Diffstat (limited to 'systems/eldiron/mail/sympa.nix')
-rw-r--r-- | systems/eldiron/mail/sympa.nix | 232 |
1 files changed, 232 insertions, 0 deletions
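--- /dev/null
+++ b/systems/eldiron/mail/sympa.nix
@@ -0,0 +1,232 @@
+{ lib, pkgs, config, ... }:
+let
+domain = "lists.immae.eu";
+sympaConfig = config.myEnv.mail.sympa;
+in
+{
+config = lib.mkIf config.myServices.mail.enable {
+myServices.dns.zones."immae.eu".emailPolicies."lists".receive = true;
+myServices.dns.zones."immae.eu".subdomains.lists =
+with config.myServices.dns.helpers; lib.mkMerge [
+(ips servers.eldiron.ips.main)
+(mailCommon "immae.eu")
+mailSend
+];
+
+myServices.chatonsProperties.services.sympa = {
+file.datetime = "2022-08-22T00:50:00";
+service = {
+name = "Sympa";
+description = "Mailing lists service";
+website = "https://mail.immae.eu/sympa";
+logo = "https://mail.immae.eu/static-sympa/icons/favicon_sympa.png";
+status.level = "OK";
+status.description = "OK";
+registration."" = ["MEMBER" "CLIENT"];
+registration.load = "OPEN";
+install.type = "PACKAGE";
+};
+software = {
+name = "Sympa";
+website = "https://www.sympa.org/";
+license.url = "https://github.com/sympa-community/sympa/blob/sympa-6.2/COPYING";
+license.name = "GNU General Public License v2.0";
+version = pkgs.sympa.version;
+source.url = "https://github.com/sympa-community/sympa/";
+};
+};
+myServices.databases.postgresql.authorizedHosts = {
+backup-2 = [
+{
+username = "sympa";
+database = "sympa";
+ip4 = config.myEnv.servers.backup-2.ips.main.ip4;
+ip6 = map (v: "${v}/128") config.myEnv.servers.backup-2.ips.main.ip6;
+}
+];
+};
+services.websites.env.tools.vhostConfs.mail = {
+extraConfig = lib.mkAfter [
+''
+Alias /static-sympa/ /var/lib/sympa/static_content/
+<Directory /var/lib/sympa/static_content/>
+Require all granted
+AllowOverride none
+</Directory>
+<Location /sympa>
+SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://"
+Require all granted
+</Location>
+''
+];
+};
+
+secrets.keys = {
+"sympa/db_password" = {
+permissions = "0400";
+group = "sympa";
+user = "sympa";
+text = sympaConfig.postgresql.password;
+};
+}
+// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
+permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.data_sources
+// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
+permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+}) sympaConfig.scenari;
+users.users.sympa.extraGroups = [ "keys" ];
+systemd.slices.mail-sympa = {
+description = "Sympa slice";
+};
+
+systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ];
+systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+systemd.services.sympa.serviceConfig.Slice = "mail-sympa.slice";
+systemd.services.sympa-archive.serviceConfig.Slice = "mail-sympa.slice";
+systemd.services.sympa-bounce.serviceConfig.Slice = "mail-sympa.slice";
+systemd.services.sympa-bulk.serviceConfig.Slice = "mail-sympa.slice";
+systemd.services.sympa-task.serviceConfig.Slice = "mail-sympa.slice";
+
+# https://github.com/NixOS/nixpkgs/pull/84202
+systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false;
+systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false;
+
+systemd.services.wwsympa = {
+wantedBy = [ "multi-user.target" ];
+after = [ "sympa.service" ];
+serviceConfig = {
+Slice = "mail-sympa.slice";
+Type = "forking";
+PIDFile = "/run/sympa/wwsympa.pid";
+Restart = "always";
+ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \
+-u sympa \
+-g sympa \
+-U wwwrun \
+-M 0600 \
+-F 2 \
+-P /run/sympa/wwsympa.pid \
+-s /run/sympa/wwsympa.socket \
+-- ${pkgs.sympa}/lib/sympa/cgi/wwsympa.fcgi
+'';
+StateDirectory = "sympa";
+ProtectHome = true;
+ProtectSystem = "full";
+ProtectControlGroups = true;
+};
+};
+
+services.postfix = {
+mapFiles = {
+# Update relay list when changing one of those
+sympa_virtual = pkgs.writeText "virtual.sympa" ''
+sympa-request@${domain} postmaster@immae.eu
+sympa-owner@${domain} postmaster@immae.eu
+'';
+sympa_transport = pkgs.writeText "transport.sympa" ''
+${domain} error:User unknown in recipient table
+sympa@${domain} sympa:sympa@${domain}
+listmaster@${domain} sympa:listmaster@${domain}
+bounce@${domain} sympabounce:sympa@${domain}
+abuse-feedback-report@${domain} sympabounce:sympa@${domain}
+'';
+};
+config = {
+transport_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+];
+virtual_alias_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_virtual"
+];
+virtual_mailbox_maps = lib.mkAfter [
+"hash:/etc/postfix/sympa_transport"
+"hash:/var/lib/sympa/sympa_transport"
+"hash:/etc/postfix/sympa_virtual"
+];
+};
+masterConfig = {
+sympa = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/libexec/queue"
+"\${nexthop}"
+];
+};
+sympabounce = {
+type = "unix";
+privileged = true;
+chroot = false;
+command = "pipe";
+args = [
+"flags=hqRu"
+"user=sympa"
+"argv=${pkgs.sympa}/libexec/bouncequeue"
+"\${nexthop}"
+];
+};
+};
+};
+services.sympa = {
+enable = true;
+listMasters = sympaConfig.listmasters;
+mainDomain = domain;
+domains = {
+"${domain}" = {
+webHost = "mail.immae.eu";
+webLocation = "/sympa";
+};
+};
+
+database = {
+type = "PostgreSQL";
+user = sympaConfig.postgresql.user;
+host = sympaConfig.postgresql.socket;
+name = sympaConfig.postgresql.database;
+passwordFile = config.secrets.fullPaths."sympa/db_password";
+createLocally = false;
+};
+settings = {
+sendmail = "/run/wrappers/bin/sendmail";
+log_smtp = "on";
+sendmail_aliases = "/var/lib/sympa/sympa_transport";
+aliases_program = "${pkgs.postfix}/bin/postmap";
+create_list = "listmaster";
+};
+settingsFile = {
+"virtual.sympa".enable = false;
+"transport.sympa".enable = false;
+} // lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/data_sources/${n}.incl"
+{ source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources
+// lib.mapAttrs' (n: v: lib.nameValuePair
+"etc/${domain}/scenari/${n}"
+{ source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari;
+web = {
+server = "none";
+};
+
+mta = {
+type = "none";
+};
+};
+};
+}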
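Review bot: The `ProtectKernelModules`/`ProtectKernelTunables` overrides on lines 96–105 force off sandboxing that the sympa module evidently enables (hence the `mkForce`), and the only justification is the bare URL comment on line 95; please state the failure that was observed and when the override can go, e.g. `# nixpkgs PR 84202: <observed failure> — drop once the module-side fix is in the pinned nixpkgs`. The same five unit names are repeated for SupplementaryGroups, Slice and both overrides (lines 83–105), so a later sympa unit could silently miss one of them; `lib.genAttrs` over the list expresses it once, sketched below with `lib.mkMerge` so the hand-written `wwsympa` unit keeps its own definition. That `wwsympa` unit (lines 107–130) carries only ProtectHome/ProtectSystem/ProtectControlGroups, has no `User=`, and appears to rely on spawn-fcgi's `-u`/`-g` to drop to `sympa`; a short comment on why it gets less hardening than the module-managed units (and whether options that do not interfere with the user switch, such as `PrivateTmp`, were considered) would help the next reviewer.
```nix
# … unchanged: secrets, users, slice definition …
systemd.services = lib.mkMerge [
  # The five module-managed units get identical settings; one place to edit.
  (lib.genAttrs [ "sympa" "sympa-archive" "sympa-bounce" "sympa-bulk" "sympa-task" ] (_: {
    serviceConfig = {
      SupplementaryGroups = [ "keys" ];
      Slice = "mail-sympa.slice";
      # https://github.com/NixOS/nixpkgs/pull/84202
      ProtectKernelModules = lib.mkForce false;
      ProtectKernelTunables = lib.mkForce false;
    };
  }))
  {
    wwsympa = {
      # … unchanged: wwsympa unit body …
    };
  }
];
# … unchanged: services.postfix, services.sympa …
```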