infra/hosts/nachtigall/apps/mailman.nix

{
  flake,
  config,
  lib,
  pkgs,
  ...
}:
{
  networking.firewall.allowedTCPPorts = [25];

  services.postfix = {
    enable = true;
    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
    # get TLS certs for list.pub.solar from acme
    sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";
    sslKey = "/var/lib/acme/list.pub.solar/key.pem";
    config = {
      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
    };
    rootAlias = "admins@pub.solar";
    postmasterAlias = "admins@pub.solar";
    hostname = "list.pub.solar";
  };

  systemd.paths.watcher-acme-ssl-file = {
    description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix";
    documentation = ["systemd.path(5)"];
    partOf = ["postfix-reload.service"];
    pathConfig = {
      PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";
      Unit = "postfix-reload.service";
    };
    wantedBy = ["multi-user.target"];
  };

  systemd.services."postfix-reload" = {
    description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path";
    documentation = ["systemd.path(5)"];
    requires = ["postfix.service"];
    after = ["postfix.service"];
    startLimitIntervalSec = 10;
    startLimitBurst = 5;
    serviceConfig.Type = "oneshot";
    script = ''
      ${pkgs.systemd}/bin/systemctl reload postfix
    '';
    wantedBy = ["multi-user.target"];
  };

  services.mailman = {
    enable = true;
    serve.enable = true;
    hyperkitty.enable = true;
    webHosts = ["list.pub.solar"];
    siteOwner = "admins@pub.solar";
  };

  # TODO add django-keycloak as auth provider
  # https://django-keycloak.readthedocs.io/en/latest/
  ## Extend settings.py directly since this can't be done via JSON
  ## settings (services.mailman.webSettings)
  #environment.etc."mailman3/settings.py".text = ''
  #  INSTALLED_APPS.extend([
  #    "allauth.socialaccount.providers.github",
  #    "allauth.socialaccount.providers.gitlab"
  #  ])
  #'';
}
feat: mailman initial commit 2023-10-28 22:31:09 +00:00			`{`
			`flake,`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
			`{`
			`networking.firewall.allowedTCPPorts = [25];`

			`services.postfix = {`
			`enable = true;`
			`relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];`
			`# get TLS certs for list.pub.solar from acme`
			`sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";`
			`sslKey = "/var/lib/acme/list.pub.solar/key.pem";`
			`config = {`
			`transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];`
			`local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];`
			`};`
			`rootAlias = "admins@pub.solar";`
			`postmasterAlias = "admins@pub.solar";`
			`hostname = "list.pub.solar";`
			`};`

			`systemd.paths.watcher-acme-ssl-file = {`
			`description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix";`
			`documentation = ["systemd.path(5)"];`
			`partOf = ["postfix-reload.service"];`
			`pathConfig = {`
			`PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";`
			`Unit = "postfix-reload.service";`
			`};`
			`wantedBy = ["multi-user.target"];`
			`};`

			`systemd.services."postfix-reload" = {`
			`description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path";`
			`documentation = ["systemd.path(5)"];`
			`requires = ["postfix.service"];`
			`after = ["postfix.service"];`
			`startLimitIntervalSec = 10;`
			`startLimitBurst = 5;`
			`serviceConfig.Type = "oneshot";`
			`script = ''`
			`${pkgs.systemd}/bin/systemctl reload postfix`
			`'';`
			`wantedBy = ["multi-user.target"];`
			`};`

			`services.mailman = {`
			`enable = true;`
			`serve.enable = true;`
			`hyperkitty.enable = true;`
			`webHosts = ["list.pub.solar"];`
			`siteOwner = "admins@pub.solar";`
			`};`

			`# TODO add django-keycloak as auth provider`
			`# https://django-keycloak.readthedocs.io/en/latest/`
			`## Extend settings.py directly since this can't be done via JSON`
			`## settings (services.mailman.webSettings)`
			`#environment.etc."mailman3/settings.py".text = ''`
			`# INSTALLED_APPS.extend([`
			`# "allauth.socialaccount.providers.github",`
			`# "allauth.socialaccount.providers.gitlab"`
			`# ])`
			`#'';`
			`}`