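{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  # LDAP base DN corresponding to `domain`; both lookup tables below search
  # under the `ou=posix` subtree of it.
  domainSuffix = "dc=sourcephile,dc=fr";

  # Build one Postfix ldap_table(5) configuration file in the Nix store and
  # return its "ldap:/nix/store/..." map reference.
  #
  # The two tables in this module share the same connection and filter and
  # differ only in what they return for a matched entry, so the common part
  # lives here:
  #   - `domain` restricts lookups to addresses in ${domain}; other domains
  #     never reach the directory.
  #   - The connection is ldapi:// (local Unix socket) with SASL EXTERNAL, so
  #     slapd authenticates Postfix by socket peer credentials.  No bind
  #     password exists, which matters because this file is world-readable in
  #     /nix/store.  The LDAP ACLs must grant that peer identity read access
  #     to mail, mailAlias, mailEnabled and uid (configured elsewhere).
  #   - query_filter matches an address against `mail` or `mailAlias`, but only
  #     on entries flagged mailEnabled=TRUE: disabling an account in LDAP both
  #     stops delivery to it and revokes its sending authorization.
  #   - Postfix applies RFC 2254 quoting to the `%s` key (see ldap_table(5)),
  #     so an attacker-chosen address cannot inject filter metacharacters.
  #   - debuglevel stays 0 so looked-up addresses are not logged by libldap.
  #
  # name:            middle part of the generated file name (ldap-<name>-<domain>.cf)
  # resultFormat:    ldap_table result_format, e.g. "%s" or "%s@<domain>"
  # resultAttribute: LDAP attribute substituted into resultFormat
  ldapMap = name: { resultFormat, resultAttribute }:
    "ldap:" + pkgs.writeText "ldap-${name}-${domain}.cf" ''
      domain = ${domain}
      version = 3
      debuglevel = 0
      server_host = ldapi://
      bind = sasl
      sasl_mechs = EXTERNAL
      search_base = ou=posix,${domainSuffix}
      scope = sub
      dereference = 0
      query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
      result_format = ${resultFormat}
      result_attribute = ${resultAttribute}
    '';
in
{
  services.postfix = {
    # No additional local aliases; kept explicit so the absence is visible.
    extraAliases = ''
    '';
    # virtual_alias_maps entries for ${domain}: root@ is forwarded to a
    # sub-addressed mailbox of julm, and the thematic list addresses are
    # handed to the public-inbox delivery address on localhost (that address,
    # and localhost being a local destination, are configured elsewhere).
    # Virtual aliasing runs before virtual_mailbox_maps is consulted, so these
    # addresses do not need LDAP entries.
    virtual = ''
      root@${domain} julm+root@${domain}
      atelier@${domain} public-inbox@localhost
      bar@${domain} public-inbox@localhost
      contact@${domain} public-inbox@localhost
      ecole@${domain} public-inbox@localhost
      environnement@${domain} public-inbox@localhost
      labo@${domain} public-inbox@localhost
      machines@${domain} public-inbox@localhost
      pont@${domain} public-inbox@localhost
      test@${domain} public-inbox@localhost
    '';
    # SNI: serve the ${domain} ACME certificate for both server hostnames.
    # Postfix expects the private key first, then the certificate chain
    # (tls_server_sni_maps in postconf(5)).
    # NOTE(review): confirm that whoever reads key.pem (the postmap -F step
    # that bakes these files into the SNI table, or smtpd itself) has read
    # access to it — with NixOS ACME that usually means setting
    # security.acme.certs.<domain>.group to a group the postfix user is in.
    tls_server_sni_maps =
      let
        chain = [
          "/var/lib/acme/${domain}/key.pem"
          "/var/lib/acme/${domain}/fullchain.pem"
        ];
      in
      lib.genAttrs [ "smtp.${domain}" "mail.${domain}" ] (_: chain);
    config = {
      virtual_mailbox_domains = [ domain ];
      # Which addresses in ${domain} exist.  An address is deliverable when it
      # is the `mail` or a `mailAlias` of an enabled LDAP entry, and the result
      # is canonicalised to that entry's `mail`.  With Postfix's default
      # smtpd_reject_unlisted_recipient=yes, unknown recipients are refused at
      # RCPT TO instead of being accepted and bounced (backscatter).
      # NOTE(review): the previous comment said this table is "checked by
      # permit_auth_recipient", which is not a stock Postfix restriction —
      # confirm which smtpd restriction in main.cf actually consults it.
      virtual_mailbox_maps = [
        (ldapMap "mail" { resultFormat = "%s"; resultAttribute = "mail"; })
      ];
      # Which SASL login may use a given MAIL FROM address: the owner of the
      # matching `mail`/`mailAlias` entry, identified by its uid@${domain}
      # login name.  This table only takes effect where a
      # reject_sender_login_mismatch (or variant) restriction is listed in
      # smtpd_sender/relay_restrictions, which is configured elsewhere; on its
      # own it authorises nothing.
      smtpd_sender_login_maps = [
        (ldapMap "senders" { resultFormat = "%s@${domain}"; resultAttribute = "uid"; })
      ];
    };
  };

  # Reload (not restart) Postfix after each renewal so smtpd picks up the new
  # key and chain referenced by tls_server_sni_maps without dropping sessions.
  security.acme.certs."${domain}".postRun = "systemctl reload postfix";

  systemd.services.postfix = {
    # Pull in both the self-signed bootstrap certificate and the real ACME
    # order, but only order after the self-signed one: Postfix must be able to
    # start (with a placeholder certificate) even when the ACME challenge
    # cannot complete yet, e.g. on first boot or without network access.
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
  };
}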