{ pkgs, config, ... }:
let
  domain = "autogeree.net";
  domainSuffix = "dc=autogeree,dc=net";

  # Key first, then the full chain: the order tls_server_sni_maps expects
  # for each SNI name.  Both files are produced by the ACME units that the
  # systemd ordering below refers to.
  acmeChain = [
    "/var/lib/acme/${domain}/key.pem"
    "/var/lib/acme/${domain}/fullchain.pem"
  ];

  # Write an ldap_table(5) configuration into the store and return the
  # "ldap:<path>" reference that Postfix expects inside a *_maps list.
  ldapTable = name: body:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" body;

  # Parameters shared by both LDAP tables.  The bind is SASL EXTERNAL over
  # the local ldapi:// socket, so no LDAP credential is stored in this
  # file.  The filter only matches entries with mailEnabled=TRUE, so a
  # disabled account is neither a valid recipient nor an allowed sender.
  ldapCommon = ''
    domain = ${domain}
    version = 3
    debuglevel = 0
    server_host = ldapi://
    bind = sasl
    sasl_mechs = EXTERNAL
    search_base = ou=posix,${domainSuffix}
    scope = sub
    dereference = 0
    query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  '';
in
{
  services.postfix = {
    extraAliases = "";
    virtual = ''
      root@${domain} julm+root@${domain}
    '';
    tls_server_sni_maps = {
      "smtp.${domain}" = acmeChain;
      "mail.${domain}" = acmeChain;
    };
    config = {
      virtual_mailbox_domains = [ domain ];
      # Map the main address and aliases to the main mail address.
      # This is checked by permit_auth_recipient
      # NOTE(review): permit_auth_recipient is not a built-in Postfix
      # restriction name; presumably a restriction class defined elsewhere
      # in this host's configuration — confirm.
      virtual_mailbox_maps = [
        (ldapTable "mail" ''
          ${ldapCommon}result_format = %s
          result_attribute = mail
        '')
      ];
      # Map MAIL FROM addresses to the SASL login names allowed to use it.
      # NOTE(review): a sender login map is only enforced when a
      # reject_sender_login_mismatch-style restriction is present in the
      # smtpd_*_restrictions; this file sets none, so confirm it is set
      # elsewhere or the map has no effect on what authenticated users may
      # put in MAIL FROM.
      smtpd_sender_login_maps = [
        (ldapTable "senders" ''
          ${ldapCommon}result_format = %s@${domain}
          result_attribute = uid
        '')
      ];
    };
  };

  # After a renewal, restart Postfix (only if it is already running) so the
  # new key and chain referenced by tls_server_sni_maps are loaded.
  security.acme.certs.${domain}.postRun = "systemctl try-restart postfix";

  systemd.services.postfix = {
    wants = [
      "openldap.service"
      "acme-selfsigned-${domain}.service"
      "acme-${domain}.service"
    ];
    # Only the self-signed bootstrap certificate and the LDAP server are
    # ordering dependencies; the real ACME unit is wanted but not waited
    # for, presumably so a slow or failing renewal does not delay Postfix
    # startup.
    after = [
      "openldap.service"
      "acme-selfsigned-${domain}.service"
    ];
  };
}