Advantages of including the SHA256:
(i) removes the impurity of the tarball contents being changed
(ii) if sha256 is not included, then each nixops deploy triggers a re-download of the tarball
Here's how to get the expected hash:
$ nix-prefetch-url --unpack 'https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz'
unpacking...
[0.0 MiB DL]
path is '/nix/store/dwg8xlfnlw7mhr4cjk1viwmm0b249b74-nixos-mailserver-v2.2.0.tar.gz'
0gqzgy50hgb5zmdjiffaqp277a68564vflfpjvk1gv6079zahksc
Fix #136 (stop pulling the files from @griff's poor server), also add a script
to update the files.
The fun thing about this is that due to sourcing the files from
`https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/raw/master/tests/clamav`
during the tests, updates to the `hashes.json` and `*.cvd` files will always
fail CI. I guess this is a reasonable tradeoff as long as people are aware of
it.
It seemed weird to me that preStart on postfix was used to generate
files not needed directly by postfix and for the self-signed
certificate which is also needed by dovecot. nginx.service was also
used as a proxy for when ACME certificate generation was done.
So I have created mailserver-certificates.target for when certificates
are available for other services. For self-signed that means that a
new oneshot service called mailserver-selfsigned-certificate has been
run. And for ACME this means that the target
acme-selfsigned-certificates has been reached (which is when acme has
created the self-signed certificates used before the actual
certificates provided by LetsEncrypt are created). This setup has the
added bonus that if you want to run a service to provide your own
certificates you can set that to run before
mailserver-certificates.target.
DH Parameters are only needed by dovecot so generation of that file has
been moved to the dovecot2 preStart.
And lastly the only remaining reason for dovecot to start before
postfix was that the auth and lmtp sockets were located in a directory
created by postfix. But since they could just as well be located in
/run/dovecot2 as long as postfix has access to them I have moved them
there.
The dh.pem file is currently created by the postfix prestart
script. If the entropy of the system is too low, the postfix prestart
can time out. In this case, an empty file is created.
If the user restarts the postfix service, the dh.pem is not created
because the file already exists (but is empty).
When an SSL connection is established with dovecot, it fails with this message:
imap-login: `Error:Failed to initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS`
With this patch, the postfix service creates the dh.pem if the dh.pem
doesn't exist or if it is empty. It doesn't fix the entropy or
timeout issue but at least, the user knows something is failing :/
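
The missing-or-empty check described in the last commit message, written out as an added example (not the project's patch). It also generates into a temporary file and renames it only after validation, so a timed-out run cannot leave an empty dh.pem behind. The function names, the `DH_GEN` override hook, the 2048-bit default and the start-line check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: regenerate dh.pem when it is missing, empty or not PEM.
# DH_GEN is a hypothetical override hook (assumption) naming the generator
# function; by default `openssl dhparam -out <file> <bits>` is used.

# Return 0 only if the file is non-empty and carries the PEM start line whose
# absence produces the "no start line: Expecting: DH PARAMETERS" error.
dh_usable() {
    [ -s "$1" ] && grep -q -e '-----BEGIN DH PARAMETERS-----' "$1"
}

default_dh_gen() {
    # $1 = output file, $2 = size in bits
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# ensure_dh PATH [BITS]
# Leaves a usable file untouched. Otherwise generates into a temp file in the
# same directory and renames it into place only after it validates.
ensure_dh() {
    dest=$1
    bits=${2:-2048}
    gen=${DH_GEN:-default_dh_gen}

    if dh_usable "$dest"; then
        return 0
    fi

    tmp=$(mktemp "$(dirname "$dest")/.dh.pem.XXXXXX") || return 1
    if "$gen" "$tmp" "$bits" && dh_usable "$tmp"; then
        # DH parameters are public; mktemp creates 0600, so widen for readers.
        chmod 0644 "$tmp"
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "dh.pem generation failed; $dest left unchanged" >&2
        return 1
    fi
}
```

Calling `ensure_dh /path/to/dh.pem` from a preStart script returns non-zero when generation fails, so the unit fails visibly instead of starting with an unparsable file.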