nixos/maddy: Add option ensureCredentials

authored by

Jonas Heinrich and committed by
Yt
86a685ce 14793416

+43 -5
+2
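--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -274,6 +274,8 @@
 replacement. It stores backups as volume dump files and thus better integrates
 into contemporary backup solutions.
 
+- `services.maddy` now allows to configure users and their credentials using `services.maddy.ensureCredentials`.
+
 - The `dnsmasq` service now takes configuration via the
 `services.dnsmasq.settings` attribute set. The option
 `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches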
+36 -2
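--- a/nixos/modules/services/mail/maddy.nix
+++ b/nixos/modules/services/mail/maddy.nix
@@ -228,8 +228,8 @@
 default = [];
 description = lib.mdDoc ''
 List of IMAP accounts which get automatically created. Note that for
-a complete setup, user credentials for these accounts are required too
-and can be created using the command `maddyctl creds`.
+a complete setup, user credentials for these accounts are required
+and can be created using the `ensureCredentials` option.
 This option does not delete accounts which are not (anymore) listed.
 '';
 example = [
@@ -238,6 +238,33 @@
 ];
 };
 
+ensureCredentials = mkOption {
+default = {};
+description = lib.mdDoc ''
+List of user accounts which get automatically created if they don't
+exist yet. Note that for a complete setup, corresponding mail boxes
+have to get created using the `ensureAccounts` option.
+This option does not delete accounts which are not (anymore) listed.
+'';
+example = {
+"user1@localhost".passwordFile = /secrets/user1-localhost;
+"user2@localhost".passwordFile = /secrets/user2-localhost;
+};
+type = types.attrsOf (types.submodule {
+options = {
+passwordFile = mkOption {
+type = types.path;
+example = "/path/to/file";
+default = null;
+description = lib.mdDoc ''
+Specifies the path to a file containing the
+clear text password for the user.
+'';
+};
+};
+});
+};
+
 };
 };
 
@@ -264,6 +291,13 @@
 ${pkgs.maddy}/bin/maddyctl imap-acct create ${account}
 fi
 '') cfg.ensureAccounts}
+''}
+${optionalString (cfg.ensureCredentials != {}) ''
+${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
+if ! ${pkgs.maddy}/bin/maddyctl creds list | grep "${name}"; then
+${pkgs.maddy}/bin/maddyctl creds create --password $(cat ${escapeShellArg cfg.passwordFile}) ${name}
+fi
+'') cfg.ensureCredentials)}
 ''}
 '';
 serviceConfig = {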
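Review bot: In the added `ensureCredentials` loop of the pre-start script, `--password $(cat ${escapeShellArg cfg.passwordFile})` leaves the command substitution unquoted, so a password containing whitespace or glob characters is word-split or expanded before maddyctl receives it, and `${name}` is interpolated into the shell unescaped in both commands. I would change the two lines to `if ! ${pkgs.maddy}/bin/maddyctl creds list | grep -qxF -- ${escapeShellArg name}; then` and `${pkgs.maddy}/bin/maddyctl creds create --password "$(cat ${escapeShellArg cfg.passwordFile})" ${escapeShellArg name}`; the fixed-string, whole-line match (assuming `creds list` prints one account per line) also stops `a@localhost` from being treated as present because `aa@localhost` exists, which would silently skip creating that credential. Even when quoted, the clear-text password is still passed in maddyctl's argv and is readable by local users through the process list while the command runs, so it is worth checking whether maddyctl can take the password on stdin instead. Separately, `default = null` on `passwordFile` does not satisfy `types.path`; dropping the default makes the option explicitly required rather than failing with a type error when it is left unset. The script this loop is appended to begins outside the visible lines.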
+5 -3
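--- a/nixos/tests/maddy.nix
+++ b/nixos/tests/maddy.nix
@@ -10,6 +10,11 @@
 primaryDomain = "server";
 openFirewall = true;
 ensureAccounts = [ "postmaster@server" ];
+ensureCredentials = {
+# Do not use this in production. This will make passwords world-readable
+# in the Nix store
+"postmaster@server".passwordFile = "${pkgs.writeText "postmaster" "test"}";
+};
 };
 };
 
@@ -49,9 +54,6 @@
 server.wait_for_unit("maddy.service")
 server.wait_for_open_port(143)
 server.wait_for_open_port(587)
-
-server.succeed("maddyctl creds create --password test postmaster@server")
-
 client.succeed("send-testmail")
 client.succeed("test-imap")
 '';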