From 58afd52f99f63ef0d30260a47e2b5723b662d4a7 Mon Sep 17 00:00:00 2001 From: oddlama Date: Thu, 1 Aug 2024 01:30:43 +0200 Subject: [PATCH] feat: compartmentalize idmail --- flake.lock | 6 +++--- hosts/envoy/idmail.nix | 19 ++++++++----------- hosts/envoy/stalwart-mail.nix | 3 ++- 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index c27cb33..d760cd3 100644 --- a/flake.lock +++ b/flake.lock @@ -1183,11 +1183,11 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "lastModified": 1722176502, - "narHash": "sha256-RQcVfsu1rJhNCHqCoRo5TKXz4SioNAuRYfcPCi0TLeI=", + "lastModified": 1722465026, + "narHash": "sha256-ARhBk+MO+/35IlnApuag1hK2Q7XZL16tO/suXB6KCrg=", "owner": "oddlama", "repo": "idmail", - "rev": "eb829345b2180bbffcb598f51dcb57f805ca1c4a", + "rev": "5f8a184cb8be04e7b80fea4f57b266687c67d09d", "type": "github" }, "original": { diff --git a/hosts/envoy/idmail.nix b/hosts/envoy/idmail.nix index 8a90466..46e0de4 100644 --- a/hosts/envoy/idmail.nix +++ b/hosts/envoy/idmail.nix @@ -21,12 +21,12 @@ shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}"); in { - environment.persistence."/persist".directories = [ + environment.persistence."/persist".directories = lib.trace "stalwart backups to dusk!" [ { - directory = "/var/lib/idmail"; - user = "idmail"; - group = "idmail"; - mode = "0700"; + directory = config.services.idmail.dataDir; + user = "stalwart-mail"; + group = "stalwart-mail"; + mode = "4770"; } ]; @@ -52,15 +52,12 @@ in { network = "internet"; }; - #systemd.tmpfiles.settings."50-idmail"."${dataDir}".d = { - # user = "idmail"; - # mode = "0750"; - #}; - services.idmail = { enable = true; + # Stalwart will change permissions due to SQLite implementation. + # Therefore, run as stalwart-mail since we don't allow reading + # stalwarts folder anyway (sandboxing is on). user = "stalwart-mail"; - dataDir = "/var/lib/stalwart-mail"; provision = { enable = true; users.admin = { 
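Review bot: `mode = "4770"` on the persisted `dataDir` entry sets the setuid bit, which the kernel ignores on directories, so it has no effect; if the intent is that files created under the directory inherit the `stalwart-mail` group, the setgid form `mode = "2770"` does that, and otherwise `mode = "0770"` (or the previous `0700`, since user and group are now the same principal) says what is meant. The `lib.trace "stalwart backups to dusk!"` wrapper around the directories list is a reminder that is printed on every evaluation of the host; a `# TODO: move stalwart backups to dusk` comment above the attribute carries the same reminder without the eval-time noise. The new comment in the second hunk explains that idmail runs as `stalwart-mail` because SQLite changes permissions, but that means the two services now share a uid, so the separation the commit title promises rests entirely on the systemd sandboxing the comment alludes to rather than on DAC; it would help to name the hardening options relied on (e.g. `ProtectSystem`, `ReadWritePaths`) in that comment so a later change to either unit does not silently remove it. Both hunks sit inside the module's attribute set, whose start and end are outside the hunks.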
diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix index cc15fe6..a91b0a5 100644 --- a/hosts/envoy/stalwart-mail.nix +++ b/hosts/envoy/stalwart-mail.nix @@ -85,7 +85,7 @@ in { store.idmail = { type = "sqlite"; - path = "${dataDir}/idmail.db"; + path = "${config.services.idmail.dataDir}/idmail.db"; query = let # Remove comments from SQL and make it single-line toSingleLineSql = sql: @@ -481,6 +481,7 @@ in { ''; serviceConfig = { RuntimeDirectory = "stalwart-mail"; + ReadWritePaths = [config.services.idmail.dataDir]; ExecStart = lib.mkForce [ "" "${cfg.package}/bin/stalwart-mail --config=/run/stalwart-mail/config.toml"
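Review bot: `ReadWritePaths = [config.services.idmail.dataDir];` grants the stalwart-mail unit write access to idmail's whole data directory, so a compromised stalwart can alter the account/alias database it is presumably only meant to query through `store.idmail`; if the store is lookup-only, check whether stalwart can open the SQLite file read-only and use `ReadOnlyPaths` instead, and if not (SQLite still needs to write `-journal`/`-wal` side files next to the database, which is likely why rw was chosen) record that reason next to the option, e.g. `# SQLite needs rw on the directory for journal/WAL files; stalwart only issues lookup queries`. `ReadWritePaths` is also only meaningful when `ProtectSystem=strict` or an equivalent read-only root is in effect, which is not visible in this hunk, so confirm the upstream module sets it rather than assuming. The `serviceConfig` attribute set continues outside the hunk.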