postfix: use built-in set-permission tool to setup queue

Make top level /var/lib/postfix as root:root 0755 After generating custom configs in /var/lib/postfix/conf, `postfix set-permissions` called, to perform all required tricks related to queue handling (postfix use file mode bits to keep some internal statuses, so `chmod -R` not recommended by authors, see comments in $out/libexec/postfix/post-install for details) Also post-install script was patched, to skip permission check/update for files inside $out, as well as symlinks following to $NIX_STORE. Config file `main.cf` extended with all default directory locations, to prevent post-install script from guessing and overwrite them. And finally all actions in activation script snippets performed by postmap/postalias/postfix tools from current build, not random one from paths.
2016-01-18 23:10:58 +02:00 · 2016-01-18 23:10:58 +02:00 · 39bd9be5a9
commit 39bd9be5a9
parent b4052f0a1e
3 changed files with 62 additions and 9 deletions
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -20,6 +20,23 @@ let
      mail_owner = ${user}
      default_privs = nobody

+      # NixOS specific locations
+      data_directory = /var/lib/postfix/data
+      queue_directory = /var/lib/postfix/queue
+
+      # Default location of everything in package
+      meta_directory = ${pkgs.postfix}/etc/postfix
+      command_directory = ${pkgs.postfix}/bin
+      sample_directory = /etc/postfix
+      newaliases_path = ${pkgs.postfix}/bin/newaliases
+      mailq_path = ${pkgs.postfix}/bin/mailq
+      readme_directory = no
+      sendmail_path = ${pkgs.postfix}/bin/sendmail
+      daemon_directory = ${pkgs.postfix}/libexec/postfix
+      manpage_directory = ${pkgs.postfix}/share/man
+      html_directory = ${pkgs.postfix}/share/postfix/doc/html
+      shlib_directory = no
+
    ''
    + optionalString config.networking.enableIPv6 ''
      inet_protocols = all
@ -435,31 +452,35 @@ in
              mkdir -p /var/lib
              mv /var/postfix /var/lib/postfix
            fi
-            mkdir -p /var/lib/postfix/data /var/lib/postfix/queue/{pid,public,maildrop}

-            chown -R ${user}:${group} /var/lib/postfix
-            chown root /var/lib/postfix/queue
-            chown root /var/lib/postfix/queue/pid
-            chgrp -R ${setgidGroup} /var/lib/postfix/queue/{public,maildrop}
-            chmod 770 /var/lib/postfix/queue/{public,maildrop}
+            # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
+            mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
+            chmod 0755 /var/lib/postfix
+            chown root:root /var/lib/postfix

            rm -rf /var/lib/postfix/conf
            mkdir -p /var/lib/postfix/conf
+            chmod 0755 /var/lib/postfix/conf
+            ln -sf ${pkgs.postfix}/etc/postfix/postfix-files
            ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
            ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
+
            ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
              ln -sf ${from} /var/lib/postfix/conf/${to}
-              postalias /var/lib/postfix/conf/${to}
+              ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
            '') cfg.aliasFiles)}
            ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
              ln -sf ${from} /var/lib/postfix/conf/${to}
-              postmap /var/lib/postfix/conf/${to}
+              ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
            '') cfg.mapFiles)}

            mkdir -p /var/spool/mail
            chown root:root /var/spool/mail
            chmod a+rwxt /var/spool/mail
            ln -sf /var/spool/mail /var/
+
+            #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+            ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
          '';
        };
    }
--- a/pkgs/servers/mail/postfix/3.0.nix
+++ b/pkgs/servers/mail/postfix/3.0.nix
@ -35,10 +35,14 @@ in stdenv.mkDerivation rec {
                ++ lib.optional withMySQL libmysql
                ++ lib.optional withSQLite sqlite;

-  patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ];
+  patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ./post-install-script.patch ];

  preBuild = ''
    sed -e '/^PATH=/d' -i postfix-install
+    sed -e "s|@PACKAGE@|$out|" -i conf/post-install
+
+    # post-install need skip permissions check/set on all symlinks following to /nix/store
+    sed -e "s|@NIX_STORE@|$NIX_STORE|" -i conf/post-install

    export command_directory=$out/sbin
    export config_directory=/etc/postfix
--- a/pkgs/servers/mail/postfix/post-install-script.patch
+++ b/pkgs/servers/mail/postfix/post-install-script.patch
@ -0,0 +1,28 @@
+--- a/conf/post-install	1970-01-01 03:00:01.000000000 +0300
+++ b/conf/post-install	2016-01-20 13:25:18.382233172 +0200
+@@ -254,6 +254,8 @@
+ }
+ 
+ # Bootstrapping problem.
+meta_directory="@PACKAGE@/etc/postfix"
+command_directory="@PACKAGE@/bin"
+ 
+ if [ -n "$command_directory" ]
+ then
+@@ -528,7 +530,16 @@
+ 	    # Skip uninstalled files.
+ 	    case $path in
+ 	    no|no/*) continue;;
+        # Skip immutable files from package, correct permissions provided by Nix.
+        @PACKAGE@/*) continue;
+ 	    esac
+        # Also skip symlinks following to /nix/store
+        if test -L $path; then
+            case "$(readlink $path)" in
+                @NIX_STORE@/*) continue;
+            esac
+        fi
+
+ 	    # Pick up the flags.
+ 	    case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
+ 	    case $flags in *c*) create_flag=1;; *) create_flag=;; esac