public-inbox: move to mails.sourcephile.fr
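{ pkgs, lib, config, ... }:
# Postfix configuration for the sourcephile.fr mail domain: virtual
# address rewriting, the certificate served for the domain's hostnames
# via SNI, and the two LDAP lookup tables that decide which recipients
# exist and which SASL login may use which MAIL FROM address.
let
  domain = "sourcephile.fr";
  # Base DN matching `domain`; used as the suffix of the LDAP search base.
  domainSuffix = "dc=sourcephile,dc=fr";

  # Settings shared by both Postfix LDAP tables of this domain.
  # The connection is a local ldapi:// socket with a SASL EXTERNAL bind,
  # so no bind DN or password is written into the generated files
  # (presumably the postfix user is authenticated through the socket's
  # peer credentials — confirm against the slapd ACLs).
  # The filter matches an account by its primary `mail` or any `mailAlias`,
  # and only while `mailEnabled` is TRUE.  ldap_table(5) documents that
  # Postfix applies RFC 2254 quoting to the `%s` key before substitution,
  # so an address containing filter metacharacters cannot widen the query.
  # `debuglevel = 0` keeps lookup keys out of the logs.
  ldapCommon = ''
    domain = ${domain}
    version = 3
    debuglevel = 0
    server_host = ldapi://
    bind = sasl
    sasl_mechs = EXTERNAL
    search_base = ou=posix,${domainSuffix}
    scope = sub
    dereference = 0
    query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  '';

  # Build a `ldap:` table reference from the shared settings plus the
  # result_* lines specific to one table.  `name` only selects the file
  # name in the store ("ldap-<name>-<domain>.cf"); every line of `results`
  # must start at column 0 because Postfix treats an indented line as a
  # continuation of the previous one.
  ldapTable = name: results:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" (ldapCommon + results);

  # Key first, then the chain: that is the order tls_server_sni_maps expects.
  certChain = [
    "/var/lib/acme/${domain}/key.pem"
    "/var/lib/acme/${domain}/fullchain.pem"
  ];
in
{
  services.postfix = {
    extraAliases = ''
    '';
    # root is delivered to julm's plus-tagged address; the list addresses
    # are handed to the local public-inbox delivery address.
    virtual = ''
      root@${domain} julm+root@${domain}
      bistrot@${domain} public-inbox@localhost
      entraide@${domain} public-inbox@localhost
      environnement@${domain} public-inbox@localhost
      infra@${domain} public-inbox@localhost
      labo@${domain} public-inbox@localhost
      membres@${domain} public-inbox@localhost
      test@${domain} public-inbox@localhost
    '';
    # Serve the domain's ACME certificate to clients that name either
    # hostname in the TLS SNI extension.
    tls_server_sni_maps = {
      "smtp.${domain}" = certChain;
      "mail.${domain}" = certChain;
    };
    config = {
      virtual_mailbox_domains = [
        domain
      ];
      # Map the main address and aliases to the main mail address.
      # This is checked by permit_auth_recipient
      virtual_mailbox_maps = [
        (ldapTable "mail" ''
          result_format = %s
          result_attribute = mail
        '')
      ];
      # Map MAIL FROM addresses to the SASL login names allowed to use it.
      # The login is the account's `uid` qualified with the domain, so an
      # authenticated sender can only use the addresses of its own account.
      smtpd_sender_login_maps = [
        (ldapTable "senders" ''
          result_format = %s@${domain}
          result_attribute = uid
        '')
      ];
    };
  };
  # Pick up a renewed certificate without restarting the daemon.
  security.acme.certs."${domain}" = {
    postRun = "systemctl reload postfix";
  };
  systemd.services.postfix = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    # NOTE(review): only ordered after the self-signed placeholder, apparently
    # so Postfix can start before the real ACME order completes and rely on
    # the postRun reload above to swap in the real certificate — confirm.
    after = [ "acme-selfsigned-${domain}.service" ];
  };
}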