diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-30 00:16:27 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-30 00:16:27 +0100 |
| commit | 31d99b750fca57c660f98e23e12053eaf42d4929 (patch) | |
| tree | 64df11201adf13ece3b8407c6768cd3aa04928f0 | |
| parent | 0c67c58418d0b69135109765226e31137bd13c0a (diff) | |
| download | Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.gz Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.zst Nix-31d99b750fca57c660f98e23e12053eaf42d4929.zip | |
Move postscript scripts sensible values out of the store
| -rw-r--r-- | flakes/myuids/flake.nix | 1 | ||||
| -rw-r--r-- | modules/private/mail/postfix.nix | 22 | ||||
| m--------- | nixops/secrets | 0 |
3 files changed, 19 insertions, 4 deletions
diff --git a/flakes/myuids/flake.nix b/flakes/myuids/flake.nix index 1a3a9b4..4068ba3 100644 --- a/flakes/myuids/flake.nix +++ b/flakes/myuids/flake.nix | |||
| @@ -5,6 +5,7 @@ | |||
| 5 | lib = { | 5 | lib = { |
| 6 | # Check that there is no clash with nixos/modules/misc/ids.nix | 6 | # Check that there is no clash with nixos/modules/misc/ids.nix |
| 7 | uids = { | 7 | uids = { |
| 8 | postfixscripts = 387; | ||
| 8 | acme = 388; | 9 | acme = 388; |
| 9 | backup = 389; | 10 | backup = 389; |
| 10 | vhost = 390; | 11 | vhost = 390; |
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index f6c4362..70c3f46 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -160,10 +160,21 @@ | |||
| 160 | version = 3 | 160 | version = 3 |
| 161 | ''; | 161 | ''; |
| 162 | } | 162 | } |
| 163 | ]; | 163 | ] ++ (lib.mapAttrsToList (name: v: { |
| 164 | dest = "postfix/scripts/${name}-env"; | ||
| 165 | user = "postfixscripts"; | ||
| 166 | group = "root"; | ||
| 167 | permissions = "0400"; | ||
| 168 | text = builtins.toJSON v.env; | ||
| 169 | }) config.myEnv.mail.scripts); | ||
| 164 | 170 | ||
| 165 | networking.firewall.allowedTCPPorts = [ 25 465 587 ]; | 171 | networking.firewall.allowedTCPPorts = [ 25 465 587 ]; |
| 166 | 172 | ||
| 173 | users.users.postfixscripts = { | ||
| 174 | group = "keys"; | ||
| 175 | uid = config.ids.uids.postfixscripts; | ||
| 176 | description = "Postfix scripts user"; | ||
| 177 | }; | ||
| 167 | users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; | 178 | users.users."${config.services.postfix.user}".extraGroups = [ "keys" ]; |
| 168 | services.filesWatcher.postfix = { | 179 | services.filesWatcher.postfix = { |
| 169 | restart = true; | 180 | restart = true; |
| @@ -209,7 +220,7 @@ | |||
| 209 | fi | 220 | fi |
| 210 | ''; | 221 | ''; |
| 211 | scripts = lib.attrsets.mapAttrs (n: v: | 222 | scripts = lib.attrsets.mapAttrs (n: v: |
| 212 | toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; }) | 223 | toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; }) |
| 213 | ) config.myEnv.mail.scripts // { | 224 | ) config.myEnv.mail.scripts // { |
| 214 | testmail = pkgs.writeScript "testmail" '' | 225 | testmail = pkgs.writeScript "testmail" '' |
| 215 | #! ${pkgs.stdenv.shell} | 226 | #! ${pkgs.stdenv.shell} |
| @@ -277,6 +288,9 @@ | |||
| 277 | mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts | 288 | mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts |
| 278 | alias_database = "\$alias_maps"; | 289 | alias_database = "\$alias_maps"; |
| 279 | 290 | ||
| 291 | ### Aliases scripts user | ||
| 292 | default_privs = "postfixscripts"; | ||
| 293 | |||
| 280 | ### Virtual mailboxes config | 294 | ### Virtual mailboxes config |
| 281 | virtual_alias_maps = [ | 295 | virtual_alias_maps = [ |
| 282 | "hash:/etc/postfix/virtual" | 296 | "hash:/etc/postfix/virtual" |
| @@ -454,10 +468,10 @@ | |||
| 454 | in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}"; | 468 | in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}"; |
| 455 | mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets); | 469 | mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets); |
| 456 | in '' | 470 | in '' |
| 457 | install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email | 471 | install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email |
| 458 | for f in ${mails_to_receive}; do | 472 | for f in ${mails_to_receive}; do |
| 459 | if [ ! -f /var/lib/naemon/checks/email/$f ]; then | 473 | if [ ! -f /var/lib/naemon/checks/email/$f ]; then |
| 460 | install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f | 474 | install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f |
| 461 | touch -m -d @0 /var/lib/naemon/checks/email/$f | 475 | touch -m -d @0 /var/lib/naemon/checks/email/$f |
| 462 | fi | 476 | fi |
| 463 | done | 477 | done |
diff --git a/nixops/secrets b/nixops/secrets | |||
| Subproject 3c9ed734ef4d9bc58d7f0b79d86253a8163d06f | Subproject 1b3be53dd5e79ba1af9207aff17486a0558a40a | ||