Fix password hash file generation behavior

- Move the "create password hash file from hashed password" behavior to
  a separate variable, since having it in the default field of config
  would always cause the warning to trigger
- Change type of hashedPassword to `nullOr str`

4 files changed, 76 insertions, 21 deletions

diff --git a/mail-server/common.nix b/mail-server/common.nix
index 7e968d9..b20e4c7 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -14,17 +14,10 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 
-{ config, lib }:
+{ config, pkgs, lib }:
 
 let
   cfg = config.mailserver;
-  # passwd :: [ String ]
-  passwd = lib.mapAttrsToList
-    (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
-     + (if lib.isString value.quota
-            then "userdb_quota_rule=*:storage=${value.quota}"
-            else ""))
-            cfg.loginAccounts;
 in
 {
   # cert :: PATH
@@ -45,6 +38,11 @@ in
                    then "/var/lib/acme/${cfg.fqdn}/key.pem"
                    else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 
-  # passwdFile :: PATH
-  passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd);
+  passwordFiles = let
+    mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
+  in
+    lib.mapAttrs (name: value:
+    if value.hashedPasswordFile == null then
+      builtins.toString (mkHashFile name value.hashedPassword)
+    else value.hashedPasswordFile) cfg.loginAccounts;
 }
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index eef241d..f0a370a 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -16,11 +16,14 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config lib; });
+with (import ./common.nix { inherit config pkgs lib; });
 
 let
   cfg = config.mailserver;
 
+  passwdDir = "/run/dovecot2";
+  passwdFile = "${passwdDir}/passwd";
+
   maildirLayoutAppendix = lib.optionalString cfg.useFsLayout ":LAYOUT=fs";
 
   # maildir in format "/${domain}/${user}"
@@ -47,6 +50,35 @@ let
       done
     '';
   };
+
+  genPasswdScript = pkgs.writeScript "generate-password-file" ''
+    #!${pkgs.stdenv.shell}
+
+    set -euo pipefail
+
+    if (! test -d "${passwdDir}"); then
+      mkdir "${passwdDir}"
+      chmod 755 "${passwdDir}"
+    fi
+
+    for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
+      if [ ! -f "$f" ]; then
+        echo "Expected password hash file $f does not exist!"
+        exit 1
+      fi
+    done
+
+    cat <<EOF > ${passwdFile}
+    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
+      "${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+        + (if lib.isString value.quota
+              then "userdb_quota_rule=*:storage=${value.quota}"
+              else "")
+    ) cfg.loginAccounts)}
+    EOF
+
+    chmod 600 ${passwdFile}
+  '';
 in
 {
   config = with cfg; lib.mkIf enable {
@@ -165,15 +197,27 @@ in
       '';
     };
 
-    systemd.services.dovecot2.preStart = ''
-      rm -rf '${stateDir}/imap_sieve'
-      mkdir '${stateDir}/imap_sieve'
-      cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
-      for k in "${stateDir}/imap_sieve"/*.sieve ; do
-        ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
-      done
-      chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
-    '';
+    systemd.services.gen-passwd-file = {
+      serviceConfig = {
+        ExecStart = genPasswdScript;
+        Type = "oneshot";
+      };
+    };
+
+    systemd.services.dovecot2 = {
+      after = [ "gen-passwd-file.service" ];
+      wants = [ "gen-passwd-file.service" ];
+      requires = [ "gen-passwd-file.service" ];
+      preStart = ''
+        rm -rf '${stateDir}/imap_sieve'
+        mkdir '${stateDir}/imap_sieve'
+        cp -p "${./dovecot/imap_sieve}"/*.sieve '${stateDir}/imap_sieve/'
+        for k in "${stateDir}/imap_sieve"/*.sieve ; do
+          ${pkgs.dovecot_pigeonhole}/bin/sievec "$k"
+        done
+        chown -R '${dovecot2Cfg.mailUser}:${dovecot2Cfg.mailGroup}' '${stateDir}/imap_sieve'
+      '';
+    };
 
     systemd.services.postfix.restartTriggers = [ passwdFile ];
   };
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 06c6af0..b61f038 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -16,7 +16,7 @@
 
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config lib; });
+with (import ./common.nix { inherit config pkgs lib; });
 
 let
   inherit (lib.strings) concatStringsSep;
diff --git a/mail-server/users.nix b/mail-server/users.nix
index f335330..3ab31d5 100644
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@@ -66,6 +66,19 @@ let
   '';
 in {
   config = lib.mkIf enable {
+    # assert that all accounts provide a password
+    assertions = (map (acct: {
+      assertion = (acct.hashedPassword != null || acct.hashedPasswordFile != null);
+      message = "${acct.name} must provide either a hashed password or a password hash file";
+    }) (lib.attrValues loginAccounts));
+
+    # warn for accounts that specify both password and file
+    warnings = (map
+      (acct: "${acct.name} specifies both a password hash and hash file; hash file will be used")
+      (lib.filter
+        (acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null))
+        (lib.attrValues loginAccounts)));
+
     # set the vmail gid to a specific value
     users.groups = {
       "${vmailGroupName}" = { gid = vmailUID; };