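# Postfix configuration for the autogeree.net mail domain on this host.
#
# Recipient and sender-login lookups go to the local LDAP server over the
# ldapi:// Unix socket, authenticated with SASL EXTERNAL (peer credentials),
# so no bind password has to be stored in this file or in the Nix store.
{ pkgs, lib, config, ... }:
let
  domain = "autogeree.net";
  domainSuffix = "dc=autogeree,dc=net";

  # Settings shared by the two ldap_table(5) maps below.
  # `domain = ${domain}` makes Postfix answer "not found" for other domains
  # without querying LDAP at all; `%s` is quoted by Postfix (RFC 4515 escaping)
  # before substitution into query_filter, so a crafted address cannot change
  # the filter.  Only accounts flagged mailEnabled=TRUE are ever matched.
  ldapCommon = ''
    domain = ${domain}
    version = 3
    debuglevel = 0
    server_host = ldapi://
    bind = sasl
    sasl_mechs = EXTERNAL
    search_base = ou=posix,${domainSuffix}
    scope = sub
    dereference = 0
    query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  '';

  # Key and certificate chain served for this domain's SNI names.
  acmeChain = [
    "/var/lib/acme/${domain}/key.pem"
    "/var/lib/acme/${domain}/fullchain.pem"
  ];
in
{
  services.postfix = {
    # No extra local aliases for this domain.
    extraAliases = ''
    '';

    # Deliver mail for root@ to the admin's sub-address.
    virtual = ''
      root@${domain} julm+root@${domain}
    '';

    # Same ACME key/chain for both SNI names.  The certificate must list both
    # names as SANs, otherwise clients connecting with one of them will fail.
    tls_server_sni_maps = {
      "smtp.${domain}" = acmeChain;
      "mail.${domain}" = acmeChain;
    };

    config = {
      virtual_mailbox_domains = [ domain ];

      # Map the main address and its aliases to the main mail address.
      # This is checked by permit_auth_recipient.
      virtual_mailbox_maps = [
        ("ldap:" + pkgs.writeText "ldap-mail-${domain}.cf" (ldapCommon + ''
          result_format = %s
          result_attribute = mail
        ''))
      ];

      # Map MAIL FROM addresses to the SASL login names allowed to use them.
      # The login name is the POSIX uid qualified with the domain, so a user
      # can only send as their own address or one of their mailAlias values.
      smtpd_sender_login_maps = [
        ("ldap:" + pkgs.writeText "ldap-senders-${domain}.cf" (ldapCommon + ''
          result_format = %s@${domain}
          result_attribute = uid
        ''))
      ];
    };
  };

  security.acme.certs."${domain}" = {
    # `systemctl try-reload` is not a systemctl verb, so the original hook
    # failed after every renewal and Postfix kept serving the old certificate.
    # try-reload-or-restart reloads Postfix when it is running and is a no-op
    # otherwise.
    postRun = "systemctl try-reload-or-restart postfix.service";
  };

  systemd.services.postfix = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    # Order only after the self-signed placeholder certificate so that Postfix
    # startup does not depend on the network exchange with the ACME CA; the
    # real certificate is picked up through postRun once it has been issued.
    after = [ "acme-selfsigned-${domain}.service" ];
  };
}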