Fix password hash file generation behavior
- Move the "create password hash file from hashed password" behavior to a separate variable, since having it in the default field of config would always cause the warning to trigger - Change type of hashedPassword to `nullOr str`
This commit is contained in:
parent
7bda4c4f11
commit
6563abc1c4
5 changed files with 95 additions and 23 deletions
21
default.nix
21
default.nix
|
@ -56,10 +56,27 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
hashedPassword = mkOption {
|
hashedPassword = mkOption {
|
||||||
type = types.str;
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
||||||
description = ''
|
description = ''
|
||||||
Hashed password. Use `mkpasswd` as follows
|
The user's hashed password. Use `mkpasswd` as follows
|
||||||
|
|
||||||
|
```
|
||||||
|
mkpasswd -m sha-512 "super secret password"
|
||||||
|
```
|
||||||
|
|
||||||
|
Warning: this is stored in plaintext in the Nix store!
|
||||||
|
Use `hashedPasswordFile` instead.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
hashedPasswordFile = mkOption {
|
||||||
|
type = with types; nullOr path;
|
||||||
|
default = null;
|
||||||
|
example = "/run/keys/user1-passwordhash";
|
||||||
|
description = ''
|
||||||
|
A file containing the user's hashed password. Use `mkpasswd` as follows
|
||||||
|
|
||||||
```
|
```
|
||||||
mkpasswd -m sha-512 "super secret password"
|
mkpasswd -m sha-512 "super secret password"
|
||||||
|
|
|
@ -14,17 +14,10 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||||
|
|
||||||
{ config, lib }:
|
{ config, pkgs, lib }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.mailserver;
|
cfg = config.mailserver;
|
||||||
# passwd :: [ String ]
|
|
||||||
passwd = lib.mapAttrsToList
|
|
||||||
(name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
|
|
||||||
+ (if lib.isString value.quota
|
|
||||||
then "userdb_quota_rule=*:storage=${value.quota}"
|
|
||||||
else ""))
|
|
||||||
cfg.loginAccounts;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# cert :: PATH
|
# cert :: PATH
|
||||||
|
@ -45,6 +38,11 @@ in
|
||||||
then "/var/lib/acme/${cfg.fqdn}/key.pem"
|
then "/var/lib/acme/${cfg.fqdn}/key.pem"
|
||||||
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
|
else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
|
||||||
|
|
||||||
# passwdFile :: PATH
|
passwordFiles = let
|
||||||
passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd);
|
mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
|
||||||
|
in
|
||||||
|
lib.mapAttrs (name: value:
|
||||||
|
if value.hashedPasswordFile == null then
|
||||||
|
builtins.toString (mkHashFile name value.hashedPassword)
|
||||||
|
else value.hashedPasswordFile) cfg.loginAccounts;
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,11 +16,14 @@
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
with (import ./common.nix { inherit config lib; });
|
with (import ./common.nix { inherit config pkgs lib; });
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.mailserver;
|
cfg = config.mailserver;
|
||||||
|
|
||||||
|
passwdDir = "/run/dovecot2";
|
||||||
|
passwdFile = "${passwdDir}/passwd";
|
||||||
|
|
||||||
maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
|
maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
|
||||||
|
|
||||||
# maildir in format "/${domain}/${user}"
|
# maildir in format "/${domain}/${user}"
|
||||||
|
@ -47,6 +50,35 @@ let
|
||||||
done
|
done
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
genPasswdScript = pkgs.writeScript "generate-password-file" ''
|
||||||
|
#!${pkgs.stdenv.shell}
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
if (! test -d "${passwdDir}"); then
|
||||||
|
mkdir "${passwdDir}"
|
||||||
|
chmod 755 "${passwdDir}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
|
||||||
|
if [ ! -f "$f" ]; then
|
||||||
|
echo "Expected password hash file $f does not exist!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
cat <<EOF > ${passwdFile}
|
||||||
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
||||||
|
"${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
|
||||||
|
+ (if lib.isString value.quota
|
||||||
|
then "userdb_quota_rule=*:storage=${value.quota}"
|
||||||
|
else "")
|
||||||
|
) cfg.loginAccounts)}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod 600 ${passwdFile}
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = with cfg; lib.mkIf enable {
|
config = with cfg; lib.mkIf enable {
|
||||||
|
@ -165,7 +197,18 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.dovecot2.preStart = ''
|
systemd.services.gen-passwd-file = {
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = genPasswdScript;
|
||||||
|
Type = "oneshot";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.dovecot2 = {
|
||||||
|
after = [ "gen-passwd-file.service" ];
|
||||||
|
wants = [ "gen-passwd-file.service" ];
|
||||||
|
requires = [ "gen-passwd-file.service" ];
|
||||||
|
preStart = ''
|
||||||
rm -rf '${stateDir}/imap_sieve'
|
rm -rf '${stateDir}/imap_sieve'
|
||||||
mkdir '${stateDir}/imap_sieve'
|
mkdir '${stateDir}/imap_sieve'
|
||||||
cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
|
cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
|
||||||
|
@ -174,6 +217,7 @@ in
|
||||||
done
|
done
|
||||||
chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
|
chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.postfix.restartTriggers = [ passwdFile ];
|
systemd.services.postfix.restartTriggers = [ passwdFile ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
with (import ./common.nix { inherit config lib; });
|
with (import ./common.nix { inherit config pkgs lib; });
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib.strings) concatStringsSep;
|
inherit (lib.strings) concatStringsSep;
|
||||||
|
|
|
@ -66,6 +66,19 @@ let
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
config = lib.mkIf enable {
|
config = lib.mkIf enable {
|
||||||
|
# assert that all accounts provide a password
|
||||||
|
assertions = (map (acct: {
|
||||||
|
assertion = (acct.hashedPassword != null || acct.hashedPasswordFile != null);
|
||||||
|
message = "${acct.name} must provide either a hashed password or a password hash file";
|
||||||
|
}) (lib.attrValues loginAccounts));
|
||||||
|
|
||||||
|
# warn for accounts that specify both password and file
|
||||||
|
warnings = (map
|
||||||
|
(acct: "${acct.name} specifies both a password hash and hash file; hash file will be used")
|
||||||
|
(lib.filter
|
||||||
|
(acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null))
|
||||||
|
(lib.attrValues loginAccounts)));
|
||||||
|
|
||||||
# set the vmail gid to a specific value
|
# set the vmail gid to a specific value
|
||||||
users.groups = {
|
users.groups = {
|
||||||
"${vmailGroupName}" = { gid = vmailUID; };
|
"${vmailGroupName}" = { gid = vmailUID; };
|
||||||
|
|
Loading…
Reference in a new issue