mail-accounts/nixos/default.nix

self: {
  lib,
  pkgs,
  config,
  options,
  ...
}:
with lib; {
  options.services.stalwart-accounts = {
    enable = mkEnableOption "stalwart-accounts, an account manager for stalwart mail server";

    package = mkOption {
      type = types.package;
      inherit (self.packages.${config.nixpkgs.system}) default;
    };

    logLevel = mkOption {
      type = types.str;
      default = "info";
    };

    settings = {
      jwtSecret = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          The JWT secret to be used by the application. Should be passed through environmentFile,
          with MAIL_ADMIN_JWT_SECRET.
        '';
      };

      oidcEndpoint = mkOption {
        type = types.str;
      };

      oidcClientId = mkOption {
        type = types.str;
      };

      oidcClientSecret = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "The environment variable MAIL_ADMIN_CLIENT_SECRET should be preferred";
      };

      domain = mkOption {
        type = types.str;
      };

      scopes = mkOption {
        type = types.str;
        default = "openid,profile";
      };

      mailDomain = mkOption {
        type = types.str;
      };

      databaseUrl = mkOption {
        type = types.str;
        default = "postgres://${config.services.stalwart-accounts.user}/stalwart-accounts?host=/var/run/postgresql";
      };
    };

    user = mkOption {
      type = types.str;
      default = "stalwart-accounts";
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
    };
  };

  config = let
    cfg = config.services.stalwart-accounts;
  in
    mkIf cfg.enable {
      systemd.services.stalwart-accounts = {
        description = "stalwart-accounts";
        after = ["network.target" "postgresql.service"];
        wantedBy = ["multi-user.target"];

        serviceConfig = {
          Type = "simple";
          User = cfg.user;
          ExecStart = "${cfg.package}/bin/stalwart-accounts";
          EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
          # Security
          NoNewPrivileges = true;
          # Sandboxing
          ProtectSystem = "strict";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
        };

        environment = {
          RUST_LOG = cfg.logLevel;
          MAIL_ADMIN_DATABASE_URL = cfg.settings.databaseUrl;
          MAIL_ADMIN_DOMAIN = cfg.settings.domain;
          MAIL_ADMIN_OIDC_ENDPOINT = cfg.settings.oidcEndpoint;
          MAIL_ADMIN_CLIENT_ID = cfg.settings.oidcClientId;
          MAIL_ADMIN_SCOPES = cfg.settings.scopes;
          MAIL_ADMIN_MAIL_DOMAIN = cfg.settings.mailDomain;
          MAIL_ADMIN_JWT_SECRET = cfg.settings.jwtSecret;
          MAIL_ADMIN_CLIENT_SECRET = cfg.settings.oidcClientSecret;
        };
      };

      services.postgresql =
        mkIf (cfg.settings.databaseUrl == options.services.stalwart-accounts.settings.databaseUrl.default)
        {
          ensureUsers = [
            {
              name = cfg.user;
              ensurePermissions = {"DATABASE \"stalwart-accounts\"" = "ALL PRIVILEGES";};
            }
          ];
          ensureDatabases = ["stalwart-accounts"];
        };

      users = mkIf (cfg.user == "stalwart-accounts") {
        users.stalwart-accounts = {
          description = "stalwart-accounts user";
          group = "stalwart-accounts";
          isSystemUser = true;
        };
        groups.stalwart-accounts = {};
      };
    };
}
Add a nixos module 2023-10-10 20:35:10 +02:00			`self: {`
			`lib,`
			`pkgs,`
			`config,`
			`options,`
			`...`
			`}:`
			`with lib; {`
			`options.services.stalwart-accounts = {`
			`enable = mkEnableOption "stalwart-accounts, an account manager for stalwart mail server";`

			`package = mkOption {`
			`type = types.package;`
			`inherit (self.packages.${config.nixpkgs.system}) default;`
			`};`

			`logLevel = mkOption {`
			`type = types.str;`
			`default = "info";`
			`};`

			`settings = {`
			`jwtSecret = mkOption {`
			`type = types.nullOr types.str;`
			`default = null;`
			`description = ''`
			`The JWT secret to be used by the application. Should be passed through environmentFile,`
			`with MAIL_ADMIN_JWT_SECRET.`
			`'';`
			`};`

			`oidcEndpoint = mkOption {`
			`type = types.str;`
			`};`

			`oidcClientId = mkOption {`
			`type = types.str;`
			`};`

			`oidcClientSecret = mkOption {`
			`type = types.nullOr types.str;`
			`default = null;`
			`description = "The environment variable MAIL_ADMIN_CLIENT_SECRET should be preferred";`
			`};`

			`domain = mkOption {`
			`type = types.str;`
			`};`

			`scopes = mkOption {`
			`type = types.str;`
			`default = "openid,profile";`
			`};`

			`mailDomain = mkOption {`
			`type = types.str;`
			`};`

			`databaseUrl = mkOption {`
			`type = types.str;`
			`default = "postgres://${config.services.stalwart-accounts.user}/stalwart-accounts?host=/var/run/postgresql";`
			`};`
			`};`

			`user = mkOption {`
			`type = types.str;`
			`default = "stalwart-accounts";`
			`};`

			`environmentFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`};`
			`};`

			`config = let`
			`cfg = config.services.stalwart-accounts;`
			`in`
			`mkIf cfg.enable {`
			`systemd.services.stalwart-accounts = {`
			`description = "stalwart-accounts";`
			`after = ["network.target" "postgresql.service"];`
			`wantedBy = ["multi-user.target"];`

			`serviceConfig = {`
			`Type = "simple";`
			`User = cfg.user;`
Rename to stalwart-accounts 2023-10-10 21:19:02 +02:00			`ExecStart = "${cfg.package}/bin/stalwart-accounts";`
Add a nixos module 2023-10-10 20:35:10 +02:00			`EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;`
			`# Security`
			`NoNewPrivileges = true;`
			`# Sandboxing`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`PrivateUsers = true;`
			`ProtectHostname = true;`
			`ProtectClock = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelLogs = true;`
			`ProtectControlGroups = true;`
			`RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`PrivateMounts = true;`
			`};`

			`environment = {`
			`RUST_LOG = cfg.logLevel;`
			`MAIL_ADMIN_DATABASE_URL = cfg.settings.databaseUrl;`
			`MAIL_ADMIN_DOMAIN = cfg.settings.domain;`
			`MAIL_ADMIN_OIDC_ENDPOINT = cfg.settings.oidcEndpoint;`
			`MAIL_ADMIN_CLIENT_ID = cfg.settings.oidcClientId;`
			`MAIL_ADMIN_SCOPES = cfg.settings.scopes;`
			`MAIL_ADMIN_MAIL_DOMAIN = cfg.settings.mailDomain;`
			`MAIL_ADMIN_JWT_SECRET = cfg.settings.jwtSecret;`
			`MAIL_ADMIN_CLIENT_SECRET = cfg.settings.oidcClientSecret;`
			`};`
			`};`

			`services.postgresql =`
			`mkIf (cfg.settings.databaseUrl == options.services.stalwart-accounts.settings.databaseUrl.default)`
			`{`
			`ensureUsers = [`
			`{`
			`name = cfg.user;`
			`ensurePermissions = {"DATABASE \"stalwart-accounts\"" = "ALL PRIVILEGES";};`
			`}`
			`];`
			`ensureDatabases = ["stalwart-accounts"];`
			`};`

			`users = mkIf (cfg.user == "stalwart-accounts") {`
			`users.stalwart-accounts = {`
			`description = "stalwart-accounts user";`
			`group = "stalwart-accounts";`
			`isSystemUser = true;`
			`};`
			`groups.stalwart-accounts = {};`
			`};`
			`};`
			`}`