Loading nixos/modules/services/misc/gitea.nix +158 −130 Original line number Diff line number Diff line Loading @@ -27,6 +27,9 @@ let ${optionalString (cfg.extraConfig != null) cfg.extraConfig} ''; inherit (cfg.settings) mailer; useSendmail = mailer.ENABLED && mailer.PROTOCOL == "sendmail"; in { Loading Loading @@ -366,15 +369,6 @@ in description = "Path to a file containing the SMTP password."; }; mailerUseSendmail = mkOption { type = types.bool; default = false; description = '' Use the operating system's sendmail command instead of SMTP. Note: some sandbox settings will be disabled. ''; }; metricsTokenFile = mkOption { type = types.nullOr types.str; default = null; Loading Loading @@ -422,7 +416,9 @@ in }; } ''; type = types.submodule { type = types.submodule ( { config, options, ... }: { freeformType = format.type; options = { log = { Loading @@ -446,6 +442,40 @@ in }; }; mailer = { ENABLED = lib.mkOption { type = lib.types.bool; default = false; description = "Whether to use an email service to send notifications."; }; PROTOCOL = lib.mkOption { type = lib.types.enum [ null "smtp" "smtps" "smtp+starttls" "smtp+unix" "sendmail" "dummy" ]; default = null; description = "Which mail server protocol to use."; }; SENDMAIL_PATH = lib.mkOption { type = lib.types.path; # somewhat duplicated with useSendmail but cannot be deduped because of infinite recursion default = if config.mailer.ENABLED && config.mailer.PROTOCOL == "sendmail" then "/run/wrappers/bin/sendmail" else "sendmail"; defaultText = lib.literalExpression ''if config.${options.mailer.ENABLED} && config.${options.mailer.PROTOCOL} == "sendmail" then "/run/wrappers/bin/sendmail" else "sendmail"''; description = "Path to sendmail binary or script."; }; }; server = { PROTOCOL = mkOption { type = types.enum [ Loading Loading @@ -535,7 +565,8 @@ in }; }; }; }; } ); }; extraConfig = mkOption { Loading Loading 
@@ -663,15 +694,9 @@ in }) ]); mailer = mkMerge [ (mkIf (cfg.mailerPasswordFile != null) { mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }) (mkIf cfg.mailerUseSendmail { PROTOCOL = "sendmail"; SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; }) ]; }; metrics = mkIf (cfg.metricsTokenFile != null) { TOKEN = "#metricstoken#"; Loading Loading @@ -884,18 +909,18 @@ in cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ] ++ optional cfg.mailerUseSendmail "/var/lib/postfix/queue/maildrop"; ] ++ lib.optional (useSendmail && config.services.postfix.enable) "/var/lib/postfix/queue/maildrop"; UMask = "0027"; # Capabilities CapabilityBoundingSet = ""; # Security NoNewPrivileges = optional (!cfg.mailerUseSendmail) true; NoNewPrivileges = !useSendmail; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; PrivateDevices = true; PrivateUsers = optional (!cfg.mailerUseSendmail) true; PrivateUsers = !useSendmail; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; Loading @@ -906,7 +931,7 @@ in "AF_UNIX" "AF_INET" "AF_INET6" ] ++ optional cfg.mailerUseSendmail "AF_NETLINK"; ] ++ lib.optional (useSendmail && config.services.postfix.enable) "AF_NETLINK"; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -916,10 +941,14 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @setuid" "setrlimit" ] ++ optional (!cfg.mailerUseSendmail) "~@privileged"; ] ++ lib.optionals (!useSendmail) [ "~@privileged" ]; }; environment = { Loading Loading @@ -997,7 +1026,6 @@ in }; meta.maintainers = with lib.maintainers; [ ma27 techknowlogick SuperSandro2000 ]; Loading Loading
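Review bot: The description of `mailer.PROTOCOL` added in the `@@ -446,6 +442,40 @@` hunk no longer tells the user that choosing `"sendmail"` relaxes the service sandbox, a warning the removed `mailerUseSendmail` option carried ("some sandbox settings will be disabled"). The `@@ -884` and `@@ -916` hunks show exactly what is relaxed when `useSendmail` holds: `NoNewPrivileges` and `PrivateUsers` become false and `~@privileged` is dropped from `SystemCallFilter`, which is what allows the setuid `/run/wrappers/bin/sendmail` default to work. I would extend the option text to `description = "Which mail server protocol to use. Selecting \"sendmail\" disables NoNewPrivileges, PrivateUsers and the @privileged syscall filter of the gitea service so the setuid sendmail wrapper can run.";`. Separately, `mailerUseSendmail` is dropped in the `@@ -366` hunk without a visible `mkRemovedOptionModule` or `mkRenamedOptionModule` entry; unless one is added in an `imports` list outside these hunks, existing configurations that set it will fail evaluation with a plain undefined-option error instead of a migration hint. The `let` block and the systemd service attribute set both continue outside their hunks.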
nixos/modules/services/misc/gitea.nix +158 −130 Original line number Diff line number Diff line Loading @@ -27,6 +27,9 @@ let ${optionalString (cfg.extraConfig != null) cfg.extraConfig} ''; inherit (cfg.settings) mailer; useSendmail = mailer.ENABLED && mailer.PROTOCOL == "sendmail"; in { Loading Loading @@ -366,15 +369,6 @@ in description = "Path to a file containing the SMTP password."; }; mailerUseSendmail = mkOption { type = types.bool; default = false; description = '' Use the operating system's sendmail command instead of SMTP. Note: some sandbox settings will be disabled. ''; }; metricsTokenFile = mkOption { type = types.nullOr types.str; default = null; Loading Loading @@ -422,7 +416,9 @@ in }; } ''; type = types.submodule { type = types.submodule ( { config, options, ... }: { freeformType = format.type; options = { log = { Loading @@ -446,6 +442,40 @@ in }; }; mailer = { ENABLED = lib.mkOption { type = lib.types.bool; default = false; description = "Whether to use an email service to send notifications."; }; PROTOCOL = lib.mkOption { type = lib.types.enum [ null "smtp" "smtps" "smtp+starttls" "smtp+unix" "sendmail" "dummy" ]; default = null; description = "Which mail server protocol to use."; }; SENDMAIL_PATH = lib.mkOption { type = lib.types.path; # somewhat duplicated with useSendmail but cannot be deduped because of infinite recursion default = if config.mailer.ENABLED && config.mailer.PROTOCOL == "sendmail" then "/run/wrappers/bin/sendmail" else "sendmail"; defaultText = lib.literalExpression ''if config.${options.mailer.ENABLED} && config.${options.mailer.PROTOCOL} == "sendmail" then "/run/wrappers/bin/sendmail" else "sendmail"''; description = "Path to sendmail binary or script."; }; }; server = { PROTOCOL = mkOption { type = types.enum [ Loading Loading @@ -535,7 +565,8 @@ in }; }; }; }; } ); }; extraConfig = mkOption { Loading Loading 
@@ -663,15 +694,9 @@ in }) ]); mailer = mkMerge [ (mkIf (cfg.mailerPasswordFile != null) { mailer = mkIf (cfg.mailerPasswordFile != null) { PASSWD = "#mailerpass#"; }) (mkIf cfg.mailerUseSendmail { PROTOCOL = "sendmail"; SENDMAIL_PATH = "/run/wrappers/bin/sendmail"; }) ]; }; metrics = mkIf (cfg.metricsTokenFile != null) { TOKEN = "#metricstoken#"; Loading Loading @@ -884,18 +909,18 @@ in cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ] ++ optional cfg.mailerUseSendmail "/var/lib/postfix/queue/maildrop"; ] ++ lib.optional (useSendmail && config.services.postfix.enable) "/var/lib/postfix/queue/maildrop"; UMask = "0027"; # Capabilities CapabilityBoundingSet = ""; # Security NoNewPrivileges = optional (!cfg.mailerUseSendmail) true; NoNewPrivileges = !useSendmail; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; PrivateDevices = true; PrivateUsers = optional (!cfg.mailerUseSendmail) true; PrivateUsers = !useSendmail; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; Loading @@ -906,7 +931,7 @@ in "AF_UNIX" "AF_INET" "AF_INET6" ] ++ optional cfg.mailerUseSendmail "AF_NETLINK"; ] ++ lib.optional (useSendmail && config.services.postfix.enable) "AF_NETLINK"; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; Loading @@ -916,10 +941,14 @@ in PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @setuid" "setrlimit" ] ++ optional (!cfg.mailerUseSendmail) "~@privileged"; ] ++ lib.optionals (!useSendmail) [ "~@privileged" ]; }; environment = { Loading Loading @@ -997,7 +1026,6 @@ in }; meta.maintainers = with lib.maintainers; [ ma27 techknowlogick SuperSandro2000 ]; Loading