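# Postfix configuration for the sourcephile.fr mail domain.
#
# Recipient addresses and sender authorization are resolved against the
# local LDAP directory (over the ldapi:// Unix socket); the TLS material
# comes from the ACME module and Postfix is reloaded when it is renewed.
{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  domainSuffix = "dc=sourcephile,dc=fr";

  # Settings shared by both LDAP lookup tables below.  Only the result
  # shape (result_format / result_attribute) differs between the two.
  #
  # These table files are written to the Nix store, which is
  # world-readable, so they must never contain a bind password: binding
  # with SASL EXTERNAL over ldapi:// authenticates by the socket peer's
  # credentials instead.
  #
  # In query_filter, %s is the lookup key; Postfix applies RFC 2254
  # quoting to it (see ldap_table(5)), so a crafted address cannot change
  # the structure of the filter.  Only entries with mailEnabled=TRUE match.
  ldapCommon = ''
    domain = ${domain}
    version = 3
    debuglevel = 0
    server_host = ldapi://
    bind = sasl
    sasl_mechs = EXTERNAL
    search_base = ou=posix,${domainSuffix}
    scope = sub
    dereference = 0
    query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  '';

  # Build a Postfix "ldap:" table reference named ldap-<name>-<domain>.cf
  # from the shared settings plus the table-specific result lines.
  ldapTable = name: result:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" (ldapCommon + result);
in
{
  services.postfix = {
    extraAliases = ''
    '';

    # Static virtual aliases: root mail goes to julm's "+root" sub-address,
    # the equipage address is delivered to the local public-inbox recipient.
    virtual = ''
      root@${domain} julm+root@${domain}
      equipage@${domain} public-inbox
    '';

    # Serve the same ACME key/certificate for both SNI names.  Postfix
    # expects the private key first, followed by the certificate chain.
    tls_server_sni_maps =
      let
        chain = [
          "/var/lib/acme/${domain}/key.pem"
          "/var/lib/acme/${domain}/fullchain.pem"
        ];
      in
      {
        "smtp.${domain}" = chain;
        "mail.${domain}" = chain;
      };

    config = {
      virtual_mailbox_domains = [ domain ];

      # Map the main address and aliases to the main mail address.
      # This is checked by permit_auth_recipient
      virtual_mailbox_maps = [
        (ldapTable "mail" ''
          result_format = %s
          result_attribute = mail
        '')
      ];

      # Map MAIL FROM addresses to the SASL login names allowed to use it.
      # The login name is the account's uid qualified with the domain.
      # NOTE(review): this only restricts senders if smtpd_sender_restrictions
      # (configured elsewhere, not visible here) uses
      # reject_sender_login_mismatch or a similar check — confirm.
      smtpd_sender_login_maps = [
        (ldapTable "senders" ''
          result_format = %s@${domain}
          result_attribute = uid
        '')
      ];
    };
  };

  # Pick up the renewed certificate without restarting the daemon.
  security.acme.certs."${domain}" = {
    postRun = "systemctl reload postfix";
  };

  # Pull in both the self-signed bootstrap certificate and the real ACME
  # service, but only order Postfix after the self-signed one, presumably so
  # that a failing ACME fetch (e.g. no network yet) does not block mail
  # startup — confirm this is the intended trade-off.
  systemd.services.postfix = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
  };
}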