]> git.immae.eu Git - perso/Immae/Config/Nix.git/commitdiff
projects / perso / Immae / Config / Nix.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0c67c58)
Move postscript scripts sensible values out of the store
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 23:16:27 +0000 (00:16 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 23:16:27 +0000 (00:16 +0100)
flakes/myuids/flake.nix patch | blob | blame | history
modules/private/mail/postfix.nix patch | blob | blame | history
nixops/secrets patch | blob | blame | history

diff --git a/flakes/myuids/flake.nix b/flakes/myuids/flake.nix
index 1a3a9b45ea681865c4967d691d77f8810b2ab858..4068ba3e67ae72805eb7506cd5a41b8d8e5308e1 100644 (file)
--- a/flakes/myuids/flake.nix
+++ b/flakes/myuids/flake.nix
@@ -5,6 +5,7 @@
     lib = {
       # Check that there is no clash with nixos/modules/misc/ids.nix
       uids = {
     lib = {
       # Check that there is no clash with nixos/modules/misc/ids.nix
       uids = {
+        postfixscripts = 387;
         acme = 388;
         backup = 389;
         vhost = 390;
         acme = 388;
         backup = 389;
         vhost = 390;
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index f6c4362b4e4ea960867d9e5061a62e34182d8dda..70c3f466f7376b204e62f32319bd008c3d4a255c 100644 (file)
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -160,10 +160,21 @@
           version = 3
           '';
       }
           version = 3
           '';
       }
-    ];
+    ] ++ (lib.mapAttrsToList (name: v: {
+      dest = "postfix/scripts/${name}-env";
+      user = "postfixscripts";
+      group = "root";
+      permissions = "0400";
+      text = builtins.toJSON v.env;
+    }) config.myEnv.mail.scripts);
 
     networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
 
     networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
+    users.users.postfixscripts = {
+      group = "keys";
+      uid = config.ids.uids.postfixscripts;
+      description = "Postfix scripts user";
+    };
     users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
     services.filesWatcher.postfix = {
       restart = true;
     users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
     services.filesWatcher.postfix = {
       restart = true;
@@ -209,7 +220,7 @@
           fi
           '';
         scripts = lib.attrsets.mapAttrs (n: v:
           fi
           '';
         scripts = lib.attrsets.mapAttrs (n: v:
-          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
         ) config.myEnv.mail.scripts // {
           testmail = pkgs.writeScript "testmail" ''
             #! ${pkgs.stdenv.shell}
         ) config.myEnv.mail.scripts // {
           testmail = pkgs.writeScript "testmail" ''
             #! ${pkgs.stdenv.shell}
@@ -277,6 +288,9 @@
         mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
         alias_database = "\$alias_maps";
 
         mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
         alias_database = "\$alias_maps";
 
+        ### Aliases scripts user
+        default_privs = "postfixscripts";
+
         ### Virtual mailboxes config
         virtual_alias_maps = [
           "hash:/etc/postfix/virtual"
         ### Virtual mailboxes config
         virtual_alias_maps = [
           "hash:/etc/postfix/virtual"
@@ -454,10 +468,10 @@
           in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
         mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
       in ''
           in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
         mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
       in ''
-        install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+        install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
         for f in ${mails_to_receive}; do
           if [ ! -f /var/lib/naemon/checks/email/$f ]; then
         for f in ${mails_to_receive}; do
           if [ ! -f /var/lib/naemon/checks/email/$f ]; then
-            install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+            install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
             touch -m -d @0 /var/lib/naemon/checks/email/$f
           fi
         done
             touch -m -d @0 /var/lib/naemon/checks/email/$f
           fi
         done
diff --git a/nixops/secrets b/nixops/secrets
index 3c9ed734ef4d9bc58d7f0b79d86253a8163d06f0..1b3be53dd5e79ba1af9207aff17486a0558a40a5 160000 (submodule)
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit 3c9ed734ef4d9bc58d7f0b79d86253a8163d06f0
+Subproject commit 1b3be53dd5e79ba1af9207aff17486a0558a40a5
My infrastructure configuration