mailsystem: Add option extraSettingsFile to allow partial encryption of configuration

mailsystem/common.nix

@@ -21,10 +21,16 @@ in rec {
     then ["acme-finished-${cfg.fqdn}.target"]
     else ["mailsystem-selfsigned-certificate.service"];
 
-  mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
+  mailnixCmd = let
-    inherit (cfg) accounts domains;
+    mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
-    aliases = cfg.virtualAliases;
+      inherit (cfg) accounts domains;
-  });
+      aliases = cfg.virtualAliases;
+    });
+    extraCfgFile =
+      if (cfg.extraSettingsFile != null)
+      then cfg.extraSettingsFile
+      else "";
+  in "${pkgs.mailnix}/bin/mailnix ${extraCfgFile} ${mailnixCfgFile}";
 
   dovecotDynamicStateDir = "/var/lib/dovecot";
   dovecotDynamicPasswdFile = "${dovecotDynamicStateDir}/passwd";

mailsystem/default.nix

@@ -206,6 +206,18 @@ in {
       default = {};
     };
 
+    extraSettingsFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      description = ''
+        YAML file to merge into the mailsystem configuration at runtime.
+        This can be used to store secrets, and, more importantly, keep your email
+        addresses out of the hands of spammers. This `extraSettingsFile` currently
+        supports `domains`, `accounts` and `virtualAliases` which can be defined in
+        the same manner as they can be via nix.
+      '';
+      default = null;
+    };
+
     certificateScheme = lib.mkOption {
       type = lib.types.enum ["acme" "selfsigned"];
       default = "acme";

mailsystem/dovecot.nix

@@ -40,10 +40,10 @@ with (import ./common.nix {inherit config pkgs;}); let
     umask 077
 
     # Prepare static passwd-file for system users
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-static-passdb > "${staticPasswdFile}"
+    ${mailnixCmd} generate-static-passdb > "${staticPasswdFile}"
 
     # Prepare/Update passwd-file for dynamic users
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
+    ${mailnixCmd} update-dynamic-passdb ${dovecotDynamicPasswdFile} > "${dovecotDynamicPasswdFile}"
 
     ${lib.optionalString cfg.roundcube.enable ''
       # Ensure roundcube has access to dynamic passwd file
@@ -51,7 +51,7 @@ with (import ./common.nix {inherit config pkgs;}); let
     ''}
 
     # Prepare userdb-file
-    ${pkgs.mailnix}/bin/mailnix ${mailnixCfgFile} generate-userdb > "${userdbFile}"
+    ${mailnixCmd} generate-userdb > "${userdbFile}"
   '';
 
   genMaildirScript = pkgs.writeScript "generate-maildir" ''

mailsystem/postfix.nix

@@ -23,9 +23,9 @@ with (import ./common.nix {inherit config pkgs;}); let
       chmod 755 "${runtimeDir}"
     fi
 
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-aliases" > "${aliases_file}"
+    ${mailnixCmd} "generate-aliases" > "${aliases_file}"
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-domains" > "${virtual_domains_file}"
+    ${mailnixCmd} "generate-domains" > "${virtual_domains_file}"
-    ${pkgs.mailnix}/bin/mailnix "${mailnixCfgFile}" "generate-denied-recipients" > "${denied_recipients_file}"
+    ${mailnixCmd} "generate-denied-recipients" > "${denied_recipients_file}"
   '';
 
   submission_header_cleanup_rules = pkgs.writeText "submission_header_cleanup_rules" ''