nerf/nixConfig
1
0
Fork 0
forked from Fachschaft/nixConfig
Code Pull requests Activity

Address second round of review

Browse source
This commit is contained in:
Gonne 2025-02-27 13:22:48 +01:00
parent 361eed84af
commit cc91339f80
1 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/mail.nix
View file

@ -24,18 +24,18 @@
mkEnableOption
mkOption
;
inherit (lib.types) listOf strMatching str path;
inherit (lib.types) listOf strMatching nonEmptyStr path;
cfg = config.services.mathebau-mail;
in {
options.services.mathebau-mail = {
enable = mkEnableOption "mathebau mail service";
stalwartAdmin = mkOption {
type = path;
description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth. Update together with the stalwartAdminHash and the pass store.";
};
stalwartAdminHash = mkOption {
type = str;
description = "String containing the hashed fallback admin password";
type = nonEmptyStr;
description = "String containing the hashed fallback admin password. Update together with the stalwartAdmin setting and the pass store.";
};
domains = mkOption {
type = listOf (lib.types.submodule {
@ -98,6 +98,7 @@ in {
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
default = true;
};
# Reevaluate after DKIM and DMARC deployment
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
@ -162,6 +163,7 @@ in {
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
# because only TOML-based keys may use macros to load files from disk.
# We want this to be able to load our sieve-script for mail forwarding.
# See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
config.local-keys =
[
"store.*"
@ -226,6 +228,7 @@ in {
}: ''
echo "process ${domain}"
# This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
# The regex searches for alphanumerics combined with some special characters as local paths and the right domain.
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
# This line searches for available redirects and adds them to the submission file.
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
@ -260,6 +263,7 @@ in {
RestrictSUIDSGID = true;
};
};
# This service is defined by the nixpkgs stalwart module and we only modify it.
"stalwart-mail" = {
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script