From 418a4ed7da43fab53c18f99237bc296e37f47d2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 4 May 2020 01:03:37 +0200 Subject: Add sympa mailing-list --- modules/private/environment.nix | 22 +++ modules/private/mail/default.nix | 1 + modules/private/mail/postfix.nix | 15 +- modules/private/mail/relay.nix | 2 +- modules/private/mail/sympa.nix | 183 +++++++++++++++++++++ .../websites/tools/tools/landing/config.yml | 2 + overlays/default.nix | 1 + overlays/sympa/default.nix | 12 ++ 8 files changed, 233 insertions(+), 5 deletions(-) create mode 100644 modules/private/mail/sympa.nix create mode 100644 overlays/sympa/default.nix diff --git a/modules/private/environment.nix b/modules/private/environment.nix index 969c9c7..22217b1 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix @@ -698,6 +698,28 @@ in }; }); }; + sympa = mkOption { + description = "Sympa configuration"; + type = submodule { + options = { + listmasters = mkOption { + type = listOf str; + description = "Listmasters"; + }; + postgresql = mkPsqlOptions "Sympa"; + data_sources = mkOption { + type = attrsOf str; + default = {}; + description = "Data sources to make available to sympa"; + }; + scenari = mkOption { + type = attrsOf str; + default = {}; + description = "Scenari to make available to sympa"; + }; + }; + }; + }; }; }; }; diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index d893ec4..57fc75c 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix @@ -7,6 +7,7 @@ ./relay.nix ./rspamd.nix ./opensmtpd.nix + ./sympa.nix ]; options.myServices.mail.enable = lib.mkEnableOption "enable Mail services"; options.myServices.mailRelay.enable = lib.mkEnableOption "enable Mail relay services"; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 52cd77d..46d45c1 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -18,7 +18,7 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) AND active = 1 @@ -73,7 +73,7 @@ hosts = unix:${config.myEnv.mail.postfix.mysql.socket} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination - FROM forwardings_merge + FROM forwardings WHERE ( (regex = 1 AND CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') REGEXP CONCAT('^',source,'$') ) @@ -291,7 +291,11 @@ alias_database = "\$alias_maps"; ### Virtual mailboxes config - virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"} ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}"; + virtual_alias_maps = [ + "hash:/etc/postfix/virtual" + "mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}" + "ldap:${config.secrets.fullPaths."postfix/ldap_ejabberd_users_immae_fr"}" + ]; virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains ++ lib.remove null (lib.flatten (map (zone: map @@ -303,7 +307,10 @@ ) config.myEnv.dns.masterZones )); - virtual_mailbox_maps = "hash:/etc/postfix/host_dummy_mailboxes mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; + virtual_mailbox_maps = [ + "hash:/etc/postfix/host_dummy_mailboxes" + "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}" + ]; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index d29ae75..ae74112 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix @@ -27,7 +27,7 @@ hosts = ${config.myEnv.mail.postfix.mysql.remoteHost} dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT 1 - FROM forwardings_merge + FROM forwardings WHERE ((regex = 1 AND '%s' REGEXP CONCAT('^',source,'$') ) OR (regex = 0 AND source = '%s')) AND active = 1 diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix new file mode 100644 index 0000000..ed7e598 --- /dev/null +++ b/modules/private/mail/sympa.nix @@ -0,0 +1,183 @@ +{ lib, pkgs, config, ... }: +let + domain = "lists.immae.eu"; + sympaConfig = config.myEnv.mail.sympa; +in +{ + config = lib.mkIf config.myServices.mail.enable { + services.duplyBackup.profiles.sympa = { + rootDir = "/var/lib/sympa"; + }; + services.websites.env.tools.vhostConfs.mail = { + extraConfig = lib.mkAfter [ + '' + Alias /static-sympa/ /var/lib/sympa/static_content/ + + Require all granted + AllowOverride none + + + SetHandler "proxy:unix:/run/sympa/wwsympa.socket|fcgi://" + Require all granted + + '' + ]; + }; + + secrets.keys = [ + { + dest = "sympa/db_password"; + permissions = "0400"; + group = "sympa"; + user = "sympa"; + text = sympaConfig.postgresql.password; + } + ] + ++ lib.mapAttrsToList (n: v: { + dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + }) sympaConfig.data_sources + ++ lib.mapAttrsToList (n: v: { + dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + }) sympaConfig.scenari; + users.users.sympa.extraGroups = [ "keys" ]; + systemd.services.sympa.serviceConfig.SupplementaryGroups = [ "keys" ]; + systemd.services.sympa-archive.serviceConfig.SupplementaryGroups = [ "keys" ]; + systemd.services.sympa-bounce.serviceConfig.SupplementaryGroups = [ "keys" ]; + systemd.services.sympa-bulk.serviceConfig.SupplementaryGroups = [ "keys" ]; + systemd.services.sympa-task.serviceConfig.SupplementaryGroups = [ "keys" ]; + + # https://github.com/NixOS/nixpkgs/pull/84202 + systemd.services.sympa.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.sympa-archive.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.sympa-bounce.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.sympa-bulk.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.sympa-task.serviceConfig.ProtectKernelModules = lib.mkForce false; + systemd.services.sympa.serviceConfig.ProtectKernelTunables = lib.mkForce false; + systemd.services.sympa-archive.serviceConfig.ProtectKernelTunables = lib.mkForce false; + systemd.services.sympa-bounce.serviceConfig.ProtectKernelTunables = lib.mkForce false; + systemd.services.sympa-bulk.serviceConfig.ProtectKernelTunables = lib.mkForce false; + systemd.services.sympa-task.serviceConfig.ProtectKernelTunables = lib.mkForce false; + + systemd.services.wwsympa = { + wantedBy = [ "multi-user.target" ]; + after = [ "sympa.service" ]; + serviceConfig = { + Type = "forking"; + PIDFile = "/run/sympa/wwsympa.pid"; + Restart = "always"; + ExecStart = ''${pkgs.spawn_fcgi}/bin/spawn-fcgi \ + -u sympa \ + -g sympa \ + -U wwwrun \ + -M 0600 \ + -F 2 \ + -P /run/sympa/wwsympa.pid \ + -s /run/sympa/wwsympa.socket \ + -- ${pkgs.sympa}/bin/wwsympa.fcgi + ''; + StateDirectory = "sympa"; + ProtectHome = true; + ProtectSystem = "full"; + ProtectControlGroups = true; + }; + }; + + services.postfix = { + mapFiles = { + sympa_virtual = pkgs.writeText "virtual.sympa" '' + sympa-request@${domain} postmaster@immae.eu + sympa-owner@${domain} postmaster@immae.eu + ''; + sympa_transport = pkgs.writeText "transport.sympa" '' + ${domain} error:User unknown in recipient table + sympa@${domain} sympa:sympa@${domain} + listmaster@${domain} sympa:listmaster@${domain} + bounce@${domain} sympabounce:sympa@${domain} + abuse-feedback-report@${domain} sympabounce:sympa@${domain} + ''; + }; + config = { + transport_maps = lib.mkAfter [ + "hash:/etc/postfix/sympa_transport" + "hash:/var/lib/sympa/sympa_transport" + ]; + virtual_alias_maps = lib.mkAfter [ + "hash:/etc/postfix/sympa_virtual" + ]; + virtual_mailbox_maps = lib.mkAfter [ + "hash:/etc/postfix/sympa_transport" + "hash:/var/lib/sympa/sympa_transport" + "hash:/etc/postfix/sympa_virtual" + ]; + }; + masterConfig = { + sympa = { + type = "unix"; + privileged = true; + chroot = false; + command = "pipe"; + args = [ + "flags=hqRu" + "user=sympa" + "argv=${pkgs.sympa}/bin/queue" + "\${nexthop}" + ]; + }; + sympabounce = { + type = "unix"; + privileged = true; + chroot = false; + command = "pipe"; + args = [ + "flags=hqRu" + "user=sympa" + "argv=${pkgs.sympa}/bin/bouncequeue" + "\${nexthop}" + ]; + }; + }; + }; + services.sympa = { + enable = true; + listMasters = sympaConfig.listmasters; + mainDomain = domain; + domains = { + "${domain}" = { + webHost = "mail.immae.eu"; + webLocation = "/sympa"; + }; + }; + + database = { + type = "PostgreSQL"; + user = sympaConfig.postgresql.user; + host = sympaConfig.postgresql.socket; + name = sympaConfig.postgresql.database; + passwordFile = config.secrets.fullPaths."sympa/db_password"; + createLocally = false; + }; + settings = { + sendmail = "/run/wrappers/bin/sendmail"; + log_smtp = "on"; + sendmail_aliases = "/var/lib/sympa/sympa_transport"; + aliases_program = "${pkgs.postfix}/bin/postmap"; + }; + settingsFile = { + "virtual.sympa".enable = false; + "transport.sympa".enable = false; + } // lib.mapAttrs' (n: v: lib.nameValuePair + "etc/${domain}/data_sources/${n}.incl" + { source = config.secrets.fullPaths."sympa/data_sources/${n}.incl"; }) sympaConfig.data_sources + // lib.mapAttrs' (n: v: lib.nameValuePair + "etc/${domain}/scenari/${n}" + { source = config.secrets.fullPaths."sympa/scenari/${n}"; }) sympaConfig.scenari; + web = { + server = "none"; + }; + + mta = { + type = "none"; + }; + }; + }; +} diff --git a/modules/private/websites/tools/tools/landing/config.yml b/modules/private/websites/tools/tools/landing/config.yml index 20995a9..4f3a51d 100644 --- a/modules/private/websites/tools/tools/landing/config.yml +++ b/modules/private/websites/tools/tools/landing/config.yml @@ -154,6 +154,8 @@ services: url: "https://im.immae.fr" - name: "E-mail" url: "https://mail.immae.eu" + - name: "Sympa" + url: "https://mail.immae.eu/sympa" - name: "VPN" url: "https://vpn.immae.eu" - name: "Taskwarrior" diff --git a/overlays/default.nix b/overlays/default.nix index 0cefc17..5639c94 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -22,6 +22,7 @@ sc-im = import ./sc-im; shaarli = import ./shaarli; slrn = import ./slrn; + sympa = import ./sympa; taskwarrior = import ./taskwarrior; vcsh = import ./vcsh; weboob = import ./weboob; diff --git a/overlays/sympa/default.nix b/overlays/sympa/default.nix new file mode 100644 index 0000000..9337298 --- /dev/null +++ b/overlays/sympa/default.nix @@ -0,0 +1,12 @@ +self: super: { + sympa = super.sympa.overrideAttrs(old: { + # https://github.com/NixOS/nixpkgs/pull/83258/files + src = self.fetchFromGitHub { + owner = "sympa-community"; + repo = "sympa"; + rev = "6.2.54"; + sha256 = "07wfvr8rrg7pwkl2zglrdri7n42rl9gwrjbaffb8m37wq67s7fca"; + }; + #configureFlags = ["--enable-fhs"] ++ old.configureFlags; + }); +} -- cgit v1.2.3