2024-02-05 20:36:51 +00:00
|
|
|
# Adapted and simplified from https://nixos.wiki/wiki/Mailman
|
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
2024-03-31 14:26:11 +00:00
|
|
|
pkgs,
|
2024-02-05 20:36:51 +00:00
|
|
|
...
|
|
|
|
}: let
|
|
|
|
inherit
|
|
|
|
(lib)
|
|
|
|
mkIf
|
|
|
|
mkEnableOption
|
|
|
|
mkOption
|
|
|
|
;
|
|
|
|
inherit (lib.types) str;
|
|
|
|
cfg = config.services.mathebau-mailman;
|
|
|
|
in {
|
|
|
|
options.services.mathebau-mailman = {
|
|
|
|
enable = mkEnableOption "mathebau mailman service";
|
|
|
|
hostName = mkOption {
|
|
|
|
type = str;
|
|
|
|
};
|
|
|
|
siteOwner = mkOption {
|
|
|
|
type = str;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
services = {
|
|
|
|
postfix = {
|
|
|
|
enable = true;
|
|
|
|
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
|
|
|
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
|
|
|
|
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
|
|
|
|
config = {
|
|
|
|
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
|
|
|
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
|
|
|
proxy_interfaces = "130.83.2.184";
|
|
|
|
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
|
|
|
};
|
|
|
|
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
|
|
|
|
};
|
|
|
|
mailman = {
|
|
|
|
enable = true;
|
|
|
|
inherit (cfg) siteOwner;
|
|
|
|
hyperkitty.enable = true;
|
|
|
|
webHosts = [cfg.hostName];
|
|
|
|
serve.enable = true; #
|
|
|
|
};
|
|
|
|
nginx.virtualHosts.${cfg.hostName} = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.persistence.${config.impermanence.name} = {
|
|
|
|
directories = [
|
|
|
|
"/var/lib/acme" # Persist TLS keys and account
|
|
|
|
"/var/lib/mailman"
|
|
|
|
"/var/lib/mailman-web"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
security.acme.defaults.email = cfg.siteOwner;
|
|
|
|
security.acme.acceptTerms = true;
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [25 80 443];
|
2024-03-31 14:26:11 +00:00
|
|
|
|
|
|
|
# Update HRZ allowlist
|
|
|
|
#
|
|
|
|
systemd.timers."mailAllowlist" = {
|
|
|
|
wantedBy = ["timers.target"];
|
|
|
|
timerConfig = {
|
|
|
|
OnBootSec = "5m"; # Run every 5 minutes
|
|
|
|
OnUnitActiveSec = "5m";
|
|
|
|
RandomizedDelaySec = "1m"; # Randomized delay
|
|
|
|
Unit = "mailAllowlist.service";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
systemd.services."mailAllowlist" = {
|
|
|
|
description = "Post the mail addresses used by mailman to the HRZ allow list";
|
|
|
|
script = ''
|
|
|
|
# Parse addresses
|
|
|
|
cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
|
|
|
|
# Post addresses to HRZ
|
|
|
|
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
|
|
|
|
# Cleanup
|
|
|
|
rm /tmp/addresses
|
|
|
|
'';
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
User = "mailman";
|
|
|
|
PrivateTmp = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
sops.secrets.allowlistPass = {
|
|
|
|
sopsFile = ../machines/lobon/allowlistPass.yaml;
|
|
|
|
owner = "mailman";
|
|
|
|
group = "mailman";
|
|
|
|
mode = "0400";
|
|
|
|
};
|
2024-02-05 20:36:51 +00:00
|
|
|
};
|
|
|
|
}
|