Merge branch 'cleanup' into 'master'

treewide: remove global `with lib` and overly broad `with cfg`

See merge request simple-nixos-mailserver/nixos-mailserver!416
Martin Weinelt 2025-06-15 03:48:33 +00:00
commit 67b0a7e946
8 changed files with 723 additions and 721 deletions


@ -21,9 +21,20 @@
... ...
}: }:
with lib;
let let
inherit (lib)
literalExpression
literalMD
mkDefault
mkEnableOption
mkOption
mkOptionType
mkRemovedOptionModule
mkRenamedOptionModule
types
warn
;
cfg = config.mailserver; cfg = config.mailserver;
in in
{ {
@ -269,7 +280,7 @@ in
tlsCAFile = mkOption { tlsCAFile = mkOption {
type = types.path; type = types.path;
default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)"; defaultText = literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
description = '' description = ''
Certifificate trust anchors used to verify the LDAP server certificate. Certifificate trust anchors used to verify the LDAP server certificate.
''; '';
@ -1064,7 +1075,7 @@ in
type = types.str; type = types.str;
# read the default from nixos' redis module # read the default from nixos' redis module
default = config.services.redis.servers.rspamd.unixSocket; default = config.services.redis.servers.rspamd.unixSocket;
defaultText = lib.literalExpression "config.services.redis.servers.rspamd.unixSocket"; defaultText = literalExpression "config.services.redis.servers.rspamd.unixSocket";
description = '' description = ''
Path, IP address or hostname that Rspamd should use to contact Redis. Path, IP address or hostname that Rspamd should use to contact Redis.
''; '';
@ -1073,7 +1084,7 @@ in
port = mkOption { port = mkOption {
type = with types; nullOr port; type = with types; nullOr port;
default = null; default = null;
example = lib.literalExpression "config.services.redis.servers.rspamd.port"; example = literalExpression "config.services.redis.servers.rspamd.port";
description = '' description = ''
Port that Rspamd should use to contact Redis. Port that Rspamd should use to contact Redis.
''; '';
@ -1082,7 +1093,7 @@ in
password = mkOption { password = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = config.services.redis.servers.rspamd.requirePass; default = config.services.redis.servers.rspamd.requirePass;
defaultText = lib.literalExpression "config.services.redis.servers.rspamd.requirePass"; defaultText = literalExpression "config.services.redis.servers.rspamd.requirePass";
description = '' description = ''
Password that rspamd should use to contact redis, or null if not required. Password that rspamd should use to contact redis, or null if not required.
''; '';
@ -1102,7 +1113,7 @@ in
sendingFqdn = mkOption { sendingFqdn = mkOption {
type = types.str; type = types.str;
default = cfg.fqdn; default = cfg.fqdn;
defaultText = lib.literalMD "{option}`mailserver.fqdn`"; defaultText = literalMD "{option}`mailserver.fqdn`";
example = "myserver.example.com"; example = "myserver.example.com";
description = '' description = ''
The fully qualified domain name of the mail server used to The fully qualified domain name of the mail server used to
@ -1178,7 +1189,7 @@ in
start program = "${pkgs.systemd}/bin/systemctl start rspamd" start program = "${pkgs.systemd}/bin/systemctl start rspamd"
stop program = "${pkgs.systemd}/bin/systemctl stop rspamd" stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
''; '';
defaultText = lib.literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)"; defaultText = literalMD "see [source](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/default.nix)";
description = '' description = ''
The configuration used for monitoring via monit. The configuration used for monitoring via monit.
Use a mail address that you actively check and set it via 'set alert ...'. Use a mail address that you actively check and set it via 'set alert ...'.
@ -1287,7 +1298,7 @@ in
locations = mkOption { locations = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = [ cfg.mailDirectory ]; default = [ cfg.mailDirectory ];
defaultText = lib.literalExpression "[ config.mailserver.mailDirectory ]"; defaultText = literalExpression "[ config.mailserver.mailDirectory ]";
description = "The locations that are to be backed up by borg."; description = "The locations that are to be backed up by borg.";
}; };
@ -1388,29 +1399,29 @@ in
}; };
imports = [ imports = [
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "enable" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "enable" ] ''
This option is not needed for fts-flatcurve This option is not needed for fts-flatcurve
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "onCalendar" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "onCalendar" ] ''
This option is not needed for fts-flatcurve This option is not needed for fts-flatcurve
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "randomizedDelaySec" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maintenance" "randomizedDelaySec" ] ''
This option is not needed for fts-flatcurve This option is not needed for fts-flatcurve
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "minSize" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "minSize" ] ''
This option is not supported by fts-flatcurve This option is not supported by fts-flatcurve
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maxSize" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "maxSize" ] ''
This option is not needed since fts-xapian 1.8.3 This option is not needed since fts-xapian 1.8.3
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "fullTextSearch" "indexAttachments" ] '' (mkRemovedOptionModule [ "mailserver" "fullTextSearch" "indexAttachments" ] ''
Text attachments are always indexed since fts-xapian 1.4.8 Text attachments are always indexed since fts-xapian 1.4.8
'') '')
(lib.mkRenamedOptionModule (mkRenamedOptionModule
[ "mailserver" "rebootAfterKernelUpgrade" "enable" ] [ "mailserver" "rebootAfterKernelUpgrade" "enable" ]
[ "system" "autoUpgrade" "allowReboot" ] [ "system" "autoUpgrade" "allowReboot" ]
) )
(lib.mkRemovedOptionModule [ "mailserver" "rebootAfterKernelUpgrade" "method" ] '' (mkRemovedOptionModule [ "mailserver" "rebootAfterKernelUpgrade" "method" ] ''
Use `system.autoUpgrade` instead. Use `system.autoUpgrade` instead.
'') '')
./mail-server/assertions.nix ./mail-server/assertions.nix
@ -1427,17 +1438,17 @@ in
./mail-server/rspamd.nix ./mail-server/rspamd.nix
./mail-server/nginx.nix ./mail-server/nginx.nix
./mail-server/kresd.nix ./mail-server/kresd.nix
(lib.mkRemovedOptionModule [ "mailserver" "policydSPFExtraConfig" ] '' (mkRemovedOptionModule [ "mailserver" "policydSPFExtraConfig" ] ''
SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings. SPF checking has been migrated to Rspamd, which makes this config redundant. Please look into the rspamd config to migrate your settings.
It may be that they are redundant and are already configured in rspamd like for skip_addresses. It may be that they are redundant and are already configured in rspamd like for skip_addresses.
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "dkimHeaderCanonicalization" ] '' (mkRemovedOptionModule [ "mailserver" "dkimHeaderCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization. DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] '' (mkRemovedOptionModule [ "mailserver" "dkimBodyCanonicalization" ] ''
DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization. DKIM signing has been migrated to Rspamd, which always uses relaxed canonicalization.
'') '')
(lib.mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] '' (mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default. The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
'') '')
]; ];
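Review bot: The redis `port` option still uses a scoped `type = with types; nullOr port;` while the neighbouring `password` option in the next hunk spells out `types.nullOr types.str`; with `types` now explicitly inherited, `type = types.nullOr types.port;` keeps the two in one style and removes the last `with` in these hunks. The new `inherit (lib)` list also pulls in `mkDefault`, `mkEnableOption`, `mkOptionType` and `warn`, whose call sites are outside the shown hunks — presumably they were previously reached through the dropped `with lib;`, so a grep for unqualified `lib` functions before merge would confirm none was missed. Unrelated to the refactor but adjacent to it, the LDAP `tlsCAFile` description reads `Certifificate`, which should be `Certificate`.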


@ -163,9 +163,7 @@ let
in in
{ {
config = config = lib.mkIf cfg.enable {
with cfg;
lib.mkIf enable {
assertions = [ assertions = [
{ {
assertion = junkMailboxNumber == 1; assertion = junkMailboxNumber == 1;
@ -200,12 +198,12 @@ in
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
enableImap = enableImap || enableImapSsl; enableImap = cfg.enableImap || cfg.enableImapSsl;
enablePop3 = enablePop3 || enablePop3Ssl; enablePop3 = cfg.enablePop3 || cfg.enablePop3Ssl;
enablePAM = false; enablePAM = false;
enableQuota = true; enableQuota = true;
mailGroup = vmailGroupName; mailGroup = cfg.vmailGroupName;
mailUser = vmailUserName; mailUser = cfg.vmailUserName;
mailLocation = dovecotMaildir; mailLocation = dovecotMaildir;
sslServerCert = certificatePath; sslServerCert = certificatePath;
sslServerKey = keyPath; sslServerKey = keyPath;
@ -264,7 +262,7 @@ in
extraConfig = '' extraConfig = ''
#Extra Config #Extra Config
${lib.optionalString debug '' ${lib.optionalString cfg.debug ''
mail_debug = yes mail_debug = yes
auth_debug = yes auth_debug = yes
verbose_ssl = yes verbose_ssl = yes
@ -346,7 +344,7 @@ in
mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser} mail_max_userip_connections = ${toString cfg.maxConnectionsPerUser}
} }
mail_access_groups = ${vmailGroupName} mail_access_groups = ${cfg.vmailGroupName}
# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7 # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
ssl = required ssl = required
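Review bot: With `with cfg;` gone, the unqualified `dovecotMaildir`, `certificatePath` and `keyPath` in the `services.dovecot2` block, and `junkMailboxNumber` in the assertion, resolve only if they are `let`-bound above the hunk; the hunks start after that `let`, so I cannot confirm it here, and any of them that was in fact a `cfg` attribute would now be an undefined-variable error at evaluation rather than a silent fallback. An evaluation of the module with `mailserver.enable = true` before merge would settle it. Separately, the `cfg.debug` branch turns on `auth_debug` and `verbose_ssl`, which make Dovecot log authentication-related details; if the `mailserver.debug` option description (outside this hunk) does not already say this is not for production use, that would be the place to say so.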


@ -25,9 +25,7 @@ let
cfg = config.mailserver; cfg = config.mailserver;
in in
{ {
config = config = lib.mkIf cfg.enable {
with cfg;
lib.mkIf enable {
environment.systemPackages = environment.systemPackages =
with pkgs; with pkgs;
[ [
@ -36,6 +34,6 @@ in
postfix postfix
rspamd rspamd
] ]
++ (if certificateScheme == "selfsigned" then [ openssl ] else [ ]); ++ (if cfg.certificateScheme == "selfsigned" then [ openssl ] else [ ]);
}; };
} }
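Review bot: `++ (if cfg.certificateScheme == "selfsigned" then [ openssl ] else [ ])` does the same job as the `lib.optional` form the firewall module in this commit uses for its ports; `++ lib.optional (cfg.certificateScheme == "selfsigned") pkgs.openssl` reads the same across both files and leaves the remaining `with pkgs;` covering only the literal package list. This is style only; the resulting package set is unchanged.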


@ -20,21 +20,19 @@ let
cfg = config.mailserver; cfg = config.mailserver;
in in
{ {
config = config = lib.mkIf (cfg.enable && cfg.openFirewall) {
with cfg;
lib.mkIf (enable && openFirewall) {
networking.firewall = { networking.firewall = {
allowedTCPPorts = allowedTCPPorts =
[ 25 ] [ 25 ]
++ lib.optional enableSubmission 587 ++ lib.optional cfg.enableSubmission 587
++ lib.optional enableSubmissionSsl 465 ++ lib.optional cfg.enableSubmissionSsl 465
++ lib.optional enableImap 143 ++ lib.optional cfg.enableImap 143
++ lib.optional enableImapSsl 993 ++ lib.optional cfg.enableImapSsl 993
++ lib.optional enablePop3 110 ++ lib.optional cfg.enablePop3 110
++ lib.optional enablePop3Ssl 995 ++ lib.optional cfg.enablePop3Ssl 995
++ lib.optional enableManageSieve 4190 ++ lib.optional cfg.enableManageSieve 4190
++ lib.optional (certificateScheme == "acme-nginx") 80; ++ lib.optional (cfg.certificateScheme == "acme-nginx") 80;
}; };
}; };
} }


@ -233,9 +233,7 @@ let
}; };
in in
{ {
config = config = lib.mkIf cfg.enable {
with cfg;
lib.mkIf enable {
systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable { systemd.services.postfix-setup = lib.mkIf cfg.ldap.enable {
preStart = '' preStart = ''
@ -250,7 +248,7 @@ in
services.postfix = { services.postfix = {
enable = true; enable = true;
hostname = "${sendingFqdn}"; hostname = "${cfg.sendingFqdn}";
networksStyle = "host"; networksStyle = "host";
mapFiles."valias" = valiases_file; mapFiles."valias" = valiases_file;
mapFiles."regex_valias" = regex_valiases_file; mapFiles."regex_valias" = regex_valiases_file;
@ -276,14 +274,14 @@ in
# Extra Config # Extra Config
mydestination = ""; mydestination = "";
recipient_delimiter = cfg.recipientDelimiter; recipient_delimiter = cfg.recipientDelimiter;
smtpd_banner = "${fqdn} ESMTP NO UCE"; smtpd_banner = "${cfg.fqdn} ESMTP NO UCE";
disable_vrfy_command = true; disable_vrfy_command = true;
message_size_limit = toString cfg.messageSizeLimit; message_size_limit = toString cfg.messageSizeLimit;
# virtual mail system # virtual mail system
virtual_uid_maps = "static:5000"; virtual_uid_maps = "static:5000";
virtual_gid_maps = "static:5000"; virtual_gid_maps = "static:5000";
virtual_mailbox_base = mailDirectory; virtual_mailbox_base = cfg.mailDirectory;
virtual_mailbox_domains = vhosts_file; virtual_mailbox_domains = vhosts_file;
virtual_mailbox_maps = virtual_mailbox_maps =
[ [
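Review bot: `hostname = "${cfg.sendingFqdn}";` interpolates a value that is already a string — `sendingFqdn` is declared `type = types.str` in the options file touched by this same commit — so `hostname = cfg.sendingFqdn;` is equivalent and one less construct for a reader to parse. The same does not apply to `smtpd_banner`, where the interpolation is genuinely needed. The `services.postfix` attribute set continues past the end of this hunk.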


@ -21,9 +21,12 @@
... ...
}: }:
with lib;
let let
inherit (lib)
optionalString
mkIf
;
cfg = config.mailserver; cfg = config.mailserver;
preexecDefined = cfg.backup.cmdPreexec != null; preexecDefined = cfg.backup.cmdPreexec != null;
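Review bot: The new `inherit (lib) optionalString mkIf ;` lists its names in a different order from the alphabetically sorted `inherit (lib)` block this commit adds to the options file; `inherit (lib) mkIf optionalString;` keeps the two files consistent and gives later additions an obvious place. This hunk's `let` block continues beyond the lines shown.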


@ -52,9 +52,7 @@ let
''; '';
in in
{ {
config = config = lib.mkIf cfg.enable {
with cfg;
lib.mkIf enable {
environment.systemPackages = lib.mkBefore [ environment.systemPackages = lib.mkBefore [
(pkgs.runCommand "rspamc-wrapped" (pkgs.runCommand "rspamc-wrapped"
{ {
@ -69,7 +67,7 @@ in
services.rspamd = { services.rspamd = {
enable = true; enable = true;
inherit debug; inherit (cfg) debug;
locals = { locals = {
"milter_headers.conf" = { "milter_headers.conf" = {
text = '' text = ''


@ -32,9 +32,7 @@ let
[ "acme-finished-${cfg.fqdn}.target" ]; [ "acme-finished-${cfg.fqdn}.target" ];
in in
{ {
config = config = lib.mkIf cfg.enable {
with cfg;
lib.mkIf enable {
# Create self signed certificate # Create self signed certificate
systemd.services.mailserver-selfsigned-certificate = systemd.services.mailserver-selfsigned-certificate =
lib.mkIf (cfg.certificateScheme == "selfsigned") lib.mkIf (cfg.certificateScheme == "selfsigned")
@ -68,7 +66,7 @@ in
preStart = preStart =
let let
directories = lib.strings.escapeShellArgs ( directories = lib.strings.escapeShellArgs (
[ mailDirectory ] ++ lib.optional (cfg.indexDir != null) cfg.indexDir [ cfg.mailDirectory ] ++ lib.optional (cfg.indexDir != null) cfg.indexDir
); );
in in
'' ''
@ -77,7 +75,7 @@ in
# Prevent world-readable paths, even temporarily. # Prevent world-readable paths, even temporarily.
umask 007 umask 007
mkdir -p ${directories} mkdir -p ${directories}
chgrp "${vmailGroupName}" ${directories} chgrp "${cfg.vmailGroupName}" ${directories}
chmod 02770 ${directories} chmod 02770 ${directories}
''; '';
}; };
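Review bot: In the `preStart` script, `chgrp "${cfg.vmailGroupName}" ${directories}` relies on plain double quotes while `directories` on the line above goes through `lib.strings.escapeShellArgs`; a group name containing `$`, a backquote or a double quote would be interpreted by the shell, whereas `chgrp ${lib.escapeShellArg cfg.vmailGroupName} ${directories}` is quoted the same way as its neighbour and holds for any value the option type admits. The value comes from module configuration rather than runtime input, so this is consistency and robustness rather than an exposure, but it is exactly what the adjacent `escapeShellArgs` call exists to prevent. The enclosing `systemd.services` definition starts above this hunk.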