From 86a685ceb1af9fd80432b991f2c7731f34a8f77c Mon Sep 17 00:00:00 2001 From: Jonas Heinrich Date: Tue, 11 Apr 2023 10:17:04 +0200 Subject: [PATCH] nixos/maddy: Add option ensureCredentials --- .../manual/release-notes/rl-2305.section.md | 2 + nixos/modules/services/mail/maddy.nix | 38 ++++++++++++++++++- nixos/tests/maddy.nix | 8 ++-- 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 8c8a81519659..8d3b3ffa5e0f 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -274,6 +274,8 @@ In addition to numerous new and upgraded packages, this release has the followin replacement. It stores backups as volume dump files and thus better integrates into contemporary backup solutions. +- `services.maddy` now allows to configure users and their credentials using `services.maddy.ensureCredentials`. + - The `dnsmasq` service now takes configuration via the `services.dnsmasq.settings` attribute set. The option `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches diff --git a/nixos/modules/services/mail/maddy.nix b/nixos/modules/services/mail/maddy.nix index 5f3a9b56292d..d0b525bcb002 100644 --- a/nixos/modules/services/mail/maddy.nix +++ b/nixos/modules/services/mail/maddy.nix @@ -228,8 +228,8 @@ in { default = []; description = lib.mdDoc '' List of IMAP accounts which get automatically created. Note that for - a complete setup, user credentials for these accounts are required too - and can be created using the command `maddyctl creds`. + a complete setup, user credentials for these accounts are required + and can be created using the `ensureCredentials` option. This option does not delete accounts which are not (anymore) listed. ''; example = [ 
@@ -238,6 +238,33 @@ in { ]; }; + ensureCredentials = mkOption { + default = {}; + description = lib.mdDoc '' + List of user accounts which get automatically created if they don't + exist yet. Note that for a complete setup, corresponding mail boxes + have to get created using the `ensureAccounts` option. + This option does not delete accounts which are not (anymore) listed. + ''; + example = { + "user1@localhost".passwordFile = /secrets/user1-localhost; + "user2@localhost".passwordFile = /secrets/user2-localhost; + }; + type = types.attrsOf (types.submodule { + options = { + passwordFile = mkOption { + type = types.path; + example = "/path/to/file"; + default = null; + description = lib.mdDoc '' + Specifies the path to a file containing the + clear text password for the user. + ''; + }; + }; + }); + }; + }; }; @@ -265,6 +292,13 @@ in { fi '') cfg.ensureAccounts} ''} + ${optionalString (cfg.ensureCredentials != {}) '' + ${concatStringsSep "\n" (mapAttrsToList (name: cfg: '' + if ! ${pkgs.maddy}/bin/maddyctl creds list | grep "${name}"; then + ${pkgs.maddy}/bin/maddyctl creds create --password $(cat ${escapeShellArg cfg.passwordFile}) ${name} + fi + '') cfg.ensureCredentials)} + ''} ''; serviceConfig = { Type = "oneshot"; diff --git a/nixos/tests/maddy.nix b/nixos/tests/maddy.nix index 800d254f1770..742043033337 100644 --- a/nixos/tests/maddy.nix +++ b/nixos/tests/maddy.nix @@ -10,6 +10,11 @@ import ./make-test-python.nix ({ pkgs, ... }: { primaryDomain = "server"; openFirewall = true; ensureAccounts = [ "postmaster@server" ]; + ensureCredentials = { + # Do not use this in production. This will make passwords world-readable + # in the Nix store + "postmaster@server".passwordFile = "${pkgs.writeText "postmaster" "test"}"; + }; }; }; 
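Review bot: The `example` for `ensureCredentials` uses Nix path literals (`/secrets/user1-localhost`), which is a fragile pattern for secrets: a path literal is copied into the world-readable Nix store as soon as it is interpolated into a string, and the preStart hunk avoids that only because `escapeShellArg` goes through `toString`, so any later `"${…passwordFile}"` interpolation would leak the clear-text password (the problem the test hunk's own comment warns about). Since `types.path` accepts strings, the example should use `"/secrets/user1-localhost"` and the description could add `Use a string rather than a path literal, so the file is not copied into the Nix store.` Separately, `passwordFile` declares `type = types.path` with `default = null`, which is not a valid value of that type; as this is the only option in the submodule and the script cannot work without it, dropping the default so an unset value raises the usual "option is used but not defined" error is clearer than a type-check failure on `null`.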
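Review bot: The existence check in the preStart script, `grep "${name}"`, is an unanchored regex match, so a name that is a substring of another listed entry (or one containing metacharacters such as `.`) matches the wrong line and the credential is silently never created; if `maddyctl creds list` prints one name per line, `grep -qxF -- ${escapeShellArg name}` compares the exact entry instead. The `creds create` call passes the secret as `--password $(cat …)`, which places the clear-text password in the process argument list (typically readable by other local users via `ps` or `/proc`) and, being unquoted, word-splits and glob-expands passwords containing spaces or `*`; at minimum quote it as `--password "$(cat ${escapeShellArg cfg.passwordFile})" ${escapeShellArg name}`, and prefer a stdin- or file-based way of supplying the password if maddyctl offers one. The lambda parameter `cfg` in `name: cfg:` also shadows the module-level `cfg` used on the surrounding lines; `name: cred:` would read less confusingly. The `preStart` script this hunk edits begins before the hunk.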
@@ -49,9 +54,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 server.wait_for_unit("maddy.service")
 server.wait_for_open_port(143)
 server.wait_for_open_port(587)
-
- server.succeed("maddyctl creds create --password test postmaster@server")
-
 client.succeed("send-testmail")
 client.succeed("test-imap")
 '';