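{ lib, pkgs, config, ... }:
# Sympa mailing-list service for lists.immae.eu.
#
# The nixpkgs Sympa module is used only for the daemons and sympa.conf
# (web.server and mta.type are both "none" below); the Apache vhost, the
# Postfix transports and the PostgreSQL access are wired up by hand here.
# Everything is gated on config.myServices.mail.enable.
let
  domain = "lists.immae.eu";
  sympaConfig = config.myEnv.mail.sympa;

  # The daemons shipped by the nixpkgs module.  They all receive the same
  # unit tweaks (supplementary group, slice, hardening relaxation), so the
  # list lives in one place and a new daemon cannot miss one of them.
  sympaDaemons = [ "sympa" "sympa-archive" "sympa-bounce" "sympa-bulk" "sympa-task" ];

  # Every deployed secret is owned by sympa and readable by sympa only.
  sympaSecret = text: {
    permissions = "0400";
    group = "sympa";
    user = "sympa";
    inherit text;
  };
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # DNS: the lists subdomain receives mail and is allowed to send it.
    myServices.dns.zones."immae.eu".emailPolicies."lists".receive = true;
    myServices.dns.zones."immae.eu".subdomains.lists =
      with config.myServices.dns.helpers; lib.mkMerge [
        (ips servers.eldiron.ips.main)
        (mailCommon "immae.eu")
        mailSend
      ];

    # Public service description (CHATONS properties).  Purely informational.
    myServices.chatonsProperties.services.sympa = {
      file.datetime = "2022-08-22T00:50:00";
      service = {
        name = "Sympa";
        description = "Mailing lists service";
        website = "https://mail.immae.eu/sympa";
        logo = "https://mail.immae.eu/static-sympa/icons/favicon_sympa.png";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Sympa";
        website = "https://www.sympa.org/";
        license.url = "https://github.com/sympa-community/sympa/blob/sympa-6.2/COPYING";
        license.name = "GNU General Public License v2.0";
        version = pkgs.sympa.version;
        source.url = "https://github.com/sympa-community/sympa/";
      };
    };

    # Let the backup host reach the sympa database as the sympa role from
    # its main addresses.  The IPv6 addresses are pinned to single hosts
    # (/128) here; the IPv4 address is passed through unchanged — confirm the
    # authorizedHosts helper narrows it to /32 rather than a wider network.
    myServices.databases.postgresql.authorizedHosts = {
      backup-2 = [
        {
          username = "sympa";
          database = "sympa";
          ip4 = config.myEnv.servers.backup-2.ips.main.ip4;
          ip6 = map (v: "${v}/128") config.myEnv.servers.backup-2.ips.main.ip6;
        }
      ];
    };

    # Apache side of the web UI: static assets are served straight from
    # Sympa's state directory, the UI itself is proxied to the wwsympa
    # FastCGI socket.  Both are reachable by everyone; per-list access
    # control is Sympa's own job (see the scenari deployed below).
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
        Alias /static-sympa/ /var/lib/sympa/static_content/
        <Directory /var/lib/sympa/static_content/>
          Require all granted
          AllowOverride none
        </Directory>
        <Location /sympa>
          SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
          Require all granted
        </Location>
        ''
      ];
    };

    # Secrets deployed for the sympa user: the database password, plus the
    # operator-supplied data_sources includes and authorization scenari
    # (kept as secrets because such includes commonly embed credentials
    # for external directories/databases — see sympaConfig for what yours
    # actually contain).
    secrets.keys = {
      "sympa/db_password" = sympaSecret sympaConfig.postgresql.password;
    }
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" (sympaSecret v)) sympaConfig.data_sources
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" (sympaSecret v)) sympaConfig.scenari;
    users.users.sympa.extraGroups = [ "keys" ];

    systemd.slices.mail-sympa = {
      description = "Sympa slice";
    };

    systemd.services =
      # Settings shared by the five Sympa daemons.
      lib.genAttrs sympaDaemons (_: {
        serviceConfig = {
          # Needed to read the secrets deployed above.
          SupplementaryGroups = [ "keys" ];
          Slice = "mail-sympa.slice";
          # Relaxes the kernel-related hardening set by the nixpkgs module;
          # https://github.com/NixOS/nixpkgs/pull/84202 is the upstream
          # context.  This widens what a compromised daemon can reach under
          # /proc/sys and /sys, so keep it under review rather than treating
          # it as permanent.
          ProtectKernelModules = lib.mkForce false;
          ProtectKernelTunables = lib.mkForce false;
        };
      })
      // {
        # FastCGI backend for the web UI, spawned by spawn-fcgi: runs as
        # sympa:sympa, the socket is owned by the web server user (wwwrun)
        # and mode 0600 so only Apache can talk to it.  Not in the list
        # above because the nixpkgs module does not ship this unit.
        wwsympa = {
          wantedBy = [ "multi-user.target" ];
          after = [ "sympa.service" ];
          serviceConfig = {
            Slice = "mail-sympa.slice";
            Type = "forking";
            PIDFile = "/run/sympa/wwsympa.pid";
            Restart = "always";
            ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
              -u sympa \
              -g sympa \
              -U wwwrun \
              -M 0600 \
              -F 2 \
              -P /run/sympa/wwsympa.pid \
              -s /run/sympa/wwsympa.socket \
              -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
            '';
            StateDirectory = "sympa";
            ProtectHome = true;
            ProtectSystem = "full";
            ProtectControlGroups = true;
          };
        };
      };

    services.postfix = {
      mapFiles = {
        # Update relay list when changing one of those
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
          sympa-request@${domain} postmaster@immae.eu
          sympa-owner@${domain} postmaster@immae.eu
        '';
        # Fixed routing for the list domain: everything not matched by a
        # more specific entry (here or in Sympa's own map) is rejected.
        sympa_transport = pkgs.writeText "transport.sympa" ''
          ${domain} error:User unknown in recipient table
          sympa@${domain} sympa:sympa@${domain}
          listmaster@${domain} sympa:listmaster@${domain}
          bounce@${domain} sympabounce:sympa@${domain}
          abuse-feedback-report@${domain} sympabounce:sympa@${domain}
        '';
      };
      config = {
        # The static map above plus the one Sympa regenerates itself
        # (sendmail_aliases below).  Both are consulted for every recipient
        # Postfix handles, and the second is written from the Sympa side:
        # whoever controls that file can steer delivery for any address
        # they put into it, not just ones under ${domain}.
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        # Listed as mailbox maps too, presumably so the list addresses count
        # as known recipients instead of being rejected at RCPT time.
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      # Delivery agents handing mail to Sympa's queue programs.  pipe(8)
      # switches to user=sympa itself, hence privileged and no chroot.
      # flags: h/u lowercase the domain/user, R prepends Return-Path, q
      # quotes the command-line arguments.
      masterConfig = {
        sympa = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/queue"
            "\${nexthop}"
          ];
        };
        sympabounce = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/bouncequeue"
            "\${nexthop}"
          ];
        };
      };
    };

    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      domains = {
        "${domain}" = {
          webHost = "mail.immae.eu";
          webLocation = "/sympa";
        };
      };

      # The database is managed elsewhere; only the password comes from a
      # secret file, never from the Nix store.
      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      settings = {
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        # Sympa maintains this Postfix map itself (see transport_maps above)
        # and rebuilds the .db with postmap.
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
        # create_list scenario "listmaster": list creation is not
        # self-service — verify the scenario's exact semantics against the
        # Sympa version deployed.
        create_list = "listmaster";
      };
      settingsFile = {
        # The Postfix maps are provided via services.postfix.mapFiles above,
        # so the module must not generate its own copies.
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: v: lib.nameValuePair
          "etc/${domain}/data_sources/${n}.incl"
          { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
        // lib.mapAttrs' (n: v: lib.nameValuePair
          "etc/${domain}/scenari/${n}"
          { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA integration are done by hand in this file.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}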