losurdo: acme: move to LoadCredentialEncrypted=
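{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  domainSuffix = "dc=sourcephile,dc=fr";

  # Build a Postfix ldap_table(5) lookup table that resolves an e-mail address
  # against the local OpenLDAP directory and return it as a "ldap:<file>" map
  # specification.  The two tables below share every setting except the name
  # of the generated file and what the lookup returns, so they are built here.
  #
  # Arguments:
  #   name            - infix of the generated file, "ldap-${name}-${domain}.cf"
  #   resultFormat    - Postfix result_format applied to each matching entry
  #   resultAttribute - LDAP attribute whose values are returned
  #
  # Security notes:
  #   - The table binds with SASL EXTERNAL over the ldapi:// Unix socket, so
  #     the connecting process is identified by its Unix credentials and no
  #     bind password is stored in the generated file.
  #   - Postfix quotes the lookup key before substituting it for %s in
  #     query_filter (see ldap_table(5)), so a crafted recipient or sender
  #     address cannot change the structure of the filter.
  #   - Only entries flagged mailEnabled=TRUE match, which lets an account be
  #     disabled for mail without deleting its LDAP entry.
  ldapTable = { name, resultFormat, resultAttribute }:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" ''
      domain = ${domain}
      version = 3
      debuglevel = 0
      server_host = ldapi://
      bind = sasl
      sasl_mechs = EXTERNAL
      search_base = ou=posix,${domainSuffix}
      scope = sub
      dereference = 0
      query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
      result_format = ${resultFormat}
      result_attribute = ${resultAttribute}
    '';
in
{
  services.postfix = {
    extraAliases = ''
    '';
    # Mail for root@${domain} is redirected to julm+root@${domain}.
    virtual = ''
      root@${domain} julm+root@${domain}
    '';
    transport = ''
    '';
    # Serve the ACME certificate for ${domain} to clients asking for either
    # hostname via TLS SNI.  Keep key.pem first: Postfix takes the private key
    # from the first file listed (postconf(5), tls_server_sni_maps).
    # NOTE(review): the postfix service must be able to read key.pem under
    # /var/lib/acme/${domain}; confirm the ACME group / file mode on this host.
    tls_server_sni_maps =
      let chain = [
        "/var/lib/acme/${domain}/key.pem"
        "/var/lib/acme/${domain}/fullchain.pem"
      ]; in {
        "smtp.${domain}" = chain;
        "mail.${domain}" = chain;
      };
    config = {
      virtual_mailbox_domains = [
        domain
      ];
      # Map the main address and aliases to the main mail address.
      # This is checked by permit_auth_recipient
      virtual_mailbox_maps = [
        (ldapTable {
          name = "mail";
          resultFormat = "%s";
          resultAttribute = "mail";
        })
      ];
      # Map MAIL FROM addresses to the SASL login names allowed to use it.
      # The login name is the account's uid qualified with the domain, so an
      # authenticated user may only send as its own address and aliases.
      smtpd_sender_login_maps = [
        (ldapTable {
          name = "senders";
          resultFormat = "%s@${domain}";
          resultAttribute = "uid";
        })
      ];
    };
  };
  # Reload Postfix after each (re)issuance so it picks up the renewed files
  # referenced from tls_server_sni_maps.
  security.acme.certs."${domain}" = {
    postRun = "systemctl reload postfix";
  };
  systemd.services.postfix = {
    wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    # Only the self-signed certificate is ordered before postfix; the real ACME
    # service is wanted but not awaited -- presumably so a network-dependent
    # renewal cannot delay mail startup.  Confirm this is intended.
    after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
  };
}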