nixConfig/nixos/modules/mailman.nix

# Adapted and simplified from https://nixos.wiki/wiki/Mailman
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    mkIf
    mkEnableOption
    mkOption
    ;
  inherit (lib.types) nonEmptyStr;
  cfg = config.services.mathebau-mailman;
in {
  options.services.mathebau-mailman = {
    enable = mkEnableOption "mathebau mailman service";
    hostName = mkOption {
      type = nonEmptyStr;
    };
    siteOwner = mkOption {
      type = nonEmptyStr;
    };
  };

  config = mkIf cfg.enable {
    services = {
      postfix = {
        enable = true;
        relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
        sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
        sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
        config = {
          transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
          local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
          proxy_interfaces = "130.83.2.184";
          smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
        };
        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
      };
      mailman = {
        enable = true;
        inherit (cfg) siteOwner;
        hyperkitty.enable = true;
        webHosts = [cfg.hostName];
        serve.enable = true; #
        # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
        settings.mta.verp_confirmations = "no";
      };
      nginx.virtualHosts.${cfg.hostName} = {
        enableACME = true; # Get certificates (primarily for postfix)
        forceSSL = false; # Don't use HTTPS behind the proxy
      };
    };

    environment.persistence.${config.impermanence.name} = {
      directories = [
        "/var/lib/acme" # Persist TLS keys and account
        "/var/lib/mailman"
        "/var/lib/mailman-web"
      ];
    };

    security.acme.defaults.email = cfg.siteOwner;
    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [25 80 443];

    # Update HRZ allowlist
    # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
    # will stop working if no valid TUIDs are associated to our domain.
    systemd.timers."mailAllowlist" = {
      wantedBy = ["timers.target"];
      timerConfig = {
        OnBootSec = "5m"; # Run every 5 minutes
        OnUnitActiveSec = "5m";
        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
        Unit = "mailAllowlist.service";
      };
    };
    systemd.services."mailAllowlist" = {
      description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
      script = ''
        # Get the mail addresses' local-part
        cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
        # Post local-parts to HRZ
        ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
        # Cleanup
        rm /tmp/addresses
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "mailman";
        PrivateTmp = true;
      };
    };
    sops.secrets.allowlistPass = {
      sopsFile = ../machines/lobon/allowlistPass.yaml;
      owner = "mailman";
      group = "mailman";
      mode = "0400";
    };
  };
}
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`# Adapted and simplified from https://nixos.wiki/wiki/Mailman`
			`{`
			`config,`
			`lib,`
Add pushing to hrz allowlist 2024-03-31 14:26:11 +00:00			`pkgs,`
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`...`
			`}: let`
			`inherit`
			`(lib)`
			`mkIf`
			`mkEnableOption`
			`mkOption`
			`;`
			`inherit (lib.types) nonEmptyStr;`
			`cfg = config.services.mathebau-mailman;`
			`in {`
			`options.services.mathebau-mailman = {`
			`enable = mkEnableOption "mathebau mailman service";`
			`hostName = mkOption {`
			`type = nonEmptyStr;`
			`};`
			`siteOwner = mkOption {`
			`type = nonEmptyStr;`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`services = {`
			`postfix = {`
			`enable = true;`
			`relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];`
			`sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";`
			`sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";`
			`config = {`
			`transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];`
			`local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];`
			`proxy_interfaces = "130.83.2.184";`
			`smtputf8_enable = "no"; # HRZ does not know SMTPUTF8`
			`};`
Add pushing to hrz allowlist 2024-03-31 14:26:11 +00:00			`relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)`
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`};`
			`mailman = {`
			`enable = true;`
			`inherit (cfg) siteOwner;`
			`hyperkitty.enable = true;`
			`webHosts = [cfg.hostName];`
			`serve.enable = true; #`
Add pushing to hrz allowlist 2024-03-31 14:26:11 +00:00			`# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.`
			`settings.mta.verp_confirmations = "no";`
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`};`
			`nginx.virtualHosts.${cfg.hostName} = {`
Add pushing to hrz allowlist 2024-03-31 14:26:11 +00:00			`enableACME = true; # Get certificates (primarily for postfix)`
			`forceSSL = false; # Don't use HTTPS behind the proxy`
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`};`
			`};`

			`environment.persistence.${config.impermanence.name} = {`
			`directories = [`
			`"/var/lib/acme" # Persist TLS keys and account`
			`"/var/lib/mailman"`
			`"/var/lib/mailman-web"`
			`];`
			`};`

			`security.acme.defaults.email = cfg.siteOwner;`
			`security.acme.acceptTerms = true;`

			`networking.firewall.allowedTCPPorts = [25 80 443];`
Add pushing to hrz allowlist 2024-03-31 14:26:11 +00:00
			`# Update HRZ allowlist`
			`# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/`
			`# will stop working if no valid TUIDs are associated to our domain.`
			`systemd.timers."mailAllowlist" = {`
			`wantedBy = ["timers.target"];`
			`timerConfig = {`
			`OnBootSec = "5m"; # Run every 5 minutes`
			`OnUnitActiveSec = "5m";`
			`RandomizedDelaySec = "2m"; # prevent overload on regular intervals`
			`Unit = "mailAllowlist.service";`
			`};`
			`};`
			`systemd.services."mailAllowlist" = {`
			`description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";`
			`script = ''`
			`# Get the mail addresses' local-part`
			`cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp \| grep -v '#' \| grep "\S" > /tmp/addresses`
			`# Post local-parts to HRZ`
			`${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll`
			`# Cleanup`
			`rm /tmp/addresses`
			`'';`
			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "mailman";`
			`PrivateTmp = true;`
			`};`
			`};`
			`sops.secrets.allowlistPass = {`
			`sopsFile = ../machines/lobon/allowlistPass.yaml;`
			`owner = "mailman";`
			`group = "mailman";`
			`mode = "0400";`
			`};`
Setze Mailman-Maschine auf 2024-02-05 20:36:51 +00:00			`};`
			`}`