{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.services.public-inbox;
inboxesDir = "/var/lib/public-inbox/inboxes";
inboxPath = name: "${inboxesDir}/${name}";
gitPath = name: "${inboxPath name}/all.git";
inboxes = mapAttrs (name: inbox:
(recursiveUpdate {
inherit (inbox) address url newsgroup watch;
mainrepo = inboxPath name;
watchheader = inbox.watchHeader;
} inbox.config))
cfg.inboxes;
concat = concatMap id;
configToList = attrs:
concat (mapAttrsToList (name': value':
if isAttrs value' then
map ({ name, value }: nameValuePair "${name'}.${name}" value)
(configToList value')
else if isList value' then map (nameValuePair name') value'
else if value' == null then []
else [ (nameValuePair name' value') ]) attrs);
configFull = recursiveUpdate {
publicinbox = inboxes // {
nntpserver = cfg.nntpServer;
wwwlisting = cfg.wwwListing;
};
publicinboxmda.spamcheck =
if (cfg.mda.spamCheck == null) then "none" else cfg.mda.spamCheck;
publicinboxwatch.spamcheck =
if (cfg.watch.spamCheck == null) then "none" else cfg.watch.spamCheck;
publicinboxwatch.watchspam = cfg.watch.watchSpam;
} cfg.config;
configList = configToList configFull;
gitConfig = key: val: ''
${pkgs.git}/bin/git config --add --file $out ${escapeShellArgs [ key val ]}
'';
configFile = pkgs.runCommand "public-inbox-config" {}
(concatStrings (map ({ name, value }: gitConfig name value) configList));
environment = {
PI_EMERGENCY = "/var/lib/public-inbox/emergency";
PI_CONFIG = configFile;
};
envList = mapAttrsToList (n: v: "${n}=${v}") environment;
# Can't use pkgs.linkFarm,
# because Postfix rejects .forward if it's a symlink.
home = pkgs.runCommand "public-inbox-home" {
forward = ''
|"env ${concatStringsSep " " envList} PATH=\"${makeBinPath cfg.path}:$PATH\" ${cfg.package}/bin/public-inbox-mda ${escapeShellArgs cfg.mda.args}
'';
passAsFile = [ "forward" ];
} ''
mkdir $out
ln -s /var/lib/public-inbox/spamassassin $out/.spamassassin
cp $forwardPath $out/.forward
'';
psgi = pkgs.writeText "public-inbox.psgi" ''
#!${cfg.package.fullperl} -w
# Copyright (C) 2014-2019 all contributors
# License: GPL-3.0+
use strict;
use PublicInbox::WWW;
use Plack::Builder;
my $www = PublicInbox::WWW->new;
$www->preload;
builder {
enable 'Head';
enable 'ReverseProxy';
${concatMapStrings (path: ''
mount q(${path}) => sub { $www->call(@_); };
'') cfg.http.mounts}
}
'';
descriptionFile = { description, ... }:
pkgs.writeText "description" description;
enableWatch = (any (i: i.watch != []) (attrValues cfg.inboxes))
|| (cfg.watch.watchSpam != null);
useSpamAssassin = cfg.mda.spamCheck == "spamc" ||
cfg.watch.spamCheck == "spamc";
in
{
options = {
services.public-inbox = {
enable = mkEnableOption "the public-inbox mail archiver";
package = mkOption {
type = types.package;
default = pkgs.public-inbox;
description = ''
public-inbox package to use with the public-inbox module
'';
};
path = mkOption {
type = with types; listOf package;
default = [];
example = literalExample "with pkgs; [ spamassassin ]";
description = ''
Additional packages to place in the path of public-inbox-mda,
public-inbox-watch, etc.
'';
};
inboxes = mkOption {
description = ''
Inboxes to configure, where attribute names are inbox names
'';
type = with types; loaOf (submodule {
options = {
address = mkOption {
type = listOf str;
example = "example-discuss@example.org";
};
url = mkOption {
type = nullOr str;
default = null;
example = "https://example.org/lists/example-discuss";
description = ''
URL where this inbox can be accessed over HTTP
'';
};
description = mkOption {
type = str;
example = "user/dev discussion of public-inbox itself";
description = ''
User-visible description for the repository
'';
};
config = mkOption {
type = attrs;
default = {};
description = ''
Additional structured config for the inbox
'';
};
newsgroup = mkOption {
type = nullOr str;
default = null;
description = ''
NNTP group name for the inbox
'';
};
watch = mkOption {
type = listOf str;
default = [];
description = ''
Paths for public-inbox-watch(1) to monitor for new mail
'';
example = [ "maildir:/path/to/test.example.com.git" ];
};
watchHeader = mkOption {
type = nullOr str;
default = null;
example = "List-Id:";
description = ''
If specified, public-inbox-watch(1) will only process
mail containing a matching header.
'';
};
};
});
};
mda = {
args = mkOption {
type = with types; listOf str;
default = [];
description = ''
Command-line arguments to pass to public-inbox-mda(1).
'';
};
spamCheck = mkOption {
type = with types; nullOr (enum [ "spamc" ]);
default = "spamc";
description = ''
If set to spamc, public-inbox-mda(1) will filter spam
using SpamAssassin
'';
};
};
watch = {
spamCheck = mkOption {
type = with types; nullOr (enum [ "spamc" ]);
default = "spamc";
description = ''
If set to spamc, public-inbox-watch(1) will filter spam
using SpamAssassin
'';
};
watchSpam = mkOption {
type = with types; nullOr str;
default = null;
example = "maildir:/path/to/spam";
description = ''
If set, mail in this maildir will be trained as spam and
deleted from all watched inboxes
'';
};
};
http = {
mounts = mkOption {
type = with types; listOf str;
default = [ "/" ];
example = [ "/lists/archives" ];
description = ''
Root paths or URLs that public-inbox will be served on.
If domain parts are present, only requests to those
domains will be accepted.
'';
};
listenStreams = mkOption {
type = with types; listOf str;
default = [ "/run/public-inbox-httpd.sock" ];
description = ''
systemd.socket(5) ListenStream values for the
public-inbox-httpd service to listen on
'';
};
};
nntp = {
listenStreams = mkOption {
type = with types; listOf str;
default = [ "0.0.0.0:119" "0.0.0.0:563" ];
description = ''
systemd.socket(5) ListenStream values for the
public-inbox-nntpd service to listen on
'';
};
cert = mkOption {
type = with types; nullOr str;
default = null;
example = "/path/to/fullchain.pem";
description = ''
Path to TLS certificate to use for public-inbox NNTP connections
'';
};
key = mkOption {
type = with types; nullOr str;
default = null;
example = "/path/to/key.pem";
description = ''
Path to TLS key to use for public-inbox NNTP connections
'';
};
extraGroups = mkOption {
type = with types; listOf str;
default = [];
example = [ "tls" ];
description = ''
Secondary groups to assign to the systemd DynamicUser
running public-inbox-nntpd, in addition to the
public-inbox group. This is useful for giving
public-inbox-nntpd access to a TLS certificate / key, for
example.
'';
};
};
nntpServer = mkOption {
type = with types; listOf str;
default = [];
example = [ "nntp://news.public-inbox.org" "nntps://news.public-inbox.org" ];
description = ''
NNTP URLs to this public-inbox instance
'';
};
wwwListing = mkOption {
type = with types; enum [ "all" "404" "match=domain" ];
default = "404";
description = ''
Controls which lists (if any) are listed for when the root
public-inbox URL is accessed over HTTP.
'';
};
spamAssassinRules = mkOption {
type = with types; nullOr path;
default = "${cfg.package.sa_config}/user/.spamassassin/user_prefs";
description = ''
SpamAssassin configuration specific to public-inbox
'';
};
config = mkOption {
type = with types; attrsOf attrs;
default = {};
description = ''
Additional structured config for the public-inbox config file
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = config.services.spamassassin.enable || !useSpamAssassin;
message = ''
public-inbox is configured to use SpamAssassin, but
services.spamassassin.enable is false. If you don't need
spam checking, set services.public-inbox.mda.spamCheck and
services.public-inbox.watch.spamCheck to null.
'';
}
{ assertion = cfg.path != [] || !useSpamAssassin;
message = ''
public-inbox is configured to use SpamAssassin, but there is
no spamc executable in services.public-inbox.path. If you
don't need spam checking, set
services.public-inbox.mda.spamCheck and
services.public-inbox.watch.spamCheck to null.
'';
}
];
users.users.public-inbox = {
inherit home;
group = "public-inbox";
isSystemUser = true;
};
users.groups.public-inbox = {};
systemd.sockets.public-inbox-httpd = {
inherit (cfg.http) listenStreams;
wantedBy = [ "sockets.target" ];
};
systemd.sockets.public-inbox-nntpd = {
inherit (cfg.nntp) listenStreams;
wantedBy = [ "sockets.target" ];
};
systemd.services.public-inbox-httpd = {
inherit environment;
serviceConfig.ExecStart = "${cfg.package}/bin/public-inbox-httpd ${psgi}";
serviceConfig.NonBlocking = true;
serviceConfig.DynamicUser = true;
serviceConfig.SupplementaryGroups = [ "public-inbox" ];
};
systemd.services.public-inbox-nntpd = {
inherit environment;
serviceConfig.ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-nntpd" ] ++
(optionals (cfg.nntp.cert != null) [ "--cert" cfg.nntp.cert ]) ++
(optionals (cfg.nntp.key != null) [ "--key" cfg.nntp.key ])
);
serviceConfig.NonBlocking = true;
serviceConfig.DynamicUser = true;
serviceConfig.SupplementaryGroups = [ "public-inbox" ] ++ cfg.nntp.extraGroups;
};
systemd.services.public-inbox-watch = {
inherit environment;
inherit (cfg) path;
after = optional (cfg.watch.spamCheck == "spamc") "spamassassin.service";
wantedBy = optional enableWatch "multi-user.target";
serviceConfig.ExecStart = "${cfg.package}/bin/public-inbox-watch";
serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
serviceConfig.User = "public-inbox";
};
system.activationScripts.public-inbox = stringAfter [ "users" ] ''
install -m 0755 -o public-inbox -g public-inbox -d /var/lib/public-inbox
install -m 0750 -o public-inbox -g public-inbox -d ${inboxesDir}
install -m 0700 -o public-inbox -g public-inbox -d /var/lib/public-inbox/emergency
${optionalString useSpamAssassin ''
install -m 0700 -o spamd -d /var/lib/public-inbox/spamassassin
${optionalString (cfg.spamAssassinRules != null) ''
ln -sf ${cfg.spamAssassinRules} /var/lib/public-inbox/spamassassin/user_prefs
''}
''}
${concatStrings (mapAttrsToList (name: { address, url, ... } @ inbox: ''
if [ ! -e ${escapeShellArg (inboxPath name)} ]; then
# public-inbox-init creates an inbox and adds it to a config file.
# It tries to atomically write the config file by creating
# another file in the same directory, and renaming it.
# This has the sad consequence that we can't use
# /dev/null, or it would try to create a file in /dev.
conf_dir="$(${pkgs.sudo}/bin/sudo -u public-inbox mktemp -d)"
${pkgs.sudo}/bin/sudo -u public-inbox \
env PI_CONFIG=$conf_dir/conf \
${cfg.package}/bin/public-inbox-init -V2 \
${escapeShellArgs ([ name (inboxPath name) url ] ++ address)}
rm -rf $conf_dir
fi
ln -sf ${descriptionFile inbox} ${inboxPath name}/description
if [ -d ${escapeShellArg (gitPath name)} ]; then
# Config is inherited by each epoch repository,
# so just needs to be set for all.git.
${pkgs.git}/bin/git --git-dir ${gitPath name} \
config core.sharedRepository 0640
fi
'') cfg.inboxes)}
for inbox in /var/lib/public-inbox/inboxes/*/; do
ls -1 "$inbox" | grep -q '^xap' && continue
# This should be idempotent, but only do it for new
# inboxes anyway because it's only needed once, and could
# be slow for large pre-existing inboxes.
${pkgs.sudo}/bin/sudo -u public-inbox \
env ${concatStringsSep " " envList} \
${cfg.package}/bin/public-inbox-index "$inbox"
done
'';
environment.systemPackages = with pkgs; [ cfg.package ];
};
}