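{ pkgs, lib, config, ... }:
# public-inbox (mailing-list archive with HTTP, NNTPS and IMAPS front-ends)
# for this host. The daemons run confined; TLS material comes from ACME,
# the archive lives on its own ZFS dataset snapshotted by sanoid, and one
# inbox plus one coderepo entry is generated per repository listed below.
let
  inherit (config.services) public-inbox;
  inherit (config.users) groups;
  orga = "sourcephile";
  domain = "${orga}.fr";
  # IMAPS is served on a non-standard port (see the FIXME on `imap.port`).
  # One binding keeps the listener and the firewall rule in agreement.
  imapsPort = 1993;
  # Gitolite repositories that each get an inbox and a coderepo entry.
  # Both are keyed by `baseNameOf`, so two paths with the same basename
  # (e.g. "a/foo" and "b/foo") would collide and one would be silently lost.
  repositories = [
    "doclang"
    "majurity"
    "reloto"
    "haskell/symantic"
    "haskell/symantic-atom"
    "haskell/symantic-base"
    "haskell/symantic-cli"
    "haskell/symantic-compta"
    "haskell/symantic-document"
    "haskell/symantic-http"
    "haskell/symantic-parser"
    "haskell/symantic-xml"
  ];
in
# To remove a message from the archive:
# curl https://mails.sourcephile.fr/inbox/environnement/8ea699887ca47797b4460053588cbef2d115829ab4@vieber.ru/raw |
# sudo -u public-inbox public-inbox-learn rm
{
  # Restart the TLS listeners when the certificate is renewed, so they
  # pick up the new key pair (they read the files below at start-up).
  security.acme.certs."${domain}" = {
    postRun = "systemctl try-restart public-inbox-nntpd public-inbox-imapd";
  };
  # Only NNTPS and IMAPS are opened to the network; HTTP is served over a
  # unix socket (see `http.port`) and is expected to sit behind a reverse proxy.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport ${toString public-inbox.nntp.port} counter accept comment "public-inbox: NNTPS"
        tcp dport ${toString imapsPort} counter accept comment "public-inbox: IMAPS"
      }
      chain output-net {
      }
    }
  '';
  fileSystems."/var/lib/public-inbox" = {
    device = "rpool/var/public-inbox";
    fsType = "zfs";
  };
  systemd.services = {
    public-inbox-httpd = {
      confinement.enable = true;
      serviceConfig = {
        # git-daemon group: read access to the gitolite repositories
        # referenced by `settings.coderepo` (presumably; verify group ownership).
        SupplementaryGroups = [ groups."git-daemon".name ];
        #BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
      };
    };
    public-inbox-imapd = {
      confinement.enable = true;
      # Ordered after the self-signed unit only, so start-up is never blocked
      # on the real ACME run; `postRun` above restarts the daemon once the
      # real certificate is in place.
      wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
      after = [ "acme-selfsigned-${domain}.service" ];
      serviceConfig = {
        # Confinement restricts the mount namespace, so the certificate
        # directory must be bound in explicitly (read-only), and the acme
        # group is needed to read the key file.
        SupplementaryGroups = [ groups."acme".name ];
        BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
      };
    };
    public-inbox-init = {
      confinement.enable = true;
    };
    public-inbox-nntpd = {
      confinement.enable = true;
      # Same ordering and bind-mount rationale as public-inbox-imapd.
      wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
      after = [ "acme-selfsigned-${domain}.service" ];
      serviceConfig = {
        SupplementaryGroups = [ groups."acme".name ];
        BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
      };
    };
  };
  services.public-inbox = {
    enable = true;
    postfix.enable = true;
    settings.publicinbox = {
      css = [ "href=https://mails.${domain}/style/light.css" ];
      nntpserver = [ "nntps://news.${domain}" ];
      # Only list inboxes whose URL matches the requested host name
      # (public-inbox's wwwlisting semantics).
      wwwlisting = "match=domain";
      #imapserver = [ "mails.${domain}" ];
    };
    mda = {
      enable = true;
      args = [ "--no-precheck" ]; # Allow Bcc:
    };
    http = {
      enable = true;
      # Unix socket rather than a TCP port: not reachable from the network
      # on its own (the commented-out 8080 is the TCP alternative).
      port = "/run/public-inbox-http.sock";
      #port = 8080;
      # -W0: run without worker processes (single-process daemon).
      args = [ "-W0" ];
      mounts = [
        "https://mails.${domain}/inbox"
        "https://public-inbox.${domain}/inbox"
      ];
    };
    nntp = {
      enable = true;
      #port = 563;
      args = [ "-W0" ];
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      key = "/var/lib/acme/${domain}/key.pem";
    };
    imap = {
      enable = true;
      # FIXME: find an IP or .onion to put 993
      # `port = null` disables the module's own listener; the explicit
      # `--listen` below binds IMAPS on every interface at `imapsPort`,
      # which is the port opened in the nftables rule above.
      port = null;
      args = [ "-W0" "--listen" "imaps://0.0.0.0:${toString imapsPort}" ];
      #args = ["-W0"];
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      key = "/var/lib/acme/${domain}/key.pem";
    };
    inboxes = {
      news = {
        address = [
          "news@${domain}"
        ];
        description = ''
          news@${domain} :
          annonces d'informations concernant importantes
        '';
        url = "https://mails.${domain}/inbox/news";
        newsgroup = "inbox.comp.${orga}.news";
        #coderepo = [ "sourcephile-txt" ];
      };
      chat = {
        address = [
          "chat@${domain}"
        ];
        description = ''
          chat@${domain} :
          discussions concernant l'informatique en général.
        '';
        url = "https://mails.${domain}/inbox/chat";
        newsgroup = "inbox.comp.${orga}.chat";
      };
      contact = {
        address = [
          "contact@${domain}"
        ];
        description = ''
          contact@${domain} :
          discussions avec le grand public.
        '';
        url = "https://mails.${domain}/inbox/contact";
        newsgroup = "inbox.comp.${orga}.contact";
        #coderepo = [ "${orga}" ];
      };
      environnement = {
        address = [
          "environnement@${domain}"
        ];
        description = ''
          environnement@${domain} :
          discussions sur les impacts environnementaux de l'informatique.
        '';
        url = "https://mails.${domain}/inbox/environnement";
        newsgroup = "inbox.comp.${orga}.environnement";
        #coderepo = [ "sourcephile-txt" ];
      };
      labo = {
        address = [
          "labo@${domain}"
        ];
        description = ''
          labo@${domain} :
          discussions concernant la science de l'informatique.
        '';
        url = "https://mails.${domain}/inbox/labo";
        newsgroup = "inbox.comp.${orga}.labo";
        # TODO: list many source code repositories
        #coderepo = [ "sourcephile-txt" ];
      };
      prod = {
        address = [
          "prod@${domain}"
        ];
        description = ''
          prod@${domain} :
          discussions concernant l'administration technique de l'infrastructure informatique.
        '';
        url = "https://mails.${domain}/inbox/prod";
        newsgroup = "inbox.comp.${orga}.prod";
        #coderepo = [ "sourcephile-txt" "sourcephile-nix" ];
      };
      orga = {
        address = [
          "orga@${domain}"
        ];
        description = ''
          orga@${domain} :
          discussions à l'attention de l'ensemble des personnes à bord.
        '';
        url = "https://mails.${domain}/inbox/orga";
        newsgroup = "inbox.comp.${orga}.orga";
        #coderepo = [ "sourcephile-txt" ];
      };
      test = {
        address = [
          "test@${domain}"
        ];
        description = ''
          test@${domain} :
          une cible de test pour effectuer des tirs de mails.
        '';
        url = "https://mails.${domain}/inbox/test";
        newsgroup = "inbox.comp.${orga}.test";
        # Hidden from the web listing and manifest; per the FIXME the IMAP
        # entry has no effect, so this inbox stays reachable over IMAPS.
        hide = [ /* FIXME: doesn't work for IMAP */ "imap" "www" "manifest" ];
      };
    } // lib.genAttrs (map baseNameOf repositories) (name: {
      address = [
        "${name}@${domain}"
      ];
      description = ''
        ${name}@${domain} :
        discussions about ${name}.
      '';
      url = "https://mails.${domain}/inbox/${name}";
      newsgroup = "inbox.comp.${orga}.${name}";
      # Refers to the coderepo entry generated below under the same basename.
      coderepo = [ name ];
    });
    settings.coderepo = {
      sourcephile-txt = {
        dir = "/var/lib/gitolite/repositories/sourcephile-txt.git";
        cgitUrl = "https://code.${domain}/sourcephile-txt.git";
      };
      sourcephile-nix = {
        dir = "/var/lib/gitolite/repositories/sourcephile-nix.git";
        cgitUrl = "https://code.${domain}/sourcephile-nix.git";
      };
    } // lib.listToAttrs (map (path: lib.nameValuePair (baseNameOf path) {
      # The full path is kept for the on-disk and cgit locations; only the
      # attribute name is reduced to the basename.
      dir = "/var/lib/gitolite/repositories/${path}.git";
      cgitUrl = "https://code.${domain}/${path}.git";
    }) repositories);
  };
  # Daily ZFS snapshots of the archive dataset mounted above.
  services.sanoid.datasets."rpool/var/public-inbox" = {
    use_template = [ "snap" ];
    daily = 7;
  };
}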