Martin Weinelt
e9337b346f
The "login" prefix makes this option more confusing rather than clearer, because what other account types are there? LDAP ones for example, but you can login with those too, so the prefix is pointless.
92 lines
2.5 KiB
Nix
92 lines
2.5 KiB
Nix
# nixos-mailserver: a simple mail server
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
cfg = config.mailserver;
|
|
in
|
|
rec {
|
|
withACME = cfg.x509.useACMEHost != null;
|
|
|
|
x509CertificateFile =
|
|
if withACME then
|
|
"${config.security.acme.certs.${cfg.x509.useACMEHost}.directory}/fullchain.pem"
|
|
else
|
|
cfg.x509.certificateFile;
|
|
|
|
x509PrivateKeyFile =
|
|
if withACME then
|
|
"${config.security.acme.certs.${cfg.x509.useACMEHost}.directory}/key.pem"
|
|
else
|
|
cfg.x509.privateKeyFile;
|
|
|
|
passwordFiles =
|
|
let
|
|
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
|
in
|
|
lib.mapAttrs (
|
|
name: value:
|
|
if value.hashedPasswordFile != null then
|
|
value.hashedPasswordFile
|
|
else if value.hashedPassword != null then
|
|
builtins.toString (mkHashFile name value.hashedPassword)
|
|
else
|
|
value.passwordFile
|
|
) cfg.accounts;
|
|
|
|
# Collect accounts with plain text passwords that require hashing
|
|
accountsWithPlaintextPasswordFiles = lib.filter (name: cfg.accounts.${name}.passwordFile != null) (
|
|
builtins.attrNames cfg.accounts
|
|
);
|
|
|
|
# Appends the LDAP bind password to files to avoid writing this
|
|
# password into the Nix store.
|
|
appendLdapBindPwd =
|
|
{
|
|
name,
|
|
file,
|
|
prefix,
|
|
suffix ? "",
|
|
passwordFile,
|
|
destination,
|
|
}:
|
|
pkgs.writeScript "append-ldap-bind-pwd-in-${name}"
|
|
# bash
|
|
''
|
|
#!${pkgs.stdenv.shell}
|
|
set -euo pipefail
|
|
|
|
baseDir=$(dirname ${destination})
|
|
if (! test -d "$baseDir"); then
|
|
mkdir -p $baseDir
|
|
chmod 755 $baseDir
|
|
fi
|
|
|
|
cat ${file} > ${destination}
|
|
echo -n '${prefix}' >> ${destination}
|
|
cat ${passwordFile} | tr -d '\n' >> ${destination}
|
|
echo -n '${suffix}' >> ${destination}
|
|
chmod 600 ${destination}
|
|
'';
|
|
|
|
}
|