commit 8a4f016281d5d1458013aef414e17574f883d338

pyrox.dev / nixpkgs

lol

fork atom

nixos/maddy: tls.loader add acme support, add secrets option

authored by

Jonas Heinrich and committed by

Yt 2 years ago 8a4f0162 8c00e98e

+61 -20

2 changed files

expand all

unified split

nixos

doc

manual

release-notes

rl-2305.section.md

modules

services

mail

maddy.nix

+1 -1

nixos/doc/manual/release-notes/rl-2305.section.md

··· 379 380 - `services.maddy` got several updates: 381 - Configuration of users and their credentials using `services.maddy.ensureCredentials`. 382 - - Configuration of TLS key and certificate files using `services.maddy.tls`. 383 384 - The `dnsmasq` service now takes configuration via the 385 `services.dnsmasq.settings` attribute set. The option

··· 379 380 - `services.maddy` got several updates: 381 - Configuration of users and their credentials using `services.maddy.ensureCredentials`. 382 + - TLS configuration is now possible via `services.maddy.tls` with two loaders present: ACME and file based. 383 384 - The `dnsmasq` service now takes configuration via the 385 `services.dnsmasq.settings` attribute set. The option

+60 -19

nixos/modules/services/mail/maddy.nix

··· 206 Server configuration, see 207 [https://maddy.email](https://maddy.email) for 208 more information. The default configuration of this module will setup 209 - minimal maddy instance for mail transfer without TLS encryption. 210 211 ::: {.note} 212 This should not be used in a production environment. ··· 216 217 tls = { 218 loader = mkOption { 219 - type = with types; nullOr (enum [ "file" "off" ]); 220 default = "off"; 221 description = lib.mdDoc '' 222 TLS certificates are obtained by modules called "certificate 223 - loaders". Currently only the file loader is supported which reads 224 - certificates from files specifying the options `keyPaths` and 225 - `certPaths`. 226 ''; 227 }; 228 ··· 261 extraConfig = mkOption { 262 type = with types; nullOr lines; 263 description = lib.mdDoc '' 264 - Arguments for the specific certificate loader. Note that Maddy uses 265 - secure defaults for the TLS configuration so there is no need to 266 - change anything in most cases. 267 - See [upstream manual](https://maddy.email/reference/tls/) for 268 - available options. 269 ''; 270 default = ""; 271 }; ··· 321 }); 322 }; 323 324 }; 325 }; 326 327 config = mkIf cfg.enable { 328 329 - assertions = [{ 330 - assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != []; 331 - message = '' 332 - If maddy is configured to use TLS, tls.certificates with attribute sets 333 - of certPath and keyPath must be provided. 334 - Read more about obtaining TLS certificates here: 335 - https://maddy.email/tutorials/setting-up/#tls-certificates 336 - ''; 337 - }]; 338 339 systemd = { 340 ··· 345 User = cfg.user; 346 Group = cfg.group; 347 StateDirectory = [ "maddy" ]; 348 }; 349 restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ]; 350 wantedBy = [ "multi-user.target" ]; ··· 391 ) cfg.tls.certificates)} ${optionalString (cfg.tls.extraConfig != "") '' 392 { ${cfg.tls.extraConfig} } 393 ''} 394 '' else if (cfg.tls.loader == "off") then '' 395 tls off 396 '' else ""}

··· 206 Server configuration, see 207 [https://maddy.email](https://maddy.email) for 208 more information. The default configuration of this module will setup 209 + minimal Maddy instance for mail transfer without TLS encryption. 210 211 ::: {.note} 212 This should not be used in a production environment. ··· 216 217 tls = { 218 loader = mkOption { 219 + type = with types; nullOr (enum [ "off" "file" "acme" ]); 220 default = "off"; 221 description = lib.mdDoc '' 222 TLS certificates are obtained by modules called "certificate 223 + loaders". 224 + 225 + The `file` loader module reads certificates from files specified by 226 + the `certificates` option. 227 + 228 + Alternatively the `acme` module can be used to automatically obtain 229 + certificates using the ACME protocol. 230 + 231 + Module configuration is done via the `tls.extraConfig` option. 232 + 233 + Secrets such as API keys or passwords should not be supplied in 234 + plaintext. Instead the `secrets` option can be used to read secrets 235 + at runtime as environment variables. Secrets can be referenced with 236 + `{env:VAR}`. 237 ''; 238 }; 239 ··· 272 extraConfig = mkOption { 273 type = with types; nullOr lines; 274 description = lib.mdDoc '' 275 + Arguments for the specified certificate loader. 276 + 277 + In case the `tls` loader is set, the defaults are considered secure 278 + and there is no need to change anything in most cases. 279 + For available options see [upstream manual](https://maddy.email/reference/tls/). 280 + 281 + For ACME configuration, see [following page](https://maddy.email/reference/tls-acme). 282 ''; 283 default = ""; 284 }; ··· 334 }); 335 }; 336 337 + secrets = lib.mkOption { 338 + type = lib.types.path; 339 + description = lib.mdDoc '' 340 + A file containing the various secrets. Should be in the format 341 + expected by systemd's `EnvironmentFile` directory. Secrets can be 342 + referenced in the format `{env:VAR}`. 343 + ''; 344 + }; 345 + 346 }; 347 }; 348 349 config = mkIf cfg.enable { 350 351 + assertions = [ 352 + { 353 + assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != []; 354 + message = '' 355 + If Maddy is configured to use TLS, tls.certificates with attribute sets 356 + of certPath and keyPath must be provided. 357 + Read more about obtaining TLS certificates here: 358 + https://maddy.email/tutorials/setting-up/#tls-certificates 359 + ''; 360 + } 361 + { 362 + assertion = cfg.tls.loader == "acme" -> cfg.tls.extraConfig != ""; 363 + message = '' 364 + If Maddy is configured to obtain TLS certificates using the ACME 365 + loader, extra configuration options must be supplied via 366 + tls.extraConfig option. 367 + See upstream documentation for more details: 368 + https://maddy.email/reference/tls-acme 369 + ''; 370 + } 371 + ]; 372 373 systemd = { 374 ··· 379 User = cfg.user; 380 Group = cfg.group; 381 StateDirectory = [ "maddy" ]; 382 + EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}"; 383 }; 384 restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ]; 385 wantedBy = [ "multi-user.target" ]; ··· 426 ) cfg.tls.certificates)} ${optionalString (cfg.tls.extraConfig != "") '' 427 { ${cfg.tls.extraConfig} } 428 ''} 429 + '' else if (cfg.tls.loader == "acme") then '' 430 + tls { 431 + loader acme { 432 + ${cfg.tls.extraConfig} 433 + } 434 + } 435 '' else if (cfg.tls.loader == "off") then '' 436 tls off 437 '' else ""}