nixos/maddy: Add option ensureCredentials

2025-01-08 14:40:07 +03:00 · 2023-04-11 10:17:04 +02:00 · 2023-04-11 10:17:04 +02:00 · 86a685ceb1
commit 86a685ceb1
parent 14793416a0
3 changed files with 43 additions and 5 deletions
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -274,6 +274,8 @@ In addition to numerous new and upgraded packages, this release has the followin
  replacement. It stores backups as volume dump files and thus better integrates
  into contemporary backup solutions.

+- `services.maddy` now allows to configure users and their credentials using `services.maddy.ensureCredentials`.
+
 - The `dnsmasq` service now takes configuration via the
  `services.dnsmasq.settings` attribute set. The option
  `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches
--- a/nixos/modules/services/mail/maddy.nix
+++ b/nixos/modules/services/mail/maddy.nix
@ -228,8 +228,8 @@ in {
        default = [];
        description = lib.mdDoc ''
          List of IMAP accounts which get automatically created. Note that for
-          a complete setup, user credentials for these accounts are required too
-          and can be created using the command `maddyctl creds`.
+          a complete setup, user credentials for these accounts are required
+          and can be created using the `ensureCredentials` option.
          This option does not delete accounts which are not (anymore) listed.
        '';
        example = [
@ -238,6 +238,33 @@ in {
        ];
      };

+      ensureCredentials = mkOption {
+        default = {};
+        description = lib.mdDoc ''
+          List of user accounts which get automatically created if they don't
+          exist yet. Note that for a complete setup, corresponding mail boxes
+          have to get created using the `ensureAccounts` option.
+          This option does not delete accounts which are not (anymore) listed.
+        '';
+        example = {
+          "user1@localhost".passwordFile = /secrets/user1-localhost;
+          "user2@localhost".passwordFile = /secrets/user2-localhost;
+        };
+        type = types.attrsOf (types.submodule {
+          options = {
+            passwordFile = mkOption {
+              type = types.path;
+              example = "/path/to/file";
+              default = null;
+              description = lib.mdDoc ''
+                Specifies the path to a file containing the
+                clear text password for the user.
+              '';
+            };
+          };
+        });
+      };
+
    };
  };

@ -265,6 +292,13 @@ in {
                fi
              '') cfg.ensureAccounts}
            ''}
+            ${optionalString (cfg.ensureCredentials != {}) ''
+              ${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
+                if ! ${pkgs.maddy}/bin/maddyctl creds list | grep "${name}"; then
+                  ${pkgs.maddy}/bin/maddyctl creds create --password $(cat ${escapeShellArg cfg.passwordFile}) ${name}
+                fi
+              '') cfg.ensureCredentials)}
+            ''}
          '';
          serviceConfig = {
            Type = "oneshot";
--- a/nixos/tests/maddy.nix
+++ b/nixos/tests/maddy.nix
@ -10,6 +10,11 @@ import ./make-test-python.nix ({ pkgs, ... }: {
        primaryDomain = "server";
        openFirewall = true;
        ensureAccounts = [ "postmaster@server" ];
+        ensureCredentials = {
+          # Do not use this in production. This will make passwords world-readable
+          # in the Nix store
+          "postmaster@server".passwordFile = "${pkgs.writeText "postmaster" "test"}";
+        };
      };
    };

@ -49,9 +54,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
    server.wait_for_unit("maddy.service")
    server.wait_for_open_port(143)
    server.wait_for_open_port(587)
-
-    server.succeed("maddyctl creds create --password test postmaster@server")
-
    client.succeed("send-testmail")
    client.succeed("test-imap")
  '';