From f3727540528b00aa7a1af818441ec41f2dfdb086 Mon Sep 17 00:00:00 2001
From: John Boehr
Date: Thu, 9 Nov 2017 14:17:03 -0800
Subject: [PATCH] Qualify user names

---
 default.nix              |  1 +
 mail-server/common.nix   |  9 ++++++++-
 mail-server/dovecot.nix  |  2 +-
 mail-server/nginx.nix    | 13 +++++--------
 mail-server/postfix.nix  |  6 +++---
 mail-server/users.nix    |  6 ++++--
 nixops/single-server.nix | 16 ++++++++--------
 7 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/default.nix b/default.nix
index f9303a7..381a0d1 100644
--- a/default.nix
+++ b/default.nix
@@ -35,6 +35,7 @@ in
     extraDomains = mkOption {
       type = types.listOf types.str;
       example = "[ example.com ]";
+      default = [];
       description = "Extra domains that this mail server serves.";
     };
 
diff --git a/mail-server/common.nix b/mail-server/common.nix
index 42d0180..f491911 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -14,10 +14,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see
 
-{ config }:
+{ config, lib }:
 
 let
   cfg = config.mailserver;
+  inherit (lib.strings) stringToCharacters;
 in
 {
   # cert :: PATH
@@ -37,4 +38,10 @@ in
     else if cfg.certificateScheme == 3 then "/var/lib/acme/mailserver/key.pem"
     else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
+
+  # appends cfg.domain to argument if it does not contain "@"
+  qualifyUser = user: (
+    if (builtins.any (c: c == "@") (stringToCharacters user))
+    then user
+    else "${user}@${cfg.domain}");
 }
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 7ccaab1..fb8330b 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -16,7 +16,7 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib; });
 
 let
   cfg = config.mailserver;
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
index 52a0bbb..9eeace4 100644
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
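Review bot: With `default = []` the extraDomains option is now optional, but the adjacent `example = "[ example.com ]"` is a string rather than a value of `types.listOf types.str`, so the generated option documentation shows a malformed example; write it as a real list, `example = [ "example.com" ];`. The option declaration continues outside the hunk.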
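Review bot: `qualifyUser` in the second common.nix hunk only decides whether to append `cfg.domain`; a name that already contains `@` is passed through with no check that its domain part is `cfg.domain` or one of `cfg.extraDomains`, so a typo such as `user1@exmaple.com` silently becomes a mailbox or alias for a domain this server does not handle, and nothing rejects whitespace or other characters that the postfix.nix and users.nix hunks then interpolate into space-separated Postfix map lines and system user names. Consider validating the domain part against `[ cfg.domain ] ++ cfg.extraDomains` and failing with `throw`, as the certificate branch directly above already does for a bad scheme. The `@` test itself does not need the `stringToCharacters` import added in the first hunk; `builtins.match ".*@.*" user != null` expresses the same thing. The comment should also say that an input already carrying a domain is returned unchanged, since that is the half of the contract callers rely on.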
@@ -26,11 +26,11 @@ let
   acmeRoot = "/var/lib/acme/acme-challenge";
 in
 {
-  config = with cfg; lib.mkIf (certificateScheme == 3) {
+  config = lib.mkIf (cfg.certificateScheme == 3) {
     services.nginx = {
       enable = true;
-      virtualHosts = genAttrs allDomains (domain: {
-        serverName = "${hostPrefix}.${domain}";
+      virtualHosts = genAttrs (map (domain: "${cfg.hostPrefix}.${domain}") allDomains) (domain: {
+        serverName = "${domain}";
         forceSSL = true;
         enableACME = true;
         locations."/" = {
@@ -40,11 +40,8 @@ in
       });
     };
     security.acme.certs."mailserver" = {
-      # @todo what user/group should this run as?
-      user = "postfix"; # cfg.user;
-      group = "postfix"; # lib.mkDefault cfg.group;
-      domain = "${hostPrefix}.${domain}";
-      extraDomains = map (domain: "${hostPrefix}.${domain}") extraDomains;
+      domain = "${cfg.hostPrefix}.${cfg.domain}";
+      extraDomains = genAttrs (map (domain: "${cfg.hostPrefix}.${domain}") cfg.extraDomains) (domain: null);
       webroot = acmeRoot;
       # @todo should we reload postfix here?
       postRun = ''
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index ee91da9..a03e366 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -16,7 +16,7 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib; });
 
 let
   inherit (lib.strings) concatStringsSep;
@@ -27,11 +27,11 @@ let
   valiases_postfix = map (from:
     let
       to = cfg.virtualAliases.${from};
-    in "${from} ${to}")
+    in "${qualifyUser from} ${qualifyUser to}")
     (builtins.attrNames cfg.virtualAliases);
 
   # accountToIdentity :: User -> String
-  accountToIdentity = account: "${account.name} ${account.name}";
+  accountToIdentity = account: "${qualifyUser account.name} ${qualifyUser account.name}";
 
   # vaccounts_identity :: [ String ]
   vaccounts_identity = map accountToIdentity (lib.attrValues cfg.loginAccounts);
diff --git a/mail-server/users.nix b/mail-server/users.nix
index f49be1f..d813101 100644
--- a/mail-server/users.nix
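Review bot: In the first nginx.nix hunk `serverName = "${domain}";` is a string interpolation of a value that is already a string, and the NixOS nginx module defaults a virtual host's serverName to its attribute name, which is exactly what the new `genAttrs` key is; either drop the line or write `serverName = domain;`. Replacing `with cfg;` by explicit `cfg.` references is a welcome change, since it makes clear which names come from the module configuration and which from `lib`.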
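Review bot: The second nginx.nix hunk deletes `user = "postfix";` and `group = "postfix";` together with the `@todo` asking who the certificate should belong to, but it does not answer that question: ownership of `/var/lib/acme/mailserver/key.pem`, the path common.nix hands to the mail daemons, now falls back to whatever the acme module defaults to, and if Postfix or Dovecot open that key as an unprivileged user the first renewal will produce a key they cannot read. Please decide `user`/`group` deliberately and record the reasoning, e.g. `# key is read by the postfix and dovecot services; keep ownership in sync with their users` above `domain`, rather than leaving it to omission. The remaining `# @todo should we reload postfix here?` on `postRun` is the same open question from the other side and is worth resolving in the same change; the `postRun` string continues outside the hunk.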
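Review bot: In the second postfix.nix hunk `qualifyUser` is applied to both sides of every alias, so a bare key such as `"info"` maps only `info@<cfg.domain>`; aliases for the extra domains must still be written fully qualified, as nixops/single-server.nix now does, and an unqualified right-hand side is likewise pinned to `cfg.domain`. That rule is not stated anywhere; the `virtualAliases` and `loginAccounts` option descriptions in default.nix (outside this patch) should say that bare local parts are qualified with `domain` and that addresses in `extraDomains` need the explicit `@domain`. A short comment above `valiases_postfix`, `# bare names on either side are qualified with cfg.domain`, would help readers of this file too.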
+++ b/mail-server/users.nix
@@ -19,6 +19,8 @@ with config.mailserver;
 let
+  qualifyUser = (import ./common.nix { inherit config lib; }).qualifyUser;
+
   vmail_user = {
     name = vmailUserName;
     isNormalUser = false;
@@ -30,14 +32,14 @@ let
 
   # accountsToUser :: String -> UserRecord
   accountsToUser = account: {
-    name = account.name;
+    name = (qualifyUser account.name);
     isNormalUser = false;
     group = vmailGroupName;
     inherit (account) hashedPassword;
   };
 
   # mail_users :: { [String]: UserRecord }
-  mail_users = lib.foldl (prev: next: prev // { "${next.name}" = next; }) {}
+  mail_users = lib.foldl (prev: next: prev // { "${qualifyUser next.name}" = next; }) {}
     (map accountsToUser (lib.attrValues loginAccounts));
 in
diff --git a/nixops/single-server.nix b/nixops/single-server.nix
index 8072233..af909d1 100644
--- a/nixops/single-server.nix
+++ b/nixops/single-server.nix
@@ -15,18 +15,18 @@
         hostPrefix = "mail";
         loginAccounts = {
-          "user1@example.com" = {
+          "user1" = {
             hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
           };
         };
 
         virtualAliases = {
-          "user1@example2.com" = "user1@example.com";
-          "info@example.com" = "user1@example.com";
-          "postmaster@example.com" = "user1@example.com";
-          "abuse@example.com" = "user1@example.com";
-          "info@example2.com" = "user1@example.com";
-          "postmaster@example2.com" = "user1@example.com";
-          "abuse@example2.com" = "user1@example.com";
+          "info" = "user1";
+          "postmaster" = "user1";
+          "abuse" = "user1";
+          "user1@example2.com" = "user1";
+          "info@example2.com" = "user1";
+          "postmaster@example2.com" = "user1";
+          "abuse@example2.com" = "user1";
         };
       };
     };
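Review bot: In the second users.nix hunk `mail_users` folds over the output of `accountsToUser`, whose `name` is already `qualifyUser account.name`, so `"${qualifyUser next.name}"` qualifies an already qualified value; it is harmless only because `qualifyUser` passes names containing `@` through unchanged, and the old `"${next.name}"` was already correct. Keeping the qualification in one place, `accountsToUser`, makes it obvious that the attribute key and the `name` field of the system user it creates cannot diverge. The parentheses in `name = (qualifyUser account.name);` are redundant as well. In the first users.nix hunk the helper is fetched with a one-off `(import ./common.nix { inherit config lib; }).qualifyUser` while dovecot.nix and postfix.nix bring common.nix into scope with `with`; either form works, but the file-level `with config.mailserver;` above already shadows names, so a comment such as `# imported by name to avoid a second "with" scope` would explain the deliberate difference.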
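Review bot: The nixops/single-server.nix hunk switches the example to bare names, but nothing on the new side tells a reader that `"user1"` and `"info"` are completed with the `domain` set above while `"info@example2.com"` is kept verbatim because example2.com is one of the extra domains; since this file is the example people copy, a one-line comment above `loginAccounts`, `# names without "@" are qualified with mailserver.domain; extra domains must be spelled out`, would document the new convention where it is first encountered. The enclosing attribute set starts and ends outside the hunk.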