]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/postfix/sourcephile.fr.nix
losurdo: firewall: open fw2net for Mosh
[sourcephile-nix.git] / hosts / mermet / postfix / sourcephile.fr.nix
1 { pkgs, lib, config, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainSuffix = "dc=sourcephile,dc=fr";
5 in
6 {
7 services.postfix = {
8 extraAliases = ''
9 '';
10 virtual = ''
11 root@${domain} julm+root@${domain}
12 atelier@${domain} public-inbox@localhost
13 bar@${domain} public-inbox@localhost
14 contact@${domain} public-inbox@localhost
15 ecole@${domain} public-inbox@localhost
16 environnement@${domain} public-inbox@localhost
17 labo@${domain} public-inbox@localhost
18 hosts@${domain} public-inbox@localhost
19 pont@${domain} public-inbox@localhost
20 test@${domain} public-inbox@localhost
21 '';
22 tls_server_sni_maps =
23 let chain = [
24 "/var/lib/acme/${domain}/key.pem"
25 "/var/lib/acme/${domain}/fullchain.pem"
26 ]; in {
27 "smtp.${domain}" = chain;
28 "mail.${domain}" = chain;
29 };
30 config = {
31 virtual_mailbox_domains = [
32 domain
33 ];
34 virtual_mailbox_maps = [
35 # Map the main address and aliases to the main mail address.
36 # This is checked by permit_auth_recipient
37 ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" ''
38 domain = ${domain}
39 version = 3
40 debuglevel = 0
41 server_host = ldapi://
42 bind = sasl
43 sasl_mechs = EXTERNAL
44 search_base = ou=posix,${domainSuffix}
45 scope = sub
46 dereference = 0
47 query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
48 result_format = %s
49 result_attribute = mail
50 '')
51 ];
52 # Map MAIL FROM addresses to the SASL login names allowed to use it.
53 smtpd_sender_login_maps = [
54 ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" ''
55 domain = ${domain}
56 version = 3
57 debuglevel = 0
58 server_host = ldapi://
59 bind = sasl
60 sasl_mechs = EXTERNAL
61 search_base = ou=posix,${domainSuffix}
62 scope = sub
63 dereference = 0
64 query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
65 result_format = %s@${domain}
66 result_attribute = uid
67 '')
68 ];
69 };
70 };
71 security.acme.certs."${domain}" = {
72 postRun = "systemctl reload postfix";
73 };
74 systemd.services.postfix = {
75 wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
76 after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
77 };
78 }