traxys/mail-accounts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add a nixos module

Browse source
This commit is contained in:
traxys 2023-10-10 20:35:10 +02:00
parent e1d539e893
commit b1df749b24
2 changed files with 149 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

146
nixos/default.nix Normal file
View file

@ -0,0 +1,146 @@
self: {
lib,
pkgs,
config,
options,
...
}:
with lib; {
options.services.stalwart-accounts = {
enable = mkEnableOption "stalwart-accounts, an account manager for stalwart mail server";
package = mkOption {
type = types.package;
inherit (self.packages.${config.nixpkgs.system}) default;
};
logLevel = mkOption {
type = types.str;
default = "info";
};
settings = {
jwtSecret = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The JWT secret to be used by the application. Should be passed through environmentFile,
with MAIL_ADMIN_JWT_SECRET.
'';
};
oidcEndpoint = mkOption {
type = types.str;
};
oidcClientId = mkOption {
type = types.str;
};
oidcClientSecret = mkOption {
type = types.nullOr types.str;
default = null;
description = "The environment variable MAIL_ADMIN_CLIENT_SECRET should be preferred";
};
domain = mkOption {
type = types.str;
};
scopes = mkOption {
type = types.str;
default = "openid,profile";
};
mailDomain = mkOption {
type = types.str;
};
databaseUrl = mkOption {
type = types.str;
default = "postgres://${config.services.stalwart-accounts.user}/stalwart-accounts?host=/var/run/postgresql";
};
};
user = mkOption {
type = types.str;
default = "stalwart-accounts";
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
};
};
config = let
cfg = config.services.stalwart-accounts;
in
mkIf cfg.enable {
systemd.services.stalwart-accounts = {
description = "stalwart-accounts";
after = ["network.target" "postgresql.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = cfg.user;
ExecStart = "${cfg.package}/bin/mail_accounts";
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
};
environment = {
RUST_LOG = cfg.logLevel;
MAIL_ADMIN_DATABASE_URL = cfg.settings.databaseUrl;
MAIL_ADMIN_DOMAIN = cfg.settings.domain;
MAIL_ADMIN_OIDC_ENDPOINT = cfg.settings.oidcEndpoint;
MAIL_ADMIN_CLIENT_ID = cfg.settings.oidcClientId;
MAIL_ADMIN_SCOPES = cfg.settings.scopes;
MAIL_ADMIN_MAIL_DOMAIN = cfg.settings.mailDomain;
MAIL_ADMIN_JWT_SECRET = cfg.settings.jwtSecret;
MAIL_ADMIN_CLIENT_SECRET = cfg.settings.oidcClientSecret;
};
};
services.postgresql =
mkIf (cfg.settings.databaseUrl == options.services.stalwart-accounts.settings.databaseUrl.default)
{
ensureUsers = [
{
name = cfg.user;
ensurePermissions = {"DATABASE \"stalwart-accounts\"" = "ALL PRIVILEGES";};
}
];
ensureDatabases = ["stalwart-accounts"];
};
users = mkIf (cfg.user == "stalwart-accounts") {
users.stalwart-accounts = {
description = "stalwart-accounts user";
group = "stalwart-accounts";
isSystemUser = true;
};
groups.stalwart-accounts = {};
};
};
}