Move postscript scripts sensible values out of the store

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-01-30 00:16:27 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-01-30 00:16:27 +0100
commit: 31d99b750fca57c660f98e23e12053eaf42d4929 (patch)
tree: 64df11201adf13ece3b8407c6768cd3aa04928f0 /modules
parent: 0c67c58418d0b69135109765226e31137bd13c0a (diff)
download: Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.gz
Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.zst
Nix-31d99b750fca57c660f98e23e12053eaf42d4929.zip
1 files changed, 18 insertions, 4 deletions
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index f6c4362..70c3f46 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -160,10 +160,21 @@
          version = 3
          '';
      }
-    ];
+    ] ++ (lib.mapAttrsToList (name: v: {
+      dest = "postfix/scripts/${name}-env";
+      user = "postfixscripts";
+      group = "root";
+      permissions = "0400";
+      text = builtins.toJSON v.env;
+    }) config.myEnv.mail.scripts);
    networking.firewall.allowedTCPPorts = [ 25 465 587 ];
+    users.users.postfixscripts = {
+      group = "keys";
+      uid = config.ids.uids.postfixscripts;
+      description = "Postfix scripts user";
+    };
    users.users."${config.services.postfix.user}".extraGroups = [ "keys" ];
    services.filesWatcher.postfix = {
      restart = true;
@@ -209,7 +220,7 @@
          fi
          '';
        scripts = lib.attrsets.mapAttrs (n: v:
-          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
+          toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
        ) config.myEnv.mail.scripts // {
          testmail = pkgs.writeScript "testmail" ''
            #! ${pkgs.stdenv.shell}
@@ -277,6 +288,9 @@
        mailbox_size_limit = "1073741825"; # Workaround, local delivered mails should all go through scripts
        alias_database = "\$alias_maps";
+        ### Aliases scripts user
+        default_privs = "postfixscripts";
        ### Virtual mailboxes config
        virtual_alias_maps = [
          "hash:/etc/postfix/virtual"
@@ -454,10 +468,10 @@
          in "${cfg'.mail_address}${sep}${host'}@${cfg'.mail_domain}";
        mails_to_receive = builtins.concatStringsSep " " (map (to_email cfg) reverseTargets);
      in ''
-        install -m 0555 -o nobody -g nogroup -d /var/lib/naemon/checks/email
+        install -m 0555 -o postfixscripts -g keys -d /var/lib/naemon/checks/email
        for f in ${mails_to_receive}; do
          if [ ! -f /var/lib/naemon/checks/email/$f ]; then
-            install -m 0644 -o nobody -g nogroup /dev/null -T /var/lib/naemon/checks/email/$f
+            install -m 0644 -o postfixscripts -g keys /dev/null -T /var/lib/naemon/checks/email/$f
            touch -m -d @0 /var/lib/naemon/checks/email/$f
          fi
        done
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-01-30 00:16:27 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-01-30 00:16:27 +0100
commit	31d99b750fca57c660f98e23e12053eaf42d4929 (patch)
tree	64df11201adf13ece3b8407c6768cd3aa04928f0 /modules
parent	0c67c58418d0b69135109765226e31137bd13c0a (diff)
download	Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.gz Nix-31d99b750fca57c660f98e23e12053eaf42d4929.tar.zst Nix-31d99b750fca57c660f98e23e12053eaf42d4929.zip