Diffstat (limited to 'modules/private/mail/sympa.nix')
-rw-r--r-- | modules/private/mail/sympa.nix | 213 |
1 files changed, 0 insertions, 213 deletions
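--- a/modules/private/mail/sympa.nix
+++ /dev/null
@@ -1,213 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-domain = "lists.immae.eu";
-sympaConfig = config.myEnv.mail.sympa;
-in
-{
-config = lib.mkIf config.myServices.mail.enable {
-myServices.databases.postgresql.authorizedHosts = {
-backup-2 = [
-{
-username = "sympa";
-database = "sympa";
-ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
-ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
-}
-];
-};
-services.websites.env.tools.vhostConfs.mail = {
-extraConfig = lib.mkAfter [
-''
-Alias /static-sympa/ /var/lib/sympa/static_content/
-<Directory /var/lib/sympa/static_content/>
-Require all granted
-AllowOverride none
-</Directory>
-<Location /sympa>
-SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
-Require all granted
-</Location>
-''
-];
-};
-
-secrets.keys = {
-"sympa/db_password" = {
-permissions = "0400";
-group = "sympa";
-user = "sympa";
-text = sympaConfig.postgresql.password;
-};
-}
-// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
-permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
-}) sympaConfig.data_sources
-// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
-permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
-}) sympaConfig.scenari;
-users.users.sympa.extraGroups = [ "keys" ];
-systemd.slices.mail-sympa = {
-description = "Sympa slice";
-};
-
-systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
-systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
-systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
-systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
-systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
-
-systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
-systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
-systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
-systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
-systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
-
-# https://github.com/NixOS/nixpkgs/pull/84202
-systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
-systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
-systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
-systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
-systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
-systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
-systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
-systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
-systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
-systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
-
-systemd.services.wwsympa = {
-wantedBy = [ "multi-user.target" ];
-after = [ "sympa.service" ];
-serviceConfig = {
-Slice = "mail-sympa.slice";
-Type = "forking";
-PIDFile = "/run/sympa/wwsympa.pid";
-Restart = "always";
-ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
--u sympa \
--g sympa \
--U wwwrun \
--M 0600 \
--F 2 \
--P /run/sympa/wwsympa.pid \
--s /run/sympa/wwsympa.socket \
--- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
-'';
-StateDirectory = "sympa";
-ProtectHome = true;
-ProtectSystem = "full";
-ProtectControlGroups = true;
-};
-};
-
-services.postfix = {
-mapFiles = {
-# Update relay list when changing one of those
-sympa_virtual = pkgs.writeText "virtual.sympa" ''
-sympa-request@${domain} postmaster@immae.eu
-sympa-owner@${domain} postmaster@immae.eu
-
-sympa-request@cip-ca.fr postmaster@immae.eu
-sympa-owner@cip-ca.fr postmaster@immae.eu
-'';
-sympa_transport = pkgs.writeText "transport.sympa" ''
-${domain} error:User unknown in recipient table
-sympa@${domain} sympa:sympa@${domain}
-listmaster@${domain} sympa:listmaster@${domain}
-bounce@${domain} sympabounce:sympa@${domain}
-abuse-feedback-report@${domain} sympabounce:sympa@${domain}
-
-sympa@cip-ca.fr sympa:sympa@cip-ca.fr
-listmaster@cip-ca.fr sympa:listmaster@cip-ca.fr
-bounce@cip-ca.fr sympabounce:sympa@cip-ca.fr
-abuse-feedback-report@cip-ca.fr sympabounce:sympa@cip-ca.fr
-'';
-};
-config = {
-transport_maps = lib.mkAfter [
-"hash:/etc/postfix/sympa_transport"
-"hash:/var/lib/sympa/sympa_transport"
-];
-virtual_alias_maps = lib.mkAfter [
-"hash:/etc/postfix/sympa_virtual"
-];
-virtual_mailbox_maps = lib.mkAfter [
-"hash:/etc/postfix/sympa_transport"
-"hash:/var/lib/sympa/sympa_transport"
-"hash:/etc/postfix/sympa_virtual"
-];
-};
-masterConfig = {
-sympa = {
-type = "unix";
-privileged = true;
-chroot = false;
-command = "pipe";
-args = [
-"flags=hqRu"
-"user=sympa"
-"argv=${pkgs.sympa}/libexec/queue"
-"\${nexthop}"
-];
-};
-sympabounce = {
-type = "unix";
-privileged = true;
-chroot = false;
-command = "pipe";
-args = [
-"flags=hqRu"
-"user=sympa"
-"argv=${pkgs.sympa}/libexec/bouncequeue"
-"\${nexthop}"
-];
-};
-};
-};
-services.sympa = {
-enable = true;
-listMasters = sympaConfig.listmasters;
-mainDomain = domain;
-domains = {
-"${domain}" = {
-webHost = "mail.immae.eu";
-webLocation = "/sympa";
-};
-"cip-ca.fr" = {
-webHost = "mail.cip-ca.fr";
-webLocation = "/sympa";
-};
-};
-
-database = {
-type = "PostgreSQL";
-user = sympaConfig.postgresql.user;
-host = sympaConfig.postgresql.socket;
-name = sympaConfig.postgresql.database;
-passwordFile = config.secrets.fullPaths."sympa/db_password";
-createLocally = false;
-};
-settings = {
-sendmail = "/run/wrappers/bin/sendmail";
-log_smtp = "on";
-sendmail_aliases = "/var/lib/sympa/sympa_transport";
-aliases_program = "${pkgs.postfix}/bin/postmap";
-};
-settingsFile = {
-"virtual.sympa".enable = false;
-"transport.sympa".enable = false;
-} // lib.mapAttrs' (n: v: lib.nameValuePair
-"etc/${domain}/data_sources/${n}.incl"
-{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
-// lib.mapAttrs' (n: v: lib.nameValuePair
-"etc/${domain}/scenari/${n}"
-{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
-web = {
-server = "none";
-};
-
-mta = {
-type = "none";
-};
-};
-};
-}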