260f38128e
This simplifies the remaining structure of `cfg.sieveDirectory` a lot and gets us one step closer to removing `activate-virtual-mail-users.service`.
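# nixos-mailserver: a simple mail server
# Copyright (C) 2016-2018 Robin Raymond
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>

{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.mailserver;

  # Activation script run before dovecot: creates the directory that holds
  # per-user sieve scripts, owned by the storage owner/group with mode 0770.
  # A directory that already exists is left untouched, i.e. ownership and
  # mode are NOT re-applied on later runs.
  virtualMailUsersActivationScript =
    pkgs.writeScript "activate-virtual-mail-users"
      # bash
      ''
        #!${pkgs.stdenv.shell}

        set -euo pipefail

        # Prevent world-readable paths, even temporarily.
        umask 007

        # Create directory to store user sieve scripts if it doesn't exist
        if [ ! -d "${cfg.sieveDirectory}" ]; then
          # umask 007 already yields 0770; chmod is kept as an explicit guarantee.
          mkdir "${cfg.sieveDirectory}"
          chown "${cfg.storage.owner}:${cfg.storage.group}" "${cfg.sieveDirectory}"
          chmod 770 "${cfg.sieveDirectory}"
        fi
      '';
in
{
  config = lib.mkIf cfg.enable {
    # Assert that every account provides exactly one credential source:
    # a hashed password, a hashed-password file, or a plain password file.
    assertions = map (acct: {
      assertion =
        lib.count (value: value != null) [
          acct.hashedPassword
          acct.hashedPasswordFile
          acct.passwordFile
        ] == 1;
      message = "Login account ${acct.name} must provide exactly one of password file, hashed password, or hashed password file";
    }) (lib.attrValues cfg.accounts);

    # Warn for accounts that specify both a password hash and a hash file.
    # NOTE: the assertion above already rejects such accounts (it requires
    # exactly one of the three sources), so this warning only becomes
    # observable if that assertion is relaxed.
    warnings =
      map (acct: "${acct.name} specifies both a password hash and hash file; hash file will be used")
        (
          lib.filter (acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null)) (
            lib.attrValues cfg.accounts
          )
        );

    # Storage group/user that own the mail store and the sieve directory.
    users.groups.${cfg.storage.group} = {
      inherit (cfg.storage) gid;
    };

    users.users.${cfg.storage.owner} = lib.mkForce {
      inherit (cfg.storage)
        group
        uid
        ;
      name = cfg.storage.owner;
      isSystemUser = true;
      home = cfg.storage.path;
      createHome = true;
    };

    systemd.services.activate-virtual-mail-users = {
      wantedBy = [ "multi-user.target" ];
      before = [ "dovecot.service" ];
      serviceConfig = {
        # With the default Type=simple the unit counts as started as soon as
        # the script is forked, so `before = dovecot.service` would not wait
        # for the sieve directory to exist. oneshot makes ordering wait for
        # the script to finish.
        Type = "oneshot";
        ExecStart = virtualMailUsersActivationScript;
      };
      enable = true;
    };
  };
}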