From 77087c1cc1379454be08be1eaf3ef68f47a9b5a5 Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 25 Sep 2023 12:18:41 -0700
Subject: [PATCH] Scripts must be built at runtime.
---
 dovecot.nix | 56 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 35 insertions(+), 21 deletions(-)
diff --git a/dovecot.nix b/dovecot.nix
index 30ceae6..5995e12 100644
--- a/dovecot.nix
+++ b/dovecot.nix
@@ -4,27 +4,6 @@ with lib;
 let
 cfg = config.fudo.mail.dovecot;
- sievePath = let
- isRegularFile = _: type: type == "regular";
- sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
- headOrNull = lst: if lst == [ ] then null else head lst;
- stripExt = ext: filename:
- headOrNull (builtins.match "(.+)[.]${ext}$" filename);
- compileFile = filename: _:
- let
- filePath = ./sieves + "/$(unknown)";
- fileBaseName = stripExt "sieve" filename;
- in "sievec ${filePath} $out/${fileBaseName}.svbin";
- in pkgs.stdenv.mkDerivation {
- name = "dovecot-sieves";
- buildInputs = with pkgs; [ dovecot dovecot_pigeonhole ];
- phases = [ "installPhase" ];
- installPhase = ''
- mkdir -p $out
- ${concatStringsSep "\n" (mapAttrsToList compileFile sieves)}
- '';
- };
- sieveDirectory = "${cfg.state-directory}/sieves";
 in {
@@ -209,6 +188,41 @@ in {
 "d ${cfg.state-directory}/mail 0750 ${cfg.mail-user} ${cfg.mail-group} - -"
 "d ${cfg.state-directory}/sieves 0750 ${cfg.mail-user} ${cfg.mail-group} - -"
 ];
+
+ services.dovecot-sieve-generator = let
+ isRegularFile = _: type: type == "regular";
+ sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
+ headOrNull = lst: if lst == [ ] then null else head lst;
+ stripExt = ext: filename:
+ headOrNull (builtins.match "(.+)[.]${ext}$" filename);
+ compileFile = filename: _:
+ let
+ filePath = ./sieves + "/$(unknown)";
+ fileBaseName = stripExt "sieve" filename;
+ in "sievec ${filePath} ${sieveDirectory}/${fileBaseName}.svbin";
+ in {
+ wantedBy = [ "dovecot2.service" ];
+ before = [ "dovecot2.service" ];
+ serviceConfig = {
+ User = config.services.dovecot2.user;
+ ReadWritePaths = [ sieveDirectory ];
+ ExecStart = pkgs.writeShellScript "generate-sieves.sh"
+ (concatStringsSep "\n" (mapAttrsToList compileFile sieves));
+ PrivateNetwork = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateMounts = true;
+ ProtectControlGroups = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectSystem = true;
+ ProtectHostname = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ Type = "oneshot";
+ };
+ };
 };
 services = {
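Review bot: `sieveDirectory` is referenced by the new unit (`${sieveDirectory}` inside compileFile and `ReadWritePaths = [ sieveDirectory ];`) but, as rendered, the first hunk removes its definition from the outer `let` (the line carries a `-` marker and the diffstat's 21 deletions only add up if it is counted), so unless it is bound elsewhere in the file the module will fail to evaluate on an undefined variable; re-add `sieveDirectory = "${cfg.state-directory}/sieves";` inside the unit's `let`. The generated script also calls bare `sievec`, which the deleted derivation found through `buildInputs` but a NixOS unit, with its minimal default PATH, will not; add `path = [ pkgs.dovecot_pigeonhole ];` next to `wantedBy`. `pkgs.writeShellScript` does not enable errexit, so a failing `sievec` on any line but the last still lets the oneshot exit 0 and dovecot2 starts against a stale or missing `.svbin`; prefix the script, e.g. `concatStringsSep "\n" ([ "set -euo pipefail" ] ++ mapAttrsToList compileFile sieves)`. Note as well that the tmpfiles rule in the context lines creates the sieves directory as `${cfg.mail-user}:${cfg.mail-group}` with mode 0750 while the unit runs as `config.services.dovecot2.user`; if those two users differ the compile step will be denied write access.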