eb62cb1421
Change-Id: Ib7d9089b63bba7ebc44d3438ed284e752f0595e9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7638 Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
139 lines
3.8 KiB
Nix
139 lines
3.8 KiB
Nix
# public-inbox configuration for depot@tvl.su
|
|
#
|
|
# The account itself is a Yandex 360 account in the tvl.su organisation, which
|
|
# is accessed via IMAP. Yandex takes care of spam filtering for us, so there is
|
|
# no particular SpamAssassin or other configuration.
|
|
{ config, depot, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.services.depot.inbox;
|
|
|
|
imapConfig = pkgs.writeText "offlineimaprc" ''
|
|
[general]
|
|
accounts = depot
|
|
|
|
[Account depot]
|
|
localrepository = Local
|
|
remoterepository = Remote
|
|
|
|
[Repository Local]
|
|
type = Maildir
|
|
localfolders = /var/lib/public-inbox/depot-imap
|
|
|
|
[Repository Remote]
|
|
type = IMAP
|
|
ssl = yes
|
|
sslcacertfile = /etc/ssl/certs/ca-bundle.crt
|
|
remotehost = imap.yandex.ru
|
|
remoteuser = depot@tvl.su
|
|
remotepassfile = /var/run/agenix/depot-inbox-imap
|
|
'';
|
|
in
|
|
{
|
|
options.services.depot.inbox = with lib; {
|
|
enable = mkEnableOption "Enable public-inbox for depot@tvl.su";
|
|
|
|
depotPath = mkOption {
|
|
description = "path to local depot replica";
|
|
type = types.str;
|
|
default = "/var/lib/depot";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# Having nginx *and* other services use ACME certificates for the
|
|
# same hostname is unsupported in NixOS without resorting to doing
|
|
# all ACME configuration manually.
|
|
#
|
|
# To work around this, we duplicate the TLS certificate used by
|
|
# nginx to a location that is readable by public-inbox daemons.
|
|
systemd.services.inbox-cert-sync = {
|
|
startAt = "daily";
|
|
|
|
script = ''
|
|
${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
|
|
/var/lib/acme/inbox.tvl.su/fullchain.pem /var/lib/public-inbox/tls/fullchain.pem
|
|
|
|
${pkgs.coreutils}/bin/install -D -g ${config.users.groups."public-inbox".name} -m 0440 \
|
|
/var/lib/acme/inbox.tvl.su/key.pem /var/lib/public-inbox/tls/key.pem
|
|
'';
|
|
};
|
|
|
|
services.public-inbox = {
|
|
enable = true;
|
|
|
|
http.enable = true;
|
|
http.port = 8053;
|
|
|
|
imap = {
|
|
enable = true;
|
|
port = 993;
|
|
cert = "/var/lib/public-inbox/tls/fullchain.pem";
|
|
key = "/var/lib/public-inbox/tls/key.pem";
|
|
};
|
|
|
|
nntp = {
|
|
enable = true;
|
|
port = 563;
|
|
cert = "/var/lib/public-inbox/tls/fullchain.pem";
|
|
key = "/var/lib/public-inbox/tls/key.pem";
|
|
};
|
|
|
|
inboxes.depot = rec {
|
|
address = [
|
|
"depot@tvl.su" # primary address
|
|
"depot@tazj.in" # legacy address
|
|
];
|
|
|
|
description = "TVL depot development (mail to depot@tvl.su)";
|
|
coderepo = [ "depot" ];
|
|
url = "https://inbox.tvl.su/depot";
|
|
|
|
watch = [
|
|
"maildir:/var/lib/public-inbox/depot-imap/INBOX/"
|
|
];
|
|
|
|
newsgroup = "su.tvl.depot";
|
|
};
|
|
|
|
settings.coderepo.depot = {
|
|
dir = cfg.depotPath;
|
|
cgitUrl = "https://code.tvl.fyi";
|
|
};
|
|
|
|
settings.publicinbox.wwwlisting = "all";
|
|
settings.publicinbox.nntpserver = [ "inbox.tvl.su" ];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
993 # imap
|
|
563 # nntp
|
|
];
|
|
|
|
age.secrets.depot-inbox-imap = {
|
|
file = depot.ops.secrets."depot-inbox-imap.age";
|
|
mode = "0440";
|
|
group = config.users.groups."public-inbox".name;
|
|
};
|
|
|
|
systemd.services.offlineimap-depot = {
|
|
description = "download mail for depot@tvl.su";
|
|
wantedBy = [ "multi-user.target" ];
|
|
startAt = "minutely";
|
|
|
|
script = ''
|
|
mkdir -p /var/lib/public-inbox/depot-imap
|
|
${pkgs.offlineimap}/bin/offlineimap -c ${imapConfig}
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
|
|
# Run in the same user context as public-inbox itself to avoid
|
|
# permissions trouble.
|
|
User = config.users.users."public-inbox".name;
|
|
Group = config.users.groups."public-inbox".name;
|
|
};
|
|
};
|
|
};
|
|
}
|