-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
let
- inherit (pkgs.lib) loadFile;
domain = "autogeree.net";
domainSuffix = "dc=autogeree,dc=net";
in
{
-services.postfix = {
- extraAliases = ''
+ services.postfix = {
+ extraAliases = ''
'';
- virtual = ''
- root@${domain} julm+root@${domain}
- '';
- tls_server_sni_maps =
- let chain = [
- "/var/lib/acme/${domain}/key.pem"
- "/var/lib/acme/${domain}/fullchain.pem"
- ]; in {
- "smtp.${domain}" = chain;
- "mail.${domain}" = chain;
+ virtual = ''
+ root@${domain} julm+root@${domain}
+ '';
+ tls_server_sni_maps =
+ let
+ chain = [
+ "/var/lib/acme/${domain}/key.pem"
+ "/var/lib/acme/${domain}/fullchain.pem"
+ ];
+ in
+ {
+ "smtp.${domain}" = chain;
+ "mail.${domain}" = chain;
+ };
+ config = {
+ virtual_mailbox_domains = [ domain ];
+ virtual_mailbox_maps = [
+ # Map the main address and aliases to the main mail address.
+ # This is checked by permit_auth_recipient
+ ("ldap:" + pkgs.writeText "ldap-mail-${domain}.cf" ''
+ domain = ${domain}
+ version = 3
+ debuglevel = 0
+ server_host = ldapi://
+ bind = sasl
+ sasl_mechs = EXTERNAL
+ search_base = ou=posix,${domainSuffix}
+ scope = sub
+ dereference = 0
+ query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
+ result_format = %s
+ result_attribute = mail
+ '')
+ ];
+ # Map MAIL FROM addresses to the SASL login names allowed to use it.
+ smtpd_sender_login_maps = [
+ ("ldap:" + pkgs.writeText "ldap-senders-${domain}.cf" ''
+ domain = ${domain}
+ version = 3
+ debuglevel = 0
+ server_host = ldapi://
+ bind = sasl
+ sasl_mechs = EXTERNAL
+ search_base = ou=posix,${domainSuffix}
+ scope = sub
+ dereference = 0
+ query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
+ result_format = %s@${domain}
+ result_attribute = uid
+ '')
+ ];
+ };
+ };
+ security.acme.certs."${domain}" = {
+ postRun = "systemctl try-restart postfix";
};
- config = {
- virtual_mailbox_domains = [ domain ];
- virtual_mailbox_maps = [
- # Map the main address and aliases to the main mail address.
- # This is checked by permit_auth_recipient
- ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" ''
- domain = ${domain}
- version = 3
- debuglevel = 0
- server_host = ldapi://
- bind = sasl
- sasl_mechs = EXTERNAL
- search_base = ou=posix,${domainSuffix}
- scope = sub
- dereference = 0
- query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
- result_format = %s
- result_attribute = mail
- '')
- ];
- # Map MAIL FROM addresses to the SASL login names allowed to use it.
- smtpd_sender_login_maps = [
- ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" ''
- domain = ${domain}
- version = 3
- debuglevel = 0
- server_host = ldapi://
- bind = sasl
- sasl_mechs = EXTERNAL
- search_base = ou=posix,${domainSuffix}
- scope = sub
- dereference = 0
- query_filter = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
- result_format = %s@${domain}
- result_attribute = uid
- '')
- ];
+ systemd.services.postfix = {
+ wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
+ after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
};
-};
-security.acme.certs."${domain}" = {
- postRun = "systemctl reload postfix";
-};
-systemd.services.postfix = {
- wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
- after = [ "acme-selfsigned-${domain}.service" ];
-};
}
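Review bot: `smtpd_sender_login_maps` on the new side only restricts who may use a MAIL FROM address if a restriction such as `reject_sender_login_mismatch` (or its `reject_authenticated_sender_login_mismatch` variant) is present in `smtpd_sender_restrictions`; nothing in this file sets it, so either it lives in another module or the map is currently a no-op — worth confirming and noting next to the map, e.g. `# Enforced by reject_sender_login_mismatch in smtpd_sender_restrictions (set elsewhere)`. The two `.cf` files are written with `pkgs.writeText`, so they are world-readable in the Nix store; that is fine here only because `bind = sasl` with `EXTERNAL` over `ldapi://` carries no credential, and a comment saying so (`# No bind_dn/bind_pw: this file is in the world-readable store`) would stop someone from adding a password later. The `EXTERNAL` bind presumably relies on slapd mapping the postfix unix user to a DN allowed to read `ou=posix`; the `wants`/`after` on `openldap.service` is a sensible addition, but the `after` list still omits `acme-${domain}.service`, which looks deliberate and could be stated in a one-line comment.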