2017-09-03 11:15:18 +02:00
|
|
|
# nixos-mailserver: a simple mail server
|
2018-01-29 10:34:27 +01:00
|
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
2017-09-03 11:15:18 +02:00
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
|
2020-03-06 18:27:47 +01:00
|
|
|
{ config, pkgs, lib }:
|
2017-09-03 11:15:18 +02:00
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.mailserver;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
# cert :: PATH
|
2023-02-15 13:15:09 +01:00
|
|
|
certificatePath = if cfg.certificateScheme == "manual"
|
2017-09-03 11:15:18 +02:00
|
|
|
then cfg.certificateFile
|
2023-02-15 13:15:09 +01:00
|
|
|
else if cfg.certificateScheme == "selfsigned"
|
2017-11-11 10:44:45 +01:00
|
|
|
then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
|
2023-02-15 13:15:09 +01:00
|
|
|
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
2023-06-28 21:42:37 +02:00
|
|
|
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
|
2023-02-15 13:15:09 +01:00
|
|
|
else throw "unknown certificate scheme";
|
2017-09-03 11:15:18 +02:00
|
|
|
|
|
|
|
# key :: PATH
|
2023-02-15 13:15:09 +01:00
|
|
|
keyPath = if cfg.certificateScheme == "manual"
|
2017-09-03 11:15:18 +02:00
|
|
|
then cfg.keyFile
|
2023-02-15 13:15:09 +01:00
|
|
|
else if cfg.certificateScheme == "selfsigned"
|
2017-11-11 10:44:45 +01:00
|
|
|
then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
|
2023-02-15 13:15:09 +01:00
|
|
|
else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
|
2023-06-28 21:42:37 +02:00
|
|
|
then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
|
2023-02-15 13:15:09 +01:00
|
|
|
else throw "unknown certificate scheme";
|
2017-12-22 16:58:35 +01:00
|
|
|
|
2020-03-06 18:27:47 +01:00
|
|
|
passwordFiles = let
|
|
|
|
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
|
|
|
in
|
|
|
|
lib.mapAttrs (name: value:
|
|
|
|
if value.hashedPasswordFile == null then
|
|
|
|
builtins.toString (mkHashFile name value.hashedPassword)
|
|
|
|
else value.hashedPasswordFile) cfg.loginAccounts;
|
2023-05-20 00:12:02 +02:00
|
|
|
|
|
|
|
# Appends the LDAP bind password to files to avoid writing this
|
|
|
|
# password into the Nix store.
|
|
|
|
appendLdapBindPwd = {
|
2024-04-13 16:08:58 +02:00
|
|
|
name, file, prefix, suffix ? "", passwordFile, destination
|
2023-05-20 00:12:02 +02:00
|
|
|
}: pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
|
|
|
#!${pkgs.stdenv.shell}
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
baseDir=$(dirname ${destination})
|
|
|
|
if (! test -d "$baseDir"); then
|
|
|
|
mkdir -p $baseDir
|
|
|
|
chmod 755 $baseDir
|
|
|
|
fi
|
|
|
|
|
|
|
|
cat ${file} > ${destination}
|
2024-04-13 16:08:58 +02:00
|
|
|
echo -n '${prefix}' >> ${destination}
|
2023-05-20 00:12:02 +02:00
|
|
|
cat ${passwordFile} >> ${destination}
|
2024-04-13 16:08:58 +02:00
|
|
|
echo -n '${suffix}' >> ${destination}
|
2023-05-20 00:12:02 +02:00
|
|
|
chmod 600 ${destination}
|
|
|
|
'';
|
|
|
|
|
2017-09-03 11:15:18 +02:00
|
|
|
}
|