Diffstat (limited to 'modules/private/mail/sympa.nix')
-rw-r--r-- | modules/private/mail/sympa.nix | 183 |
1 files changed, 183 insertions, 0 deletions
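--- /dev/null
+++ b/modules/private/mail/sympa.nix
@@ -0,0 +1,183 @@
+{ lib, pkgs, config, ... }:
+let
+domain = "lists.immae.eu";
+sympaConfig = config.myEnv.mail.sympa;
+in
+{
+config = lib.mkIf config.myServices.mail.enable {
+services.duplyBackup.profiles.sympa = {
+rootDir = "/var/lib/sympa";
+};
+services.websites.env.tools.vhostConfs.mail = {
+extraConfig = lib.mkAfter [
+''
+Alias /static-sympa/ /var/lib/sympa/static_content/
+<Directory /var/lib/sympa/static_content/>
+Require all granted
+AllowOverride none
+</Directory>
+<Location /sympa>
+SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
+Require all granted
+</Location>
+''
+];
+};
+
+secrets.keys = [
+{
+dest = "sympa/db_password";
+permissions = "0400";
+group = "sympa";
+user = "sympa";
+text = sympaConfig.postgresql.password;
+}
+]
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.data_sources
+++ lib.mapAttrsToList (n: v: {
+dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.scenari;
+users.users.sympa.extraGroups = [ "keys" ];
+systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+# https://github.com/NixOS/nixpkgs/pull/84202
+systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+
+systemd.services.wwsympa = {
+wantedBy = [ "multi-user.target" ];
+after = [ "sympa.service" ];
+serviceConfig = {
+Type = "forking";
+PIDFile = "/run/sympa/wwsympa.pid";
+Restart = "always";
+ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
+-u sympa \
+-g sympa \
+-U wwwrun \
+-M 0600 \
+-F 2 \
+-P /run/sympa/wwsympa.pid \
+-s /run/sympa/wwsympa.socket \
+-- ${pkgs.sympa}/bin/wwsympa.fcgi
+'';
+StateDirectory = "sympa";
+ProtectHome = true;
+ProtectSystem = "full";
+ProtectControlGroups = true;
+};
+};
+
+services.postfix = {
+mapFiles = {
+sympa_virtual = pkgs.writeText "virtual.sympa" ''
+sympa-request@${domain} postmaster@immae.eu
+sympa-owner@${domain} postmaster@immae.eu
+'';
+sympa_transport = pkgs.writeText "transport.sympa" ''
+${domain} error:User unknown in recipient table
+sympa@${domain} sympa:sympa@${domain}
+listmaster@${domain} sympa:listmaster@${domain}
+bounce@${domain} sympabounce:sympa@${domain}
+abuse-feedback-report@${domain} sympabounce:sympa@${domain}
+'';
+};
+config = {
+transport_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+];
+virtual_alias_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_virtual"
+];
+virtual_mailbox_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+"hash:/etc/postfix/sympa_virtual"
+];
+};
+masterConfig = {
+sympa = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/queue"
+"\${nexthop}"
+];
+};
+sympabounce = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/bin/bouncequeue"
+"\${nexthop}"
+];
+};
+};
+};
+services.sympa = {
+enable = true;
+listMasters = sympaConfig.listmasters;
+mainDomain = domain;
+domains = {
+"${domain}" = {
+webHost = "mail.immae.eu";
+webLocation = "/sympa";
+};
+};
+
+database = {
+type = "PostgreSQL";
+user = sympaConfig.postgresql.user;
+host = sympaConfig.postgresql.socket;
+name = sympaConfig.postgresql.database;
+passwordFile = config.secrets.fullPaths."sympa/db_password";
+createLocally = false;
+};
+settings = {
+sendmail = "/run/wrappers/bin/sendmail";
+log_smtp = "on";
+sendmail_aliases = "/var/lib/sympa/sympa_transport";
+aliases_program = "${pkgs.postfix}/bin/postmap";
+};
+settingsFile = {
+"virtual.sympa".enable = false;
+"transport.sympa".enable = false;
+} // lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/data_sources/${n}.incl"
+{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
+// lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/scenari/${n}"
+{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
+web = {
+server = "none";
+};
+
+mta = {
+type = "none";
+};
+};
+};
+}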
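Review bot: Lines 49–59 of the new file force ProtectKernelModules and ProtectKernelTunables off for all five sympa units with only a bare URL as justification, so a later reader cannot tell which sandbox failure motivated the relaxation or when it can be lifted; a comment above them such as `# Relaxed because of <reason per nixpkgs PR 84202>; re-enable once that fix is in the pinned nixpkgs` would record that. The wwsympa unit (lines 61–83) runs wwsympa.fcgi as user sympa but, unlike the other five units, gets no `SupplementaryGroups = [ "keys" ]`; if it reads the secrets referenced through `config.secrets.fullPaths` (the data_sources and scenari files are wired into settingsFile at lines 165–173), it relies on spawn-fcgi initialising supplementary groups from `users.users.sympa.extraGroups`, which is worth confirming. The fifteen near-identical assignments at lines 43–59 would also read more clearly as one `lib.genAttrs` over the unit names, merged with the wwsympa definition so that `systemd.services` is not assigned twice in the same attribute set.
```nix
systemd.services = lib.mkMerge [
  (lib.genAttrs [ "sympa" "sympa-archive" "sympa-bounce" "sympa-bulk" "sympa-task" ] (_: {
    serviceConfig = {
      SupplementaryGroups = [ "keys" ];
      # https://github.com/NixOS/nixpkgs/pull/84202
      ProtectKernelModules = lib.mkForce false;
      ProtectKernelTunables = lib.mkForce false;
    };
  }))
  {
    wwsympa = {
      # … unchanged: wwsympa unit definition …
    };
  }
];
```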