Merge pull request #182261 from mayflower/mailman-rest-api-pass-file

nixos/mailman: don't leak MAILMAN_REST_API_PASS into the store

authored by Maximilian Bosch and committed by GitHub 85231bbd f2e43c14

+30 -5
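--- a/nixos/modules/services/mail/mailman.nix
+++ b/nixos/modules/services/mail/mailman.nix
@@ -44,7 +44,13 @@
 transport_file_type: hash
 '';
 
-mailmanCfg = lib.generators.toINI {} cfg.settings;
+mailmanCfg = lib.generators.toINI {}
+(recursiveUpdate cfg.settings
+((optionalAttrs (cfg.restApiPassFile != null) {
+webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#";
+})));
+
+mailmanCfgFile = pkgs.writeText "mailman-raw.cfg" mailmanCfg;
 
 mailmanHyperkittyCfg = pkgs.writeText "mailman-hyperkitty.cfg" ''
 [general]
@@ -247,6 +253,14 @@
 '';
 };
 
+restApiPassFile = mkOption {
+default = null;
+type = types.nullOr types.str;
+description = ''
+Path to the file containing the value for <literal>MAILMAN_REST_API_PASS</literal>.
+'';
+};
+
 serve = {
 enable = mkEnableOption "Automatic nginx and uwsgi setup for mailman-web";
 };
@@ -362,8 +376,6 @@
 group = "mailman";
 };
 users.groups.mailman = {};
-
-environment.etc."mailman.cfg".text = mailmanCfg;
 
 environment.etc."mailman3/settings.py".text = ''
 import os
@@ -383,6 +395,11 @@
 with open('/var/lib/mailman-web/settings_local.json') as f:
 globals().update(json.load(f))
 
+${optionalString (cfg.restApiPassFile != null) ''
+with open('${cfg.restApiPassFile}') as f:
+MAILMAN_REST_API_PASS = f.read().rstrip('\n')
+''}
+
 ${optionalString (cfg.ldap.enable) ''
 import ldap
 from django_auth_ldap.config import LDAPSearch, ${cfg.ldap.groupSearch.type}
@@ -456,7 +473,7 @@
 after = [ "network.target" ]
 ++ lib.optional cfg.enablePostfix "postfix-setup.service"
 ++ lib.optional withPostgresql "postgresql.service";
-restartTriggers = [ config.environment.etc."mailman.cfg".source ];
+restartTriggers = [ mailmanCfgFile ];
 requires = optional withPostgresql "postgresql.service";
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
@@ -480,6 +497,14 @@
 requires = optional withPostgresql "postgresql.service";
 serviceConfig.Type = "oneshot";
 script = ''
+install -m0750 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg
+${optionalString (cfg.restApiPassFile != null) ''
+${pkgs.replace-secret}/bin/replace-secret \
+'#NIXOS_MAILMAN_REST_API_PASS_SECRET#' \
+${cfg.restApiPassFile} \
+/etc/mailman.cfg
+''}
+
 mailmanDir=/var/lib/mailman
 mailmanWebDir=/var/lib/mailman-web
 
@@ -560,7 +585,7 @@
 mailman-daily = {
 description = "Trigger daily Mailman events";
 startAt = "daily";
-restartTriggers = [ config.environment.etc."mailman.cfg".source ];
+restartTriggers = [ mailmanCfgFile ];
 serviceConfig = {
 ExecStart = "${mailmanEnv}/bin/mailman digests --send";
 User = "mailman";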
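Review bot: If `replace-secret` fails in the oneshot script (for example because the file named by `restApiPassFile` does not exist yet), the `install` on new line 500 has already placed `/etc/mailman.cfg` with the literal placeholder `#NIXOS_MAILMAN_REST_API_PASS_SECRET#` as `webservice.admin_pass`, so any start of mailman that does not depend on this unit would run the REST API with a publicly known admin password; whether the other units are ordered after this setup unit is not visible in these hunks. Writing the substituted file first and moving it into place only on success avoids that state: `install -m0750 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg.tmp`, run `replace-secret` against `/etc/mailman.cfg.tmp`, then `mv /etc/mailman.cfg.tmp /etc/mailman.cfg`. The description on new line 260 should also state that the option is deliberately `types.str` rather than `types.path` so the secret is not copied into the world-readable Nix store, and that the file must be readable by both this setup script and the process that evaluates `settings.py`, which opens it at import time on new line 399. Finally, `f.read().rstrip('\n')` on new line 400 strips only trailing newlines, so whether the INI side gets the same bytes depends on how `replace-secret` treats a trailing newline in the secret file — worth confirming the two agree.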