hosts/mermet/postfix/sourcephile.fr.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   domainSuffix = "dc=sourcephile,dc=fr";
   5 in
   6 {
   7 services.postfix = {
   8   extraAliases = ''
   9   '';
  10   virtual = ''
  11     root@${domain} julm+root@${domain}
  12     atelier@${domain}       public-inbox@localhost
  13     bar@${domain}           public-inbox@localhost
  14     contact@${domain}       public-inbox@localhost
  15     ecole@${domain}         public-inbox@localhost
  16     environnement@${domain} public-inbox@localhost
  17     labo@${domain}          public-inbox@localhost
  18     hosts@${domain}         public-inbox@localhost
  19     pont@${domain}          public-inbox@localhost
  20     test@${domain}          public-inbox@localhost
  21   '';
  22   tls_server_sni_maps =
  23     let chain = [
  24       "/var/lib/acme/${domain}/key.pem"
  25       "/var/lib/acme/${domain}/fullchain.pem"
  26     ]; in {
  27     "smtp.${domain}" = chain;
  28     "mail.${domain}" = chain;
  29   };
  30   config = {
  31     virtual_mailbox_domains = [
  32       domain
  33     ];
  34     virtual_mailbox_maps = [
  35       # Map the main address and aliases to the main mail address.
  36       # This is checked by permit_auth_recipient
  37       ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" ''
  38         domain           = ${domain}
  39         version          = 3
  40         debuglevel       = 0
  41         server_host      = ldapi://
  42         bind             = sasl
  43         sasl_mechs       = EXTERNAL
  44         search_base      = ou=posix,${domainSuffix}
  45         scope            = sub
  46         dereference      = 0
  47         query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  48         result_format    = %s
  49         result_attribute = mail
  50       '')
  51     ];
  52     # Map MAIL FROM addresses to the SASL login names allowed to use it.
  53     smtpd_sender_login_maps = [
  54       ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" ''
  55         domain           = ${domain}
  56         version          = 3
  57         debuglevel       = 0
  58         server_host      = ldapi://
  59         bind             = sasl
  60         sasl_mechs       = EXTERNAL
  61         search_base      = ou=posix,${domainSuffix}
  62         scope            = sub
  63         dereference      = 0
  64         query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
  65         result_format    = %s@${domain}
  66         result_attribute = uid
  67       '')
  68     ];
  69   };
  70 };
  71 security.acme.certs."${domain}" = {
  72   postRun = "systemctl reload postfix";
  73 };
  74 systemd.services.postfix = {
  75   wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  76   after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
  77 };
  78 }