diff options
author | Vladimír Čunát <vcunat@gmail.com> | 2017-06-10 10:04:41 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2017-06-10 10:07:33 +0200 |
commit | cb9f953c923eb9fdb1f23458bbc43460f269c5c7 (patch) | |
tree | ed30af553d98d55f7a93a0cd55905a14e6bf3f62 /nixos | |
parent | 2993b7e096d11d63e5a61d0f2bc38d803093a4f1 (diff) | |
parent | 2d64e1b7d05dc31fb6a899092c99c693b169dd55 (diff) | |
download | nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar.gz nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar.bz2 nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar.lz nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar.xz nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.tar.zst nixpkgs-cb9f953c923eb9fdb1f23458bbc43460f269c5c7.zip |
Merge branch 'master' into staging
More larger rebuilds.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 64 | ||||
-rw-r--r-- | nixos/modules/services/mail/spamassassin.nix | 164 |
2 files changed, 189 insertions, 39 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 321b9f7f375..a40c5ef9ebe 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -13,7 +13,7 @@ let description = '' Where the webroot of the HTTP vhost is located. <filename>.well-known/acme-challenge/</filename> directory - will be created automatically if it doesn't exist. + will be created below the webroot if it doesn't exist. <literal>http://example.org/.well-known/acme-challenge/</literal> must also be available (notice unencrypted HTTP). ''; @@ -46,7 +46,10 @@ let allowKeysForGroup = mkOption { type = types.bool; default = false; - description = "Give read permissions to the specified group to read SSL private certificates."; + description = '' + Give read permissions to the specified group + (<option>security.acme.group</option>) to read SSL private certificates. + ''; }; postRun = mkOption { @@ -65,21 +68,24 @@ let "cert.der" "cert.pem" "chain.pem" "external.sh" "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" ]); - default = [ "fullchain.pem" "key.pem" "account_key.json" ]; + default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; description = '' Plugins to enable. With default settings simp_le will - store public certificate bundle in <filename>fullchain.pem</filename> - and private key in <filename>key.pem</filename> in its state directory. + store public certificate bundle in <filename>fullchain.pem</filename>, + private key in <filename>key.pem</filename> and those two previous + files combined in <filename>full.pem</filename> in its state directory. ''; }; extraDomains = mkOption { type = types.attrsOf (types.nullOr types.str); default = {}; - example = { - "example.org" = "/srv/http/nginx"; - "mydomain.org" = null; - }; + example = literalExample '' + { + "example.org" = "/srv/http/nginx"; + "mydomain.org" = null; + } + ''; description = '' Extra domain names for which certificates are to be issued, with their own server roots if needed. @@ -139,17 +145,19 @@ in description = '' Attribute set of certificates to get signed and renewed. ''; - example = { - "example.com" = { - webroot = "/var/www/challenges/"; - email = "foo@example.com"; - extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; - }; - "bar.example.com" = { - webroot = "/var/www/challenges/"; - email = "bar@example.com"; - }; - }; + example = literalExample '' + { + "example.com" = { + webroot = "/var/www/challenges/"; + email = "foo@example.com"; + extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; + }; + "bar.example.com" = { + webroot = "/var/www/challenges/"; + email = "bar@example.com"; + }; + } + ''; }; }; }; @@ -238,6 +246,9 @@ in mv $workdir/server.key ${cpath}/key.pem mv $workdir/server.crt ${cpath}/fullchain.pem + # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates) + cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem" + # Clean up working directory rm $workdir/server.csr rm $workdir/server.pass.key @@ -247,6 +258,8 @@ in chown '${data.user}:${data.group}' '${cpath}/key.pem' chmod ${rights} '${cpath}/fullchain.pem' chown '${data.user}:${data.group}' '${cpath}/fullchain.pem' + chmod ${rights} '${cpath}/full.pem' + chown '${data.user}:${data.group}' '${cpath}/full.pem' ''; serviceConfig = { Type = "oneshot"; @@ -275,15 +288,14 @@ in ) ); servicesAttr = listToAttrs services; - nginxAttr = { - nginx = { - after = [ "acme-selfsigned-certificates.target" ]; - wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ]; - }; + injectServiceDep = { + after = [ "acme-selfsigned-certificates.target" ]; + wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ]; }; in servicesAttr // - (if config.services.nginx.enable then nginxAttr else {}); + (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) // + (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {}); systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}") diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index 08953134b3b..fc8396cd85e 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -3,43 +3,129 @@ with lib; let - cfg = config.services.spamassassin; + spamassassin-local-cf = pkgs.writeText "local.cf" cfg.config; + spamassassin-init-pre = pkgs.writeText "init.pre" cfg.initPreConf; + + spamdEnv = pkgs.buildEnv { + name = "spamd-env"; + paths = []; + postBuild = '' + ln -sf ${spamassassin-init-pre} $out/init.pre + ln -sf ${spamassassin-local-cf} $out/local.cf + ''; + }; in { - - ###### interface - options = { services.spamassassin = { - enable = mkOption { default = false; - description = "Whether to run the SpamAssassin daemon."; + description = "Whether to run the SpamAssassin daemon"; }; debug = mkOption { default = false; - description = "Whether to run the SpamAssassin daemon in debug mode."; + description = "Whether to run the SpamAssassin daemon in debug mode"; }; - }; + config = mkOption { + type = types.lines; + description = '' + The SpamAssassin local.cf config + + If you are using this configuration: + add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_ + + Then you can Use this sieve filter: + require ["fileinto", "reject", "envelope"]; + + if header :contains "X-Spam-Flag" "YES" { + fileinto "spam"; + } + + Or this procmail filter: + :0: + * ^X-Spam-Flag: YES + /var/vpopmail/domains/lastlog.de/js/.maildir/.spam/new + + To filter your messages based on the additional mail headers added by spamassassin. + ''; + example = '' + #rewrite_header Subject [***** SPAM _SCORE_ *****] + required_score 5.0 + use_bayes 1 + bayes_auto_learn 1 + add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_ + ''; + default = ""; + }; + initPreConf = mkOption { + type = types.str; + description = "The SpamAssassin init.pre config."; + default = + '' + # + # to update this list, run this command in the rules directory: + # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq + # + + #loadplugin Mail::SpamAssassin::Plugin::AccessDB + #loadplugin Mail::SpamAssassin::Plugin::AntiVirus + loadplugin Mail::SpamAssassin::Plugin::AskDNS + # loadplugin Mail::SpamAssassin::Plugin::ASN + loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold + #loadplugin Mail::SpamAssassin::Plugin::AWL + loadplugin Mail::SpamAssassin::Plugin::Bayes + loadplugin Mail::SpamAssassin::Plugin::BodyEval + loadplugin Mail::SpamAssassin::Plugin::Check + #loadplugin Mail::SpamAssassin::Plugin::DCC + loadplugin Mail::SpamAssassin::Plugin::DKIM + loadplugin Mail::SpamAssassin::Plugin::DNSEval + loadplugin Mail::SpamAssassin::Plugin::FreeMail + loadplugin Mail::SpamAssassin::Plugin::Hashcash + loadplugin Mail::SpamAssassin::Plugin::HeaderEval + loadplugin Mail::SpamAssassin::Plugin::HTMLEval + loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch + loadplugin Mail::SpamAssassin::Plugin::ImageInfo + loadplugin Mail::SpamAssassin::Plugin::MIMEEval + loadplugin Mail::SpamAssassin::Plugin::MIMEHeader + # loadplugin Mail::SpamAssassin::Plugin::PDFInfo + #loadplugin Mail::SpamAssassin::Plugin::PhishTag + loadplugin Mail::SpamAssassin::Plugin::Pyzor + loadplugin Mail::SpamAssassin::Plugin::Razor2 + # loadplugin Mail::SpamAssassin::Plugin::RelayCountry + loadplugin Mail::SpamAssassin::Plugin::RelayEval + loadplugin Mail::SpamAssassin::Plugin::ReplaceTags + # loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody + # loadplugin Mail::SpamAssassin::Plugin::Shortcircuit + loadplugin Mail::SpamAssassin::Plugin::SpamCop + loadplugin Mail::SpamAssassin::Plugin::SPF + #loadplugin Mail::SpamAssassin::Plugin::TextCat + # loadplugin Mail::SpamAssassin::Plugin::TxRep + loadplugin Mail::SpamAssassin::Plugin::URIDetail + loadplugin Mail::SpamAssassin::Plugin::URIDNSBL + loadplugin Mail::SpamAssassin::Plugin::URIEval + # loadplugin Mail::SpamAssassin::Plugin::URILocalBL + loadplugin Mail::SpamAssassin::Plugin::VBounce + loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject + loadplugin Mail::SpamAssassin::Plugin::WLBLEval + ''; + }; + }; }; - - ###### implementation - config = mkIf cfg.enable { # Allow users to run 'spamc'. environment.systemPackages = [ pkgs.spamassassin ]; users.extraUsers = singleton { - name = "spamd"; + name = "spamd"; description = "Spam Assassin Daemon"; uid = config.ids.uids.spamd; group = "spamd"; @@ -50,13 +136,65 @@ in gid = config.ids.gids.spamd; }; + systemd.services.sa-update = { + script = '' + set +e + ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd + + v=$? + set -e + if [ $v -gt 1 ]; then + echo "sa-update execution error" + exit $v + fi + if [ $v -eq 0 ]; then + systemctl reload spamd.service + fi + ''; + }; + + systemd.timers.sa-update = { + description = "sa-update-service"; + partOf = [ "sa-update.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "1:*"; + Persistent = true; + }; + }; + systemd.services.spamd = { description = "Spam Assassin Server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - script = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --nouser-config --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/var/run/spamd.pid"; + serviceConfig = { + ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --siteconfigpath=${spamdEnv} --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/var/run/spamd.pid"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + + # 0 and 1 no error, exitcode > 1 means error: + # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes + preStart = '' + # this abstraction requires no centralized config at all + if [ -d /etc/spamassassin ]; then + echo "This spamassassin does not support global '/etc/spamassassin' folder for configuration as this would be impure. Merge your configs into 'services.spamassassin' and remove the '/etc/spamassassin' folder to make this service work. Also see 'https://github.com/NixOS/nixpkgs/pull/26470'."; + exit 1 + fi + echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'" + mkdir -p /var/lib/spamassassin + chown spamd:spamd /var/lib/spamassassin -R + set +e + ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd + v=$? + set -e + if [ $v -gt 1 ]; then + echo "sa-update execution error" + exit $v + fi + chown spamd:spamd /var/lib/spamassassin -R + ''; }; }; } |