1 { lib, pkgs, config, ... }:
2 let
3 domain = "lists.immae.eu";
4 sympaConfig = config.myEnv.mail.sympa;
5 in
6 {
7 config = lib.mkIf config.myServices.mail.enable {
myServices.databases.postgresql.authorizedHosts = {
  # Let the "sympa" PostgreSQL role reach the "sympa" database from
  # backup-2 (both address families of its main interface).  This is a
  # network path into the list-server database, presumably guarded by
  # the role password installed as sympa/db_password below, so the
  # source list is deliberately limited to that single host.
  # NOTE(review): whether this entry demands TLS (hostssl vs host) is
  # decided by the postgresql module that consumes authorizedHosts, not
  # here -- confirm.
  backup-2 = let
    mainIps = config.myEnv.servers.backup-2.ips.main;
  in [
    {
      username = "sympa";
      database = "sympa";
      ip4 = [ mainIps.ip4 ];
      ip6 = mainIps.ip6;
    }
  ];
};
# Back up the whole Sympa state directory with the duply profile named
# "sympa".  NOTE(review): this tree presumably holds subscriber lists,
# archives and spools as well as the sympa-written postfix transport
# map, i.e. personal data -- make sure the profile encrypts at rest;
# that is configured in the duplyBackup module, not here.
services.duplyBackup.profiles.sympa.rootDir = "/var/lib/sympa";
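services.websites.env.tools.vhostConfs.mail = {
  # Apache glue for the hand-run wwsympa FastCGI process (see the
  # wwsympa unit below; the sympa module itself is told web.server =
  # "none").
  extraConfig = lib.mkAfter [
    ''
      Alias /static-sympa/ /var/lib/sympa/static_content/
      <Directory /var/lib/sympa/static_content/>
        Options -Indexes
        Require all granted
        AllowOverride none
      </Directory>
      <Location /sympa>
        SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
        Require all granted
      </Location>
    ''
  ];
  # - static_content is served straight out of the state directory.  It
  #   is meant to be public, but "Options -Indexes" makes sure Apache
  #   never auto-generates a listing of that directory, whatever the
  #   server-wide Options happen to be.
  # - /sympa is proxied to the unix socket that spawn-fcgi creates for
  #   wwsympa (0600, owned by the httpd user, see the wwsympa unit).
  #   It is deliberately open to everybody: wwsympa does its own
  #   authentication.
};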
36
secrets.keys = let
  # Every Sympa secret is installed the same way: owned and readable by
  # the sympa user only (0400).  The sympa daemons below additionally
  # join the "keys" group, presumably so they can traverse the secrets
  # directory.
  sympaSecret = dest: text: {
    inherit dest text;
    user = "sympa";
    group = "sympa";
    permissions = "0400";
  };
in [
  # Database role password, consumed through database.passwordFile.
  (sympaSecret "sympa/db_password" sympaConfig.postgresql.password)
]
# Per-list data source includes (these presumably embed LDAP/SQL
# credentials, hence secret) and per-domain scenari (authorization
# rules); both are wired into settingsFile further down.
++ lib.mapAttrsToList (name: content:
     sympaSecret "sympa/data_sources/${name}.incl" content
   ) sympaConfig.data_sources
++ lib.mapAttrsToList (name: content:
     sympaSecret "sympa/scenari/${name}" content
   ) sympaConfig.scenari;
# The sympa account and each of its daemons get the "keys" group so the
# secrets installed above are reachable.
users.users.sympa.extraGroups = [ "keys" ];

# ProtectKernelModules / ProtectKernelTunables are forced off for every
# Sympa daemon (mkForce overrides whatever the upstream sympa module
# sets).  The only rationale recorded by the author is the nixpkgs PR
# below; this does loosen the sandbox of five daemons, so re-check
# whether the override is still needed when bumping nixpkgs.
#   https://github.com/NixOS/nixpkgs/pull/84202
systemd.services.sympa.serviceConfig = {
  SupplementaryGroups = [ "keys" ];
  ProtectKernelModules = lib.mkForce false;
  ProtectKernelTunables = lib.mkForce false;
};
systemd.services.sympa-archive.serviceConfig = {
  SupplementaryGroups = [ "keys" ];
  ProtectKernelModules = lib.mkForce false;
  ProtectKernelTunables = lib.mkForce false;
};
systemd.services.sympa-bounce.serviceConfig = {
  SupplementaryGroups = [ "keys" ];
  ProtectKernelModules = lib.mkForce false;
  ProtectKernelTunables = lib.mkForce false;
};
systemd.services.sympa-bulk.serviceConfig = {
  SupplementaryGroups = [ "keys" ];
  ProtectKernelModules = lib.mkForce false;
  ProtectKernelTunables = lib.mkForce false;
};
systemd.services.sympa-task.serviceConfig = {
  SupplementaryGroups = [ "keys" ];
  ProtectKernelModules = lib.mkForce false;
  ProtectKernelTunables = lib.mkForce false;
};
70
systemd.services.wwsympa = {
  # The sympa module is told web.server = "none", so the FastCGI front
  # end is run by hand.  There is no User= here: spawn-fcgi starts as
  # root, drops the worker processes to sympa:sympa (-u/-g) and gives
  # the unix socket to the httpd user (-U wwwrun) with mode 0600, which
  # is what keeps anything but Apache from talking to wwsympa.
  after = [ "sympa.service" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "forking";
    Restart = "always";
    PIDFile = "/run/sympa/wwsympa.pid";
    ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
      -u sympa \
      -g sympa \
      -U wwwrun \
      -M 0600 \
      -F 2 \
      -P /run/sympa/wwsympa.pid \
      -s /run/sympa/wwsympa.socket \
      -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
    '';
    StateDirectory = "sympa";
    # Lighter sandbox than the module-managed sympa daemons: no
    # PrivateTmp, no NoNewPrivileges.  NOTE(review): NoNewPrivileges
    # would neuter the setuid/setgid sendmail wrapper configured in
    # settings.sendmail should wwsympa invoke it directly, so do not add
    # it without checking.  /run/sympa is assumed to exist already
    # (presumably created by sympa.service, which this unit is only
    # ordered after, not bound to) -- confirm.
    ProtectHome = true;
    ProtectSystem = "full";
    ProtectControlGroups = true;
  };
};
94
services.postfix = {
  mapFiles = {
    # Static half of the Sympa/postfix glue (the dynamic half, the
    # per-list transport table, is written by Sympa itself -- see
    # settings.sendmail_aliases).  Update the relay list when changing
    # one of those.
    #
    # Site-wide request/owner addresses of every list domain are
    # redirected to the postmaster.
    sympa_virtual = pkgs.writeText "virtual.sympa" ''
      sympa-request@${domain} postmaster@immae.eu
      sympa-owner@${domain} postmaster@immae.eu

      sympa-request@cip-ca.fr postmaster@immae.eu
      sympa-owner@cip-ca.fr postmaster@immae.eu
    '';
    # Robot addresses are handed to the sympa / sympabounce pipe
    # transports defined in masterConfig; the bare "${domain}" line is
    # meant as a catch-all rejecting anything under the list domain that
    # no list claims.  cip-ca.fr has no such catch-all, so unmatched
    # addresses there presumably fall through to whatever else handles
    # that domain in the postfix config -- confirm that is intended.
    sympa_transport = pkgs.writeText "transport.sympa" ''
      ${domain} error:User unknown in recipient table
      sympa@${domain} sympa:sympa@${domain}
      listmaster@${domain} sympa:listmaster@${domain}
      bounce@${domain} sympabounce:sympa@${domain}
      abuse-feedback-report@${domain} sympabounce:sympa@${domain}

      sympa@cip-ca.fr sympa:sympa@cip-ca.fr
      listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
      bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
      abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
    '';
  };
  config = {
    # /var/lib/sympa/sympa_transport is generated and postmap'ed by the
    # sympa user (settings.sendmail_aliases / aliases_program below).
    # postfix consults transport_maps for *every* recipient, so the
    # sympa account is effectively trusted with mail routing: a
    # compromised sympa could add entries for addresses well outside
    # the list domains.  Keep that in mind when relaxing its sandbox.
    transport_maps = lib.mkAfter [
      "hash:/etc/postfix/sympa_transport"
      "hash:/var/lib/sympa/sympa_transport"
    ];
    virtual_alias_maps = lib.mkAfter [
      "hash:/etc/postfix/sympa_virtual"
    ];
    # The same tables double as mailbox maps so that postfix accepts
    # these recipients at all (none of them has a real mailbox).
    virtual_mailbox_maps = lib.mkAfter [
      "hash:/etc/postfix/sympa_transport"
      "hash:/var/lib/sympa/sympa_transport"
      "hash:/etc/postfix/sympa_virtual"
    ];
  };
  masterConfig = let
    # Both transports pipe the message into one of Sympa's queue
    # helpers.  The pipe runs unprivileged as the sympa user
    # ("user=sympa"; "privileged" is only what lets the pipe daemon
    # switch uid) and the helper gets the transport nexthop
    # (sympa@<domain>, listmaster@<domain>, ...) as its single argument.
    pipeToSympa = helper: {
      type = "unix";
      privileged = true;
      chroot = false;
      command = "pipe";
      args = [
        "flags=hqRu"
        "user=sympa"
        "argv=${pkgs.sympa}/libexec/${helper}"
        "\${nexthop}"
      ];
    };
  in {
    sympa = pipeToSympa "queue";
    sympabounce = pipeToSympa "bouncequeue";
  };
};
services.sympa = {
  enable = true;
  mainDomain = domain;
  listMasters = sympaConfig.listmasters;

  # Web front end and MTA integration are both wired by hand in this
  # file (vhost snippet, wwsympa unit, postfix maps above), so the
  # module must not generate either of them.
  web.server = "none";
  mta.type = "none";

  # One list robot per domain, each reachable under /sympa of its own
  # web host.
  domains = {
    "${domain}" = { webHost = "mail.immae.eu"; webLocation = "/sympa"; };
    "cip-ca.fr" = { webHost = "mail.cip-ca.fr"; webLocation = "/sympa"; };
  };

  # Pre-existing PostgreSQL reached over its unix socket; the role
  # password is read at runtime from the secret installed above and
  # therefore never lands in the Nix store.
  database = {
    type = "PostgreSQL";
    createLocally = false;
    host = sympaConfig.postgresql.socket;
    name = sympaConfig.postgresql.database;
    user = sympaConfig.postgresql.user;
    passwordFile = config.secrets.fullPaths."sympa/db_password";
  };

  settings = {
    # Outgoing mail goes through the setuid sendmail wrapper.
    sendmail = "/run/wrappers/bin/sendmail";
    log_smtp = "on";
    # Sympa maintains the per-list transport table that postfix reads
    # (transport_maps above) and rebuilds it with postmap.
    sendmail_aliases = "/var/lib/sympa/sympa_transport";
    aliases_program = "${pkgs.postfix}/bin/postmap";
  };

  settingsFile = let
    fromSecret = key: { source = config.secrets.fullPaths.${key}; };
    # Turn an attrset of secret names into settingsFile entries placed
    # under etc/<main domain>/<subdir>/ in Sympa's tree, each sourced
    # from the matching sympa/<subdir>/ secret.
    underMainDomain = subdir: suffix: names:
      lib.mapAttrs' (name: _:
        lib.nameValuePair "etc/${domain}/${subdir}/${name}${suffix}"
          (fromSecret "sympa/${subdir}/${name}${suffix}")
      ) names;
  in {
    # The postfix maps are hand-written in services.postfix, so the
    # module-generated ones are switched off.
    "virtual.sympa".enable = false;
    "transport.sympa".enable = false;
  }
  # NOTE(review): data sources and scenari are installed under
  # etc/<main domain> only, i.e. for the lists.immae.eu robot; the
  # cip-ca.fr robot presumably falls back to Sympa's defaults for both
  # -- confirm that is intended for its authorization scenari.
  // underMainDomain "data_sources" ".incl" sympaConfig.data_sources
  // underMainDomain "scenari" "" sympaConfig.scenari;
};
206 }