commit 616ba4ae5cad56b00154da4889925eb767b51ce8 · pyrox.dev/nixpkgs

+3 -1

nixos/doc/manual/release-notes/rl-2305.section.md

···

       292
        
         replacement. It stores backups as volume dump files and thus better integrates

     

       293
        
         into contemporary backup solutions.

     

       294
        
       

     

       295
       -
       - `services.maddy` now allows to configure users and their credentials using `services.maddy.ensureCredentials`.

     

       0
        
       
     

       0
        
       
     

       296
        
       

     

       297
        
       - The `dnsmasq` service now takes configuration via the

     

       298
        
         `services.dnsmasq.settings` attribute set. The option

···

       292
        
         replacement. It stores backups as volume dump files and thus better integrates

     

       293
        
         into contemporary backup solutions.

     

       294
        
       

     

       295
       +
       - `services.maddy` got several updates:

     

       296
       +
         - Configuration of users and their credentials using `services.maddy.ensureCredentials`.

     

       297
       +
         - Configuration of TLS key and certificate files using `services.maddy.tls`.

     

       298
        
       

     

       299
        
       - The `dnsmasq` service now takes configuration via the

     

       300
        
         `services.dnsmasq.settings` attribute set. The option

+80 -3

nixos/modules/services/mail/maddy.nix

···

       13
        
           # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf

     

       14
        
           # Do not use this in production!

     

       15
        
       

     

       16
       -
           tls off

     

       17
       -
       

     

       18
        
           auth.pass_table local_authdb {

     

       19
        
             table sql_table {

     

       20
        
               driver sqlite3

     
···

       35
        
             }

     

       36
        
             optional_step file /etc/maddy/aliases

     

       37
        
           }

     

       0
        
       
     

       38
        
           msgpipeline local_routing {

     

       39
        
             destination postmaster $(local_domains) {

     

       40
        
               modify {

     
···

       215
        
               '';

     

       216
        
             };

     

       217
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       218
        
             openFirewall = mkOption {

     

       219
        
               type = types.bool;

     

       220
        
               default = false;

     
···

       224
        
             };

     

       225
        
       

     

       226
        
             ensureAccounts = mkOption {

     

       227
       -
               type = types.listOf types.str;

     

       228
        
               default = [];

     

       229
        
               description = lib.mdDoc ''

     

       230
        
                 List of IMAP accounts which get automatically created. Note that for

     
···

       270
        
       

     

       271
        
         config = mkIf cfg.enable {

     

       272
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       273
        
           systemd = {

     

       274
        
       

     

       275
        
             packages = [ pkgs.maddy ];

     
···

       318
        
               $(primary_domain) = ${cfg.primaryDomain}

     

       319
        
               $(local_domains) = ${toString cfg.localDomains}

     

       320
        
               hostname ${cfg.hostname}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       321
        
               ${cfg.config}

     

       322
        
             '';

     

       323
        
           };

···

       13
        
           # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf

     

       14
        
           # Do not use this in production!

     

       15
        
       

     

       0
        
       
     

       0
        
       
     

       16
        
           auth.pass_table local_authdb {

     

       17
        
             table sql_table {

     

       18
        
               driver sqlite3

     
···

       33
        
             }

     

       34
        
             optional_step file /etc/maddy/aliases

     

       35
        
           }

     

       36
       +
       

     

       37
        
           msgpipeline local_routing {

     

       38
        
             destination postmaster $(local_domains) {

     

       39
        
               modify {

     
···

       214
        
               '';

     

       215
        
             };

     

       216
        
       

     

       217
       +
             tls = {

     

       218
       +
               loader = mkOption {

     

       219
       +
                 type = with types; nullOr (enum [ "file" "off" ]);

     

       220
       +
                 default = "off";

     

       221
       +
                 description = lib.mdDoc ''

     

       222
       +
                   TLS certificates are obtained by modules called "certificate

     

       223
       +
                   loaders". Currently only the file loader is supported which reads

     

       224
       +
                   certificates from files specifying the options `keyPaths` and

     

       225
       +
                   `certPaths`.

     

       226
       +
                 '';

     

       227
       +
               };

     

       228
       +
       

     

       229
       +
               certificates = mkOption {

     

       230
       +
                 type = with types; listOf (submodule {

     

       231
       +
                   options = {

     

       232
       +
                     keyPath = mkOption {

     

       233
       +
                       type = types.path;

     

       234
       +
                       example = "/etc/ssl/mx1.example.org.key";

     

       235
       +
                       description = lib.mdDoc ''

     

       236
       +
                         Path to the private key used for TLS.

     

       237
       +
                       '';

     

       238
       +
                     };

     

       239
       +
                     certPath = mkOption {

     

       240
       +
                       type = types.path;

     

       241
       +
                       example = "/etc/ssl/mx1.example.org.crt";

     

       242
       +
                       description = lib.mdDoc ''

     

       243
       +
                         Path to the certificate used for TLS.

     

       244
       +
                       '';

     

       245
       +
                     };

     

       246
       +
                   };

     

       247
       +
                 });

     

       248
       +
                 default = [];

     

       249
       +
                 example = lib.literalExpression ''

     

       250
       +
                   [{

     

       251
       +
                     keyPath = "/etc/ssl/mx1.example.org.key";

     

       252
       +
                     certPath = "/etc/ssl/mx1.example.org.crt";

     

       253
       +
                   }]

     

       254
       +
                 '';

     

       255
       +
                 description = lib.mdDoc ''

     

       256
       +
                   A list of attribute sets containing paths to TLS certificates and

     

       257
       +
                   keys. Maddy will use SNI if multiple pairs are selected.

     

       258
       +
                 '';

     

       259
       +
               };

     

       260
       +
       

     

       261
       +
               extraConfig = mkOption {

     

       262
       +
                 type = with types; nullOr lines;

     

       263
       +
                 description = lib.mdDoc ''

     

       264
       +
                   Arguments for the specific certificate loader. Note that Maddy uses

     

       265
       +
                   secure defaults for the TLS configuration so there is no need to

     

       266
       +
                   change anything in most cases.

     

       267
       +
                   See [upstream manual](https://maddy.email/reference/tls/) for

     

       268
       +
                   available options.

     

       269
       +
                 '';

     

       270
       +
                 default = "";

     

       271
       +
               };

     

       272
       +
             };

     

       273
       +
       

     

       274
        
             openFirewall = mkOption {

     

       275
        
               type = types.bool;

     

       276
        
               default = false;

     
···

       280
        
             };

     

       281
        
       

     

       282
        
             ensureAccounts = mkOption {

     

       283
       +
               type = with types; listOf str;

     

       284
        
               default = [];

     

       285
        
               description = lib.mdDoc ''

     

       286
        
                 List of IMAP accounts which get automatically created. Note that for

     
···

       326
        
       

     

       327
        
         config = mkIf cfg.enable {

     

       328
        
       

     

       329
       +
           assertions = [{

     

       330
       +
             assertion = cfg.tls.loader == "file" -> cfg.tls.certificates != [];

     

       331
       +
             message = ''

     

       332
       +
               If maddy is configured to use TLS, tls.certificates with attribute sets

     

       333
       +
               of certPath and keyPath must be provided.

     

       334
       +
               Read more about obtaining TLS certificates here:

     

       335
       +
               https://maddy.email/tutorials/setting-up/#tls-certificates

     

       336
       +
             '';

     

       337
       +
           }];

     

       338
       +
       

     

       339
        
           systemd = {

     

       340
        
       

     

       341
        
             packages = [ pkgs.maddy ];

     
···

       384
        
               $(primary_domain) = ${cfg.primaryDomain}

     

       385
        
               $(local_domains) = ${toString cfg.localDomains}

     

       386
        
               hostname ${cfg.hostname}

     

       387
       +
       

     

       388
       +
               ${if (cfg.tls.loader == "file") then ''

     

       389
       +
                 tls file ${concatStringsSep " " (

     

       390
       +
                   map (x: x.certPath + " " + x.keyPath

     

       391
       +
                 ) cfg.tls.certificates)} ${optionalString (cfg.tls.extraConfig != "") ''

     

       392
       +
                   { ${cfg.tls.extraConfig} }

     

       393
       +
                 ''}

     

       394
       +
               '' else if (cfg.tls.loader == "off") then ''

     

       395
       +
                 tls off

     

       396
       +
               '' else ""}

     

       397
       +
       

     

       398
        
               ${cfg.config}

     

       399
        
             '';

     

       400
        
           };

+1 -1

nixos/tests/all-tests.nix

···

       390
        
         lxd-image-server = handleTest ./lxd-image-server.nix {};

     

       391
        
         #logstash = handleTest ./logstash.nix {};

     

       392
        
         lorri = handleTest ./lorri/default.nix {};

     

       393
       -
         maddy = handleTest ./maddy.nix {};

     

       394
        
         maestral = handleTest ./maestral.nix {};

     

       395
        
         magic-wormhole-mailbox-server = handleTest ./magic-wormhole-mailbox-server.nix {};

     

       396
        
         magnetico = handleTest ./magnetico.nix {};

···

       390
        
         lxd-image-server = handleTest ./lxd-image-server.nix {};

     

       391
        
         #logstash = handleTest ./logstash.nix {};

     

       392
        
         lorri = handleTest ./lorri/default.nix {};

     

       393
       +
         maddy = discoverTests (import ./maddy { inherit handleTest; });

     

       394
        
         maestral = handleTest ./maestral.nix {};

     

       395
        
         magic-wormhole-mailbox-server = handleTest ./magic-wormhole-mailbox-server.nix {};

     

       396
        
         magnetico = handleTest ./magnetico.nix {};

+2 -2

nixos/tests/maddy.nix nixos/tests/maddy/unencrypted.nix

···

       1
       -
       import ./make-test-python.nix ({ pkgs, ... }: {

     

       2
       -
         name = "maddy";

     

       3
        
         meta = with pkgs.lib.maintainers; { maintainers = [ onny ]; };

     

       4
        
       

     

       5
        
         nodes = {

···

       1
       +
       import ../make-test-python.nix ({ pkgs, ... }: {

     

       2
       +
         name = "maddy-unencrypted";

     

       3
        
         meta = with pkgs.lib.maintainers; { maintainers = [ onny ]; };

     

       4
        
       

     

       5
        
         nodes = {

nixos/tests/maddy/default.nix

···

       1
       +
       { handleTest }:

     

       2
       +
       

     

       3
       +
       {

     

       4
       +
         unencrypted = handleTest ./unencrypted.nix { };

     

       5
       +
         tls = handleTest ./tls.nix { };

     

       6
       +
       }

+94

nixos/tests/maddy/tls.nix

···

       1
       +
       import ../make-test-python.nix ({ pkgs, ... }:

     

       2
       +
       let

     

       3
       +
         certs = import ../common/acme/server/snakeoil-certs.nix;

     

       4
       +
         domain = certs.domain;

     

       5
       +
       in {

     

       6
       +
         name = "maddy-tls";

     

       7
       +
         meta = with pkgs.lib.maintainers; { maintainers = [ onny ]; };

     

       8
       +
       

     

       9
       +
         nodes = {

     

       10
       +
           server = { options, ... }: {

     

       11
       +
             services.maddy = {

     

       12
       +
               enable = true;

     

       13
       +
               hostname = domain;

     

       14
       +
               primaryDomain = domain;

     

       15
       +
               openFirewall = true;

     

       16
       +
               ensureAccounts = [ "postmaster@${domain}" ];

     

       17
       +
               ensureCredentials = {

     

       18
       +
                 # Do not use this in production. This will make passwords world-readable

     

       19
       +
                 # in the Nix store

     

       20
       +
                 "postmaster@${domain}".passwordFile = "${pkgs.writeText "postmaster" "test"}";

     

       21
       +
               };

     

       22
       +
               tls = {

     

       23
       +
                 loader = "file";

     

       24
       +
                 certificates = [{

     

       25
       +
                   certPath = "${certs.${domain}.cert}";

     

       26
       +
                   keyPath = "${certs.${domain}.key}";

     

       27
       +
                 }];

     

       28
       +
               };

     

       29
       +
               # Enable TLS listeners. Configuring this via the module is not yet

     

       30
       +
               # implemented.

     

       31
       +
               config = builtins.replaceStrings [

     

       32
       +
                 "imap tcp://0.0.0.0:143"

     

       33
       +
                 "submission tcp://0.0.0.0:587"

     

       34
       +
               ] [

     

       35
       +
                 "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"

     

       36
       +
                 "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"

     

       37
       +
               ] options.services.maddy.config.default;

     

       38
       +
             };

     

       39
       +
             # Not covered by openFirewall yet

     

       40
       +
             networking.firewall.allowedTCPPorts = [ 993 465 ];

     

       41
       +
           };

     

       42
       +
       

     

       43
       +
           client = { nodes, ... }: {

     

       44
       +
             security.pki.certificateFiles = [

     

       45
       +
               certs.ca.cert

     

       46
       +
             ];

     

       47
       +
             networking.extraHosts = ''

     

       48
       +
               ${nodes.server.networking.primaryIPAddress} ${domain}

     

       49
       +
            '';

     

       50
       +
             environment.systemPackages = [

     

       51
       +
               (pkgs.writers.writePython3Bin "send-testmail" { } ''

     

       52
       +
                 import smtplib

     

       53
       +
                 import ssl

     

       54
       +
                 from email.mime.text import MIMEText

     

       55
       +
       

     

       56
       +
                 context = ssl.create_default_context()

     

       57
       +
                 msg = MIMEText("Hello World")

     

       58
       +
                 msg['Subject'] = 'Test'

     

       59
       +
                 msg['From'] = "postmaster@${domain}"

     

       60
       +
                 msg['To'] = "postmaster@${domain}"

     

       61
       +
                 with smtplib.SMTP_SSL(host='${domain}', port=465, context=context) as smtp:

     

       62
       +
                     smtp.login('postmaster@${domain}', 'test')

     

       63
       +
                     smtp.sendmail(

     

       64
       +
                       'postmaster@${domain}', 'postmaster@${domain}', msg.as_string()

     

       65
       +
                     )

     

       66
       +
               '')

     

       67
       +
               (pkgs.writers.writePython3Bin "test-imap" { } ''

     

       68
       +
                 import imaplib

     

       69
       +
       

     

       70
       +
                 with imaplib.IMAP4_SSL('${domain}') as imap:

     

       71
       +
                     imap.login('postmaster@${domain}', 'test')

     

       72
       +
                     imap.select()

     

       73
       +
                     status, refs = imap.search(None, 'ALL')

     

       74
       +
                     assert status == 'OK'

     

       75
       +
                     assert len(refs) == 1

     

       76
       +
                     status, msg = imap.fetch(refs[0], 'BODY[TEXT]')

     

       77
       +
                     assert status == 'OK'

     

       78
       +
                     assert msg[0][1].strip() == b"Hello World"

     

       79
       +
               '')

     

       80
       +
             ];

     

       81
       +
           };

     

       82
       +
         };

     

       83
       +
       

     

       84
       +
         testScript = ''

     

       85
       +
           start_all()

     

       86
       +
           server.wait_for_unit("maddy.service")

     

       87
       +
           server.wait_for_open_port(143)

     

       88
       +
           server.wait_for_open_port(993)

     

       89
       +
           server.wait_for_open_port(587)

     

       90
       +
           server.wait_for_open_port(465)

     

       91
       +
           client.succeed("send-testmail")

     

       92
       +
           client.succeed("test-imap")

     

       93
       +
         '';

     

       94
       +
       })