servers/mermet/postfix/sourcephile.fr.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (pkgs.lib) loadFile;
   4   domain = "sourcephile.fr";
   5   domainSuffix = "dc=sourcephile,dc=fr";
   6 in
   7 {
   8 services.postfix = {
   9   extraAliases = ''
  10   '';
  11   virtual = ''
  12     root@${domain} julm+root@${domain}
  13     bistrot@${domain}       public-inbox@localhost
  14     entraide@${domain}      public-inbox@localhost
  15     environnement@${domain} public-inbox@localhost
  16     infra@${domain}         public-inbox@localhost
  17     labo@${domain}          public-inbox@localhost
  18     membres@${domain}       public-inbox@localhost
  19   '';
  20   tls_server_sni_maps =
  21     let chain = [
  22       "/var/lib/acme/${domain}/key.pem"
  23       "/var/lib/acme/${domain}/fullchain.pem"
  24     ]; in {
  25     "smtp.${domain}" = chain;
  26     "mail.${domain}" = chain;
  27   };
  28   config = {
  29     virtual_mailbox_domains = [
  30       domain
  31     ];
  32     virtual_mailbox_maps = [
  33       # Map the main address and aliases to the main mail address.
  34       # This is checked by permit_auth_recipient
  35       ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" ''
  36         domain           = ${domain}
  37         version          = 3
  38         debuglevel       = 0
  39         server_host      = ldapi://
  40         bind             = sasl
  41         sasl_mechs       = EXTERNAL
  42         search_base      = ou=posix,${domainSuffix}
  43         scope            = sub
  44         dereference      = 0
  45         query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  46         result_format    = %s
  47         result_attribute = mail
  48       '')
  49     ];
  50     # Map MAIL FROM addresses to the SASL login names allowed to use it.
  51     smtpd_sender_login_maps = [
  52       ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" ''
  53         domain           = ${domain}
  54         version          = 3
  55         debuglevel       = 0
  56         server_host      = ldapi://
  57         bind             = sasl
  58         sasl_mechs       = EXTERNAL
  59         search_base      = ou=posix,${domainSuffix}
  60         scope            = sub
  61         dereference      = 0
  62         query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  63         result_format    = %s@${domain}
  64         result_attribute = uid
  65       '')
  66     ];
  67   };
  68 };
  69 security.acme.certs."${domain}" = {
  70   postRun = "systemctl reload postfix";
  71 };
  72 systemd.services.postfix = {
  73   wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  74   after = [ "acme-selfsigned-${domain}.service" ];
  75 };
  76 }