That's how nixpkgs-unstable is now, so to be compatible with both we
have to force that setting. Use systemd tmpfiles to provision
directory with correct owner.
- restructure rspamd config. It's nicer now, and it was getting
overridden the old way.
- "scan_mime_parts = false" apparently must be used in rspamd for ClamAV
to work
- refactor the clamav test a bit for cleanliness
- wait for rspamd and clamd sockets to open, before testing
- use clamdscan for speed, and verify that the virus was found
- verify msmtp returns virus scan result
Their CI environment currently doesn't have KVM. This commit should be
reverted when/if they do, for much better CI speed.
You can still run tests locally on your KVM-enabled machine as documented
on the wiki.
Workaround on GitLab is several pieces (injected through .gitlab-ci.yml):
- Make a /dev/kvm file so that nix thinks we have "kvm" system feature
and proceeds with executing the tests.
- Inject a QEMU package that replaces qemu-kvm with a full emulator.
- Monkey-patch the test script to wait longer for the VM to boot, since
it's slow on full emulation. 1200 seconds, double the previous value.
The patch method is not bulletproof, but better than maintaining forks of
nixpkgs.
- Set systemd's DefaultTimeoutStartSec=15min, so nix's "backdoor" test
service doesn't time out on the slow boot.
TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
SNM used to define virtual_alias_maps in extraConfig which collides with
the same parameter defined by the standard services.postfix.virtual
option. This led to *lots* of warnings during postfix startup like
```
May 02 18:29:58 nun postfix/master[24758]: warning: /etc/postfix/main.cf, line 47: overriding earlier entry: virtual_alias_maps=hash:/etc/postfix/virtual
```
Refraining from overriding virtual_alias_maps has the additional
advantage that virtual aliases defined by other modules dont' stop
working with SNM.
Advantages of including the SHA256:
(i) removes the impurity of the tarball contents being changed
(ii) if sha256 is not included, then each nixops deploy triggers a re-download of the tarball
Here's how to get the expected hash:
$ nix-prefetch-url --unpack 'https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz'
unpacking...
[0.0 MiB DL]
path is '/nix/store/dwg8xlfnlw7mhr4cjk1viwmm0b249b74-nixos-mailserver-v2.2.0.tar.gz'
0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc
Fix#136 (stop pulling the files from @griff's poor server), also add a script
to update the files.
The fun thing about this is that due to sourcing the files from
`https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/raw/master/tests/clamav`
during the tests, updates to the `hashes.json` and `*.cvd` files will always
fail CI. I guess this is a reasonable tradeoff as long as people are aware of
it.
