feat: compartmentalize idmail

2025-10-10 23:00:39 +02:00 · 2024-08-01 01:30:43 +02:00 · 2024-08-01 01:30:43 +02:00 · 58afd52f99
commit 58afd52f99
parent 76163bad98
3 changed files with 13 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1183,11 +1183,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1722176502,
-        "narHash": "sha256-RQcVfsu1rJhNCHqCoRo5TKXz4SioNAuRYfcPCi0TLeI=",
+        "lastModified": 1722465026,
+        "narHash": "sha256-ARhBk+MO+/35IlnApuag1hK2Q7XZL16tO/suXB6KCrg=",
        "owner": "oddlama",
        "repo": "idmail",
-        "rev": "eb829345b2180bbffcb598f51dcb57f805ca1c4a",
+        "rev": "5f8a184cb8be04e7b80fea4f57b266687c67d09d",
        "type": "github"
      },
      "original": {
--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@ -21,12 +21,12 @@

  shortHash = x: lib.substring 0 16 (builtins.hashString "sha256" "${globals.salt}:${x}");
 in {
-  environment.persistence."/persist".directories = [
+  environment.persistence."/persist".directories = lib.trace "stalwart backups to dusk!" [
    {
-      directory = "/var/lib/idmail";
-      user = "idmail";
-      group = "idmail";
-      mode = "0700";
+      directory = config.services.idmail.dataDir;
+      user = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "4770";
    }
  ];

@ -52,15 +52,12 @@ in {
    network = "internet";
  };

-  #systemd.tmpfiles.settings."50-idmail"."${dataDir}".d = {
-  #  user = "idmail";
-  #  mode = "0750";
-  #};
-
  services.idmail = {
    enable = true;
+    # Stalwart will change permissions due to SQLite implementation.
+    # Therefore, run as stalwart-mail since we don't allow reading
+    # stalwarts folder anyway (sandboxing is on).
    user = "stalwart-mail";
-    dataDir = "/var/lib/stalwart-mail";
    provision = {
      enable = true;
      users.admin = {
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -85,7 +85,7 @@ in {

        store.idmail = {
          type = "sqlite";
-          path = "${dataDir}/idmail.db";
+          path = "${config.services.idmail.dataDir}/idmail.db";
          query = let
            # Remove comments from SQL and make it single-line
            toSingleLineSql = sql:
@ -481,6 +481,7 @@ in {
    '';
    serviceConfig = {
      RuntimeDirectory = "stalwart-mail";
+      ReadWritePaths = [config.services.idmail.dataDir];
      ExecStart = lib.mkForce [
        ""
        "${cfg.package}/bin/stalwart-mail --config=/run/stalwart-mail/config.toml"