From 31d99b750fca57c660f98e23e12053eaf42d4929 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 30 Jan 2021 00:16:27 +0100
Subject: [PATCH] Move postscript scripts sensible values out of the store

---
 flakes/myuids/flake.nix | 1 +
 modules/private/mail/postfix.nix | 22 ++++++++++++++++++----
 nixops/secrets | 2 +-
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/flakes/myuids/flake.nix b/flakes/myuids/flake.nix
index 1a3a9b4..4068ba3 100644
--- a/flakes/myuids/flake.nix
+++ b/flakes/myuids/flake.nix
@@ -5,6 +5,7 @@ lib = {
 # Check that there is no clash with nixos/modules/misc/ids.nix
 uids = {
+ postfixscripts = 387;
 acme = 388;
 backup = 389;
 vhost = 390;
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index f6c4362..70c3f46 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -160,10 +160,21 @@ version = 3
 '';
 }
- ];
+ ] ++ (lib.mapAttrsToList (name: v: {
+ dest = "postfix/scripts/${name}-env";
+ user = "postfixscripts";
+ group = "root";
+ permissions = "0400";
+ text = builtins.toJSON v.env;
+ }) config.myEnv.mail.scripts);
 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
+ users.users.postfixscripts = {
+ group = "keys";
+ uid = config.ids.uids.postfixscripts;
+ description = "Postfix scripts user";
+ };
 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
 services.filesWatcher.postfix = {
 restart = true;
@@ -209,7 +220,7 @@ fi
 '';
 scripts = lib.attrsets.mapAttrs (n: v:
- toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+ toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
 ) config.myEnv.mail.scripts // {
 testmail = pkgs.writeScript "testmail" ''
 #! ${pkgs.stdenv.shell} 
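Review bot: The new account in the `users.users.postfixscripts` block is declared without `isSystemUser = true;`; NixOS releases that require exactly one of `isSystemUser`/`isNormalUser` will refuse to evaluate the module, so `isSystemUser = true;` belongs next to `uid = config.ids.uids.postfixscripts;`. The account is also placed in `group = "keys"` while the generated `postfix/scripts/${name}-env` files are `permissions = "0400"` with `group = "root"`, so that membership is not what protects the env files; if it is only needed to traverse the secrets directory, a comment such as `# keys: lets the user enter the secrets dir; the env files themselves are owner-read-only` would record the reason. `text = builtins.toJSON v.env` still evaluates the values inside the module, so whether they stay out of the store depends on how the secrets consumer handles `text`, which this hunk does not show. The enclosing module attribute set starts and ends outside the hunk.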
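Review bot: `scriptEnv` changes from the `v.env` attribute set to the string `"/var/secrets/postfix/scripts/${n}-env"`, but the consumers of that argument are fetched from `v.src.url` at the pinned `v.src.rev`, so each script's `rev` must already point at a version that reads its environment from that JSON file at runtime; nothing in this hunk shows such a bump, and an older revision would receive a path where it expected values. A comment above the `scripts = lib.attrsets.mapAttrs` line, e.g. `# scriptEnv is the runtime path of the 0400 JSON env file generated above, not the values themselves`, would make the new contract explicit. The `mapAttrs` body and the `scripts` attribute set both continue outside the hunk.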
@@ -277,6 +288,9 @@ mailbox_size_limit = "1073741825";
 # Workaround, local delivered mails should all go through scripts
 alias_database = "\$alias_maps";
+ ### Aliases scripts user
+ default_privs = "postfixscripts";
+
 ### Virtual mailboxes config
 virtual_alias_maps = [
 "hash:/etc/postfix/virtual"
@@ -454,10 +468,10 @@ in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
 in ''
- install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+ install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
 for f in ${mails_to_receive}; do
 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
- install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+ install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
 touch -m -d @0 /var/lib/naemon/checks/email/$f
 fi
 done
diff --git a/nixops/secrets b/nixops/secrets
index 3c9ed73..1b3be53 160000
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit 3c9ed734ef4d9bc58d7f0b79d86253a8163d06f0
+Subproject commit 1b3be53dd5e79ba1af9207aff17486a0558a40a5
-- 
2.41.0
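Review bot: `default_privs = "postfixscripts";` makes every alias-driven `|command` or file delivery run as that one account, not only the scripts defined in `config.myEnv.mail.scripts`, and the same account owns all the `postfix/scripts/*-env` secrets; the separation this commit introduces is therefore per-user rather than per-script, and any alias that pipes to a command runs with read access to every script's environment. Recording that boundary in the new comment, `### Aliases scripts user: every alias |command delivery runs as this user and can read all postfix/scripts/*-env secrets`, would help whoever adds the next alias. The `@@ -454` hunk hands the naemon check directory and files to the same account with `-o postfixscripts -g keys`, which is consistent with this choice. The `main.cf` attribute set containing `default_privs` starts and ends outside the hunk.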