benley/configuration.nix Secret

## configuration.nix
{ config, pkgs, ... }:

{
  services.postfix = {
    enable = true;
    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
    config = {
      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
    };
  };

  services.mailman = {
    enable = true;
    siteOwner = "postmaster@example.com";
    webUser = config.services.uwsgi.user;
    hyperkitty.enable = true;
    webHosts = ["mailman.example.com"];
  };

  # Extend settings.py directly since this can't be done via JSON
  # settings (services.mailman.webSettings)
  environment.etc."mailman3/settings.py".text = ''
    INSTALLED_APPS.extend([
      "allauth.socialaccount.providers.github",
      "allauth.socialaccount.providers.gitlab"
    ])
  '';

  # I'm not sure why this isn't covered by the "before" and
  # "requiredBy" settings present in mailman-web.service. Maybe
  # because it's a oneshot and not a daemon?
  systemd.services.uwsgi.restartTriggers = [config.environment.etc."mailman3/settings.py".source];

  services.uwsgi = {
    enable = true;
    plugins = ["python3"];
    instance = {
      type = "normal";
      pythonPackages = (
        # surely there must be a less arcane way of doing this, because ouch
        self: with self.override {
          overrides = self: super: { django = self.django_1_11; };
        }; [ mailman-web ]
      );
      socket = "127.0.0.1:33140";
      wsgi-file = "${config.services.mailman.webRoot}/mailman_web/wsgi.py";
      chdir = "/var/lib/mailman-web";
      static-map = "/static=/var/lib/mailman-web/static";
    };
  };

  security.acme.email = "webmaster@example.com";
  security.acme.acceptTerms = true;

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."mailman.example.com" = {
      enableACME = true;
      forceSSL = true;
      default = true;
      locations."/" = {
        extraConfig = ''
          uwsgi_pass 127.0.0.1:33140;
          include ${config.services.nginx.package}/conf/uwsgi_params;
        '';
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
	{ config, pkgs, ... }:

	{
	services.postfix = {
	enable = true;
	relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
	config = {
	transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
	local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
	};
	};

	services.mailman = {
	enable = true;
	siteOwner = "postmaster@example.com";
	webUser = config.services.uwsgi.user;
	hyperkitty.enable = true;
	webHosts = ["mailman.example.com"];
	};

	# Extend settings.py directly since this can't be done via JSON
	# settings (services.mailman.webSettings)
	environment.etc."mailman3/settings.py".text = ''
	INSTALLED_APPS.extend([
	"allauth.socialaccount.providers.github",
	"allauth.socialaccount.providers.gitlab"
	])
	'';

	# I'm not sure why this isn't covered by the "before" and
	# "requiredBy" settings present in mailman-web.service. Maybe
	# because it's a oneshot and not a daemon?
	systemd.services.uwsgi.restartTriggers = [config.environment.etc."mailman3/settings.py".source];

	services.uwsgi = {
	enable = true;
	plugins = ["python3"];
	instance = {
	type = "normal";
	pythonPackages = (
	# surely there must be a less arcane way of doing this, because ouch
	self: with self.override {
	overrides = self: super: { django = self.django_1_11; };
	}; [ mailman-web ]
	);
	socket = "127.0.0.1:33140";
	wsgi-file = "${config.services.mailman.webRoot}/mailman_web/wsgi.py";
	chdir = "/var/lib/mailman-web";
	static-map = "/static=/var/lib/mailman-web/static";
	};
	};

	security.acme.email = "webmaster@example.com";
	security.acme.acceptTerms = true;

	services.nginx = {
	enable = true;
	recommendedProxySettings = true;
	virtualHosts."mailman.example.com" = {
	enableACME = true;
	forceSSL = true;
	default = true;
	locations."/" = {
	extraConfig = ''
	uwsgi_pass 127.0.0.1:33140;
	include ${config.services.nginx.package}/conf/uwsgi_params;
	'';
	};
	};
	};

	networking.firewall.allowedTCPPorts = [ 80 443 ];
	}