public-inbox: add linky@public-inbox.sourcephile.fr
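# Postfix configuration for the sourcephile.fr mail domain: which addresses
# exist, how they are resolved against LDAP, and which TLS key/chain is
# served for the domain's SNI names.
{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  domainSuffix = "dc=sourcephile,dc=fr";

  # Build a Postfix "ldap:" lookup table over the posix accounts of the domain.
  # The two tables below share every connection setting and the filter; only
  # the table name and the value returned differ, so they are generated from
  # one template instead of two hand-copied files.
  #
  # Binding is SASL EXTERNAL over the local ldapi:// socket, so no LDAP
  # password is stored in this file (slapd must grant the Postfix daemon read
  # access — configured elsewhere, not visible here).  Postfix quotes the %s
  # expansion before it is substituted into query_filter, and the
  # (mailEnabled=TRUE) term keeps disabled accounts out of both tables, i.e.
  # they neither receive mail nor are allowed as a MAIL FROM.
  ldapTable = { name, result_format, result_attribute }:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" ''
      domain = ${domain}
      version = 3
      debuglevel = 0
      server_host = ldapi://
      bind = sasl
      sasl_mechs = EXTERNAL
      search_base = ou=posix,${domainSuffix}
      scope = sub
      dereference = 0
      query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
      result_format = ${result_format}
      result_attribute = ${result_attribute}
    '';
in
{
  services.postfix = {
    extraAliases = ''
    '';
    # Virtual alias rewriting.  equipage@ is rewritten to the bare name
    # public-inbox, linky@ on the public-inbox subdomain to public-inbox@ of
    # the main domain.
    # NOTE(review): public-inbox@${domain} must itself resolve through the
    # LDAP mailbox map below or another alias — neither is visible here; confirm.
    virtual = ''
      root@${domain} julm+root@${domain}
      equipage@${domain} public-inbox
      linky@public-inbox.${domain} public-inbox@${domain}
    '';
    # One ACME key/chain served for both SNI names of the domain.
    tls_server_sni_maps =
      let
        chain = [
          "/var/lib/acme/${domain}/key.pem"
          "/var/lib/acme/${domain}/fullchain.pem"
        ];
      in
      {
        "smtp.${domain}" = chain;
        "mail.${domain}" = chain;
      };
    config = {
      # Mail for these domains is delivered to virtual mailboxes, including
      # the public-inbox subdomain used by the linky@ alias above.
      virtual_mailbox_domains = [
        domain
        "public-inbox.${domain}"
      ];
      # Map the main address and aliases to the main mail address.
      # This is checked by permit_auth_recipient
      # NOTE(review): permit_auth_recipient is not a stock Postfix restriction
      # name; presumably defined in the shared postfix module — confirm.
      virtual_mailbox_maps = [
        (ldapTable { name = "mail"; result_format = "%s"; result_attribute = "mail"; })
      ];
      # Map MAIL FROM addresses to the SASL login names allowed to use them.
      # This table only has an effect where a reject_sender_login_mismatch
      # style restriction references it — not visible in this file; confirm in
      # the shared postfix module.
      smtpd_sender_login_maps = [
        (ldapTable { name = "senders"; result_format = "%s@${domain}"; result_attribute = "uid"; })
      ];
    };
  };
  # Reload Postfix after each renewal so the new key/chain are picked up.
  security.acme.certs."${domain}" = {
    postRun = "systemctl reload postfix";
  };
  systemd.services.postfix = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    # Only the self-signed placeholder is ordered before Postfix, so mail can
    # start even when real ACME issuance is not yet available; presumably the
    # postRun reload above then switches to the real certificate.
    after = [ "acme-selfsigned-${domain}.service" ];
  };
}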