-rw-r--r--modules/private/environment.nix22
-rw-r--r--modules/private/mail/default.nix1
-rw-r--r--modules/private/mail/postfix.nix15
-rw-r--r--modules/private/mail/relay.nix2
-rw-r--r--modules/private/mail/sympa.nix183
-rw-r--r--modules/private/websites/tools/tools/landing/config.yml2
-rw-r--r--overlays/default.nix1
-rw-r--r--overlays/sympa/default.nix12
8 files changed, 233 insertions, 5 deletions
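--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -698,6 +698,28 @@ in
 };
 });
 };
+sympa = mkOption {
+description = "Sympa configuration";
+type = submodule {
+options = {
+listmasters = mkOption {
+type = listOf str;
+description = "Listmasters";
+};
+postgresql = mkPsqlOptions "Sympa";
+data_sources = mkOption {
+type = attrsOf str;
+default = {};
+description = "Data sources to make available to sympa";
+};
+scenari = mkOption {
+type = attrsOf str;
+default = {};
+description = "Scenari to make available to sympa";
+};
+};
+};
+};
 };
 };
 };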
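Review bot: The descriptions of `data_sources` and `scenari` do not say how the values are handled, although the consuming module (sympa.nix in this same commit) writes each value into a 0400 secret owned by sympa and uses the attribute name verbatim as a file name under `data_sources/` and `scenari/`. I would make that explicit in the option text, e.g. `description = "Data source includes, keyed by file name (installed as etc/<domain>/data_sources/<name>.incl with mode 0400, so credentials may be put here)";` and the matching wording for scenari. Since `attrsOf str` does not constrain the keys, a sentence stating that keys must be plain file names documents the assumption the path interpolation relies on.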
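--- a/modules/private/mail/default.nix
+++ b/modules/private/mail/default.nix
@@ -7,6 +7,7 @@
 ./relay.nix
 ./rspamd.nix
 ./opensmtpd.nix
+./sympa.nix
 ];
 options.myServices.mail.enable = lib.mkEnableOption "enable Mail services";
 options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services";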
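--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -18,7 +18,7 @@
 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
 dbname = ${config.myEnv.mail.postfix.mysql.database}
 query = SELECT DISTINCT destination
-FROM forwardings_merge
+FROM forwardings
 WHERE
 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
 AND active = 1
@@ -73,7 +73,7 @@
 hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
 dbname = ${config.myEnv.mail.postfix.mysql.database}
 query = SELECT DISTINCT destination
-FROM forwardings_merge
+FROM forwardings
 WHERE
 (
 (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') )
@@ -291,7 +291,11 @@
 alias_database = "\$alias_maps";
 
 ### Virtual mailboxes config
-virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}";
+virtual_alias_maps = [
+"hash:/etc/postfix/virtual"
+"mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"
+"ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"
+];
 virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
 ++ lib.remove null (lib.flatten (map
 (zone: map
@@ -303,7 +307,10 @@
 )
 config.myEnv.dns.masterZones
 ));
-virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
+virtual_mailbox_maps = [
+"hash:/etc/postfix/host_dummy_mailboxes"
+"mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"
+];
 dovecot_destination_recipient_limit = "1";
 virtual_transport = "dovecot";
 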
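Review bot: `virtual_alias_maps` and `virtual_mailbox_maps` are turned from space-separated strings into lists without a comment saying why, and the reason only becomes visible in sympa.nix, which appends to both with `lib.mkAfter`. Postfix consults these tables in the order listed and the first match wins, so the list form now makes ordering part of the contract between modules; I would add `# list form on purpose: other modules append with lib.mkAfter; Postfix tries the tables in this order, first match wins` above the first of them. The `forwardings_merge` → `forwardings` rename in the first two hunks is repeated in relay.nix, and the three queries are otherwise identical; a one-line comment pointing at relay.nix (and vice versa) would stop them drifting apart on the next schema change.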
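--- a/modules/private/mail/relay.nix
+++ b/modules/private/mail/relay.nix
@@ -27,7 +27,7 @@
 hosts = ${config.myEnv.mail.postfix.mysql.remoteHost}
 dbname = ${config.myEnv.mail.postfix.mysql.database}
 query = SELECT DISTINCT 1
-FROM forwardings_merge
+FROM forwardings
 WHERE
 ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s'))
 AND active = 1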
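--- /dev/null
+++ b/modules/private/mail/sympa.nix
@@ -0,0 +1,183 @@
+{ lib, pkgs, config, ... }:
+let
+domain = "lists.immae.eu";
+sympaConfig = config.myEnv.mail.sympa;
+in
+{
+config = lib.mkIf config.myServices.mail.enable {
+services.duplyBackup.profiles.sympa = {
+rootDir = "/var/lib/sympa";
+};
+services.websites.env.tools.vhostConfs.mail = {
+extraConfig = lib.mkAfter [
+''
+Alias /static-sympa/ /var/lib/sympa/static_content/
+<Directory /var/lib/sympa/static_content/>
+Require all granted
+AllowOverride none
+</Directory>
+<Location /sympa>
+SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
+Require all granted
+</Location>
+''
+];
+};
+
+secrets.keys = [
+{
+dest = "sympa/db_password";
+permissions = "0400";
+group = "sympa";
+user = "sympa";
+text = sympaConfig.postgresql.password;
+}
+]
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.data_sources
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.scenari;
+users.users.sympa.extraGroups = [ "keys" ];
+systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+# https://github.com/NixOS/nixpkgs/pull/84202
+systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+
+systemd.services.wwsympa = {
+wantedBy = [ "multi-user.target" ];
+after = [ "sympa.service" ];
+serviceConfig = {
+Type = "forking";
+PIDFile = "/run/sympa/wwsympa.pid";
+Restart = "always";
+ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
+-u sympa \
+-g sympa \
+-U wwwrun \
+-M 0600 \
+-F 2 \
+-P /run/sympa/wwsympa.pid \
+-s /run/sympa/wwsympa.socket \
+-- ${pkgs.sympa}/bin/wwsympa.fcgi
+'';
+StateDirectory = "sympa";
+ProtectHome = true;
+ProtectSystem = "full";
+ProtectControlGroups = true;
+};
+};
+
+services.postfix = {
+mapFiles = {
+sympa_virtual = pkgs.writeText "virtual.sympa" ''
+sympa-request@${domain} postmaster@immae.eu
+sympa-owner@${domain} postmaster@immae.eu
+'';
+sympa_transport = pkgs.writeText "transport.sympa" ''
+${domain} error:User unknown in recipient table
+sympa@${domain} sympa:sympa@${domain}
+listmaster@${domain} sympa:listmaster@${domain}
+bounce@${domain} sympabounce:sympa@${domain}
+abuse-feedback-report@${domain} sympabounce:sympa@${domain}
+'';
+};
+config = {
+transport_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+];
+virtual_alias_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_virtual"
+];
+virtual_mailbox_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+"hash:/etc/postfix/sympa_virtual"
+];
+};
+masterConfig = {
+sympa = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/queue"
+"\${nexthop}"
+];
+};
+sympabounce = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/bouncequeue"
+"\${nexthop}"
+];
+};
+};
+};
+services.sympa = {
+enable = true;
+listMasters = sympaConfig.listmasters;
+mainDomain = domain;
+domains = {
+"${domain}" = {
+webHost = "mail.immae.eu";
+webLocation = "/sympa";
+};
+};
+
+database = {
+type = "PostgreSQL";
+user = sympaConfig.postgresql.user;
+host = sympaConfig.postgresql.socket;
+name = sympaConfig.postgresql.database;
+passwordFile = config.secrets.fullPaths."sympa/db_password";
+createLocally = false;
+};
+settings = {
+sendmail = "/run/wrappers/bin/sendmail";
+log_smtp = "on";
+sendmail_aliases = "/var/lib/sympa/sympa_transport";
+aliases_program = "${pkgs.postfix}/bin/postmap";
+};
+settingsFile = {
+"virtual.sympa".enable = false;
+"transport.sympa".enable = false;
+} // lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/data_sources/${n}.incl"
+{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
+// lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/scenari/${n}"
+{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
+web = {
+server = "none";
+};
+
+mta = {
+type = "none";
+};
+};
+};
+}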
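Review bot: The ten `lib.mkForce false` lines (file lines 50-59) switch off ProtectKernelModules and ProtectKernelTunables on all five sympa units, and the only justification is a bare PR URL, so a later reader cannot tell what failed, whether every unit needs it, or when the override can be removed. I would replace the URL-only comment with `# nixpkgs PR 84202: <WHAT-FAILS-PLACEHOLDER> breaks under ProtectKernelModules/ProtectKernelTunables; drop this override once the pinned nixpkgs carries that change` and, if only some of the units are affected, restrict the override to those. A second trust boundary is worth stating in a comment next to `transport_maps` (file lines 100-103): `/var/lib/sympa/sympa_transport` is written by the sympa user (`sendmail_aliases` with `aliases_program = postmap`, file lines 162-163) and is consulted by Postfix as a transport and virtual_mailbox table for every recipient, so routing for any address present in that file is effectively controlled by the sympa account; something like `# /var/lib/sympa/sympa_transport is generated by the sympa user; Postfix trusts it for routing, so keep sympa's write access to /var/lib/sympa as tight as the rest of this module assumes` would record that. Finally, the attribute names of `data_sources` and `scenari` are interpolated unchanged into `dest` paths and `settingsFile` keys (file lines 37, 40, 169, 172) and nothing rejects a name containing a path separator; a short comment that keys must be plain file names, or a `lib.mapAttrs'`-side assertion, would document that assumption.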
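--- a/modules/private/websites/tools/tools/landing/config.yml
+++ b/modules/private/websites/tools/tools/landing/config.yml
@@ -154,6 +154,8 @@ services:
 url: "https://im.immae.fr"
 - name: "E-mail"
 url: "https://mail.immae.eu"
+- name: "Sympa"
+url: "https://mail.immae.eu/sympa"
 - name: "VPN"
 url: "https://vpn.immae.eu"
 - name: "Taskwarrior"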
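--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -22,6 +22,7 @@
 sc-im = import ./sc-im;
 shaarli = import ./shaarli;
 slrn = import ./slrn;
+sympa = import ./sympa;
 taskwarrior = import ./taskwarrior;
 vcsh = import ./vcsh;
 weboob = import ./weboob;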
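--- /dev/null
+++ b/overlays/sympa/default.nix
@@ -0,0 +1,12 @@
+self: super: {
+sympa = super.sympa.overrideAttrs(old: {
+# https://github.com/NixOS/nixpkgs/pull/83258/files
+src = self.fetchFromGitHub {
+owner = "sympa-community";
+repo = "sympa";
+rev = "6.2.54";
+sha256 = "07wfvr8rrg7pwkl2zglrdri7n42rl9gwrjbaffb8m37wq67s7fca";
+};
+#configureFlags = ["--enable-fhs"] ++ old.configureFlags;
+});
+}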
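Review bot: The override replaces `src` with a pinned GitHub checkout of tag 6.2.54, but the comment on line 3 is only a link, and line 10 leaves a commented-out `configureFlags` line with no hint whether it is pending work or a rejected attempt. I would write `# sympa 6.2.54 from upstream (the nixpkgs PR 83258 version bump); remove this overlay once the pinned nixpkgs ships it` in place of the bare URL, and either delete the dead `configureFlags` line or add `# --enable-fhs: not used, <REASON-PLACEHOLDER>` so the next reader does not have to rediscover it. The sha256 pin itself is what ties the build to a fixed source tree, so a comment should also say the hash must be re-derived (not just edited) when `rev` changes.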