From 3a9b2c8b59990ebb0bee14fb7138721e9209a1b6 Mon Sep 17 00:00:00 2001
From: Thomas Preisner
Date: Sun, 23 Feb 2025 18:06:00 +0100
Subject: [PATCH] mailsystem: Add option extraSettingsFile to allow partial encryption of configuration
---
 mailsystem/common.nix | 14 ++++++++++----
 mailsystem/default.nix | 12 ++++++++++++
 mailsystem/dovecot.nix | 6 +++---
 mailsystem/postfix.nix | 6 +++---
 4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/mailsystem/common.nix b/mailsystem/common.nix
index 2ff0a5e..48dcdcb 100644
--- a/mailsystem/common.nix
+++ b/mailsystem/common.nix
@@ -21,10 +21,16 @@ in rec {
 then ["acme-finished-${cfg.fqdn}.target"]
 else ["mailsystem-selfsigned-certificate.service"];
- mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
- inherit (cfg) accounts domains;
- aliases = cfg.virtualAliases;
- });
+ mailnixCmd = let
+ mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
+ inherit (cfg) accounts domains;
+ aliases = cfg.virtualAliases;
+ });
+ extraCfgFile =
+ if (cfg.extraSettingsFile != null)
+ then cfg.extraSettingsFile
+ else "";
+ in "${pkgs.mailnix}/bin/mailnix ${extraCfgFile} ${mailnixCfgFile}";
 dovecotDynamicStateDir = "/var/lib/dovecot";
 dovecotDynamicPasswdFile = "${dovecotDynamicStateDir}/passwd";
diff --git a/mailsystem/default.nix b/mailsystem/default.nix
index cae1a62..8b6b7bb 100644
--- a/mailsystem/default.nix
+++ b/mailsystem/default.nix
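Review bot: The new `mailnixCmd` string in common.nix only works because every call site expands it unquoted and lets the shell word-split it; the three postfix.nix lines that previously quoted `"${mailnixCfgFile}"` now expand `${mailnixCmd}` bare, so a configured `extraSettingsFile` whose path contains whitespace or glob characters would be split into several arguments or globbed, and the `""` fallback for `extraCfgFile` likewise silently relies on that splitting to drop the argument. Building the argument list once and escaping it avoids both, e.g. `in pkgs.lib.escapeShellArgs ([ "${pkgs.mailnix}/bin/mailnix" ] ++ pkgs.lib.optional (cfg.extraSettingsFile != null) cfg.extraSettingsFile ++ [ mailnixCfgFile ]);` — written with `pkgs.lib` because common.nix appears to be imported with only `config` and `pkgs`, so a bare `lib` may not be in scope there. The same quoting point applies to the dovecot.nix and postfix.nix hunks, which I do not repeat there.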
@@ -206,6 +206,18 @@ in {
 default = {};
 };
+ extraSettingsFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ description = ''
+ YAML file to merge into the mailsystem configuration at runtime.
+ This can be used to store secrets, and, more importantly, keep your email
+ addresses out of the hands of spammers. This `extraSettingsFile` currently
+ supports `domains`, `accounts` and `virtualAliases` which can be defined in
+ the same manner as they can be via nix.
+ '';
+ default = null;
+ };
+
 certificateScheme = lib.mkOption {
 type = lib.types.enum ["acme" "selfsigned"];
 default = "acme";
diff --git a/mailsystem/dovecot.nix b/mailsystem/dovecot.nix
index 3b05719..7d65cde 100644
--- a/mailsystem/dovecot.nix
+++ b/mailsystem/dovecot.nix
@@ -40,10 +40,10 @@ with (import ./common.nix {inherit config pkgs;}); let
 umask 077
 # Prepare static passwd-file for system users
- ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-static-passdb > "${staticPasswdFile}"
+ ${mailnixCmd} generate-static-passdb > "${staticPasswdFile}"
 # Prepare/Update passwd-file for dynamic users
- ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
+ ${mailnixCmd} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
 ${lib.optionalString cfg.roundcube.enable ''
 # Ensure roundcube has access to dynamic passwd file
@@ -51,7 +51,7 @@ with (import ./common.nix {inherit config pkgs;}); let
 ''}
 # Prepare userdb-file
- ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-userdb > "${userdbFile}"
+ ${mailnixCmd} generate-userdb > "${userdbFile}"
 '';
 genMaildirScript = pkgs.writeScript "generate-maildir" ''
diff --git a/mailsystem/postfix.nix b/mailsystem/postfix.nix
index f6c532f..3e31cb6 100644
--- a/mailsystem/postfix.nix
+++ b/mailsystem/postfix.nix
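Review bot: The `extraSettingsFile` option in default.nix is typed `lib.types.nullOr lib.types.path` while its description recommends it for storing secrets, but a Nix path literal such as `./secrets.yaml` accepted by that type is copied into the world-readable Nix store the moment common.nix interpolates it into the `mailnixCmd` string, which defeats the stated purpose and the description does not say so. The description also leaves out that the file is read by mailnix at runtime, so it must exist and be readable by whichever account runs the dovecot.nix and postfix.nix generator scripts (presumably root at service start, but that is outside this hunk). I would extend the description with: `Provide this as a string holding an absolute path to a file placed outside the Nix store (for example by a secrets manager); a Nix path literal would be copied into the world-readable store.` and either switch the type to `lib.types.nullOr lib.types.str` or keep `path` and rely on that caveat.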
@@ -23,9 +23,9 @@ with (import ./common.nix {inherit config pkgs;}); let
 chmod 755 "${runtimeDir}"
 fi
- ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-aliases" > "${aliases_file}"
- ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-domains" > "${virtual_domains_file}"
- ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-denied-recipients" > "${denied_recipients_file}"
+ ${mailnixCmd} "generate-aliases" > "${aliases_file}"
+ ${mailnixCmd} "generate-domains" > "${virtual_domains_file}"
+ ${mailnixCmd} "generate-denied-recipients" > "${denied_recipients_file}"
 '';
 submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''