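{ lib, pkgs, config, ... }:
let
  domain = "lists.immae.eu";
  sympaConfig = config.myEnv.mail.sympa;

  # Every file handed to Sympa through the secrets module is owned by sympa
  # and readable by that user only (0400); nothing ends up in the Nix store.
  sympaSecret = dest: text: {
    inherit dest text;
    permissions = "0400";
    user = "sympa";
    group = "sympa";
  };

  # Daemons shipped by the nixpkgs sympa module that all need the same
  # service-level overrides. wwsympa is a separate unit defined below.
  sympaUnits = [ "sympa" "sympa-archive" "sympa-bounce" "sympa-bulk" "sympa-task" ];

  # A Postfix pipe(8) transport that hands the message to one of Sympa's
  # queue programs as the sympa user, with the recipient as last argument.
  pipeTransport = program: {
    type = "unix";
    # Presumably kept privileged (unpriv=n) so that pipe(8) is allowed to
    # switch to user=sympa; the command itself does not run as root.
    privileged = true;
    chroot = false;
    command = "pipe";
    args = [
      "flags=hqRu"
      "user=sympa"
      "argv=${pkgs.sympa}/bin/${program}"
      "\${nexthop}"
    ];
  };
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # /var/lib/sympa holds subscriber lists and archives, i.e. personal data;
    # encryption and retention for this backup are set in the duply profile
    # defaults, not here.
    services.duplyBackup.profiles.sympa = {
      rootDir = "/var/lib/sympa";
    };

    # Web front-end, hooked into the existing "mail" vhost. wwsympa performs
    # its own session and authentication handling, so both locations are open
    # at the Apache level; TLS for that vhost is configured outside this file
    # and is required since credentials and session cookies transit /sympa.
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
          Alias /static-sympa/ /var/lib/sympa/static_content/
          <Directory /var/lib/sympa/static_content/>
            Require all granted
            AllowOverride none
            # Static assets only: never expose directory listings.
            Options -Indexes
          </Directory>
          <Location /sympa>
            SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
            Require all granted
          </Location>
        ''
      ];
    };

    # Database password plus per-list data sources and scenari, deployed as
    # private files that the Sympa configuration references by path.
    secrets.keys = [
      (sympaSecret "sympa/db_password" sympaConfig.postgresql.password)
    ]
    ++ lib.mapAttrsToList (n: v: sympaSecret "sympa/data_sources/${n}.incl" v) sympaConfig.data_sources
    ++ lib.mapAttrsToList (n: v: sympaSecret "sympa/scenari/${n}" v) sympaConfig.scenari;
    users.users.sympa.extraGroups = [ "keys" ];

    systemd.services = lib.genAttrs sympaUnits (_: {
      serviceConfig = {
        # Required to read the files deployed under config.secrets.fullPaths.
        SupplementaryGroups = [ "keys" ];
        # Workaround tracked in https://github.com/NixOS/nixpkgs/pull/84202:
        # two of the upstream module's sandboxing options are switched off
        # for these daemons. Re-check whether this is still needed on each
        # nixpkgs upgrade, since it weakens the service hardening.
        ProtectKernelModules = lib.mkForce false;
        ProtectKernelTunables = lib.mkForce false;
      };
    }) // {
      wwsympa = {
        wantedBy = [ "multi-user.target" ];
        after = [ "sympa.service" ];
        serviceConfig = {
          Type = "forking";
          PIDFile = "/run/sympa/wwsympa.pid";
          Restart = "always";
          # spawn-fcgi starts as root, drops to sympa:sympa (-u/-g) and leaves
          # a socket owned by wwwrun with mode 0600 (-U/-M), so only the web
          # server account can talk FastCGI to wwsympa.
          ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
            -u sympa \
            -g sympa \
            -U wwwrun \
            -M 0600 \
            -F 2 \
            -P /run/sympa/wwsympa.pid \
            -s /run/sympa/wwsympa.socket \
            -- ${pkgs.sympa}/bin/wwsympa.fcgi
          '';
          StateDirectory = "sympa";
          ProtectHome = true;
          ProtectSystem = "full";
          ProtectControlGroups = true;
          # NOTE(review): do not add NoNewPrivileges here. Outgoing mail goes
          # through /run/wrappers/bin/sendmail (see settings.sendmail below),
          # a security wrapper that presumably relies on setgid to reach the
          # Postfix queue — verify before tightening this unit further.
        };
      };
    };

    services.postfix = {
      mapFiles = {
        # Role addresses that must reach a human rather than the robot.
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
          sympa-request@${domain} postmaster@immae.eu
          sympa-owner@${domain} postmaster@immae.eu
        '';
        # Anything at the list domain that is not an explicit entry here, or
        # in the map Sympa generates, is rejected with "User unknown".
        sympa_transport = pkgs.writeText "transport.sympa" ''
          ${domain} error:User unknown in recipient table
          sympa@${domain} sympa:sympa@${domain}
          listmaster@${domain} sympa:listmaster@${domain}
          bounce@${domain} sympabounce:sympa@${domain}
          abuse-feedback-report@${domain} sympabounce:sympa@${domain}
        '';
      };
      config = {
        # The second map is written by Sympa itself (settings.sendmail_aliases
        # below, compiled with postmap); Postfix must therefore be able to
        # read /var/lib/sympa/sympa_transport.db — check permissions on
        # /var/lib/sympa if list addresses start bouncing as unknown.
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        # Listing the same maps as mailbox maps makes the list addresses known
        # recipients, so recipient verification accepts them.
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      masterConfig = {
        sympa = pipeTransport "queue";
        sympabounce = pipeTransport "bouncequeue";
      };
    };

    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      domains."${domain}" = {
        webHost = "mail.immae.eu";
        webLocation = "/sympa";
      };

      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        # Expected to be a local Unix socket path (no network listener);
        # confirm against the myEnv definition.
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        # Read at runtime from the 0400 secret file, never embedded in sympa.conf.
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      settings = {
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        # Sympa maintains this map and rebuilds it with postmap; Postfix
        # consumes it through transport_maps/virtual_mailbox_maps above.
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
      };
      # The module's own Postfix maps are disabled in favour of the ones
      # declared in services.postfix.mapFiles; data sources and scenari are
      # symlinked from the secrets tree so they stay out of the store.
      settingsFile = {
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/data_sources/${n}.incl"
        { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
      // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/scenari/${n}"
        { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA integration are hand-written above rather than
      # generated by the module.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}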