add vitual mail users

2018-02-18 12:17:32 +01:00 · 2018-02-18 12:17:32 +01:00 · 436cf0513b
commit 436cf0513b
parent 3c625fc191 3b9b7961d4
7 changed files with 61 additions and 22 deletions
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@ -14,10 +14,17 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>

-{ config }:
+{ config, lib }:

 let
  cfg = config.mailserver;
+  # passwd :: [ String ]
+  passwd = lib.mapAttrsToList
+    (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+     + (if lib.isString value.quota
+            then "userdb_quota_rule=*:storage=${value.quota}"
+            else ""))
+            cfg.loginAccounts;
 in
 {
  # cert :: PATH
@ -37,4 +44,7 @@ in
              else if cfg.certificateScheme == 3
                   then "/var/lib/acme/${cfg.fqdn}/key.pem"
                   else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
+
+  # passwdFile :: PATH
+  passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd);
 }
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@ -16,7 +16,7 @@

 { config, pkgs, lib, ... }:

-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib; });

 let
  cfg = config.mailserver;
@ -33,6 +33,8 @@ in
      enable = true;
      enableImap = enableImap;
      enablePop3 = enablePop3;
+      enablePAM = false;
+      enableQuota = true;
      mailGroup = vmailGroupName;
      mailUser = vmailUserName;
      mailLocation = dovecot_maildir;
@ -79,6 +81,16 @@ in
          mail_plugins = $mail_plugins sieve
        }

+        passdb {
+          driver = passwd-file
+          args = ${passwdFile}
+        }
+
+        userdb {
+          driver = passwd-file
+          args = ${passwdFile}
+        }
+
        service auth {
          unix_listener /var/lib/postfix/queue/private/auth {
            mode = 0660
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@ -16,7 +16,7 @@

 { config, pkgs, lib, ... }:

-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib; });

 let
  inherit (lib.strings) concatStringsSep;
@ -124,6 +124,9 @@ in
        smtpd_sasl_auth_enable = yes
        smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

+        # quota
+        smtpd_recipient_restrictions = check_policy_service inet:mailstore.example.com:12340
+
        # TLS settings, inspired by https://github.com/jeaye/nix-files
        # Submission by mail clients is handled in submissionOptions
        smtpd_tls_security_level = may
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@ -28,16 +28,6 @@ let
    group = vmailGroupName;
  };

-  # accountsToUser :: String -> UserRecord
-  accountsToUser = account: {
-    isNormalUser = false;
-    group = vmailGroupName;
-    inherit (account) hashedPassword name;
-  };
-
-  # mail_users :: { [String]: UserRecord }
-  mail_users = lib.foldl (prev: next: prev // { "${next.name}" = next; }) {}
-    (map accountsToUser (lib.attrValues loginAccounts));

  virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" ''
    #!${pkgs.stdenv.shell}
@ -82,7 +72,7 @@ in {
    };

    # define all users
-    users.users = mail_users // {
+    users.users = {
      "${vmail_user.name}" = lib.mkForce vmail_user;
    };