
feat: compartmentalize idmail

This commit is contained in:
oddlama 2024-08-01 01:30:43 +02:00
parent 76163bad98
commit 58afd52f99
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
3 changed files with 13 additions and 15 deletions

flake.lock generated

@ -1183,11 +1183,11 @@
"pre-commit-hooks": "pre-commit-hooks_3" "pre-commit-hooks": "pre-commit-hooks_3"
}, },
"locked": { "locked": {
"lastModified": 1722176502, "lastModified": 1722465026,
"narHash": "sha256-RQcVfsu1rJhNCHqCoRo5TKXz4SioNAuRYfcPCi0TLeI=", "narHash": "sha256-ARhBk+MO+/35IlnApuag1hK2Q7XZL16tO/suXB6KCrg=",
"owner": "oddlama", "owner": "oddlama",
"repo": "idmail", "repo": "idmail",
"rev": "eb829345b2180bbffcb598f51dcb57f805ca1c4a", "rev": "5f8a184cb8be04e7b80fea4f57b266687c67d09d",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -21,12 +21,12 @@
shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}"); shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}");
in { in {
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = lib.trace "stalwart backups to dusk!" [
{ {
directory = "/var/lib/idmail"; directory = config.services.idmail.dataDir;
user = "idmail"; user = "stalwart-mail";
group = "idmail"; group = "stalwart-mail";
mode = "0700"; mode = "4770";
} }
]; ];
@ -52,15 +52,12 @@ in {
network = "internet"; network = "internet";
}; };
#systemd.tmpfiles.settings."50-idmail"."${dataDir}".d = {
# user = "idmail";
# mode = "0750";
#};
services.idmail = { services.idmail = {
enable = true; enable = true;
# Stalwart will change permissions due to SQLite implementation.
# Therefore, run as stalwart-mail since we don't allow reading
# stalwarts folder anyway (sandboxing is on).
user = "stalwart-mail"; user = "stalwart-mail";
dataDir = "/var/lib/stalwart-mail";
provision = { provision = {
enable = true; enable = true;
users.admin = { users.admin = {
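Review bot: `mode = "4770";` on the new persistence entry sets the setuid bit on a directory, which Linux ignores, so the directory effectively ends up 0770 and the intent is unclear; if the goal is that files created in the shared stalwart-mail state directory keep the stalwart-mail group, the setgid form `mode = "2770";` is what achieves that, otherwise `mode = "0770";` states the actual result. Either way the directory is now group-writable, so anything running in the stalwart-mail group can modify idmail.db — presumably acceptable here since idmail itself runs as stalwart-mail, but worth a one-line comment next to the mode. The `lib.trace "stalwart backups to dusk!"` wrapper on the same list emits a trace on every evaluation of the option and reads as a debugging leftover; it should be dropped or turned into a comment once the backup question it refers to is settled. The enclosing module body starts before the first hunk and continues past the second.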


@ -85,7 +85,7 @@ in {
store.idmail = { store.idmail = {
type = "sqlite"; type = "sqlite";
path = "${dataDir}/idmail.db"; path = "${config.services.idmail.dataDir}/idmail.db";
query = let query = let
# Remove comments from SQL and make it single-line # Remove comments from SQL and make it single-line
toSingleLineSql = sql: toSingleLineSql = sql:
@ -481,6 +481,7 @@ in {
''; '';
serviceConfig = { serviceConfig = {
RuntimeDirectory = "stalwart-mail"; RuntimeDirectory = "stalwart-mail";
ReadWritePaths = [config.services.idmail.dataDir];
ExecStart = lib.mkForce [ ExecStart = lib.mkForce [
"" ""
"${cfg.package}/bin/stalwart-mail --config=/run/stalwart-mail/config.toml" "${cfg.package}/bin/stalwart-mail --config=/run/stalwart-mail/config.toml"
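Review bot: `ReadWritePaths = [config.services.idmail.dataDir];` only relaxes a read-only filesystem sandbox (ProtectSystem=strict or ReadOnlyPaths), and neither directive is visible in this hunk, so the change does not show what it opens up; with dataDir now pointing into /var/lib/stalwart-mail, the unit's own state area, the entry is presumably redundant if the upstream unit already declares StateDirectory, and otherwise it is the one line that grants write access to the idmail database. A short comment naming the sandbox directive it is meant to counteract, e.g. `# idmail.db lives in services.idmail.dataDir; keep it writable under the unit's filesystem sandbox`, would make the intent checkable by the next reader. The serviceConfig block continues past the end of the hunk.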