mailsystem: Add option extraSettingsFile to allow partial encryption of configuration

2025-02-23 18:06:00 +01:00 · 2025-02-23 18:06:00 +01:00 · 3a9b2c8b59
commit 3a9b2c8b59
parent c1b19d6e33
4 changed files with 28 additions and 10 deletions
--- a/mailsystem/common.nix
+++ b/mailsystem/common.nix
@ -21,10 +21,16 @@ in rec {
    then ["acme-finished-${cfg.fqdn}.target"]
    else ["mailsystem-selfsigned-certificate.service"];
  mailnixCmd = let
    mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
      inherit (cfg) accounts domains;
      aliases = cfg.virtualAliases;
    });
    extraCfgFile =
      if (cfg.extraSettingsFile != null)
      then cfg.extraSettingsFile
      else "";
  in "${pkgs.mailnix}/bin/mailnix ${extraCfgFile} ${mailnixCfgFile}";
  dovecotDynamicStateDir = "/var/lib/dovecot";
  dovecotDynamicPasswdFile = "${dovecotDynamicStateDir}/passwd";
--- a/mailsystem/default.nix
+++ b/mailsystem/default.nix
@ -206,6 +206,18 @@ in {
      default = {};
    };
    extraSettingsFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      description = ''
        YAML file to merge into the mailsystem configuration at runtime.
        This can be used to store secrets, and, more importantly, keep your email
        addresses out of the hands of spammers. This `extraSettingsFile` currently
        supports `domains`, `accounts` and `virtualAliases` which can be defined in
        the same manner as they can be via nix.
      '';
      default = null;
    };
    certificateScheme = lib.mkOption {
      type = lib.types.enum ["acme" "selfsigned"];
      default = "acme";
--- a/mailsystem/dovecot.nix
+++ b/mailsystem/dovecot.nix
@ -40,10 +40,10 @@ with (import ./common.nix {inherit config pkgs;}); let
    umask 077
    # Prepare static passwd-file for system users
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-static-passdb > "${staticPasswdFile}"
+    ${mailnixCmd} generate-static-passdb > "${staticPasswdFile}"
    # Prepare/Update passwd-file for dynamic users
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
+    ${mailnixCmd} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
    ${lib.optionalString cfg.roundcube.enable ''
      # Ensure roundcube has access to dynamic passwd file
@ -51,7 +51,7 @@ with (import ./common.nix {inherit config pkgs;}); let
    ''}
    # Prepare userdb-file
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-userdb > "${userdbFile}"
+    ${mailnixCmd} generate-userdb > "${userdbFile}"
  '';
  genMaildirScript = pkgs.writeScript "generate-maildir" ''
--- a/mailsystem/postfix.nix
+++ b/mailsystem/postfix.nix
@ -23,9 +23,9 @@ with (import ./common.nix {inherit config pkgs;}); let
      chmod 755 "${runtimeDir}"
    fi
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-aliases" > "${aliases_file}"
+    ${mailnixCmd} "generate-aliases" > "${aliases_file}"
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-domains" > "${virtual_domains_file}"
+    ${mailnixCmd} "generate-domains" > "${virtual_domains_file}"
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-denied-recipients" > "${denied_recipients_file}"
+    ${mailnixCmd} "generate-denied-recipients" > "${denied_recipients_file}"
  '';
  submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''