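# Postfix configuration for the sourcephile.fr mail domain: virtual aliases,
# the TLS certificate served for each SNI name, and the two LDAP lookup
# tables (recipient -> mailbox, MAIL FROM -> allowed SASL login).
{ pkgs, config, ... }:
let
  domain = "sourcephile.fr";
  domainSuffix = "dc=sourcephile,dc=fr";

  # Key and full chain as managed by the NixOS ACME module. Reading the
  # module's own (read-only) `directory` option keeps these paths in sync
  # with it instead of duplicating its default of /var/lib/acme/<name>.
  acmeDir = config.security.acme.certs."${domain}".directory;
  chain = [
    "${acmeDir}/key.pem"
    "${acmeDir}/fullchain.pem"
  ];

  # Builds one ldap_table(5) file sharing the connection and query settings
  # of both lookups below; `format`/`attribute` are the only differences.
  #
  # The bind goes over the local ldapi:// socket with SASL EXTERNAL, i.e.
  # the connecting Unix user is authenticated by socket peer credentials,
  # so no bind password ends up in the world-readable Nix store.
  # Postfix applies RFC 2254 quoting to the `%s` lookup key before it is
  # substituted into query_filter, so an address being looked up cannot
  # inject LDAP filter metacharacters.
  ldapTable = name: { format, attribute }:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" ''
      domain = ${domain}
      version = 3
      debuglevel = 0
      server_host = ldapi://
      bind = sasl
      sasl_mechs = EXTERNAL
      search_base = ou=posix,${domainSuffix}
      scope = sub
      dereference = 0
      query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
      result_format = ${format}
      result_attribute = ${attribute}
    '';
in
{
  services.postfix = {
    # No local aliases or transport overrides are added for this domain.
    extraAliases = ''
    '';
    # Virtual alias: deliver root@ to julm with a "+root" address extension.
    virtual = ''
      root@${domain} julm+root@${domain}
    '';
    transport = ''
    '';
    # Serve the ACME certificate for both SNI names clients may use.
    tls_server_sni_maps = {
      "smtp.${domain}" = chain;
      "mail.${domain}" = chain;
    };
    config = {
      virtual_mailbox_domains = [
        domain
      ];
      virtual_mailbox_maps = [
        # Map the main address and aliases to the main mail address.
        # This is checked by permit_auth_recipient
        # Only entries with mailEnabled=TRUE resolve, so a disabled account
        # stops receiving mail without deleting its LDAP entry.
        (ldapTable "mail" { format = "%s"; attribute = "mail"; })
      ];
      # Map MAIL FROM addresses to the SASL login names allowed to use it.
      # The result is "<uid>@<domain>", which must match the SASL login
      # form; this table only has effect if a sender-login-mismatch
      # restriction is enabled elsewhere in the Postfix configuration.
      smtpd_sender_login_maps = [
        (ldapTable "senders" { format = "%s@${domain}"; attribute = "uid"; })
      ];
    };
  };
  security.acme.certs."${domain}" = {
    # Pick up a renewed certificate; try-restart is a no-op if postfix is
    # not running.
    postRun = "systemctl try-restart postfix";
  };
  systemd.services.postfix = {
    # openldap backs the LDAP tables above; the ACME units provide the
    # certificate files referenced in tls_server_sni_maps.
    wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    # Only the self-signed placeholder is ordered before postfix; the real
    # issuance is wanted but not waited for — presumably so a slow or
    # failed renewal does not hold the MTA down (postRun above restarts
    # postfix once the real certificate lands). Confirm that is intended.
    after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
  };
}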