Benjamin Yule Bädorf
68278ad983
All checks were successful
Flake checks / Check (pull_request) Successful in 5m52s
This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name
124 lines
3.8 KiB
Nix
124 lines
3.8 KiB
Nix
{ flake
|
|
, config
|
|
, lib
|
|
, pkgs
|
|
, ...
|
|
}:
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 25 ];
|
|
|
|
users.users.nginx.extraGroups = [ "mailman" ];
|
|
|
|
services.nginx.virtualHosts."list.${config.pub-solar-os.networking.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
};
|
|
# Tweak permissions so nginx can read and serve the static assets
|
|
# (otherwise /var/lib/mailman-web is mode 0600)
|
|
# https://nixos.wiki/wiki/Mailman
|
|
systemd.services.mailman-settings.script = ''
|
|
chmod o+x /var/lib/mailman-web-static
|
|
'';
|
|
|
|
services.postfix = {
|
|
enable = true;
|
|
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
|
# get TLS certs for list.pub.solar from acme
|
|
sslCert = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
|
|
sslKey = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/key.pem";
|
|
config = {
|
|
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
|
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
|
};
|
|
rootAlias = "admins@pub.solar";
|
|
postmasterAlias = "admins@pub.solar";
|
|
hostname = "list.${config.pub-solar-os.networking.domain}";
|
|
};
|
|
|
|
systemd.paths.watcher-acme-ssl-file = {
|
|
description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix";
|
|
documentation = [ "systemd.path(5)" ];
|
|
partOf = [ "postfix-reload.service" ];
|
|
pathConfig = {
|
|
PathChanged = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
|
|
Unit = "postfix-reload.service";
|
|
};
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
|
|
systemd.services."postfix-reload" = {
|
|
description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path";
|
|
documentation = [ "systemd.path(5)" ];
|
|
requires = [ "postfix.service" ];
|
|
after = [ "postfix.service" ];
|
|
startLimitIntervalSec = 10;
|
|
startLimitBurst = 5;
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
${pkgs.systemd}/bin/systemctl reload postfix
|
|
'';
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
|
|
services.mailman = {
|
|
enable = true;
|
|
serve.enable = true;
|
|
hyperkitty.enable = true;
|
|
webHosts = [ "list.${config.pub-solar-os.networking.domain}" ];
|
|
siteOwner = "admins@pub.solar";
|
|
};
|
|
|
|
# TODO add django-keycloak as auth provider
|
|
# https://django-keycloak.readthedocs.io/en/latest/
|
|
## Extend settings.py directly since this can't be done via JSON
|
|
## settings (services.mailman.webSettings)
|
|
#environment.etc."mailman3/settings.py".text = ''
|
|
# INSTALLED_APPS.extend([
|
|
# "allauth.socialaccount.providers.github",
|
|
# "allauth.socialaccount.providers.gitlab"
|
|
# ])
|
|
#'';
|
|
|
|
services.restic.backups.mailman-droppie = {
|
|
paths = [
|
|
"/var/lib/mailman"
|
|
"/var/lib/mailman-web/mailman-web.db"
|
|
"/var/lib/mailman-web/settings_local.json"
|
|
"/var/lib/postfix/conf/aliases.db"
|
|
];
|
|
timerConfig = {
|
|
OnCalendar = "*-*-* 02:00:00 Etc/UTC";
|
|
# droppie will be offline if nachtigall misses the timer
|
|
Persistent = false;
|
|
};
|
|
initialize = true;
|
|
passwordFile = config.age.secrets."restic-repo-droppie".path;
|
|
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
|
|
pruneOpts = [
|
|
"--keep-daily 7"
|
|
"--keep-weekly 4"
|
|
"--keep-monthly 3"
|
|
];
|
|
};
|
|
|
|
services.restic.backups.mailman-storagebox = {
|
|
paths = [
|
|
"/var/lib/mailman"
|
|
"/var/lib/mailman-web/mailman-web.db"
|
|
"/var/lib/mailman-web/settings_local.json"
|
|
"/var/lib/postfix/conf/aliases.db"
|
|
];
|
|
timerConfig = {
|
|
OnCalendar = "*-*-* 04:15:00 Etc/UTC";
|
|
};
|
|
initialize = true;
|
|
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
|
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
|
pruneOpts = [
|
|
"--keep-daily 7"
|
|
"--keep-weekly 4"
|
|
"--keep-monthly 3"
|
|
];
|
|
};
|
|
}
|