Unverified Commit 0886377f authored by Sandro Jäckel's avatar Sandro Jäckel

nixos/gitea: drop mailerUseSendmail option and use PROTOCOL as an indication instead

This option does not configure sendmail itself because it is impossible
as sendmail is an alias for many things and could mean msmtp or postfix
or exim or something else.

Instead we rely on the PROTOCOL setting as initially proposed in #384582
and based on that open up the sandboxing settings because if the user
configures sendmail, they want it to work and not have to configure yet
another thing.

Also makes postfix specific things conditional on postfix being enabled
as msmtp does not need them.

Also we can set SENDMAIL_PATH unconditionally as every wrapper I am
aware of uses that path.
parent d54b0807
+158 −129
@@ -27,6 +27,9 @@ let

    ${optionalString (cfg.extraConfig != null) cfg.extraConfig}
  '';

  inherit (cfg.settings) mailer;
  useSendmail = mailer.ENABLED && mailer.PROTOCOL == "sendmail";
in

{
@@ -366,15 +369,6 @@ in
        description = "Path to a file containing the SMTP password.";
      };

      mailerUseSendmail = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Use the operating system's sendmail command instead of SMTP.
          Note: some sandbox settings will be disabled.
        '';
      };

      metricsTokenFile = mkOption {
        type = types.nullOr types.str;
        default = null;
@@ -422,7 +416,9 @@ in
            };
          }
        '';
        type = types.submodule {
        type = types.submodule (
          { config, options, ... }:
          {
            freeformType = format.type;
            options = {
              log = {
@@ -446,6 +442,40 @@ in
                };
              };

              mailer = {
                ENABLED = lib.mkOption {
                  type = lib.types.bool;
                  default = false;
                  description = "Whether to use an email service to send notifications.";
                };

                PROTOCOL = lib.mkOption {
                  type = lib.types.enum [
                    null
                    "smtp"
                    "smtps"
                    "smtp+starttls"
                    "smtp+unix"
                    "sendmail"
                    "dummy"
                  ];
                  default = null;
                  description = "Which mail server protocol to use.";
                };

                SENDMAIL_PATH = lib.mkOption {
                  type = lib.types.path;
                  # somewhat duplicated with useSendmail but cannot be deduped because of infinite recursion
                  default =
                    if config.mailer.ENABLED && config.mailer.PROTOCOL == "sendmail" then
                      "/run/wrappers/bin/sendmail"
                    else
                      "sendmail";
                  defaultText = lib.literalExpression ''if config.${options.mailer.ENABLED} && config.${options.mailer.PROTOCOL} == "sendmail" then "/run/wrappers/bin/sendmail" else "sendmail"'';
                  description = "Path to sendmail binary or script.";
                };
              };

              server = {
                PROTOCOL = mkOption {
                  type = types.enum [
@@ -535,7 +565,8 @@ in
                };
              };
            };
        };
          }
        );
      };

      extraConfig = mkOption {
@@ -663,15 +694,9 @@ in
          })
        ]);

        mailer = mkMerge [
          (mkIf (cfg.mailerPasswordFile != null) {
        mailer = mkIf (cfg.mailerPasswordFile != null) {
          PASSWD = "#mailerpass#";
          })
          (mkIf cfg.mailerUseSendmail {
            PROTOCOL = "sendmail";
            SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
          })
        ];
        };

        metrics = mkIf (cfg.metricsTokenFile != null) {
          TOKEN = "#metricstoken#";
@@ -884,18 +909,18 @@ in
          cfg.repositoryRoot
          cfg.stateDir
          cfg.lfs.contentDir
        ] ++ optional cfg.mailerUseSendmail "/var/lib/postfix/queue/maildrop";
        ] ++ lib.optional (useSendmail && config.services.postfix.enable) "/var/lib/postfix/queue/maildrop";
        UMask = "0027";
        # Capabilities
        CapabilityBoundingSet = "";
        # Security
        NoNewPrivileges = optional (!cfg.mailerUseSendmail) true;
        NoNewPrivileges = !useSendmail;
        # Sandboxing
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = optional (!cfg.mailerUseSendmail) true;
        PrivateUsers = !useSendmail;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
@@ -906,7 +931,7 @@ in
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ] ++ optional cfg.mailerUseSendmail "AF_NETLINK";
        ] ++ lib.optional (useSendmail && config.services.postfix.enable) "AF_NETLINK";
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
@@ -916,10 +941,14 @@ in
        PrivateMounts = true;
        # System Call Filtering
        SystemCallArchitectures = "native";
        SystemCallFilter = [
        SystemCallFilter =
          [
            "~@cpu-emulation @debug @keyring @mount @obsolete @setuid"
            "setrlimit"
        ] ++ optional (!cfg.mailerUseSendmail) "~@privileged";
          ]
          ++ lib.optionals (!useSendmail) [
            "~@privileged"
          ];
      };

      environment = {
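Review bot: The `else "sendmail"` fallback in the new SENDMAIL_PATH default (hunk `@@ -446,6 +442,40 @@`) does not satisfy the option's `lib.types.path` type, which as far as I recall only accepts values that start with `/`; since option defaults are merged as ordinary definitions and `cfg.settings` is rendered into the config file on every evaluation, this looks like it would fail the type check for every configuration that is not in sendmail mode. The commit message already says SENDMAIL_PATH can be set unconditionally, so the simplest fix is `default = "/run/wrappers/bin/sendmail";` with a matching `defaultText`, which also removes the condition that the comment above it calls duplicated; failing that, `lib.types.str` would accept the bare command name. Separately, the sandbox relaxations (`NoNewPrivileges`, `PrivateUsers`, the dropped `~@privileged`) key off PROTOCOL alone, so a user pointing SENDMAIL_PATH at a non-setuid wrapper still gets the weaker sandbox, and the removed `mailerUseSendmail` description carried the hint "some sandbox settings will be disabled" which the new PROTOCOL description lacks. I would add to PROTOCOL's description: `Selecting "sendmail" relaxes the service's systemd hardening (NoNewPrivileges, PrivateUsers and the @privileged syscall filter) so the sendmail wrapper can work.`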