nixos/maddy: tls.loader add acme support, add secrets option

authored by

Jonas Heinrich and committed by
Yt
8a4f0162 8c00e98e

+61 -20
+1 -1
nixos/doc/manual/release-notes/rl-2305.section.md
··· 379 379 380 380 - `services.maddy` got several updates: 381 381 - Configuration of users and their credentials using `services.maddy.ensureCredentials`. 382 - - Configuration of TLS key and certificate files using `services.maddy.tls`. 382 + - TLS configuration is now possible via `services.maddy.tls` with two loaders present: ACME and file based. 383 383 384 384 - The `dnsmasq` service now takes configuration via the 385 385 `services.dnsmasq.settings` attribute set. The option
+60 -19
nixos/modules/services/mail/maddy.nix
··· 206 206 Server configuration, see 207 207 [https://maddy.email](https://maddy.email) for 208 208 more information. The default configuration of this module will setup 209 - minimal maddy instance for mail transfer without TLS encryption. 209 + minimal Maddy instance for mail transfer without TLS encryption. 210 210 211 211 ::: {.note} 212 212 This should not be used in a production environment. ··· 216 216 217 217 tls = { 218 218 loader = mkOption { 219 - type = with types; nullOr (enum [ "file" "off" ]); 219 + type = with types; nullOr (enum [ "off" "file" "acme" ]); 220 220 default = "off"; 221 221 description = lib.mdDoc '' 222 222 TLS certificates are obtained by modules called "certificate 223 - loaders". Currently only the file loader is supported which reads 224 - certificates from files specifying the options `keyPaths` and 225 - `certPaths`. 223 + loaders". 224 + 225 + The `file` loader module reads certificates from files specified by 226 + the `certificates` option. 227 + 228 + Alternatively the `acme` module can be used to automatically obtain 229 + certificates using the ACME protocol. 230 + 231 + Module configuration is done via the `tls.extraConfig` option. 232 + 233 + Secrets such as API keys or passwords should not be supplied in 234 + plaintext. Instead the `secrets` option can be used to read secrets 235 + at runtime as environment variables. Secrets can be referenced with 236 + `{env:VAR}`. 226 237 ''; 227 238 }; 228 239 ··· 261 272 extraConfig = mkOption { 262 273 type = with types; nullOr lines; 263 274 description = lib.mdDoc '' 264 - Arguments for the specific certificate loader. Note that Maddy uses 265 - secure defaults for the TLS configuration so there is no need to 266 - change anything in most cases. 267 - See [upstream manual](https://maddy.email/reference/tls/) for 268 - available options. 275 + Arguments for the specified certificate loader. 276 + 277 + In case the `tls` loader is set, the defaults are considered secure 278 + and there is no need to change anything in most cases. 279 + For available options see [upstream manual](https://maddy.email/reference/tls/). 280 + 281 + For ACME configuration, see [following page](https://maddy.email/reference/tls-acme). 269 282 ''; 270 283 default = ""; 271 284 }; ··· 321 334 }); 322 335 }; 323 336 337 + secrets = lib.mkOption { 338 + type = lib.types.path; 339 + description = lib.mdDoc '' 340 + A file containing the various secrets. Should be in the format 341 + expected by systemd's `EnvironmentFile` directory. Secrets can be 342 + referenced in the format `{env:VAR}`. 343 + ''; 344 + }; 345 + 324 346 }; 325 347 }; 326 348 327 349 config = mkIf cfg.enable { 328 350 329 - assertions = [{ 330 - assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != []; 331 - message = '' 332 - If maddy is configured to use TLS, tls.certificates with attribute sets 333 - of certPath and keyPath must be provided. 334 - Read more about obtaining TLS certificates here: 335 - https://maddy.email/tutorials/setting-up/#tls-certificates 336 - ''; 337 - }]; 351 + assertions = [ 352 + { 353 + assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != []; 354 + message = '' 355 + If Maddy is configured to use TLS, tls.certificates with attribute sets 356 + of certPath and keyPath must be provided. 357 + Read more about obtaining TLS certificates here: 358 + https://maddy.email/tutorials/setting-up/#tls-certificates 359 + ''; 360 + } 361 + { 362 + assertion = cfg.tls.loader == "acme" -> cfg.tls.extraConfig != ""; 363 + message = '' 364 + If Maddy is configured to obtain TLS certificates using the ACME 365 + loader, extra configuration options must be supplied via 366 + tls.extraConfig option. 367 + See upstream documentation for more details: 368 + https://maddy.email/reference/tls-acme 369 + ''; 370 + } 371 + ]; 338 372 339 373 systemd = { 340 374 ··· 345 379 User = cfg.user; 346 380 Group = cfg.group; 347 381 StateDirectory = [ "maddy" ]; 382 + EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}"; 348 383 }; 349 384 restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ]; 350 385 wantedBy = [ "multi-user.target" ]; ··· 391 426 ) cfg.tls.certificates)} ${optionalString (cfg.tls.extraConfig != "") '' 392 427 { ${cfg.tls.extraConfig} } 393 428 ''} 429 + '' else if (cfg.tls.loader == "acme") then '' 430 + tls { 431 + loader acme { 432 + ${cfg.tls.extraConfig} 433 + } 434 + } 394 435 '' else if (cfg.tls.loader == "off") then '' 395 436 tls off 396 437 '' else ""}