{ lib, pkgs, config, ... }:
let
domain = "lists.immae.eu";
sympaConfig = config.myEnv.mail.sympa;
in
{
config = lib.mkIf config.myServices.mail.enable {
myServices.dns.zones."immae.eu".emailPolicies."lists".receive = true;
myServices.dns.zones."immae.eu".subdomains.lists =
with config.myServices.dns.helpers; lib.mkMerge [
(ips servers.eldiron.ips.main)
(mailCommon "immae.eu")
mailSend
];
myServices.chatonsProperties.services.sympa = {
file.datetime = "2022-08-22T00:50:00";
service = {
name = "Sympa";
description = "Mailing lists service";
website = "https://mail.immae.eu/sympa";
logo = "https://mail.immae.eu/static-sympa/icons/favicon_sympa.png";
status.level = "OK";
status.description = "OK";
registration."" = ["MEMBER" "CLIENT"];
registration.load = "OPEN";
install.type = "PACKAGE";
};
software = {
name = "Sympa";
website = "https://www.sympa.org/";
license.url = "https://github.com/sympa-community/sympa/blob/sympa-6.2/COPYING";
license.name = "GNU General Public License v2.0";
version = pkgs.sympa.version;
source.url = "https://github.com/sympa-community/sympa/";
};
};
myServices.databases.postgresql.authorizedHosts = {
backup-2 = [
{
username = "sympa";
database = "sympa";
ip4 = config.myEnv.servers.backup-2.ips.main.ip4;
ip6 = map (v: "${v}/128") config.myEnv.servers.backup-2.ips.main.ip6;
}
];
};
services.websites.env.tools.vhostConfs.mail = {
extraConfig = lib.mkAfter [
''
Alias /static-sympa/ /var/lib/sympa/static_content/
Require all granted
AllowOverride none
SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
Require all granted
''
];
};
secrets.keys = {
"sympa/db_password" = {
permissions = "0400";
group = "sympa";
user = "sympa";
text = sympaConfig.postgresql.password;
};
}
// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
}) sympaConfig.data_sources
// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
}) sympaConfig.scenari;
users.users.sympa.extraGroups = [ "keys" ];
systemd.slices.mail-sympa = {
description = "Sympa slice";
};
systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
# https://github.com/NixOS/nixpkgs/pull/84202
systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
systemd.services.wwsympa = {
wantedBy = [ "multi-user.target" ];
after = [ "sympa.service" ];
serviceConfig = {
Slice = "mail-sympa.slice";
Type = "forking";
PIDFile = "/run/sympa/wwsympa.pid";
Restart = "always";
ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
-u sympa \
-g sympa \
-U wwwrun \
-M 0600 \
-F 2 \
-P /run/sympa/wwsympa.pid \
-s /run/sympa/wwsympa.socket \
-- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
'';
StateDirectory = "sympa";
ProtectHome = true;
ProtectSystem = "full";
ProtectControlGroups = true;
};
};
services.postfix = {
mapFiles = {
# Update relay list when changing one of those
sympa_virtual = pkgs.writeText "virtual.sympa" ''
sympa-request@${domain} postmaster@immae.eu
sympa-owner@${domain} postmaster@immae.eu
'';
sympa_transport = pkgs.writeText "transport.sympa" ''
${domain} error:User unknown in recipient table
sympa@${domain} sympa:sympa@${domain}
listmaster@${domain} sympa:listmaster@${domain}
bounce@${domain} sympabounce:sympa@${domain}
abuse-feedback-report@${domain} sympabounce:sympa@${domain}
'';
};
config = {
transport_maps = lib.mkAfter [
"hash:/etc/postfix/sympa_transport"
"hash:/var/lib/sympa/sympa_transport"
];
virtual_alias_maps = lib.mkAfter [
"hash:/etc/postfix/sympa_virtual"
];
virtual_mailbox_maps = lib.mkAfter [
"hash:/etc/postfix/sympa_transport"
"hash:/var/lib/sympa/sympa_transport"
"hash:/etc/postfix/sympa_virtual"
];
};
masterConfig = {
sympa = {
type = "unix";
privileged = true;
chroot = false;
command = "pipe";
args = [
"flags=hqRu"
"user=sympa"
"argv=${pkgs.sympa}/libexec/queue"
"\${nexthop}"
];
};
sympabounce = {
type = "unix";
privileged = true;
chroot = false;
command = "pipe";
args = [
"flags=hqRu"
"user=sympa"
"argv=${pkgs.sympa}/libexec/bouncequeue"
"\${nexthop}"
];
};
};
};
services.sympa = {
enable = true;
listMasters = sympaConfig.listmasters;
mainDomain = domain;
domains = {
"${domain}" = {
webHost = "mail.immae.eu";
webLocation = "/sympa";
};
};
database = {
type = "PostgreSQL";
user = sympaConfig.postgresql.user;
host = sympaConfig.postgresql.socket;
name = sympaConfig.postgresql.database;
passwordFile = config.secrets.fullPaths."sympa/db_password";
createLocally = false;
};
settings = {
sendmail = "/run/wrappers/bin/sendmail";
log_smtp = "on";
sendmail_aliases = "/var/lib/sympa/sympa_transport";
aliases_program = "${pkgs.postfix}/bin/postmap";
create_list = "listmaster";
};
settingsFile = {
"virtual.sympa".enable = false;
"transport.sympa".enable = false;
} // lib.mapAttrs' (n: v: lib.nameValuePair
"etc/${domain}/data_sources/${n}.incl"
{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
// lib.mapAttrs' (n: v: lib.nameValuePair
"etc/${domain}/scenari/${n}"
{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
web = {
server = "none";
};
mta = {
type = "none";
};
};
};
}