hosts/mermet/public-inbox.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config.services) public-inbox;
   4   inherit (config.users) groups;
   5   orga = "sourcephile";
   6   domain = "${orga}.fr";
   7   repositories = [
   8     "doclang"
   9     "majurity"
  10     "reloto"
  11     "haskell/symantic"
  12     "haskell/symantic-atom"
  13     "haskell/symantic-base"
  14     "haskell/symantic-cli"
  15     "haskell/symantic-compta"
  16     "haskell/symantic-document"
  17     "haskell/symantic-http"
  18     "haskell/symantic-parser"
  19     "haskell/symantic-xml"
  20   ];
  21 in
  22 # Pour supprimer un message :
  23 # curl https://mails.sourcephile.fr/inbox/environnement/8ea699887ca47797b4460053588cbef2d115829ab4@vieber.ru/raw |
  24 # sudo -u public-inbox public-inbox-learn rm
  25 {
  26 security.acme.certs."${domain}" = {
  27   postRun = "systemctl try-restart public-inbox-nntpd public-inbox-imapd";
  28 };
  29 networking.nftables.ruleset = ''
  30   add rule inet filter net2fw tcp dport ${toString public-inbox.nntp.port} counter accept comment "NNTPS"
  31   add rule inet filter net2fw tcp dport 1993 counter accept comment "IMAPS"
  32 '';
  33 fileSystems."/var/lib/public-inbox" = {
  34   device = "rpool/var/public-inbox";
  35   fsType = "zfs";
  36 };
  37 systemd.services = {
  38   public-inbox-httpd = {
  39     confinement.enable = true;
  40     serviceConfig = {
  41       SupplementaryGroups = [ groups."git-daemon".name ];
  42       #BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
  43     };
  44   };
  45   public-inbox-imapd = {
  46     confinement.enable = true;
  47     wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  48     after = [ "acme-selfsigned-${domain}.service" ];
  49     serviceConfig = {
  50       SupplementaryGroups = [ groups."acme".name ];
  51       BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
  52     };
  53   };
  54   public-inbox-init = {
  55     confinement.enable = true;
  56   };
  57   public-inbox-nntpd = {
  58     confinement.enable = true;
  59     wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  60     after = [ "acme-selfsigned-${domain}.service" ];
  61     serviceConfig = {
  62       SupplementaryGroups = [ groups."acme".name ];
  63       BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
  64     };
  65   };
  66 };
  67 services.public-inbox = {
  68   enable = true;
  69   postfix.enable = true;
  70   settings.publicinbox = {
  71     css = [ "href=https://mails.${domain}/style/light.css" ];
  72     nntpserver = [ "nntps://news.${domain}" ];
  73     wwwlisting = "match=domain";
  74   };
  75   mda = {
  76     enable = true;
  77     args = [ "--no-precheck" ]; # Allow Bcc:
  78   };
  79   http = {
  80     enable = true;
  81     port = "/run/public-inbox-http.sock";
  82     #port = 8080;
  83     args = ["-W0"];
  84     mounts = [
  85       "https://mails.${domain}/inbox"
  86       "https://public-inbox.${domain}/inbox"
  87     ];
  88   };
  89   nntp = {
  90     enable = true;
  91     #port = 563;
  92     args = ["-W0"];
  93     cert = "/var/lib/acme/${domain}/fullchain.pem";
  94     key = "/var/lib/acme/${domain}/key.pem";
  95   };
  96   imap = {
  97     enable = true;
  98     # FIXME: find an IP or .onion to put 993
  99     port = null;
 100     args = [ "-W0" "--listen" "imaps://0.0.0.0:1993" ];
 101     #args = ["-W0"];
 102     cert = "/var/lib/acme/${domain}/fullchain.pem";
 103     key = "/var/lib/acme/${domain}/key.pem";
 104   };
 105   inboxes = {
 106     news = {
 107       address = [
 108         "news@${domain}"
 109       ];
 110       description = ''
 111         news@${domain} :
 112         annonces d'informations concernant importantes
 113       '';
 114       url = "https://mails.${domain}/inbox/news";
 115       newsgroup = "inbox.comp.${orga}.news";
 116       #coderepo = [ "sourcephile-txt" ];
 117     };
 118     chat = {
 119       address = [
 120         "chat@${domain}"
 121       ];
 122       description = ''
 123         chat@${domain} :
 124         discussions concernant l'informatique en général.
 125       '';
 126       url = "https://mails.${domain}/inbox/chat";
 127       newsgroup = "inbox.comp.${orga}.chat";
 128     };
 129     contact = {
 130       address = [
 131         "contact@${domain}"
 132       ];
 133       description = ''
 134         contact@${domain} :
 135         discussions avec le grand public.
 136       '';
 137       url = "https://mails.${domain}/inbox/contact";
 138       newsgroup = "inbox.comp.${orga}.contact";
 139       #coderepo = [ "${orga}" ];
 140     };
 141     environnement = {
 142       address = [
 143         "environnement@${domain}"
 144       ];
 145       description = ''
 146         environnement@${domain} :
 147         discussions sur les impacts environnementaux de l'informatique.
 148       '';
 149       url = "https://mails.${domain}/inbox/environnement";
 150       newsgroup = "inbox.comp.${orga}.environnement";
 151       #coderepo = [ "sourcephile-txt" ];
 152     };
 153     labo = {
 154       address = [
 155         "labo@${domain}"
 156       ];
 157       description = ''
 158         labo@${domain} :
 159         discussions concernant la science de l'informatique.
 160       '';
 161       url = "https://mails.${domain}/inbox/labo";
 162       newsgroup = "inbox.comp.${orga}.labo";
 163       # TODO: list many source code repositories
 164       #coderepo = [ "sourcephile-txt" ];
 165     };
 166     prod = {
 167       address = [
 168         "prod@${domain}"
 169       ];
 170       description = ''
 171         prod@${domain} :
 172         discussions concernant l'administration technique de l'infrastructure informatique.
 173       '';
 174       url = "https://mails.${domain}/inbox/prod";
 175       newsgroup = "inbox.comp.${orga}.prod";
 176       #coderepo = [ "sourcephile-txt" "sourcephile-nix" ];
 177     };
 178     orga = {
 179       address = [
 180         "orga@${domain}"
 181       ];
 182       description = ''
 183         orga@${domain} :
 184         discussions à l'attention de l'ensemble des personnes à bord.
 185       '';
 186       url = "https://mails.${domain}/inbox/orga";
 187       newsgroup = "inbox.comp.${orga}.orga";
 188       #coderepo = [ "sourcephile-txt" ];
 189     };
 190     test = {
 191       address = [
 192         "test@${domain}"
 193       ];
 194       description = ''
 195         test@${domain} :
 196         une cible de test pour effectuer des tirs de mails.
 197       '';
 198       url = "https://mails.${domain}/inbox/test";
 199       newsgroup = "inbox.comp.${orga}.test";
 200       hide = [ /* FIXME: doesn't work for IMAP */"imap" "www" "manifest" ];
 201     };
 202   } // lib.genAttrs (map baseNameOf repositories) (name: {
 203     address = [
 204       "${name}@${domain}"
 205     ];
 206     description = ''
 207       ${name}@${domain} :
 208       discussions about ${name}.
 209     '';
 210     url = "https://mails.${domain}/inbox/${name}";
 211     newsgroup = "inbox.comp.${orga}.${name}";
 212     coderepo = [ name ];
 213   });
 214   settings.coderepo = {
 215     sourcephile-txt = {
 216       dir = "/var/lib/gitolite/repositories/sourcephile-txt.git";
 217       cgitUrl = "https://code.${domain}/sourcephile-txt.git";
 218     };
 219     sourcephile-nix = {
 220       dir = "/var/lib/gitolite/repositories/sourcephile-nix.git";
 221       cgitUrl = "https://code.${domain}/sourcephile-nix.git";
 222     };
 223   } // lib.listToAttrs (map (path: lib.nameValuePair (baseNameOf path) {
 224     dir = "/var/lib/gitolite/repositories/${path}.git";
 225     cgitUrl = "https://code.${domain}/${path}.git";
 226   }) repositories);
 227 };
 228 services.sanoid.datasets."rpool/var/public-inbox" = {
 229   use_template = [ "snap" ];
 230   daily = 7;
 231 };
 232 }