thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix mailserver: evaluate without auth module

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-25 01:08:41 +04:00
parent 0c7a8d51b0
commit d8d1a1e86f
4 changed files with 127 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sp-modules/simple-nixos-mailserver/auth-dovecot.nix
View File

@@ -62,7 +62,7 @@ let
''; '';
}; };
in in
lib.mkIf is-auth-enabled { {
mailserver.ldap = { mailserver.ldap = {
# note: in `ldapsearch` first comes filter, then attributes # note: in `ldapsearch` first comes filter, then attributes
dovecot.userAttrs = "+"; # all operational attributes dovecot.userAttrs = "+"; # all operational attributes

2
sp-modules/simple-nixos-mailserver/auth-postfix.nix
View File

@@ -51,7 +51,7 @@ let
destination = ldapVirtualMailboxMapFile; destination = ldapVirtualMailboxMapFile;
}; };
in in
lib.mkIf is-auth-enabled { {
mailserver.ldap = { mailserver.ldap = {
postfix.mailAttribute = "mail"; postfix.mailAttribute = "mail";
postfix.uidAttribute = "uid"; postfix.uidAttribute = "uid";

67
sp-modules/simple-nixos-mailserver/config.nix
View File

@@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, options, pkgs, ... }@nixos-args:
let let
sp = config.selfprivacy; sp = config.selfprivacy;
inherit (import ./common.nix {inherit config pkgs;}) inherit (import ./common.nix { inherit config pkgs; })
auth-passthru auth-passthru
domain domain
is-auth-enabled is-auth-enabled
@@ -67,8 +67,8 @@ let
fi fi
''; '';
in in
lib.mkIf sp.modules.simple-nixos-mailserver.enable lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [
{ {
fileSystems = lib.mkIf sp.useBinds fileSystems = lib.mkIf sp.useBinds
{ {
"/var/vmail" = { "/var/vmail" = {
@@ -107,7 +107,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password" # mkpasswd -m sha-512 "super secret password"
loginAccounts = lib.mkIf (!is-auth-enabled) ({ loginAccounts = ({
"${sp.username}@${sp.domain}" = { "${sp.username}@${sp.domain}" = {
hashedPassword = sp.hashedMasterPassword; hashedPassword = sp.hashedMasterPassword;
sieveScript = '' sieveScript = ''
@@ -136,7 +136,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
}) })
sp.users)); sp.users));
extraVirtualAliases = lib.mkIf (!is-auth-enabled) { extraVirtualAliases = {
"admin@${sp.domain}" = "${sp.username}@${sp.domain}"; "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
}; };
@@ -157,10 +157,32 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
virusScanning = false; virusScanning = false;
mailDirectory = "/var/vmail"; mailDirectory = "/var/vmail";
};
systemd = {
services = {
dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
};
slices."simple_nixos_mailserver" = {
name = "simple_nixos_mailserver.slice";
description = "Simple NixOS Mailserver service slice";
};
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
mailserver = {
extraVirtualAliases = lib.mkForce { };
loginAccounts = lib.mkForce { };
# LDAP is needed for Postfix to query Kanidm about email address ownership. # LDAP is needed for Postfix to query Kanidm about email address ownership.
# LDAP is needed for Dovecot also. # LDAP is needed for Dovecot also.
ldap = lib.mkIf is-auth-enabled { ldap = {
# false; otherwise, simple-nixos-mailserver enables auth via LDAP # false; otherwise, simple-nixos-mailserver enables auth via LDAP
enable = false; enable = false;
@@ -176,27 +198,16 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ]; uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
}; };
}; };
systemd = {
services = {
dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
# FIXME set auth module option instead # FIXME set auth module option instead
kanidm.serviceConfig.ExecStartPost = systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
lib.mkIf is-auth-enabled
(lib.mkAfter
[
("+" + kanidmExecStartPostScriptRoot) ("+" + kanidmExecStartPostScriptRoot)
kanidmExecStartPostScript kanidmExecStartPostScript
] ];
); }))
}; (lib.attrsets.optionalAttrs
slices."simple_nixos_mailserver" = { (options.selfprivacy.modules ? "auth")
name = "simple_nixos_mailserver.slice"; (lib.mkIf is-auth-enabled (import ./auth-dovecot.nix nixos-args)))
description = "Simple NixOS Mailserver service slice"; (lib.attrsets.optionalAttrs
}; (options.selfprivacy.modules ? "auth")
}; (lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args)))
} ])

2
sp-modules/simple-nixos-mailserver/flake.nix
View File

@@ -10,8 +10,6 @@
mailserver.nixosModules.default mailserver.nixosModules.default
./options.nix ./options.nix
./config.nix ./config.nix
./auth-postfix.nix
./auth-dovecot.nix
]; ];
}; };
configPathsNeeded = configPathsNeeded =