-rw-r--r-- | modules/private/environment.nix | 22 | ||||
-rw-r--r-- | modules/private/mail/default.nix | 1 | ||||
-rw-r--r-- | modules/private/mail/postfix.nix | 15 | ||||
-rw-r--r-- | modules/private/mail/relay.nix | 2 | ||||
-rw-r--r-- | modules/private/mail/sympa.nix | 183 | ||||
-rw-r--r-- | modules/private/websites/tools/tools/landing/config.yml | 2 | ||||
-rw-r--r-- | overlays/default.nix | 1 | ||||
-rw-r--r-- | overlays/sympa/default.nix | 12 |
8 files changed, 233 insertions, 5 deletions
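--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -698,6 +698,28 @@ in
 };
 });
 };
+sympa = mkOption {
+description = "Sympa configuration";
+type = submodule {
+options = {
+listmasters = mkOption {
+type = listOf str;
+description = "Listmasters";
+};
+postgresql = mkPsqlOptions "Sympa";
+data_sources = mkOption {
+type = attrsOf str;
+default = {};
+description = "Data sources to make available to sympa";
+};
+scenari = mkOption {
+type = attrsOf str;
+default = {};
+description = "Scenari to make available to sympa";
+};
+};
+};
+};
 };
 };
 };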
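Review bot: The descriptions in the new `sympa` submodule are too thin to guide whoever sets the option: `description = "Listmasters";` says nothing about the expected values, and `data_sources`/`scenari` do not say what becomes of the strings. Suggest `description = "E-mail addresses of the Sympa listmasters";` and `description = "Data source include files (name -> file content); each value is written as a 0400 secret file for the sympa user";` with the matching wording for `scenari` — the secret-file part is taken from sympa.nix in this commit, not from this hunk, so confirm it still holds if that module changes. The enclosing `options` attrset starts and ends outside the hunk.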
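--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -7,6 +7,7 @@
 ./relay.nix
 ./rspamd.nix
 ./opensmtpd.nix
+./sympa.nix
 ];
 options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
 options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";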
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 52cd77d..46d45c1 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
@@ -18,7 +18,7 @@ | |||
18 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} | 18 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} |
19 | dbname = ${config.myEnv.mail.postfix.mysql.database} | 19 | dbname = ${config.myEnv.mail.postfix.mysql.database} |
20 | query = SELECT DISTINCT destination | 20 | query = SELECT DISTINCT destination |
21 | FROM forwardings_merge | 21 | FROM forwardings |
22 | WHERE | 22 | WHERE |
23 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) | 23 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) |
24 | AND active = 1 | 24 | AND active = 1 |
@@ -73,7 +73,7 @@ | |||
73 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} | 73 | hosts = unix:${config.myEnv.mail.postfix.mysql.socket} |
74 | dbname = ${config.myEnv.mail.postfix.mysql.database} | 74 | dbname = ${config.myEnv.mail.postfix.mysql.database} |
75 | query = SELECT DISTINCT destination | 75 | query = SELECT DISTINCT destination |
76 | FROM forwardings_merge | 76 | FROM forwardings |
77 | WHERE | 77 | WHERE |
78 | ( | 78 | ( |
79 | (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') ) | 79 | (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') ) |
@@ -291,7 +291,11 @@ | |||
291 | alias_database = "\$alias_maps"; | 291 | alias_database = "\$alias_maps"; |
292 | 292 | ||
293 | ### Virtual mailboxes config | 293 | ### Virtual mailboxes config |
294 | virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"; | 294 | virtual_alias_maps = [ |
295 | "hash:/etc/postfix/virtual" | ||
296 | "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}" | ||
297 | "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}" | ||
298 | ]; | ||
295 | virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains | 299 | virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains |
296 | ++ lib.remove null (lib.flatten (map | 300 | ++ lib.remove null (lib.flatten (map |
297 | (zone: map | 301 | (zone: map |
@@ -303,7 +307,10 @@ | |||
303 | ) | 307 | ) |
304 | config.myEnv.dns.masterZones | 308 | config.myEnv.dns.masterZones |
305 | )); | 309 | )); |
306 | virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; | 310 | virtual_mailbox_maps = [ |
311 | "hash:/etc/postfix/host_dummy_mailboxes" | ||
312 | "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}" | ||
313 | ]; | ||
307 | dovecot_destination_recipient_limit = "1"; | 314 | dovecot_destination_recipient_limit = "1"; |
308 | virtual_transport = "dovecot"; | 315 | virtual_transport = "dovecot"; |
309 | 316 | ||
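Review bot: The switch of `virtual_alias_maps` and `virtual_mailbox_maps` from a space-joined string to a list (new lines 294–298 and 310–313) is what lets other modules append entries with `lib.mkAfter`, as sympa.nix in this commit does, but nothing in postfix.nix records that, so a later edit turning them back into strings would break the merge without an obvious error at this site. Suggest a comment above each list: `# kept as a list so other modules (e.g. sympa.nix) can append entries with lib.mkAfter`. The hunks at lines 21 and 76 (and relay.nix line 30) change the queried table from `forwardings_merge` to `forwardings`; if `forwardings_merge` was a view combining several tables, confirm that `forwardings` alone still yields every active alias before deploying — the schema is not on the page. The enclosing attrsets start and end outside the hunks.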
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index d29ae75..ae74112 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix | |||
@@ -27,7 +27,7 @@ | |||
27 | hosts = ${config.myEnv.mail.postfix.mysql.remoteHost} | 27 | hosts = ${config.myEnv.mail.postfix.mysql.remoteHost} |
28 | dbname = ${config.myEnv.mail.postfix.mysql.database} | 28 | dbname = ${config.myEnv.mail.postfix.mysql.database} |
29 | query = SELECT DISTINCT 1 | 29 | query = SELECT DISTINCT 1 |
30 | FROM forwardings_merge | 30 | FROM forwardings |
31 | WHERE | 31 | WHERE |
32 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) | 32 | ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) |
33 | AND active = 1 | 33 | AND active = 1 |
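--- /dev/null
+++ b/modules/private/mail/sympa.nix
@@ -0,0 +1,183 @@
+{ lib, pkgs, config, ... }:
+let
+domain = "lists.immae.eu";
+sympaConfig = config.myEnv.mail.sympa;
+in
+{
+config = lib.mkIf config.myServices.mail.enable {
+services.duplyBackup.profiles.sympa = {
+rootDir = "/var/lib/sympa";
+};
+services.websites.env.tools.vhostConfs.mail = {
+extraConfig = lib.mkAfter [
+''
+Alias /static-sympa/ /var/lib/sympa/static_content/
+<Directory /var/lib/sympa/static_content/>
+Require all granted
+AllowOverride none
+</Directory>
+<Location /sympa>
+SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
+Require all granted
+</Location>
+''
+];
+};
+
+secrets.keys = [
+{
+dest = "sympa/db_password";
+permissions = "0400";
+group = "sympa";
+user = "sympa";
+text = sympaConfig.postgresql.password;
+}
+]
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.data_sources
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.scenari;
+users.users.sympa.extraGroups = [ "keys" ];
+systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+# https://github.com/NixOS/nixpkgs/pull/84202
+systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+
+systemd.services.wwsympa = {
+wantedBy = [ "multi-user.target" ];
+after = [ "sympa.service" ];
+serviceConfig = {
+Type = "forking";
+PIDFile = "/run/sympa/wwsympa.pid";
+Restart = "always";
+ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
+-u sympa \
+-g sympa \
+-U wwwrun \
+-M 0600 \
+-F 2 \
+-P /run/sympa/wwsympa.pid \
+-s /run/sympa/wwsympa.socket \
+-- ${pkgs.sympa}/bin/wwsympa.fcgi
+'';
+StateDirectory = "sympa";
+ProtectHome = true;
+ProtectSystem = "full";
+ProtectControlGroups = true;
+};
+};
+
+services.postfix = {
+mapFiles = {
+sympa_virtual = pkgs.writeText "virtual.sympa" ''
+sympa-request@${domain} postmaster@immae.eu
+sympa-owner@${domain} postmaster@immae.eu
+'';
+sympa_transport = pkgs.writeText "transport.sympa" ''
+${domain} error:User unknown in recipient table
+sympa@${domain} sympa:sympa@${domain}
+listmaster@${domain} sympa:listmaster@${domain}
+bounce@${domain} sympabounce:sympa@${domain}
+abuse-feedback-report@${domain} sympabounce:sympa@${domain}
+'';
+};
+config = {
+transport_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+];
+virtual_alias_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_virtual"
+];
+virtual_mailbox_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+"hash:/etc/postfix/sympa_virtual"
+];
+};
+masterConfig = {
+sympa = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/queue"
+"\${nexthop}"
+];
+};
+sympabounce = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/bouncequeue"
+"\${nexthop}"
+];
+};
+};
+};
+services.sympa = {
+enable = true;
+listMasters = sympaConfig.listmasters;
+mainDomain = domain;
+domains = {
+"${domain}" = {
+webHost = "mail.immae.eu";
+webLocation = "/sympa";
+};
+};
+
+database = {
+type = "PostgreSQL";
+user = sympaConfig.postgresql.user;
+host = sympaConfig.postgresql.socket;
+name = sympaConfig.postgresql.database;
+passwordFile = config.secrets.fullPaths."sympa/db_password";
+createLocally = false;
+};
+settings = {
+sendmail = "/run/wrappers/bin/sendmail";
+log_smtp = "on";
+sendmail_aliases = "/var/lib/sympa/sympa_transport";
+aliases_program = "${pkgs.postfix}/bin/postmap";
+};
+settingsFile = {
+"virtual.sympa".enable = false;
+"transport.sympa".enable = false;
+} // lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/data_sources/${n}.incl"
+{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
+// lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/scenari/${n}"
+{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
+web = {
+server = "none";
+};
+
+mta = {
+type = "none";
+};
+};
+};
+}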
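Review bot: The ten `ProtectKernelModules`/`ProtectKernelTunables = lib.mkForce false` lines (file lines 50–59) switch off sandboxing that the upstream sympa units enable, and the only justification is the bare URL `# https://github.com/NixOS/nixpkgs/pull/84202`, so a maintainer cannot tell what breaks or when the override can be dropped. Suggest `# Workaround: the upstream units' kernel hardening breaks sympa on this nixpkgs pin (see nixpkgs PR 84202); remove once the fix is in the pinned channel` — the exact failure is not on the page, so check the wording against the PR. The five-unit repetition here and for `SupplementaryGroups = [ "keys" ]` could be a single `lib.genAttrs` over the unit names, merged with the `wwsympa` definition via `lib.mkMerge`, which would also keep a newly added sympa unit from being missed. Separately, `wwsympa` only declares `after = [ "sympa.service" ]` yet writes its PID file and socket under `/run/sympa`; if that directory is created by sympa.service's runtime directory, `requires = [ "sympa.service" ];` (or an own `RuntimeDirectory`) is needed for `Restart = "always"` to recover when sympa.service is stopped.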
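--- a/modules/private/websites/tools/tools/landing/config.yml
+++ b/modules/private/websites/tools/tools/landing/config.yml
@@ -154,6 +154,8 @@ services:
 url: "https://im.immae.fr"
 - name: "E-mail"
 url: "https://mail.immae.eu"
+- name: "Sympa"
+url: "https://mail.immae.eu/sympa"
 - name: "VPN"
 url: "https://vpn.immae.eu"
 - name: "Taskwarrior"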
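--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -22,6 +22,7 @@
 sc-im = import ./sc-im;
 shaarli = import ./shaarli;
 slrn = import ./slrn;
+sympa = import ./sympa;
 taskwarrior = import ./taskwarrior;
 vcsh = import ./vcsh;
 weboob = import ./weboob;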
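--- /dev/null
+++ b/overlays/sympa/default.nix
@@ -0,0 +1,12 @@
+self: super: {
+sympa = super.sympa.overrideAttrs(old: {
+# https://github.com/NixOS/nixpkgs/pull/83258/files
+src = self.fetchFromGitHub {
+owner = "sympa-community";
+repo = "sympa";
+rev = "6.2.54";
+sha256 = "07wfvr8rrg7pwkl2zglrdri7n42rl9gwrjbaffb8m37wq67s7fca";
+};
+#configureFlags = ["--enable-fhs"] ++ old.configureFlags;
+});
+}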
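Review bot: The comment `# https://github.com/NixOS/nixpkgs/pull/83258/files` above `src` explains neither that this overlay pins sympa to tag `6.2.54` nor when the overlay can be removed, and the commented-out `#configureFlags = ["--enable-fhs"] ++ old.configureFlags;` is dead configuration with no hint whether it is still wanted. Suggest `# Pin sympa to 6.2.54 (presumably ahead of nixpkgs, cf. PR 83258); drop this overlay once the pinned channel ships it` and either deleting the `configureFlags` line or replacing it with `# TODO: --enable-fhs not enabled yet, see PR 83258`. Pinning `sha256` alongside `rev` is the right call: a tag can be moved, the hash is what actually fixes the fetched source.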