From 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 16 Oct 2021 17:40:07 +0200
Subject: Use attrs for secrets instead of lists
---
modules/private/mail/dovecot.nix | 45 ++++++++++++++++++--------------------
modules/private/mail/milters.nix | 19 +++++++---------
modules/private/mail/opensmtpd.nix | 19 +++++++---------
modules/private/mail/postfix.nix | 42 ++++++++++++++---------------------
modules/private/mail/relay.nix | 24 +++++++++-----------
modules/private/mail/sympa.nix | 17 +++++++-------
6 files changed, 72 insertions(+), 94 deletions(-)
(limited to 'modules/private/mail')
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index 23e795f..0ef3467 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -18,36 +18,33 @@ in + /var/lib/dhparams + /var/lib/dovecot ''; - secrets.keys = [ - { - dest = "dovecot/ldap"; - user = config.services.dovecot2.user; - group = config.services.dovecot2.group; - permissions = "0400"; - text = '' - hosts = ${config.myEnv.mail.dovecot.ldap.host} - tls = yes + secrets.keys."dovecot/ldap" = { + user = config.services.dovecot2.user; + group = config.services.dovecot2.group; + permissions = "0400"; + text = '' + hosts = ${config.myEnv.mail.dovecot.ldap.host} + tls = yes - dn = ${config.myEnv.mail.dovecot.ldap.dn} - dnpass = ${config.myEnv.mail.dovecot.ldap.password} + dn = ${config.myEnv.mail.dovecot.ldap.dn} + dnpass = ${config.myEnv.mail.dovecot.ldap.password} - auth_bind = yes + auth_bind = yes - ldap_version = 3 + ldap_version = 3 - base = ${config.myEnv.mail.dovecot.ldap.base} - scope = subtree + base = ${config.myEnv.mail.dovecot.ldap.base} + scope = subtree - pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} - pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} + pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} + pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} - user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} - user_filter = ${config.myEnv.mail.dovecot.ldap.filter} - iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} - iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} - ''; - } - ]; + user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} + user_filter = ${config.myEnv.mail.dovecot.ldap.filter} + iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} + iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} + ''; + }; users.users.vhost = { group = "vhost"; diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 172e216..4b93a7a 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix 
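Review bot: With `dest` removed, the attribute name `"dovecot/ldap"` is now the only thing that says where this LDAP bind credential (`dnpass`) is written, and nothing in the hunk documents that convention; a one-line comment above the key such as `# attribute name = destination path of the secret file` would help the next reader, and the same applies to the keys introduced in milters.nix, opensmtpd.nix, postfix.nix, relay.nix and sympa.nix (whether the path is relative to a secrets root is not visible here — confirm against the option declaration). The rest of the hunk re-indents every line of the `text` body, so the diff by itself cannot show that the emitted file is unchanged; Nix `''` strings strip the common leading whitespace, so the re-indentation should not alter the content, and `git diff -w` on this commit is the quick way to confirm that no line inside the string was edited.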
@@ -17,30 +17,27 @@ ''; }; config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { - secrets.keys = [ - { - dest = "opendkim"; + secrets.keys = { + "opendkim" = { isDir = true; user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0550"; - } - { - dest = "opendkim/eldiron.private"; + }; + "opendkim/eldiron.private" = { user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0400"; text = config.myEnv.mail.dkim.eldiron.private; - } - { - dest = "opendkim/eldiron.txt"; + }; + "opendkim/eldiron.txt" = { user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0444"; text = '' eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}''; - } - ]; + }; + }; users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; services.opendkim = { enable = true; diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix index a7be066..e05bba9 100644 --- a/modules/private/mail/opensmtpd.nix +++ b/modules/private/mail/opensmtpd.nix @@ -1,17 +1,14 @@ { lib, pkgs, config, name, ... }: { config = lib.mkIf config.myServices.mailRelay.enable { - secrets.keys = [ - { - dest = "opensmtpd/creds"; - user = "smtpd"; - group = "smtpd"; - permissions = "0400"; - text = '' - eldiron ${name}:${config.hostEnv.ldap.password} - ''; - } - ]; + secrets.keys."opensmtpd/creds" = { + user = "smtpd"; + group = "smtpd"; + permissions = "0400"; + text = '' + eldiron ${name}:${config.hostEnv.ldap.password} + ''; + }; users.users.smtpd.extraGroups = [ "keys" ]; services.opensmtpd = { enable = true; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index de5e59d..054b93e 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix 
@@ -4,9 +4,8 @@ services.duplyBackup.profiles.mail.excludeFile = '' + /var/lib/postfix ''; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -32,9 +31,8 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/ldap_mailboxes"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -48,9 +46,8 @@ result_format = dummy version = 3 ''; - } - { - dest = "postfix/mysql_sender_login_maps"; + }; + "postfix/mysql_sender_login_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -72,9 +69,8 @@ AND active = 1 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination ''; - } - { - dest = "postfix/mysql_sender_relays_maps"; + }; + "postfix/mysql_sender_relays_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -102,9 +98,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_hosts"; + }; + "postfix/mysql_sender_relays_hosts" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -122,9 +117,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_creds"; + }; + "postfix/mysql_sender_relays_creds" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; 
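Review bot: `"postfix/mysql_alias_maps"`, `"postfix/ldap_mailboxes"` and `"postfix/ldap_ejabberd_users_immae_fr"` become attribute keys here and are defined a second time under the same names in the relay.nix hunks of this commit; as list entries, two modules contributing the same `dest` were simply two entries, but as attribute keys the module system merges both definitions into a single submodule on any host where the `mkIf` guards of postfix.nix and relay.nix are both true. What that merge does depends on the declared type of `text`, which is not in this diff: a `str` option accepts equal strings and fails evaluation on differing ones, while a `lines` option would concatenate the two bodies into one map file. Worth checking that the two modules are never enabled together on one host, or factoring the shared map definitions into a single place so only one definition of each key exists.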
@@ -142,9 +136,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -159,14 +152,13 @@ result_format = ejabberd@localhost version = 3 ''; - } - ] ++ (lib.mapAttrsToList (name: v: { - dest = "postfix/scripts/${name}-env"; + }; + } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" { user = "postfixscripts"; group = "root"; permissions = "0400"; text = builtins.toJSON v.env; - }) config.myEnv.mail.scripts); + }) config.myEnv.mail.scripts; networking.firewall.allowedTCPPorts = [ 25 465 587 ]; diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 651452c..668d365 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix @@ -13,9 +13,8 @@ mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx; in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); }; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -41,9 +40,8 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/ldap_mailboxes"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -57,9 +55,8 @@ result_format = dummy version = 3 ''; - } - { - dest = "postfix/sympa_mailbox_maps"; + }; + "postfix/sympa_mailbox_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; 
@@ -82,9 +79,8 @@ CONCAT('abuse-feedback-report@', robot_list) ) ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -99,8 +95,8 @@ result_format = ejabberd@localhost version = 3 ''; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 25 ]; diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix index 5270b69..920daa9 100644 --- a/modules/private/mail/sympa.nix +++ b/modules/private/mail/sympa.nix @@ -34,20 +34,19 @@ in ]; }; - secrets.keys = [ - { - dest = "sympa/db_password"; + secrets.keys = { + "sympa/db_password" = { permissions = "0400"; group = "sympa"; user = "sympa"; text = sympaConfig.postgresql.password; - } - ] - ++ lib.mapAttrsToList (n: v: { - dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + }; + } + // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" { + permissions = "0400"; group = "sympa"; user = "sympa"; text = v; }) sympaConfig.data_sources - ++ lib.mapAttrsToList (n: v: { - dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" { + permissions = "0400"; group = "sympa"; user = "sympa"; text = v; }) sympaConfig.scenari; users.users.sympa.extraGroups = [ "keys" ]; systemd.slices.mail-sympa = { -- cgit v1.2.3
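Review bot: `permissions = "0400"; group = "sympa"; user = "sympa";` is now repeated verbatim three times in the sympa.nix hunk (the `db_password` entry and both `mapAttrs'` bodies), so the mode and ownership of sympa's secrets can drift if one copy is edited; a small helper in the module's `let`, e.g. `sympaSecret = text: { permissions = "0400"; group = "sympa"; user = "sympa"; inherit text; };`, used as `"sympa/db_password" = sympaSecret sympaConfig.postgresql.password;` and `lib.nameValuePair "sympa/scenari/${n}" (sympaSecret v)`, keeps them in one place. The `let` block this would go into starts outside the hunk (the header shows only its closing `in`).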