authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 17:40:07 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 20:20:45 +0200
commit4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch)
tree9a7ede9ac3f1899074e9ef568a447f883191d3b5 /modules/private/mail
parentda30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff)
Use attrs for secrets instead of lists
Diffstat (limited to 'modules/private/mail')
-rw-r--r--modules/private/mail/dovecot.nix45
-rw-r--r--modules/private/mail/milters.nix19
-rw-r--r--modules/private/mail/opensmtpd.nix19
-rw-r--r--modules/private/mail/postfix.nix42
-rw-r--r--modules/private/mail/relay.nix24
-rw-r--r--modules/private/mail/sympa.nix17
6 files changed, 72 insertions, 94 deletions
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index 23e795f..0ef3467 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -18,36 +18,33 @@ in
18 + /var/lib/dhparams 18 + /var/lib/dhparams
19 + /var/lib/dovecot 19 + /var/lib/dovecot
20 ''; 20 '';
21 secrets.keys = [ 21 secrets.keys."dovecot/ldap" = {
22 { 22 user = config.services.dovecot2.user;
23 dest = "dovecot/ldap"; 23 group = config.services.dovecot2.group;
24 user = config.services.dovecot2.user; 24 permissions = "0400";
25 group = config.services.dovecot2.group; 25 text = ''
26 permissions = "0400"; 26 hosts = ${config.myEnv.mail.dovecot.ldap.host}
27 text = '' 27 tls = yes
28 hosts = ${config.myEnv.mail.dovecot.ldap.host}
29 tls = yes
30 28
31 dn = ${config.myEnv.mail.dovecot.ldap.dn} 29 dn = ${config.myEnv.mail.dovecot.ldap.dn}
32 dnpass = ${config.myEnv.mail.dovecot.ldap.password} 30 dnpass = ${config.myEnv.mail.dovecot.ldap.password}
33 31
34 auth_bind = yes 32 auth_bind = yes
35 33
36 ldap_version = 3 34 ldap_version = 3
37 35
38 base = ${config.myEnv.mail.dovecot.ldap.base} 36 base = ${config.myEnv.mail.dovecot.ldap.base}
39 scope = subtree 37 scope = subtree
40 38
41 pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} 39 pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
42 pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} 40 pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
43 41
44 user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} 42 user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
45 user_filter = ${config.myEnv.mail.dovecot.ldap.filter} 43 user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
46 iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} 44 iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
47 iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} 45 iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
48 ''; 46 '';
49 } 47 };
50 ];
51 48
52 users.users.vhost = { 49 users.users.vhost = {
53 group = "vhost"; 50 group = "vhost";
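Review bot: The single key here is written in the direct-path form `secrets.keys."dovecot/ldap" = { … };` (new line 21), while milters.nix, postfix.nix, relay.nix and sympa.nix in the same commit use `secrets.keys = { "name" = { … }; };`; opensmtpd.nix uses the direct-path form as well. Both spellings evaluate to the same attribute set, so this is a style point only, but one form across the six files makes grepping for a key name and adding a second key later less error-prone. The enclosing `config = …` block starts outside the hunk.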
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 172e216..4b93a7a 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -17,30 +17,27 @@
17 ''; 17 '';
18 }; 18 };
19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { 19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
20 secrets.keys = [ 20 secrets.keys = {
21 { 21 "opendkim" = {
22 dest = "opendkim";
23 isDir = true; 22 isDir = true;
24 user = config.services.opendkim.user; 23 user = config.services.opendkim.user;
25 group = config.services.opendkim.group; 24 group = config.services.opendkim.group;
26 permissions = "0550"; 25 permissions = "0550";
27 } 26 };
28 { 27 "opendkim/eldiron.private" = {
29 dest = "opendkim/eldiron.private";
30 user = config.services.opendkim.user; 28 user = config.services.opendkim.user;
31 group = config.services.opendkim.group; 29 group = config.services.opendkim.group;
32 permissions = "0400"; 30 permissions = "0400";
33 text = config.myEnv.mail.dkim.eldiron.private; 31 text = config.myEnv.mail.dkim.eldiron.private;
34 } 32 };
35 { 33 "opendkim/eldiron.txt" = {
36 dest = "opendkim/eldiron.txt";
37 user = config.services.opendkim.user; 34 user = config.services.opendkim.user;
38 group = config.services.opendkim.group; 35 group = config.services.opendkim.group;
39 permissions = "0444"; 36 permissions = "0444";
40 text = '' 37 text = ''
41 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}''; 38 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
42 } 39 };
43 ]; 40 };
44 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; 41 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
45 services.opendkim = { 42 services.opendkim = {
46 enable = true; 43 enable = true;
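Review bot: The directory entry `"opendkim" = { isDir = true; … }` (new line 21) used to precede `"opendkim/eldiron.private"` and `"opendkim/eldiron.txt"` by list position; as attribute names the three keys carry no order of their own, and whatever order the secrets module applies is not visible here (lexically `"opendkim"` still sorts first, but that is incidental). If the secrets implementation creates parent directories before writing child files regardless of order nothing changes; otherwise the `isDir` entry now relies on an unstated guarantee. A one-line comment above it such as `# "opendkim" must exist as a directory before the key files below are written` would record that dependency for the next reader. The enclosing `config = lib.mkIf …` block continues outside the hunk.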
diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix
index a7be066..e05bba9 100644
--- a/modules/private/mail/opensmtpd.nix
+++ b/modules/private/mail/opensmtpd.nix
@@ -1,17 +1,14 @@
1{ lib, pkgs, config, name, ... }: 1{ lib, pkgs, config, name, ... }:
2{ 2{
3 config = lib.mkIf config.myServices.mailRelay.enable { 3 config = lib.mkIf config.myServices.mailRelay.enable {
4 secrets.keys = [ 4 secrets.keys."opensmtpd/creds" = {
5 { 5 user = "smtpd";
6 dest = "opensmtpd/creds"; 6 group = "smtpd";
7 user = "smtpd"; 7 permissions = "0400";
8 group = "smtpd"; 8 text = ''
9 permissions = "0400"; 9 eldiron ${name}:${config.hostEnv.ldap.password}
10 text = '' 10 '';
11 eldiron ${name}:${config.hostEnv.ldap.password} 11 };
12 '';
13 }
14 ];
15 users.users.smtpd.extraGroups = [ "keys" ]; 12 users.users.smtpd.extraGroups = [ "keys" ];
16 services.opensmtpd = { 13 services.opensmtpd = {
17 enable = true; 14 enable = true;
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index de5e59d..054b93e 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -4,9 +4,8 @@
4 services.duplyBackup.profiles.mail.excludeFile = '' 4 services.duplyBackup.profiles.mail.excludeFile = ''
5 + /var/lib/postfix 5 + /var/lib/postfix
6 ''; 6 '';
7 secrets.keys = [ 7 secrets.keys = {
8 { 8 "postfix/mysql_alias_maps" = {
9 dest = "postfix/mysql_alias_maps";
10 user = config.services.postfix.user; 9 user = config.services.postfix.user;
11 group = config.services.postfix.group; 10 group = config.services.postfix.group;
12 permissions = "0440"; 11 permissions = "0440";
@@ -32,9 +31,8 @@
32 FROM forwardings_blacklisted 31 FROM forwardings_blacklisted
33 WHERE source = '%s' 32 WHERE source = '%s'
34 ''; 33 '';
35 } 34 };
36 { 35 "postfix/ldap_mailboxes" = {
37 dest = "postfix/ldap_mailboxes";
38 user = config.services.postfix.user; 36 user = config.services.postfix.user;
39 group = config.services.postfix.group; 37 group = config.services.postfix.group;
40 permissions = "0440"; 38 permissions = "0440";
@@ -48,9 +46,8 @@
48 result_format = dummy 46 result_format = dummy
49 version = 3 47 version = 3
50 ''; 48 '';
51 } 49 };
52 { 50 "postfix/mysql_sender_login_maps" = {
53 dest = "postfix/mysql_sender_login_maps";
54 user = config.services.postfix.user; 51 user = config.services.postfix.user;
55 group = config.services.postfix.group; 52 group = config.services.postfix.group;
56 permissions = "0440"; 53 permissions = "0440";
@@ -72,9 +69,8 @@
72 AND active = 1 69 AND active = 1
73 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination 70 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
74 ''; 71 '';
75 } 72 };
76 { 73 "postfix/mysql_sender_relays_maps" = {
77 dest = "postfix/mysql_sender_relays_maps";
78 user = config.services.postfix.user; 74 user = config.services.postfix.user;
79 group = config.services.postfix.group; 75 group = config.services.postfix.group;
80 permissions = "0440"; 76 permissions = "0440";
@@ -102,9 +98,8 @@
102 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 98 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
103 AND active = 1 99 AND active = 1
104 ''; 100 '';
105 } 101 };
106 { 102 "postfix/mysql_sender_relays_hosts" = {
107 dest = "postfix/mysql_sender_relays_hosts";
108 user = config.services.postfix.user; 103 user = config.services.postfix.user;
109 group = config.services.postfix.group; 104 group = config.services.postfix.group;
110 permissions = "0440"; 105 permissions = "0440";
@@ -122,9 +117,8 @@
122 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 117 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
123 AND active = 1 118 AND active = 1
124 ''; 119 '';
125 } 120 };
126 { 121 "postfix/mysql_sender_relays_creds" = {
127 dest = "postfix/mysql_sender_relays_creds";
128 user = config.services.postfix.user; 122 user = config.services.postfix.user;
129 group = config.services.postfix.group; 123 group = config.services.postfix.group;
130 permissions = "0440"; 124 permissions = "0440";
@@ -142,9 +136,8 @@
142 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 136 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
143 AND active = 1 137 AND active = 1
144 ''; 138 '';
145 } 139 };
146 { 140 "postfix/ldap_ejabberd_users_immae_fr" = {
147 dest = "postfix/ldap_ejabberd_users_immae_fr";
148 user = config.services.postfix.user; 141 user = config.services.postfix.user;
149 group = config.services.postfix.group; 142 group = config.services.postfix.group;
150 permissions = "0440"; 143 permissions = "0440";
@@ -159,14 +152,13 @@
159 result_format = ejabberd@localhost 152 result_format = ejabberd@localhost
160 version = 3 153 version = 3
161 ''; 154 '';
162 } 155 };
163 ] ++ (lib.mapAttrsToList (name: v: { 156 } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
164 dest = "postfix/scripts/${name}-env";
165 user = "postfixscripts"; 157 user = "postfixscripts";
166 group = "root"; 158 group = "root";
167 permissions = "0400"; 159 permissions = "0400";
168 text = builtins.toJSON v.env; 160 text = builtins.toJSON v.env;
169 }) config.myEnv.mail.scripts); 161 }) config.myEnv.mail.scripts;
170 162
171 networking.firewall.allowedTCPPorts = [ 25 465 587 ]; 163 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
172 164
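Review bot: The fixed keys `"postfix/mysql_alias_maps"`, `"postfix/ldap_mailboxes"` and `"postfix/ldap_ejabberd_users_immae_fr"` are also defined under `secrets.keys` in relay.nix in this same commit (new lines 17, 44 and 83 there). With list entries both copies were simply appended; with attribute names the module system now merges the two definitions per key, which, depending on the option's type, is either a silent override or a conflict error when both modules are enabled on one host with differing `text` — the two `lib.mkIf` conditions are outside the hunks, so whether that can happen needs checking. If the modules are mutually exclusive, a comment above `secrets.keys = {` noting that relay.nix defines the same key names would save the next reader the search; if not, one of the two should own those keys. Separately, `lib.mapAttrs' (name: v: …)` on new line 156 shadows the module-level `name` argument if postfix.nix takes it as relay.nix does; `scriptName` would avoid the ambiguity. The enclosing `config = …` block starts outside the hunks.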
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix
index 651452c..668d365 100644
--- a/modules/private/mail/relay.nix
+++ b/modules/private/mail/relay.nix
@@ -13,9 +13,8 @@
13 mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx; 13 mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx;
14 in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); 14 in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
15 }; 15 };
16 secrets.keys = [ 16 secrets.keys = {
17 { 17 "postfix/mysql_alias_maps" = {
18 dest = "postfix/mysql_alias_maps";
19 user = config.services.postfix.user; 18 user = config.services.postfix.user;
20 group = config.services.postfix.group; 19 group = config.services.postfix.group;
21 permissions = "0440"; 20 permissions = "0440";
@@ -41,9 +40,8 @@
41 FROM forwardings_blacklisted 40 FROM forwardings_blacklisted
42 WHERE source = '%s' 41 WHERE source = '%s'
43 ''; 42 '';
44 } 43 };
45 { 44 "postfix/ldap_mailboxes" = {
46 dest = "postfix/ldap_mailboxes";
47 user = config.services.postfix.user; 45 user = config.services.postfix.user;
48 group = config.services.postfix.group; 46 group = config.services.postfix.group;
49 permissions = "0440"; 47 permissions = "0440";
@@ -57,9 +55,8 @@
57 result_format = dummy 55 result_format = dummy
58 version = 3 56 version = 3
59 ''; 57 '';
60 } 58 };
61 { 59 "postfix/sympa_mailbox_maps" = {
62 dest = "postfix/sympa_mailbox_maps";
63 user = config.services.postfix.user; 60 user = config.services.postfix.user;
64 group = config.services.postfix.group; 61 group = config.services.postfix.group;
65 permissions = "0440"; 62 permissions = "0440";
@@ -82,9 +79,8 @@
82 CONCAT('abuse-feedback-report@', robot_list) 79 CONCAT('abuse-feedback-report@', robot_list)
83 ) 80 )
84 ''; 81 '';
85 } 82 };
86 { 83 "postfix/ldap_ejabberd_users_immae_fr" = {
87 dest = "postfix/ldap_ejabberd_users_immae_fr";
88 user = config.services.postfix.user; 84 user = config.services.postfix.user;
89 group = config.services.postfix.group; 85 group = config.services.postfix.group;
90 permissions = "0440"; 86 permissions = "0440";
@@ -99,8 +95,8 @@
99 result_format = ejabberd@localhost 95 result_format = ejabberd@localhost
100 version = 3 96 version = 3
101 ''; 97 '';
102 } 98 };
103 ]; 99 };
104 100
105 networking.firewall.allowedTCPPorts = [ 25 ]; 101 networking.firewall.allowedTCPPorts = [ 25 ];
106 102
diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix
index 5270b69..920daa9 100644
--- a/modules/private/mail/sympa.nix
+++ b/modules/private/mail/sympa.nix
@@ -34,20 +34,19 @@ in
34 ]; 34 ];
35 }; 35 };
36 36
37 secrets.keys = [ 37 secrets.keys = {
38 { 38 "sympa/db_password" = {
39 dest = "sympa/db_password";
40 permissions = "0400"; 39 permissions = "0400";
41 group = "sympa"; 40 group = "sympa";
42 user = "sympa"; 41 user = "sympa";
43 text = sympaConfig.postgresql.password; 42 text = sympaConfig.postgresql.password;
44 } 43 };
45 ] 44 }
46 ++ lib.mapAttrsToList (n: v: { 45 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
47 dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; 46 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
48 }) sympaConfig.data_sources 47 }) sympaConfig.data_sources
49 ++ lib.mapAttrsToList (n: v: { 48 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
50 dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; 49 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
51 }) sympaConfig.scenari; 50 }) sympaConfig.scenari;
52 users.users.sympa.extraGroups = [ "keys" ]; 51 users.users.sympa.extraGroups = [ "keys" ];
53 systemd.slices.mail-sympa = { 52 systemd.slices.mail-sympa = {
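Review bot: The `//` chain on new lines 44–48 silently overrides on duplicate names, unlike the `++` concatenation it replaces, which kept every entry; it is safe here only because the three sources carry distinct prefixes (`sympa/db_password`, `sympa/data_sources/…`, `sympa/scenari/…`), and that invariant is not stated anywhere. A comment above `secrets.keys = {` such as `# key names are prefixed per source, so the // merges below cannot collide` would make it explicit. The merged key names are also built from the attribute names of `sympaConfig.data_sources` and `sympaConfig.scenari`, so those names have to be plain file names; that was already true of the old `dest` values, so it is only worth a note if those attribute sets are not fully under the operator's control. The enclosing `config` block starts and ends outside the hunk.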