hosts/mermet/postfix/autogeree.net.nix

   1 { pkgs, config, ... }:
   2 let
   3   domain = "autogeree.net";
   4   domainSuffix = "dc=autogeree,dc=net";
   5 in
   6 {
   7   services.postfix = {
   8     extraAliases = ''
   9   '';
  10     virtual = ''
  11       root@${domain} julm+root@${domain}
  12     '';
  13     tls_server_sni_maps =
  14       let
  15         chain = [
  16           "/var/lib/acme/${domain}/key.pem"
  17           "/var/lib/acme/${domain}/fullchain.pem"
  18         ];
  19       in
  20       {
  21         "smtp.${domain}" = chain;
  22         "mail.${domain}" = chain;
  23       };
  24     config = {
  25       virtual_mailbox_domains = [ domain ];
  26       virtual_mailbox_maps = [
  27         # Map the main address and aliases to the main mail address.
  28         # This is checked by permit_auth_recipient
  29         ("ldap:" + pkgs.writeText "ldap-mail-${domain}.cf" ''
  30           domain           = ${domain}
  31           version          = 3
  32           debuglevel       = 0
  33           server_host      = ldapi://
  34           bind             = sasl
  35           sasl_mechs       = EXTERNAL
  36           search_base      = ou=posix,${domainSuffix}
  37           scope            = sub
  38           dereference      = 0
  39           query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  40           result_format    = %s
  41           result_attribute = mail
  42         '')
  43       ];
  44       # Map MAIL FROM addresses to the SASL login names allowed to use it.
  45       smtpd_sender_login_maps = [
  46         ("ldap:" + pkgs.writeText "ldap-senders-${domain}.cf" ''
  47           domain           = ${domain}
  48           version          = 3
  49           debuglevel       = 0
  50           server_host      = ldapi://
  51           bind             = sasl
  52           sasl_mechs       = EXTERNAL
  53           search_base      = ou=posix,${domainSuffix}
  54           scope            = sub
  55           dereference      = 0
  56           query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  57           result_format    = %s@${domain}
  58           result_attribute = uid
  59         '')
  60       ];
  61     };
  62   };
  63   security.acme.certs."${domain}" = {
  64     postRun = "systemctl try-restart postfix";
  65   };
  66   systemd.services.postfix = {
  67     wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
  68     after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
  69   };
  70 }