author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 17:40:07 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 20:20:45 +0200 |
commit | 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch) | |
tree | 9a7ede9ac3f1899074e9ef568a447f883191d3b5 /modules/private/mail | |
parent | da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff) | |
Use attrs for secrets instead of lists
Diffstat (limited to 'modules/private/mail')
-rw-r--r-- | modules/private/mail/dovecot.nix | 45 | ||||
-rw-r--r-- | modules/private/mail/milters.nix | 19 | ||||
-rw-r--r-- | modules/private/mail/opensmtpd.nix | 19 | ||||
-rw-r--r-- | modules/private/mail/postfix.nix | 42 | ||||
-rw-r--r-- | modules/private/mail/relay.nix | 24 | ||||
-rw-r--r-- | modules/private/mail/sympa.nix | 17 |
6 files changed, 72 insertions, 94 deletions
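--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -18,36 +18,33 @@ in
 + /var/lib/dhparams
 + /var/lib/dovecot
 '';
-secrets.keys = [
-{
-dest = "dovecot/ldap";
-user = config.services.dovecot2.user;
-group = config.services.dovecot2.group;
-permissions = "0400";
-text = ''
-hosts = ${config.myEnv.mail.dovecot.ldap.host}
-tls = yes
+secrets.keys."dovecot/ldap" = {
+user = config.services.dovecot2.user;
+group = config.services.dovecot2.group;
+permissions = "0400";
+text = ''
+hosts = ${config.myEnv.mail.dovecot.ldap.host}
+tls = yes
 
 dn = ${config.myEnv.mail.dovecot.ldap.dn}
 dnpass = ${config.myEnv.mail.dovecot.ldap.password}
 
 auth_bind = yes
 
 ldap_version = 3
 
 base = ${config.myEnv.mail.dovecot.ldap.base}
 scope = subtree
 
 pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
 pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
 
 user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
 user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
 iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
 iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
 '';
-}
-];
+};
 
 users.users.vhost = {
 group = "vhost";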
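Review bot: Inside the `text` body of `secrets.keys."dovecot/ldap"`, only `hosts = ...` and `tls = yes` are marked as changed while `dn = ...` through `iterate_filter = ...` are context, so the re-indentation appears to cover just the first two lines and the `''` string body probably ends up with two different indentation levels. Nix strips only the common minimum indentation from a `''` string, so the deeper lines keep extra leading spaces in the generated dovecot-ldap key file; Dovecot's config parser should accept that, so this is a readability point rather than a functional one. Worth aligning every line of the string body to one level so the emitted file reads cleanly. The enclosing `config` attrset continues outside the hunk.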
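--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -17,30 +17,27 @@
 '';
 };
 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
-secrets.keys = [
-{
-dest = "opendkim";
+secrets.keys = {
+"opendkim" = {
 isDir = true;
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0550";
-}
-{
-dest = "opendkim/eldiron.private";
+};
+"opendkim/eldiron.private" = {
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0400";
 text = config.myEnv.mail.dkim.eldiron.private;
-}
-{
-dest = "opendkim/eldiron.txt";
+};
+"opendkim/eldiron.txt" = {
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0444";
 text = ''
 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
-}
-];
+};
+};
 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
 services.opendkim = {
 enable = true;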
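Review bot: The `"opendkim"` entry with `isDir = true` and `permissions = "0550"` used to come before the two files by list position; as attribute names the three keys no longer carry a written order, so whatever consumes `secrets.keys` must itself make sure the directory exists before `opendkim/eldiron.private` and `opendkim/eldiron.txt` are written. Lexicographic iteration over the attrset happens to visit `opendkim` first here, but that is incidental and not something the consumer should be assumed to rely on. If the secrets module does not already handle this, it would be more robust to have it derive parent directories from the key name than to depend on an explicit `isDir` entry sorting first. The `config` attrset continues outside the hunk.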
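--- a/modules/private/mail/opensmtpd.nix
+++ b/modules/private/mail/opensmtpd.nix
@@ -1,17 +1,14 @@
 { lib, pkgs, config, name, ... }:
 {
 config = lib.mkIf config.myServices.mailRelay.enable {
-secrets.keys = [
-{
-dest = "opensmtpd/creds";
-user = "smtpd";
-group = "smtpd";
-permissions = "0400";
-text = ''
-eldiron ${name}:${config.hostEnv.ldap.password}
-'';
-}
-];
+secrets.keys."opensmtpd/creds" = {
+user = "smtpd";
+group = "smtpd";
+permissions = "0400";
+text = ''
+eldiron ${name}:${config.hostEnv.ldap.password}
+'';
+};
 users.users.smtpd.extraGroups = [ "keys" ];
 services.opensmtpd = {
 enable = true;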
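--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -4,9 +4,8 @@
 services.duplyBackup.profiles.mail.excludeFile = ''
 + /var/lib/postfix
 '';
-secrets.keys = [
-{
-dest = "postfix/mysql_alias_maps";
+secrets.keys = {
+"postfix/mysql_alias_maps" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -32,9 +31,8 @@
 FROM forwardings_blacklisted
 WHERE source = '%s'
 '';
-}
-{
-dest = "postfix/ldap_mailboxes";
+};
+"postfix/ldap_mailboxes" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -48,9 +46,8 @@
 result_format = dummy
 version = 3
 '';
-}
-{
-dest = "postfix/mysql_sender_login_maps";
+};
+"postfix/mysql_sender_login_maps" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -72,9 +69,8 @@
 AND active = 1
 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
 '';
-}
-{
-dest = "postfix/mysql_sender_relays_maps";
+};
+"postfix/mysql_sender_relays_maps" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -102,9 +98,8 @@
 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
 AND active = 1
 '';
-}
-{
-dest = "postfix/mysql_sender_relays_hosts";
+};
+"postfix/mysql_sender_relays_hosts" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -122,9 +117,8 @@
 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
 AND active = 1
 '';
-}
-{
-dest = "postfix/mysql_sender_relays_creds";
+};
+"postfix/mysql_sender_relays_creds" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -142,9 +136,8 @@
 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
 AND active = 1
 '';
-}
-{
-dest = "postfix/ldap_ejabberd_users_immae_fr";
+};
+"postfix/ldap_ejabberd_users_immae_fr" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -159,14 +152,13 @@
 result_format = ejabberd@localhost
 version = 3
 '';
-}
-] ++ (lib.mapAttrsToList (name: v: {
-dest = "postfix/scripts/${name}-env";
+};
+} // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
 user = "postfixscripts";
 group = "root";
 permissions = "0400";
 text = builtins.toJSON v.env;
-}) config.myEnv.mail.scripts);
+}) config.myEnv.mail.scripts;
 
 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 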
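Review bot: The `} // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" { ... }) config.myEnv.mail.scripts` at the end of the last hunk joins the static and generated keys with `//`, which silently lets a later name override an earlier one instead of reporting a duplicate, whereas the list form at least produced two visible entries; sympa.nix's two `// lib.mapAttrs'` chains have the same property. Passing the pieces as separate definitions, e.g. `secrets.keys = lib.mkMerge [ { ... } (lib.mapAttrs' ... config.myEnv.mail.scripts) ];`, lets the module system flag conflicting definitions of one key, assuming `secrets.keys` is declared as an attrset of submodules (its declaration is not in this change). Separately, relay.nix now defines `"postfix/mysql_alias_maps"`, `"postfix/ldap_mailboxes"` and `"postfix/ldap_ejabberd_users_immae_fr"` under the same names as this file; if both modules are ever enabled on one host, the attrset form will merge or conflict where the lists used to yield two entries, so either the two enable conditions should be mutually exclusive or the shared keys should live in one place. The `config` attrset continues outside the hunk.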
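--- a/modules/private/mail/relay.nix
+++ b/modules/private/mail/relay.nix
@@ -13,9 +13,8 @@
 mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx;
 in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
 };
-secrets.keys = [
-{
-dest = "postfix/mysql_alias_maps";
+secrets.keys = {
+"postfix/mysql_alias_maps" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -41,9 +40,8 @@
 FROM forwardings_blacklisted
 WHERE source = '%s'
 '';
-}
-{
-dest = "postfix/ldap_mailboxes";
+};
+"postfix/ldap_mailboxes" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -57,9 +55,8 @@
 result_format = dummy
 version = 3
 '';
-}
-{
-dest = "postfix/sympa_mailbox_maps";
+};
+"postfix/sympa_mailbox_maps" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -82,9 +79,8 @@
 CONCAT('abuse-feedback-report@', robot_list)
 )
 '';
-}
-{
-dest = "postfix/ldap_ejabberd_users_immae_fr";
+};
+"postfix/ldap_ejabberd_users_immae_fr" = {
 user = config.services.postfix.user;
 group = config.services.postfix.group;
 permissions = "0440";
@@ -99,8 +95,8 @@
 result_format = ejabberd@localhost
 version = 3
 '';
-}
-];
+};
+};
 
 networking.firewall.allowedTCPPorts = [ 25 ];
 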
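--- a/modules/private/mail/sympa.nix
+++ b/modules/private/mail/sympa.nix
@@ -34,20 +34,19 @@ in
 ];
 };
 
-secrets.keys = [
-{
-dest = "sympa/db_password";
+secrets.keys = {
+"sympa/db_password" = {
 permissions = "0400";
 group = "sympa";
 user = "sympa";
 text = sympaConfig.postgresql.password;
-}
-]
-++ lib.mapAttrsToList (n: v: {
-dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+};
+}
+// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
+permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
 }) sympaConfig.data_sources
-++ lib.mapAttrsToList (n: v: {
-dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+// lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
+permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
 }) sympaConfig.scenari;
 users.users.sympa.extraGroups = [ "keys" ];
 systemd.slices.mail-sympa = {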