mermet: radicle: update
[sourcephile-nix.git] / hosts / mermet / postfix / autogeree.net.nix
index 96094042f192c979bce02aaef16762500437c1f7..64a352bf065d0974c6c701fd6a83753c152e175f 100644 (file)
@@ -1,68 +1,70 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
 let
-  inherit (pkgs.lib) loadFile;
   domain = "autogeree.net";
   domainSuffix = "dc=autogeree,dc=net";
 in
 {
-services.postfix = {
-  extraAliases = ''
+  services.postfix = {
+    extraAliases = ''
   '';
-  virtual = ''
-    root@${domain} julm+root@${domain}
-  '';
-  tls_server_sni_maps =
-    let chain = [
-      "/var/lib/acme/${domain}/key.pem"
-      "/var/lib/acme/${domain}/fullchain.pem"
-    ]; in {
-    "smtp.${domain}" = chain;
-    "mail.${domain}" = chain;
+    virtual = ''
+      root@${domain} julm+root@${domain}
+    '';
+    tls_server_sni_maps =
+      let
+        chain = [
+          "/var/lib/acme/${domain}/key.pem"
+          "/var/lib/acme/${domain}/fullchain.pem"
+        ];
+      in
+      {
+        "smtp.${domain}" = chain;
+        "mail.${domain}" = chain;
+      };
+    config = {
+      virtual_mailbox_domains = [ domain ];
+      virtual_mailbox_maps = [
+        # Map the main address and aliases to the main mail address.
+        # This is checked by permit_auth_recipient
+        ("ldap:" + pkgs.writeText "ldap-mail-${domain}.cf" ''
+          domain           = ${domain}
+          version          = 3
+          debuglevel       = 0
+          server_host      = ldapi://
+          bind             = sasl
+          sasl_mechs       = EXTERNAL
+          search_base      = ou=posix,${domainSuffix}
+          scope            = sub
+          dereference      = 0
+          query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
+          result_format    = %s
+          result_attribute = mail
+        '')
+      ];
+      # Map MAIL FROM addresses to the SASL login names allowed to use it.
+      smtpd_sender_login_maps = [
+        ("ldap:" + pkgs.writeText "ldap-senders-${domain}.cf" ''
+          domain           = ${domain}
+          version          = 3
+          debuglevel       = 0
+          server_host      = ldapi://
+          bind             = sasl
+          sasl_mechs       = EXTERNAL
+          search_base      = ou=posix,${domainSuffix}
+          scope            = sub
+          dereference      = 0
+          query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
+          result_format    = %s@${domain}
+          result_attribute = uid
+        '')
+      ];
+    };
+  };
+  security.acme.certs."${domain}" = {
+    postRun = "systemctl try-restart postfix";
   };
-  config = {
-    virtual_mailbox_domains = [ domain ];
-    virtual_mailbox_maps = [
-      # Map the main address and aliases to the main mail address.
-      # This is checked by permit_auth_recipient
-      ("ldap:"+pkgs.writeText "ldap-mail-${domain}.cf" ''
-        domain           = ${domain}
-        version          = 3
-        debuglevel       = 0
-        server_host      = ldapi://
-        bind             = sasl
-        sasl_mechs       = EXTERNAL
-        search_base      = ou=posix,${domainSuffix}
-        scope            = sub
-        dereference      = 0
-        query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
-        result_format    = %s
-        result_attribute = mail
-      '')
-    ];
-    # Map MAIL FROM addresses to the SASL login names allowed to use it.
-    smtpd_sender_login_maps = [
-      ("ldap:"+pkgs.writeText "ldap-senders-${domain}.cf" ''
-        domain           = ${domain}
-        version          = 3
-        debuglevel       = 0
-        server_host      = ldapi://
-        bind             = sasl
-        sasl_mechs       = EXTERNAL
-        search_base      = ou=posix,${domainSuffix}
-        scope            = sub
-        dereference      = 0
-        query_filter     = (&(|(mail=%s)(mailAlias=%s))(mailEnabled=TRUE))
-        result_format    = %s@${domain}
-        result_attribute = uid
-      '')
-    ];
+  systemd.services.postfix = {
+    wants = [ "openldap.service" "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
+    after = [ "openldap.service" "acme-selfsigned-${domain}.service" ];
   };
-};
-security.acme.certs."${domain}" = {
-  postRun = "systemctl reload postfix";
-};
-systemd.services.postfix = {
-  wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
-  after = [ "acme-selfsigned-${domain}.service" ];
-};
 }
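Review bot: The change from `systemctl reload postfix` to `systemctl try-restart postfix` in `security.acme.certs."${domain}".postRun` carries no comment explaining why a full restart is now required; presumably it is because the lookup table built from `tls_server_sni_maps` embeds the key and chain file contents and is only regenerated when the service starts, which a plain reload skips — if that is the reason, a one-line comment such as `# try-restart rather than reload: the SNI table embeds the key/chain contents and is only rebuilt at service start` would keep the next maintainer from reverting it. Adding `openldap.service` to both `wants` and `after` matches the two maps using `ldapi://`; `wants` is a soft dependency, so if the directory fails to start Postfix still comes up and the lookups simply fail (mail is deferred rather than lost), which is probably the intended failure mode but is worth stating next to the list. Separately, the comment `This is checked by permit_auth_recipient` names something I cannot match to a stock Postfix restriction (`permit_auth_destination` is the standard one); if it refers to a restriction class defined elsewhere in this configuration, say so in the comment, otherwise correct the name so the security rationale for the map is verifiable.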