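{ lib, pkgs, config, ... }:
let
  domain = "lists.immae.eu";
  sympaConfig = config.myEnv.mail.sympa;

  # Every daemon the upstream sympa module defines.  They all get the same
  # slice, the same secret-access group and the same hardening overrides, so
  # the list is kept in one place instead of being repeated per option (a
  # daemon added to one list but forgotten in another would otherwise run
  # without access to its secrets).
  sympaDaemons = [ "sympa" "sympa-archive" "sympa-bounce" "sympa-bulk" "sympa-task" ];

  # Settings applied to each entry of sympaDaemons.
  sympaDaemonConfig = {
    serviceConfig = {
      # The daemons read the files deployed through secrets.keys below; the
      # "keys" group is presumably what grants access to the secrets tree —
      # confirm against the secrets module.
      SupplementaryGroups = [ "keys" ];
      Slice = "mail-sympa.slice";
      # https://github.com/NixOS/nixpkgs/pull/84202
      # Forcing these off loosens the sandbox the upstream units ship with;
      # re-evaluate once the linked PR is resolved.
      ProtectKernelModules = lib.mkForce false;
      ProtectKernelTunables = lib.mkForce false;
    };
  };

  # A secret file for sympa: owned by sympa, readable by the owner only.
  sympaSecret = text: {
    permissions = "0400";
    group = "sympa";
    user = "sympa";
    inherit text;
  };
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # Let backup-2 reach the sympa database over both address families.
    myServices.databases.postgresql.authorizedHosts = {
      backup-2 = [
        {
          username = "sympa";
          database = "sympa";
          ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
          ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
        }
      ];
    };
    services.duplyBackup.profiles.sympa = {
      rootDir = "/var/lib/sympa";
    };
    # HTTP front-end: static content is served directly by the web server,
    # everything under /sympa is handed to the wwsympa FastCGI socket (see
    # systemd.services.wwsympa below).  Access control on /sympa is left to
    # wwsympa itself, hence "Require all granted".
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
        Alias /static-sympa/ /var/lib/sympa/static_content/
        <Directory /var/lib/sympa/static_content/>
          Require all granted
          AllowOverride none
        </Directory>
        <Location /sympa>
          SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
          Require all granted
        </Location>
        ''
      ];
    };

    # Material that must not end up in the world-readable nix store: the
    # database password plus every data source include and scenario.  The
    # same entries are wired into services.sympa.settingsFile below.
    secrets.keys = {
      "sympa/db_password" = sympaSecret sympaConfig.postgresql.password;
    }
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" (sympaSecret v)) sympaConfig.data_sources
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" (sympaSecret v)) sympaConfig.scenari;
    users.users.sympa.extraGroups = [ "keys" ];
    systemd.slices.mail-sympa = {
      description = "Sympa slice";
    };

    systemd.services = lib.genAttrs sympaDaemons (_: sympaDaemonConfig) // {
      # The web interface is not managed by the upstream module
      # (services.sympa.web.server = "none" below); it is spawned here as a
      # FastCGI pool behind the vhost configured above.
      wwsympa = {
        wantedBy = [ "multi-user.target" ];
        after = [ "sympa.service" ];
        serviceConfig = {
          Slice = "mail-sympa.slice";
          Type = "forking";
          PIDFile = "/run/sympa/wwsympa.pid";
          Restart = "always";
          # Workers run as sympa (-u/-g); the socket belongs to the web
          # server user (-U wwwrun) with mode 0600 (-M), so only the HTTP
          # front-end can reach the FastCGI workers.
          ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
            -u sympa \
            -g sympa \
            -U wwwrun \
            -M 0600 \
            -F 2 \
            -P /run/sympa/wwsympa.pid \
            -s /run/sympa/wwsympa.socket \
            -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
            '';
          StateDirectory = "sympa";
          ProtectHome = true;
          ProtectSystem = "full";
          ProtectControlGroups = true;
        };
      };
    };

    # Postfix glue: the upstream module's generated maps are disabled
    # (settingsFile below) and replaced by the ones here.  The cip-ca.fr
    # entries duplicate the ${domain} ones; both must match the domains
    # declared in services.sympa.domains.
    services.postfix = {
      mapFiles = {
        # Update relay list when changing one of those
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
          sympa-request@${domain} postmaster@immae.eu
          sympa-owner@${domain} postmaster@immae.eu

          sympa-request@cip-ca.fr postmaster@immae.eu
          sympa-owner@cip-ca.fr postmaster@immae.eu
        '';
        sympa_transport = pkgs.writeText "transport.sympa" ''
          ${domain} error:User unknown in recipient table
          sympa@${domain} sympa:sympa@${domain}
          listmaster@${domain} sympa:listmaster@${domain}
          bounce@${domain} sympabounce:sympa@${domain}
          abuse-feedback-report@${domain} sympabounce:sympa@${domain}

          sympa@cip-ca.fr sympa:sympa@cip-ca.fr
          listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
          bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
          abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
        '';
      };
      config = {
        # /var/lib/sympa/sympa_transport is the alias file sympa maintains
        # itself (settings.sendmail_aliases below).
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        # Listed as mailbox maps too, presumably so Postfix accepts the list
        # addresses as valid recipients — confirm before changing.
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      # Two pipe(8) transports delivering to sympa's queue programs as the
      # sympa user; pipe transports cannot run chrooted.
      masterConfig = {
        sympa = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/queue"
            "\${nexthop}"
          ];
        };
        sympabounce = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/bouncequeue"
            "\${nexthop}"
          ];
        };
      };
    };
    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      domains = {
        "${domain}" = {
          webHost = "mail.immae.eu";
          webLocation = "/sympa";
        };
        "cip-ca.fr" = {
          webHost = "mail.cip-ca.fr";
          webLocation = "/sympa";
        };
      };

      # Database lives outside this module (createLocally = false); the
      # password is read at runtime from the secret deployed above rather
      # than being embedded in the generated sympa.conf.
      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      settings = {
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
      };
      # The module's own Postfix maps are replaced by services.postfix
      # above; data sources and scenari are symlinked to their secret files.
      settingsFile = {
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: _: lib.nameValuePair
          "etc/${domain}/data_sources/${n}.incl"
          { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
        // lib.mapAttrs' (n: _: lib.nameValuePair
          "etc/${domain}/scenari/${n}"
          { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA are configured by hand in this file.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}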