConfig = {
        sympa = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/queue"
            "\${nexthop}"
          ];
        };
        sympabounce = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/bouncequeue"
            "\${nexthop}"
          ];
        };
      };
    };
    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      # Both robots expose the web interface under /sympa on their own host.
      domains = {
        "${domain}" = {
          webHost = "mail.immae.eu";
          webLocation = "/sympa";
        };
        "cip-ca.fr" = {
          webHost = "mail.cip-ca.fr";
          webLocation = "/sympa";
        };
      };

      # Existing PostgreSQL database (createLocally = false); `host` is set to
      # the configured socket value and the password is read from the secret
      # file declared in secrets.keys above rather than written inline.
      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      # log_smtp = "on" turns on Sympa's SMTP logging. sendmail_aliases and
      # aliases_program make Sympa write its list entries to
      # /var/lib/sympa/sympa_transport and rebuild the map with postmap.
      settings = {
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
      };
      # Disables the "virtual.sympa" and "transport.sympa" settings files
      # (presumably generated by the upstream module; the equivalents are
      # defined through services.postfix.mapFiles above) and links every data
      # source and scenario secret into etc/${domain}/. Only the primary
      # domain gets these files; nothing is installed for cip-ca.fr.
      settingsFile = {
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/data_sources/${n}.incl"
        { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
      // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/scenari/${n}"
        { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA integration are both set to "none" here; the Apache
      # fragment and Postfix configuration above take their place.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}