From e741cc488190ab79e26b96d8e6f1402ab5965b6a Mon Sep 17 00:00:00 2001
From: Marius Bergmann
Date: Thu, 28 Sep 2017 08:38:59 +0200
Subject: nullmailer: add `remotesFile` option

The current `remotes` option is a string option containing nullmailer remote definitions. However, those definitions may contain secret credentials and should therefore not be put world-readable in the nix store. I added a `remotesFile` option, which allows to specify a path to the remotes definition file instead. This way, the definitions can be kept outside of the nix store with more secure file permissions.
---
 nixos/modules/services/mail/nullmailer.nix | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix
index 68cba4a7436e..c5af1d4d381b 100644
--- a/nixos/modules/services/mail/nullmailer.nix
+++ b/nixos/modules/services/mail/nullmailer.nix
@@ -35,6 +35,18 @@ with lib;
 description = "Whether to set the system sendmail to nullmailer's.";
 };

+ remotesFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to the remotes control file. This file contains a
+ list of remote servers to which to send each message.
+
+ See man 8 nullmailer-send for syntax and available
+ options.
+ '';
+ };
+
 config = {
 adminaddr = mkOption {
 type = types.nullOr types.str;
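Review bot: The `description` of the new `remotesFile` option never states the security reason for the option, so a reader of the option docs cannot tell that the file may hold credentials, that it is meant to live outside the Nix store, or that it must be readable by the account nullmailer-send runs as. I would append a sentence such as `Unlike config.remotes, this file is not copied into the world-readable Nix store; keep it outside the store and readable only by the nullmailer service user.` A one-line comment above `type = types.nullOr types.str;` would also help the next maintainer, e.g. `# str rather than path, so that a path literal is not imported into the store` (this is my reading of why `str` was chosen; please confirm). An `example` with an absolute placeholder path, e.g. `example = "/path/to/remotes";`, would make the intended usage obvious.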
@@ -173,13 +185,27 @@ with lib;
 cfg = config.services.nullmailer;
 in mkIf cfg.enable {

+ assertions = [
+ { assertion = cfg.config.remotes == null || cfg.remotesFile == null;
+ message = "Only one of `remotesFile` or `config.remotes` may be used at a time.";
+ }
+ ];
+
 environment = {
 systemPackages = [ pkgs.nullmailer ];
 etc = let
 getval = attr: builtins.getAttr attr cfg.config;
 attrs = builtins.attrNames cfg.config;
- attrs' = builtins.filter (attr: ! isNull (getval attr)) attrs;
- in foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs';
+ remotesFilter = if cfg.remotesFile != null
+ then (attr: attr != "remotes")
+ else (_: true);
+ optionalRemotesFileLink = if cfg.remotesFile != null
+ then { "nullmailer/remotes".source = cfg.remotesFile; }
+ else {};
+ attrs' = builtins.filter (attr: (! isNull (getval attr)) && (remotesFilter attr)) attrs;
+ in
+ (foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs')
+ // optionalRemotesFileLink;
 };

 users = {
-- 
cgit 1.4.1
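Review bot: Nothing in the new `assertions` list or in `optionalRemotesFileLink` checks that `cfg.remotesFile` lies outside the Nix store, so a value produced by interpolating a path (which evaluates to a store path) would be accepted and the credentials would be world-readable again, which is the exposure this commit sets out to remove. A second entry in `assertions` would catch that case: `{ assertion = cfg.remotesFile == null || !(hasPrefix builtins.storeDir cfg.remotesFile); message = "remotesFile must not point into the Nix store."; }`. As a style point, `remotesFilter` looks redundant, because the existing assertion already forces `config.remotes` to be null whenever `remotesFile` is set and the `isNull` test then drops it; if it is kept as a safeguard, a short comment saying so would help. The enclosing `mkIf cfg.enable { … }` block continues past the end of the hunk, so ownership and mode handling for the target file may exist elsewhere, but none is visible here.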