author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-30 00:16:27 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-30 00:16:27 +0100 |
commit | 31d99b750fca57c660f98e23e12053eaf42d4929 (patch) | |
tree | 64df11201adf13ece3b8407c6768cd3aa04928f0 /modules/private/mail | |
parent | 0c67c58418d0b69135109765226e31137bd13c0a (diff) | |
Move postfix scripts' sensitive values out of the store
Diffstat (limited to 'modules/private/mail')
-rw-r--r-- | modules/private/mail/postfix.nix | 22 |
1 files changed, 18 insertions, 4 deletions
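--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -160,10 +160,21 @@
 version = 3
 '';
 }
-];
+] ++ (lib.mapAttrsToList (name: v: {
+dest = "postfix/scripts/${name}-env";
+user = "postfixscripts";
+group = "root";
+permissions = "0400";
+text = builtins.toJSON v.env;
+}) config.myEnv.mail.scripts);
 
 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
+users.users.postfixscripts = {
+group = "keys";
+uid = config.ids.uids.postfixscripts;
+description = "Postfix scripts user";
+};
 users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
 services.filesWatcher.postfix = {
 restart = true;
@@ -209,7 +220,7 @@
 fi
 '';
 scripts = lib.attrsets.mapAttrs (n: v:
-toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
 ) config.myEnv.mail.scripts // {
 testmail = pkgs.writeScript "testmail" ''
 #! ${pkgs.stdenv.shell}
@@ -277,6 +288,9 @@
 mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
 alias_database = "\$alias_maps";
 
+### Aliases scripts user
+default_privs = "postfixscripts";
+
 ### Virtual mailboxes config
 virtual_alias_maps = [
 "hash:/etc/postfix/virtual"
@@ -454,10 +468,10 @@
 in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
 mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
 in ''
-install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
 for f in ${mails_to_receive}; do
 if [ ! -f /var/lib/naemon/checks/email/$f ]; then
-install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
 touch -m -d @0 /var/lib/naemon/checks/email/$f
 fi
 done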
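Review bot: In the first hunk the env files are still produced from `text = builtins.toJSON v.env;`, so whether the secrets actually leave the Nix store depends entirely on how the secrets module that consumes `dest`/`text` (not in this diff) materializes them — if it goes through `writeText` or an activation-script string, the JSON lands world-readable in /nix/store and the commit's goal is defeated; please confirm and record it next to the entry, e.g. `# env written at activation to /var/secrets (never a store path); 0400, group root: readable by postfixscripts only, not by the postfix user via "keys"`. Relatedly, `default_privs = "postfixscripts"` only governs commands piped from aliases, so any script reached through a pipe transport or another delivery path would run as a different user and be unable to read the 0400 file; a one-line comment stating that all scripts are alias-driven would make the assumption checkable. The `/var/secrets/` prefix is hard-coded in the second hunk while the first hunk only gives the relative `dest`, so the two can drift; consider deriving the `scriptEnv` path from the same base the secrets module uses. The surrounding `secrets`/`scripts` attribute sets start and end outside the hunks.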