Commit Graph

562 Commits

Author SHA1 Message Date
Marcel
896a4d62d8
listmonk: ensure correct application of data migration 2024-03-01 10:45:12 +01:00
Manuel Stahl
cd8aad903c stalwart-mail: fix default configuration and test 2024-02-13 20:34:22 +01:00
Marco Rebhan
522d660f25
nixos/dovecot: fix sieve script config generation 2024-01-29 19:42:55 +01:00
Marco Rebhan
26e71b5a5b
nixos/dovecot: remove unused imports 2024-01-29 12:21:58 +01:00
Lassulus
da25b2382d
Merge pull request #280373 from h7x4/treewide-use-new-tmpfiles-api
treewide: use new tmpfiles API
2024-01-26 10:47:18 +01:00
Raito Bezarius
3cb7823738 nixos/mail/dovecot2: warn about potential collision due to structured configuration
Plugin configuration is pesky in dovecot2, let's warn about potential conflicts
in the module system by using a fancy regex.

This is only band-aid, this should be removed ASAP.

We clean up also a 21.05-era warning.
2024-01-25 17:18:58 +01:00
h7x4
f5d513c573
treewide: use new tmpfiles api 2024-01-24 05:13:17 +01:00
Raito Bezarius
72e23635e6 nixos/mail/dovecot2: imapsieve.mailbox.*.causes is a list
Otherwise, it's not possible to pass `COPY,APPEND` properly.
2024-01-23 14:04:08 +01:00
Raito Bezarius
caf9e51e0f nixos/mail/dovecot2: re-introduce extra settings and rename sieveScripts
https://github.com/NixOS/nixpkgs/pull/275031 introduced structured configuration
for the dovecot2 sieve plugin, by doing so, it broke SNM configuration doing Sieve configurations.

This attempts to fix up the public API to make it possible for SNM to pick up the pieces.
2024-01-23 14:04:08 +01:00
Robert Schütz
6de0d9293e
Revert "Dovecot: Do not include empty sieve_extensions and sieve_global_extensions" 2024-01-22 10:02:51 -08:00
Kevin Cox
9cd3bd7a5c
Merge pull request #281915 from exi/patch-1
Dovecot: Do not include empty sieve_extensions and sieve_global_extensions
2024-01-20 09:10:41 -05:00
Jade Lovelace
fe474ed61a nixos: fix remaining services for network-online dep fix 2024-01-19 00:11:34 -08:00
Reno Reckling
33ede4cc7c
use concatMapStringsSep in dovecot config
Co-authored-by: h7x4 <h7x4@nani.wtf>
2024-01-19 07:14:59 +01:00
Reno Reckling
1e4065d90a
Do not include sieve_extensions and sieve_global_extensions if they are the default value
Setting them to empty string will disable the default behaviour, leading to missing extensions.
2024-01-19 01:21:07 +01:00
Ryan Lahfa
bbd92ae047
Merge pull request #280561 from RaitoBezarius/fix-listmonk-module
nixos/mail/listmonk: fix hardening directives
2024-01-17 03:42:31 +01:00
Maximilian Bosch
7f91c8ef83
Merge pull request #276496 from Izorkin/update-roundcube-nginx
nixos/roundcube: update nginx configuration
2024-01-16 20:40:12 +01:00
Nick Cao
2443ba38b6
Merge pull request #272910 from SuperSandro2000/nullmailer
nixos/nullmailer: be flexible about time related types
2024-01-14 14:23:28 -05:00
Raito Bezarius
4c84c9c1c3 nixos/mail/listmonk: fix hardening directives
For some reason, I don't know why I missed those, but
I didn't look at my logs for a while.

It would be nice if we could catch those statically kinda (?) in CI.
2024-01-12 20:14:52 +01:00
Ryan Lahfa
1b2aeec40a
Merge pull request #275031 from 2xsaiko/outgoing/sieve
nixos/dovecot: add support for sieve extensions, in particular imapsieve and pipe
2024-01-12 20:05:45 +01:00
Guillaume Girol
17fc67eb2e
Merge pull request #255464 from georgyo/postfix-dont-use-file-ownership
nixos/postfix: postalias should not use source file permissions
2023-12-31 15:20:48 +01:00
Izorkin
7ead602f93
nixos/roundcube: add configureNginx option 2023-12-30 15:01:13 +03:00
Izorkin
3b74d8781f
nixos/roundcube: update nginx configuration 2023-12-30 15:01:12 +03:00
Jonas Heinrich
80d88736da nixos/rspamd-trainer: init; rspamd-trainer: init at unstable-2023-11-27 2023-12-27 10:35:53 +01:00
Nick Cao
a83ee8f514
Merge pull request #255227 from tomfitzhenry/postfix-harden
nixos/postfix: add systemd hardening directives
2023-12-23 10:36:18 -05:00
Marco Rebhan
7004ee65c2
nixos/dovecot: add myself as maintainer 2023-12-21 12:41:08 +01:00
Marco Rebhan
1e31a631b7
nixos/dovecot: add support for sieve extensions, in particular imapsieve and pipe 2023-12-21 12:41:08 +01:00
Sandro Jäckel
b3b09c5eb2
nixos/nullmailer: be flexible about time related types 2023-12-08 14:59:28 +01:00
Emily Trau
7edd128431
Merge pull request #266746 from serpent213/patch-2
nixos/roundcube: Ignore newline at end of password file
2023-12-01 15:50:05 +11:00
h7x4
79d3d59f58
treewide: replace mkPackageOptionMD with mkPackageOption 2023-11-30 19:03:14 +01:00
h7x4
0a37316d6c
treewide: use mkPackageOption
This commit replaces a lot of usages of `mkOption` with the package
type, to be `mkPackageOption`, in order to reduce the amount of code.
2023-11-27 01:28:36 +01:00
Ryan Lahfa
ccfe07c316
Merge pull request #266270 from Ma27/postgresql-ownership-15 2023-11-17 18:02:17 +01:00
Maximilian Bosch
48459567ae nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989

First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.

The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).

After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].

So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that

* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
  `ensureUsers`. That way, the user is actually the owner and can
  perform `CREATE`.
* For such a postgres user, a database must be declared in
  `ensureDatabases`.

For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.

Regarding existing setups: there are effectively two options:

* Leave everything as-is (assuming that system user == db user == db
  name): then the DB user will automatically become the DB owner and
  everything else stays the same.

* Drop the `createDatabase = true;` declarations: nothing will change
  because a removal of `ensure*` statements is ignored, so it doesn't
  matter at all whether this option is kept after the first deploy (and
  later on you'd usually restore from backups anyways).

  The DB user isn't the owner of the DB then, but for an existing setup
  this is irrelevant because CREATE on the public schema isn't revoked
  from existing users (only not granted for new users).

[1] not really declarative though because removals of these statements
    are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
    because it IMHO falls into the category "manage the state on your
    own" (see the commit message). See also
    https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
    also add more things like collation for DBs or passwords that are
    _never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-13 17:16:25 +01:00
Molly Miller
9cec5c807a nixos/mailman: restart services on failure and increase mailman timeouts 2023-11-13 16:10:55 +01:00
Steffen Beyer
ae5fe741ba
nixos/roundcube: Ignore newline at end of password file 2023-11-11 00:17:53 +01:00
Linus Heckemann
8670794565
Merge pull request #263203 from nikstur/replace-activation
Replace simple activationScripts
2023-10-28 10:17:15 +02:00
nikstur
f18ff2ec0b nixos/mlmmj: replace activationScript 2023-10-26 01:44:21 +02:00
github-actions[bot]
cfc75eec46
Merge master into staging-next 2023-10-20 18:00:54 +00:00
Vladimír Čunát
9320d9e7bc
Merge #260527: Mailman fixes
...into staging-next
2023-10-20 18:56:03 +02:00
Bjørn Forsman
142074c2a8 nixos: fix bad mkEnableOption descriptions
Fix descriptions that don't account for (1) the "Whether to enable"
prefix or (2) the automatically added trailing dot.
2023-10-20 16:22:40 +01:00
Maximilian Bosch
2ee12a93de treewide: remove myself (ma27) from a few packages
It's time again, I guess :>

Main motivation is to stop being pinged about software that I maintained
for work now that I'm about to switch jobs. There's no point in pinging
me to review/test updates or to debug issues in e.g. the Atlassian stack
or on mailman since I use neither personally.

But there's also a bunch of other stuff that I stopped using personally. While
at it I realized that I'm still maintainer of a few tests & modules related to
packages I stopped maintaining in the past already.
2023-10-18 15:47:20 -03:00
Molly Miller
1a794a3e4b nixos/mailman: store locks in ephemeral runtime directory
nixosTests.mailman: test mailman master lock handling
2023-10-12 10:39:18 +00:00
Alyssa Ross
21e3908ea3
nixos/mailman: ensure uwsgi uses mailman's python
If they differ, uwsgi will fail to start, because it won't be able to
find the appropriate libraries.
2023-10-11 20:20:12 +00:00
George Shammas
142d83f90e
nixos/postfix: postalias should not use source file permissions
Our postfix-setup service ensures that the directory is only writable by root.

postalias by default drops permissions to the user of the source file. In the
case of NixOS that file is in the nix store and thus always owned by root and
everything works.

The problem is that when using a nixos-container with user namespaces (`-U`)
then the nix store is owned by nobody/nogroup, and postfix-setup.service will be
unable to create or modify `aliases.db`.

Since the file would otherwise be owned by root, we should tell postfix to not
assume the user and permissions of the `aliases` file by setting -o and -p

From postalias(1)

> -o Do not release root privileges when processing a non-root input file. By
> default, postalias(1) drops root privileges and runs as the source file owner
> instead.

> -p Do not inherit the file access permissions from the input file when
> creating a new file. Instead, create a new file with default access
> permissions (mode 0644).
2023-09-16 08:22:45 -04:00
Tom Fitzhenry
dd1b3b077a nixos/postfix: add systemd hardening directives
Inspired by
a9ccc48242/mail-mta/postfix/files/postfix.service

This decreases the systemd-analyze exposure level from UNSAFE to MEDIUM:

```
$ systemd-analyze security --offline=true postfix-hardened.service | grep Overall
→ Overall exposure level for postfix-hardened.service: 6.2 MEDIUM 😐

$ systemd-analyze security --offline=true postfix-original.service | grep Overall
→ Overall exposure level for postfix-original.service: 9.6 UNSAFE 😨
```
2023-09-16 06:37:00 +10:00
revol-xut
6f50091de7 nixos/listmonk: fixing datatype of options 2023-09-09 15:21:32 +02:00
BruNeu
c729c9746e nixos/stalwart-mail: fixed broken link 2023-09-08 23:59:03 +02:00
pacien
f6961de637 nixos/stalwart-mail: add module 2023-09-03 22:18:50 -04:00
Lin Jian
74fadae942
treewide: stop using types.string
It is an error[1] now.

[1]: https://github.com/NixOS/nixpkgs/pull/247848
2023-08-08 21:31:21 +08:00
Sandro Jäckel
b2c1b176d9
nixos/nullmailer: allow users in the nullmailer group to send mails
In combination with https://github.com/NixOS/nixpkgs/pull/231673 this
allows hardened services to use nullmailer's sendmail.
2023-07-13 17:02:19 +02:00
Luke Granger-Brown
cba7cd9b6d
Merge pull request #233282 from pkern/spamassassin
spamassassin: 3.4.6 → 4.0.0
2023-06-25 23:55:34 +01:00