Remove duply-backup

[perso/Immae/Config/Nix.git] / modules / private / mail / postfix.nix

diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 0c95df57eb68e826aff10f2dd8d0f4af85de2191..ae98a8a8c82e0d5d0ba2f20b4eae4cc442a0ee93 100644 (file)
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -1,12 +1,8 @@
 { lib, pkgs, config, nodes, ... }:
 {
   config = lib.mkIf config.myServices.mail.enable {
-    services.duplyBackup.profiles.mail.excludeFile = ''
-      + /var/lib/postfix
-      '';
-    secrets.keys = [
-      {
-        dest = "postfix/mysql_alias_maps";
+    secrets.keys = {
+      "postfix/mysql_alias_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -32,9 +28,8 @@
               FROM forwardings_blacklisted
               WHERE source = '%s'
           '';
-      }
-      {
-        dest = "postfix/ldap_mailboxes";
+      };
+      "postfix/ldap_mailboxes" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -48,9 +43,8 @@
           result_format = dummy
           version = 3
         '';
-      }
-      {
-        dest = "postfix/mysql_sender_login_maps";
+      };
+      "postfix/mysql_sender_login_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -72,9 +66,8 @@
               AND active = 1
             UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_maps";
+      };
+      "postfix/mysql_sender_relays_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -102,9 +95,8 @@
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_hosts";
+      };
+      "postfix/mysql_sender_relays_hosts" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -122,9 +114,8 @@
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_creds";
+      };
+      "postfix/mysql_sender_relays_creds" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -142,9 +133,8 @@
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/ldap_ejabberd_users_immae_fr";
+      };
+      "postfix/ldap_ejabberd_users_immae_fr" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -159,11 +149,21 @@
           result_format = ejabberd@localhost
           version = 3
           '';
-      }
-    ];
+      };
+    } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
+      user = "postfixscripts";
+      group = "root";
+      permissions = "0400";
+      text = builtins.toJSON v.env;
+    }) config.myEnv.mail.scripts;
 
     networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
+    users.users.postfixscripts = {
+      group = "keys";
+      uid = config.ids.uids.postfixscripts;
+      description = "Postfix scripts user";
+    };
     users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
     services.filesWatcher.postfix = {
       restart = true;
@@ -209,7 +209,7 @@
           fi
           '';
         scripts = lib.attrsets.mapAttrs (n: v:
-          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; })
         ) config.myEnv.mail.scripts // {
           testmail = pkgs.writeScript "testmail" ''
             #! ${pkgs.stdenv.shell}
@@ -277,6 +277,9 @@
         mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
         alias_database = "\$alias_maps";
 
+        ### Aliases scripts user
+        default_privs = "postfixscripts";
+
         ### Virtual mailboxes config
         virtual_alias_maps = [
           "hash:/etc/postfix/virtual"
@@ -421,7 +424,7 @@
                 ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -f "$sender" -a "$original_recipient" -d "$user"
               '';
           in [
-            "flags=DRhu" "user=vhost:vhost"
+            "flags=ODRhu" "user=vhost:vhost"
             "argv=${rspamc_dovecot}/bin/rspamc_dovecot \${sender} \${original_recipient} \${user}@\${nexthop}"
           ];
         };
@@ -454,14 +457,15 @@
           in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
         mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
       in ''
-        install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+        install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
         for f in ${mails_to_receive}; do
           if [ ! -f /var/lib/naemon/checks/email/$f ]; then
-            install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+            install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
             touch -m -d @0 /var/lib/naemon/checks/email/$f
           fi
         done
         '';
     };
+    systemd.services.postfix.serviceConfig.Slice = "mail.slice";
   };
 }