diff options
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/exim-retiolum.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/exim.nix | 80 | ||||
-rw-r--r-- | krebs/4lib/types.nix | 12 |
5 files changed, 95 insertions, 2 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 9dac50d55..e87b33600 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -13,6 +13,7 @@ let ./buildbot/slave.nix ./build.nix ./current.nix + ./exim.nix ./exim-retiolum.nix ./exim-smarthost.nix ./fetchWallpaper.nix diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 696c48baf..8b6ac4a4e 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -32,7 +32,7 @@ let }; imp = { - services.exim = { + krebs.exim = { enable = true; config = # This configuration makes only sense for retiolum-enabled hosts. diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index a01ab543b..8d9227039 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -105,7 +105,7 @@ let requires = [ "secret.service" ]; }; }; - services.exim = { + krebs.exim = { enable = true; config = '' keep_environment = diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix new file mode 100644 index 000000000..16a2a37b6 --- /dev/null +++ b/krebs/3modules/exim.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: with config.krebs.lib; let + cfg = config.krebs.exim; +in { + options.krebs.exim = { + enable = mkEnableOption "krebs.exim"; + config = mkOption { + type = types.str; + default = ""; + description = '' + Verbatim Exim configuration. This should not contain exim_user, + exim_group, exim_path, or spool_directory. + ''; + }; + user = mkOption { + type = types.user; + default = { + name = "exim"; + home = "/var/spool/exim"; + }; + description = '' + User to use when no root privileges are required. + In particular, this applies when receiving messages and when doing + remote deliveries. (Local deliveries run as various non-root users, + typically as the owner of a local mailbox.) Specifying this value + as root is not supported. + ''; + }; + group = mkOption { + type = types.group; + default = { + name = "exim"; + }; + description = '' + Group to use when no root privileges are required. + ''; + }; + }; + config = lib.mkIf cfg.enable { + environment = { + etc."exim.conf".text = '' + exim_user = ${cfg.user.name} + exim_group = ${cfg.group.name} + exim_path = /var/setuid-wrappers/exim + spool_directory = ${cfg.user.home} + ${cfg.config} + ''; + systemPackages = [ pkgs.exim ]; + }; + krebs.setuid = { + exim = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + }; + systemd.services.exim = { + restartTriggers = [ + config.environment.etc."exim.conf".source + ]; + serviceConfig = { + ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + wantedBy = [ "multi-user.target" ]; + }; + users = { + groups.${cfg.group.name} = { + inherit (cfg.group) name gid; + }; + users.${cfg.user.name} = { + inherit (cfg.user) home name uid; + createHome = true; + group = cfg.group.name; + }; + }; + }; +} diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 405a91e45..56d1d55c3 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -213,6 +213,18 @@ types // rec { }; }; }); + group = submodule ({ config, ... }: { + options = { + name = mkOption { + type = username; + default = config._module.args.name; + }; + gid = mkOption { + type = int; + default = genid config.name; + }; + }; + }); addr = either addr4 addr6; addr4 = mkOptionType { |