author | Alyssa Ross <hi@alyssa.is> | 2023-05-18 13:45:29 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2023-06-05 20:44:36 +0000 |
commit | 03b12c28b04544d358806fa32b57b12214f55365 (patch) | |
tree | 98b45144ddfb75ea65c7c4c2354d0c4b274f5d5e /nixpkgs/nixos | |
parent | 9fc1326a7e1cb5598b4f0607cfd133932bd91765 (diff) | |
nixos/mailman: randomly generate REST API token
(cherry picked from commit 43465c94d4d30c5c977b78ae12f4e1a47a3760ea)
Diffstat (limited to 'nixpkgs/nixos')
-rw-r--r-- | nixpkgs/nixos/modules/services/mail/mailman.nix | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/nixpkgs/nixos/modules/services/mail/mailman.nix b/nixpkgs/nixos/modules/services/mail/mailman.nix
index 1e942c17c5f9..61b2b664d944 100644
--- a/nixpkgs/nixos/modules/services/mail/mailman.nix
+++ b/nixpkgs/nixos/modules/services/mail/mailman.nix
@@ -44,8 +44,11 @@ let
 transport_file_type: hash
 '';
- mailmanCfg = pkgs.writeText "mailman.cfg"
- ((lib.generators.toINI {} cfg.settings) + cfg.extraConfig);
+ mailmanCfg = lib.generators.toINI {} (recursiveUpdate cfg.settings {
+ webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#";
+ });
+
+ mailmanCfgFile = pkgs.writeText "mailman-raw.cfg" mailmanCfg;
 mailmanHyperkittyCfg = pkgs.writeText "mailman-hyperkitty.cfg" ''
 [general]
@@ -383,6 +386,7 @@ in {
 environment.etc."mailman3/settings.py".text = ''
 import os
+ from configparser import ConfigParser
 # Required by mailman_web.settings, but will be overridden when
 # settings_local.json is loaded.
@@ -399,10 +403,10 @@ in {
 with open('/var/lib/mailman-web/settings_local.json') as f:
 globals().update(json.load(f))
- ${optionalString (cfg.restApiPassFile != null) ''
- with open('${cfg.restApiPassFile}') as f:
- MAILMAN_REST_API_PASS = f.read().rstrip('\n')
- ''}
+ with open('/etc/mailman.cfg') as f:
+ config = ConfigParser()
+ config.read_file(f)
+ MAILMAN_REST_API_PASS = config['webservice']['admin_pass']
 ${optionalString (cfg.ldap.enable) ''
 import ldap
@@ -464,7 +468,7 @@ in {
 after = [ "network.target" ]
 ++ lib.optional cfg.enablePostfix "postfix-setup.service"
 ++ lib.optional withPostgresql "postgresql.service";
- restartTriggers = [ mailmanCfg ];
+ restartTriggers = [ mailmanCfgFile ];
 requires = optional withPostgresql "postgresql.service";
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
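Review bot: The new `mailmanCfg` no longer appends `cfg.extraConfig`, which the removed line `((lib.generators.toINI {} cfg.settings) + cfg.extraConfig)` did, so any user-supplied `extraConfig` is silently dropped from `/etc/mailman.cfg` unless it is re-added somewhere outside this hunk. If that is unintended, keep the concatenation: `mailmanCfg = lib.generators.toINI {} (recursiveUpdate cfg.settings { webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#"; }) + cfg.extraConfig;`. Note also that `recursiveUpdate` makes the placeholder win over any `settings.webservice.admin_pass` a user sets, which matches the secret-injection design but deserves a comment such as `# admin_pass is always the placeholder here so the store copy (mailmanCfgFile) never holds the real token; it is substituted into /etc/mailman.cfg by the setup service.`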
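Review bot: `settings.py` now opens `/etc/mailman.cfg` unconditionally, and the later `install -m0750 -o mailman -g mailman` hunk makes that file readable only by `mailman` and its group, so whichever account imports these Django settings must be `mailman` or a member of that group or `open()` raises `PermissionError` at startup; the web service's user is outside this diff, so please confirm it. The removed block only set `MAILMAN_REST_API_PASS` when `restApiPassFile` was given, whereas the new block always sets it, so a short comment would help the next reader: `# /etc/mailman.cfg always carries admin_pass (generated or from restApiPassFile); read it rather than duplicating the secret handling here.` The enclosing Nix string continues outside the hunk.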
@@ -488,8 +492,11 @@ in {
 requires = optional withPostgresql "postgresql.service";
 serviceConfig.Type = "oneshot";
 script = ''
- install -m0750 -o mailman -g mailman ${mailmanCfg} /etc/mailman.cfg
- ${optionalString (cfg.restApiPassFile != null) ''
+ install -m0750 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg
+ ${if cfg.restApiPassFile == null then ''
+ sed -i "s/#NIXOS_MAILMAN_REST_API_PASS_SECRET#/$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64)/g" \
+ /etc/mailman.cfg
+ '' else ''
 ${pkgs.replace-secret}/bin/replace-secret \
 '#NIXOS_MAILMAN_REST_API_PASS_SECRET#' \
 ${cfg.restApiPassFile} \
@@ -587,7 +594,7 @@ in {
 mailman-daily = {
 description = "Trigger daily Mailman events";
 startAt = "daily";
- restartTriggers = [ mailmanCfg ];
+ restartTriggers = [ mailmanCfgFile ];
 serviceConfig = {
 ExecStart = "${mailmanEnv}/bin/mailman digests --send";
 User = "mailman"; |
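Review bot: The `sed` branch writes a fresh random `admin_pass` on every run of this oneshot, so each run invalidates the token that `settings.py` (earlier hunk) read from `/etc/mailman.cfg` at import time; unless the web and core services are ordered after this unit and restarted together with it (not visible here), one side keeps a stale token until its next restart. The `tr -dc A-Za-z0-9` filter is doing security work, since the value is spliced into both a sed replacement and an INI line, and deserves a comment such as `# Alphanumeric only: the token lands inside a sed replacement and an INI value, so it must not contain /, &, \ or newlines.` It is also worth stating the assumption that `sed -i` preserves the `0750 mailman:mailman` mode set by the preceding `install`, as GNU sed does, so the generated token never becomes world-readable. The `script` string continues outside the hunk.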