mirror of
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git
synced 2025-12-25 04:10:52 +01:00
33ba1ff52b
Drop most of the existing certificate handling, because we're effectively duplicating functionality that NixOS offers for free with better design, testing and maintainance than what we could provide downstream. The remaining two options are to reference an existing `security.acme.certs` configuration through `mailserver.x509.useACMEHost` or to provide existing key material via `mailserver.x509.certificateFile` and `mailserver.x509.privateKeyFile`. Support for automatic creation of self-signed certificates has been removed, because it is undesirable in public mail setups. The updated setup guide now displays the recommended configuration that relies on the NixOS ACME module, but requires further customization to select a suitable challenge. Co-Authored-By: Emily <git@emilylange.de>
82 lines
2.2 KiB
Nix
82 lines
2.2 KiB
Nix
# nixos-mailserver: a simple mail server
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
cfg = config.mailserver;
|
|
in
|
|
rec {
|
|
withACME = cfg.x509.useACMEHost != null;
|
|
|
|
x509CertificateFile =
|
|
if withACME then
|
|
"${config.security.acme.certs.${cfg.x509.useACMEHost}.directory}/fullchain.pem"
|
|
else
|
|
cfg.x509.certificateFile;
|
|
|
|
x509PrivateKeyFile =
|
|
if withACME then
|
|
"${config.security.acme.certs.${cfg.x509.useACMEHost}.directory}/key.pem"
|
|
else
|
|
cfg.x509.privateKeyFile;
|
|
|
|
passwordFiles =
|
|
let
|
|
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
|
in
|
|
lib.mapAttrs (
|
|
name: value:
|
|
if value.hashedPasswordFile == null then
|
|
builtins.toString (mkHashFile name value.hashedPassword)
|
|
else
|
|
value.hashedPasswordFile
|
|
) cfg.loginAccounts;
|
|
|
|
# Appends the LDAP bind password to files to avoid writing this
|
|
# password into the Nix store.
|
|
appendLdapBindPwd =
|
|
{
|
|
name,
|
|
file,
|
|
prefix,
|
|
suffix ? "",
|
|
passwordFile,
|
|
destination,
|
|
}:
|
|
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
|
#!${pkgs.stdenv.shell}
|
|
set -euo pipefail
|
|
|
|
baseDir=$(dirname ${destination})
|
|
if (! test -d "$baseDir"); then
|
|
mkdir -p $baseDir
|
|
chmod 755 $baseDir
|
|
fi
|
|
|
|
cat ${file} > ${destination}
|
|
echo -n '${prefix}' >> ${destination}
|
|
cat ${passwordFile} | tr -d '\n' >> ${destination}
|
|
echo -n '${suffix}' >> ${destination}
|
|
chmod 600 ${destination}
|
|
'';
|
|
|
|
}
|