Squash changes containing private information
# NixOS module for the Sympa mailing-list service on this host.  It wires up
# the DNS records of the lists subdomain, the secret files Sympa reads, the
# systemd sandboxing adjustments, the FastCGI web front-end, the Postfix glue
# and finally the `services.sympa` options.  The MTA and web server parts are
# done here by hand rather than by the upstream module (see `mta.type` and
# `web.server` set to "none" at the bottom).
{ lib, pkgs, config, ... }:
let
  # Mail domain of the lists; reused for DNS, the Postfix maps and Sympa itself.
  domain = "lists.immae.eu";
  # Deployment-specific values (list masters, DB credentials, data sources,
  # authorization scenari); the secret files below are rendered from it.
  sympaConfig = config.myEnv.mail.sympa;
in
{
  config = lib.mkIf config.myServices.mail.enable {
    # DNS: mark the "lists" subdomain as receiving mail and publish the host
    # and shared mail records (the helpers are defined in the dns module
    # elsewhere in this repository).
    myServices.dns.zones."immae.eu".emailPolicies."lists".receive = true;
    myServices.dns.zones."immae.eu".subdomains.lists =
      with config.myServices.dns.helpers; lib.mkMerge [
        (ips servers.eldiron.ips.main)
        (mailCommon "immae.eu")
        mailSend
      ];

    # Service catalogue entry (CHATONS properties file); descriptive metadata
    # only, nothing here changes how Sympa runs.
    myServices.chatonsProperties.services.sympa = {
      file.datetime = "2022-08-22T00:50:00";
      service = {
        name = "Sympa";
        description = "Mailing lists service";
        website = "https://mail.immae.eu/sympa";
        logo = "https://mail.immae.eu/static-sympa/icons/favicon_sympa.png";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Sympa";
        website = "https://www.sympa.org/";
        license.url = "https://github.com/sympa-community/sympa/blob/sympa-6.2/COPYING";
        license.name = "GNU General Public License v2.0";
        # Follows whatever nixpkgs ships so the catalogue stays accurate.
        version = pkgs.sympa.version;
        source.url = "https://github.com/sympa-community/sympa/";
      };
    };
    # Network access to the sympa database for the backup-2 host (the actual
    # pg_hba rules are generated elsewhere from this list).  IPv6 addresses
    # are turned into /128 single-host entries; IPv4 ones are used as given.
    myServices.databases.postgresql.authorizedHosts = {
      backup-2 = [
        {
          username = "sympa";
          database = "sympa";
          ip4 = config.myEnv.servers.backup-2.ips.main.ip4;
          ip6 = map (v: "${v}/128") config.myEnv.servers.backup-2.ips.main.ip6;
        }
      ];
    };
    # Web exposure through the shared "mail" vhost: static assets are served
    # directly from Sympa's state directory, and /sympa is proxied to the
    # FastCGI unix socket created by the wwsympa unit further down.
    services.websites.env.tools.vhostConfs.mail = {
      extraConfig = lib.mkAfter [
        ''
        Alias /static-sympa/ /var/lib/sympa/static_content/
        <Directory /var/lib/sympa/static_content/>
        Require all granted
        AllowOverride none
        </Directory>
        <Location /sympa>
        SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
        Require all granted
        </Location>
        ''
      ];
    };

    # Secret files consumed by Sympa, all written mode 0400 and owned by the
    # sympa user: the database password, plus one file per data source include
    # and per authorization scenario (both referenced from settingsFile below).
    secrets.keys = {
      "sympa/db_password" = {
        permissions = "0400";
        group = "sympa";
        user = "sympa";
        text = sympaConfig.postgresql.password;
      };
    }
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.data_sources
    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
    }) sympaConfig.scenari;
    # Read access to the secrets: granted to the user account itself and, just
    # below, explicitly to each Sympa unit through SupplementaryGroups.
    users.users.sympa.extraGroups = [ "keys" ];
    # Dedicated cgroup slice grouping every Sympa unit (each sets Slice= to it).
    systemd.slices.mail-sympa = {
      description = "Sympa slice";
    };

    systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
    systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];

    systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
    systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";

    # Kernel hardening relaxed on every upstream Sympa unit; mkForce overrides
    # whatever the nixpkgs module sets, and the PR linked below is the recorded
    # reason.  NOTE(review): re-check periodically whether this workaround is
    # still required, since it removes two sandboxing layers from the daemons.
    # https://github.com/NixOS/nixpkgs/pull/84202
    systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
    systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
    systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;

    # FastCGI front-end for the web UI (the upstream module's own web server
    # integration is turned off via web.server = "none" below).  spawn-fcgi
    # performs the privilege drop to sympa:sympa itself; the listening unix
    # socket is handed to wwwrun (presumably the httpd user) with mode 0600 so
    # only the web server can connect, two workers are pre-forked and the PID
    # file lets systemd track the forked daemon (Type=forking).
    systemd.services.wwsympa = {
      wantedBy = [ "multi-user.target" ];
      after = [ "sympa.service" ];
      serviceConfig = {
        Slice = "mail-sympa.slice";
        Type = "forking";
        PIDFile = "/run/sympa/wwsympa.pid";
        Restart = "always";
        ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
          -u sympa \
          -g sympa \
          -U wwwrun \
          -M 0600 \
          -F 2 \
          -P /run/sympa/wwsympa.pid \
          -s /run/sympa/wwsympa.socket \
          -- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
        '';
        StateDirectory = "sympa";
        # No User= on the unit, so spawn-fcgi starts as root and the -u/-g
        # switches above are the only privilege drop; the Protect* options
        # still confine what the process tree can see.
        ProtectHome = true;
        ProtectSystem = "full";
        ProtectControlGroups = true;
      };
    };

    # Postfix glue (the upstream module's MTA integration is turned off via
    # mta.type = "none" below).
    services.postfix = {
      mapFiles = {
        # Update relay list when changing one of those
        # Administrative addresses of the lists domain are redirected to the
        # postmaster.
        sympa_virtual = pkgs.writeText "virtual.sympa" ''
        sympa-request@${domain} postmaster@immae.eu
        sympa-owner@${domain} postmaster@immae.eu
        '';
        # Service addresses are routed to the pipe transports defined in
        # masterConfig; the bare-domain entry makes any other address at the
        # lists domain bounce as unknown.  Per-list entries come from
        # /var/lib/sympa/sympa_transport, which Sympa maintains itself (see
        # sendmail_aliases/aliases_program in the settings below).
        sympa_transport = pkgs.writeText "transport.sympa" ''
        ${domain} error:User unknown in recipient table
        sympa@${domain} sympa:sympa@${domain}
        listmaster@${domain} sympa:listmaster@${domain}
        bounce@${domain} sympabounce:sympa@${domain}
        abuse-feedback-report@${domain} sympabounce:sympa@${domain}
        '';
      };
      config = {
        # Both the static map above and the Sympa-maintained one are consulted.
        transport_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
        ];
        virtual_alias_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_virtual"
        ];
        # The same maps are listed as mailbox maps, presumably so Postfix
        # accepts these recipients as known instead of rejecting them early.
        virtual_mailbox_maps = lib.mkAfter [
          "hash:/etc/postfix/sympa_transport"
          "hash:/var/lib/sympa/sympa_transport"
          "hash:/etc/postfix/sympa_virtual"
        ];
      };
      # Delivery into Sympa: two pipe(8) transports running Sympa's queue and
      # bouncequeue helpers as the sympa user with the next-hop address as
      # argument, outside the Postfix chroot.  flags=hqRu per pipe(8): lowercase
      # the recipient domain (h) and local part (u), quote shell-special
      # characters (q), prepend a Return-Path header (R).
      masterConfig = {
        sympa = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/queue"
            "\${nexthop}"
          ];
        };
        sympabounce = {
          type = "unix";
          privileged = true;
          chroot = false;
          command = "pipe";
          args = [
            "flags=hqRu"
            "user=sympa"
            "argv=${pkgs.sympa}/libexec/bouncequeue"
            "\${nexthop}"
          ];
        };
      };
    };
    services.sympa = {
      enable = true;
      listMasters = sympaConfig.listmasters;
      mainDomain = domain;
      # The lists domain is served under the mail.immae.eu vhost at /sympa,
      # matching the Apache <Location> above.
      domains = {
        "${domain}" = {
          webHost = "mail.immae.eu";
          webLocation = "/sympa";
        };
      };

      # The database is provisioned outside this module (createLocally =
      # false); the host is the socket path from the env config and the
      # password is read from the secret file rather than given inline.
      database = {
        type = "PostgreSQL";
        user = sympaConfig.postgresql.user;
        host = sympaConfig.postgresql.socket;
        name = sympaConfig.postgresql.database;
        passwordFile = config.secrets.fullPaths."sympa/db_password";
        createLocally = false;
      };
      settings = {
        # Outgoing mail goes through the setuid sendmail wrapper, SMTP logged.
        sendmail = "/run/wrappers/bin/sendmail";
        log_smtp = "on";
        # Sympa writes its per-list transport entries to this file and rebuilds
        # the hash with postmap; Postfix reads the same path in transport_maps.
        sendmail_aliases = "/var/lib/sympa/sympa_transport";
        aliases_program = "${pkgs.postfix}/bin/postmap";
        # List creation restricted to the "listmaster" scenario.
        create_list = "listmaster";
      };
      # The module's own Postfix map files are disabled (presumably superseded
      # by services.postfix.mapFiles above); data source includes and scenari
      # are provided from the secret files into Sympa's etc tree.
      settingsFile = {
        "virtual.sympa".enable = false;
        "transport.sympa".enable = false;
      } // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/data_sources/${n}.incl"
        { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
      // lib.mapAttrs' (n: v: lib.nameValuePair
        "etc/${domain}/scenari/${n}"
        { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
      # Web server and MTA integration are handled manually above.
      web = {
        server = "none";
      };

      mta = {
        type = "none";
      };
    };
  };
}
232 }