fix mailserver: evaluate without auth module

2025-01-25 01:08:41 +04:00
parent 0c7a8d51b0
commit d8d1a1e86f
4 changed files with 127 additions and 118 deletions
--- a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
@@ -62,7 +62,7 @@ let
    '';
  };
 in
-lib.mkIf is-auth-enabled {
+{
  mailserver.ldap = {
    # note: in `ldapsearch` first comes filter, then attributes
    dovecot.userAttrs = "+"; # all operational attributes
--- a/sp-modules/simple-nixos-mailserver/auth-postfix.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-postfix.nix
@@ -51,7 +51,7 @@ let
    destination = ldapVirtualMailboxMapFile;
  };
 in
-lib.mkIf is-auth-enabled {
+{
  mailserver.ldap = {
    postfix.mailAttribute = "mail";
    postfix.uidAttribute = "uid";
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -1,8 +1,8 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }@nixos-args:
 let
  sp = config.selfprivacy;

-  inherit (import ./common.nix {inherit config pkgs;})
+  inherit (import ./common.nix { inherit config pkgs; })
    auth-passthru
    domain
    is-auth-enabled
@@ -67,8 +67,8 @@ let
      fi
    '';
 in
-lib.mkIf sp.modules.simple-nixos-mailserver.enable
-{
+lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [
+  {
    fileSystems = lib.mkIf sp.useBinds
      {
        "/var/vmail" = {
@@ -107,7 +107,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable

      # A list of all login accounts. To create the password hashes, use
      # mkpasswd -m sha-512 "super secret password"
-    loginAccounts = lib.mkIf (!is-auth-enabled) ({
+      loginAccounts = ({
        "${sp.username}@${sp.domain}" = {
          hashedPassword = sp.hashedMasterPassword;
          sieveScript = ''
@@ -136,7 +136,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
        })
        sp.users));

-    extraVirtualAliases = lib.mkIf (!is-auth-enabled) {
+      extraVirtualAliases = {
        "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
      };

@@ -157,10 +157,32 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
      virusScanning = false;

      mailDirectory = "/var/vmail";
+    };

+    systemd = {
+      services = {
+        dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
+        postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
+        rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
+        redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
+        opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
+      };
+      slices."simple_nixos_mailserver" = {
+        name = "simple_nixos_mailserver.slice";
+        description = "Simple NixOS Mailserver service slice";
+      };
+    };
+  }
+  # the following part is active only when "auth" module is enabled
+  (lib.attrsets.optionalAttrs
+    (options.selfprivacy.modules ? "auth")
+    (lib.mkIf is-auth-enabled {
+      mailserver = {
+        extraVirtualAliases = lib.mkForce { };
+        loginAccounts = lib.mkForce { };
        # LDAP is needed for Postfix to query Kanidm about email address ownership.
        # LDAP is needed for Dovecot also.
-    ldap = lib.mkIf is-auth-enabled {
+        ldap = {
          # false; otherwise, simple-nixos-mailserver enables auth via LDAP
          enable = false;

@@ -176,27 +198,16 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
          uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
        };
      };
-
-  systemd = {
-    services = {
-      dovecot2.serviceConfig.Slice = "simple_nixos_mailserver.slice";
-      postfix.serviceConfig.Slice = "simple_nixos_mailserver.slice";
-      rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
-      redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
-      opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
      # FIXME set auth module option instead
-      kanidm.serviceConfig.ExecStartPost =
-        lib.mkIf is-auth-enabled
-          (lib.mkAfter
-            [
+      systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
        ("+" + kanidmExecStartPostScriptRoot)
        kanidmExecStartPostScript
-            ]
-          );
-    };
-    slices."simple_nixos_mailserver" = {
-      name = "simple_nixos_mailserver.slice";
-      description = "Simple NixOS Mailserver service slice";
-    };
-  };
-}
+      ];
+    }))
+  (lib.attrsets.optionalAttrs
+    (options.selfprivacy.modules ? "auth")
+    (lib.mkIf is-auth-enabled (import ./auth-dovecot.nix nixos-args)))
+  (lib.attrsets.optionalAttrs
+    (options.selfprivacy.modules ? "auth")
+    (lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args)))
+])
--- a/sp-modules/simple-nixos-mailserver/flake.nix
+++ b/sp-modules/simple-nixos-mailserver/flake.nix
@@ -10,8 +10,6 @@
        mailserver.nixosModules.default
        ./options.nix
        ./config.nix
-        ./auth-postfix.nix
-        ./auth-dovecot.nix
      ];
    };
    configPathsNeeded =