postfix: add to vno1-oh2

2023-07-26 13:26:11 +03:00 · 2023-07-26 13:26:11 +03:00 · bac191ef2f
parent 60936605c9
commit bac191ef2f
17 changed files with 120 additions and 91 deletions
--- a/flake.nix
+++ b/flake.nix
@ -63,7 +63,7 @@
            age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;

            age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
-            age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age;
+            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
            age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
            age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
            age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
@ -84,6 +84,8 @@
          agenix.nixosModules.default

          {
+            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+
            age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
            age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
            age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@ -18,6 +18,11 @@ in {
    timeZone = "UTC";

    services = {
+      postfix = {
+        enable = true;
+        saslPasswdPath = config.age.secrets.sasl-passwd.path;
+      };
+
      zfsunlock = {
        enable = true;
        targets."vno1-oh2.servers.jakst" = {
@ -371,31 +376,6 @@ in {
      };
    };

-    postfix = {
-      enable = true;
-      enableSmtp = true;
-      networks = [
-        "127.0.0.1/8"
-        "[::ffff:127.0.0.0]/104"
-        "[::1]/128"
-        myData.tailscale_subnet.cidr
-      ];
-      hostname = "${config.networking.hostName}.${config.networking.domain}";
-      relayHost = "smtp.sendgrid.net";
-      relayPort = 587;
-      mapFiles = {
-        sasl_passwd = config.age.secrets.sasl-passwd.path;
-      };
-      extraConfig = ''
-        smtp_sasl_auth_enable = yes
-        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-        smtp_sasl_security_options = noanonymous
-        smtp_sasl_tls_security_options = noanonymous
-        smtp_tls_security_level = encrypt
-        header_size_limit = 4096000
-      '';
-    };
-
    logrotate = {
      settings = {
        "/var/log/caddy/access-jakstys.lt.log" = {
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@ -40,21 +40,28 @@
      };
    };

-    services.syncthing = {
-      enable = true;
-      dataDir = "/home/motiejus/";
-      user = "motiejus";
-      group = "users";
-    };
+    services = {
+      postfix = {
+        enable = true;
+        saslPasswdPath = config.age.secrets.sasl-passwd.path;
+      };

-    services.zfsunlock = {
-      enable = true;
-      targets."hel1-a.servers.jakst" = {
-        sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP;
-        pingEndpoint = "hel1-a.servers.jakst";
-        remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey;
-        pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
-        startAt = "*-*-* *:00/5:00";
+      syncthing = {
+        enable = true;
+        dataDir = "/home/motiejus/";
+        user = "motiejus";
+        group = "users";
+      };
+
+      zfsunlock = {
+        enable = true;
+        targets."hel1-a.servers.jakst" = {
+          sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP;
+          pingEndpoint = "hel1-a.servers.jakst";
+          remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey;
+          pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
+          startAt = "*-*-* *:00/5:00";
+        };
      };
    };
  };
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -5,6 +5,7 @@
  ...
 }: {
  imports = [
+    ./postfix
    ./syncthing
    ./zfsunlock
  ];
--- a/modules/services/postfix/default.nix
+++ b/modules/services/postfix/default.nix
@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  myData,
+  ...
+}: {
+  options.mj.services.postfix = with lib.types; {
+    enable = lib.mkEnableOption "Enable postfix";
+    saslPasswdPath = lib.mkOption {type = path;};
+  };
+
+  config = lib.mkIf config.mj.services.postfix.enable {
+    services.postfix = {
+      enable = true;
+      enableSmtp = true;
+      networks = [
+        "127.0.0.1/8"
+        "[::ffff:127.0.0.0]/104"
+        "[::1]/128"
+        myData.tailscale_subnet.cidr
+      ];
+      hostname = "${config.networking.hostName}.${config.networking.domain}";
+      relayHost = "smtp.sendgrid.net";
+      relayPort = 587;
+      mapFiles = {
+        sasl_passwd = config.mj.services.postfix.saslPasswdPath;
+      };
+      extraConfig = ''
+        smtp_sasl_auth_enable = yes
+        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+        smtp_sasl_security_options = noanonymous
+        smtp_sasl_tls_security_options = noanonymous
+        smtp_tls_security_level = encrypt
+        header_size_limit = 4096000
+      '';
+    };
+
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -10,7 +10,6 @@ let
 in {
  # hel1-a + motiejus
  "secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
-  "secrets/hel1-a/postfix/sasl_passwd.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
@ -23,4 +22,5 @@ in {
  # everywhere + motiejus
  "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
  "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
+  "secrets/postfix_sasl_passwd.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 }
--- a/secrets/hel1-a/borgbackup/password.age
+++ b/secrets/hel1-a/borgbackup/password.age
@ -1,14 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 vDjOfg jXKd84hBLGshv+pBkasnRvAOR6zJOv9kqj3MFhNEfSc
-PR634A9Br6c0NTSZUoq6HpHfbIkbZxCrx+QzdK0tnHo
-> X25519 EQxm5Y1GnCgOAxq/sWSksofOs4bqh5thYKchFE7AVlY
-i0eqmFuXZ2VGMOHqS42vifcYXuBCTlF+Ckp6M2Dxrrc
-> piv-p256 +y2G/w AvNFDhoheGvhx1OPcsYjNiXgcE2IyzNxnQa5o92TOfo/
-ORGLR75OPtt5t3ZntdrmKeWNqcoOh9/9l9LPrbNd9/s
-> piv-p256 jNqd3A A0hKbEWxWIgzjqC5rPnQvI6C89vvp3Ejm5X3hoSmJwcV
-nae0utik6loEuMbOUe7EZoWszJYMsA4aYIT1fBu7rmk
-> W3-grease Bi-\Y /Yn
-vVlW417ifsv6IU8m3IZWxis
--- 4+ia3CXXOvu7hPj9GLiTnzqQWwNPc8osiIysKZl1ApI
-y?sA«EöoFkÏ'ÑE2Î¬–ù²þÐÙ*Ò*ñ’Zc»÷-éêq˜S„ä
-JI6Ýóu,êD¢
+-> ssh-ed25519 vDjOfg vySEUwrEbfzV/E9EKMzF7il7gSKxn80EQKSTSKE4WGA
++iFPSRIhJ3nRa2AKoCqctDt+gmQCrmrZeDt8NXPjRI
+-> X25519 aFkDi0dqTmG0ZRK3x/GwJgktpCXp8H1+UqHfGIZ2Bzs
+DXdwjN9xu9c40bdMyJmNI/iE9ejsQGxJrrfutrFBOIg
+-> piv-p256 +y2G/w Ay2OS/A9MQ8kz4GFqGA2Jqu+qw2r1RkY7XDX8vRIM/bp
+6jE/jqzx8Z7KFoX6OerNLqEXi8oEsQSzbu/4UTDfjt8
+-> piv-p256 jNqd3A AtoS0czOJchiKvrVfng6DWWdjdtyObdkwn3p5T3D+1uf
+i62iUXpOEN0nTgcYe/YrXUki6QG9cq6hXRv2Ar/JrAc
+-> g_@F2fyi-grease mXj
+lTRFX2OWma7s/ER1R0NLRL//r2j50z4Hfv/ka0HJhg
+--- YbEUnvdIuGKWPKLybsHLoDH5uBbnau59aiUJk72V1UQ
+i;î Äýu1tô„yXh±Lî
+J|Õ¼¼ä–°9®~’mÐAñ©ûUŠì_Í§B7Ûüˆ@}3§¨
--- a/secrets/hel1-a/postfix/sasl_passwd.age
+++ b/secrets/hel1-a/postfix/sasl_passwd.age
--- a/secrets/hel1-a/synapse/jakstys_lt_signing_key.age
+++ b/secrets/hel1-a/synapse/jakstys_lt_signing_key.age
--- a/secrets/hel1-a/synapse/macaroon_secret_key.age
+++ b/secrets/hel1-a/synapse/macaroon_secret_key.age
--- a/secrets/hel1-a/synapse/registration_shared_secret.age
+++ b/secrets/hel1-a/synapse/registration_shared_secret.age
--- a/secrets/hel1-a/turn/static_auth_secret.age
+++ b/secrets/hel1-a/turn/static_auth_secret.age
@ -1,14 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 vDjOfg DGeT72n4VsH43Ns9yEnxfgy/uYKynfQGUzAtDPf+2mU
-LPe1Uwll/Ee//jfjz4jRryl0Fej3jyev6QnYAtcEGD4
-> X25519 LYVUZF8IQa2pfNevLpSI26VfzRe4wlMy23FeTIH9eVQ
-HYXSzjCz7aeMm2BzGrD96m0CbWjLH/XYskhMNYtbX4g
-> piv-p256 +y2G/w AqE+qszNsNVu365Jq5MwieKVzPG2rAYMrO1bOF2z7Wh/
-KUdsBS22jiqWPB+9PoNSugsOKRk5PnFacCoRI05dnRg
-> piv-p256 jNqd3A A+sbeoWSbRRLu2mtTWPX/DJHjB19j7T7TR33zP0tqK3M
-WCsLFXjWeDBNEnBwITpjAQz2HJjcv46YFO9OSB/0psc
-> -.}!Z;^n-grease K
-fpu7Uos5Lia2hiTlW0SixCdyJP4FXRmmeHP5ufJGbk6qy972vmOeacC4M6/6Ck6h
-eex4qQEs2epkNf0tsYvfeA
--- b54YQan0Bm8INDPrhn8N9LIt41/yGKQ8HeStn2Wqf5Q
-_¶§‚ìb©6¨ÑÌÉ!NÅP%ÙEôœ˜¬³ÿ¯pðìÑ'ppÈ,ÈVÈŠ¶§eÐÖ6ÞE
+-> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8
+/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU
+-> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg
+Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs
+-> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl
+G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4
+-> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4
+Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE
+-> ;\NX'-grease 4{cJ&fP
+5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ
+--- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs
+8Ä	,„1À€¼dÒ<64>j%
<0A>Zr¡ÏdwÑA]CÜÖWAÝ•*©JæÐŠ`Q£µ(·ðŠIô
--- a/secrets/hel1-a/zfs-passphrase.age
+++ b/secrets/hel1-a/zfs-passphrase.age
@ -1,13 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang
-ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI
-> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE
-7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA
-> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR
-v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4
-> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2
-VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4
-> c[,kV-grease
-V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ
--- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8
-<EFBFBD>ÝâF;Dšľ`A
¤Î<C2A4>ŕÝcHŃťV o¸J9y_¬Z°N°áÚŚoý<6F>ĹëŢ/ýÝ+ŻiśÂj±F<oô†›ó
+-> ssh-ed25519 gJrHQg mQiy3u+UMFfs61WPlbo0OHqLxahWNfpYACeYIo267BA
+TW0fW13NrjYjj3iwckwEzXjIx6IIckCh5r+UHw8Ij3I
+-> X25519 rt/IGRSKAZ5ZkGv0pWmhj86+Uq9e2GXAmIv+HBZ2ZHI
+C1j2j2U+HCko+ohp1gOY4Ng70pE3gOS6REm4/PQzB60
+-> piv-p256 +y2G/w Al/4EHKxjWqlWu15ijrzuh9wMq5VMiVP/W7Le4XxzV33
+X1kHLFt0LrGJkVNS5Jb2s/mYzoNgLye6Cxi8uu9lGLM
+-> piv-p256 jNqd3A Ak1e2RkiQSLkIdP2GVE4P59DZ0I5eSdVD+bxpsezr3d4
+9aZR3+vmaOs3SH/i3ZOjl03VBwYvYByPiqLRJsHztVM
+-> #iyKy*r-grease I~l K,!{*
+36alLYkZaIJjAYgaw62ulNfYAj8b8Q0
+--- 0E+LmPXzbCtwllF5uDoIEkYI/qMLWdmfLwdtY1/iYqs
+êðýt˜úµ$»¯nMÚ	R8f¼jgÎõ.Ÿ6$ÚWvW=Ï×ò·ŽaP@$ä	Öy¸Ïq'ñ×	z¢ò<C2A2>åÿŽ
--- a/secrets/motiejus_passwd_hash.age
+++ b/secrets/motiejus_passwd_hash.age
--- a/secrets/postfix_sasl_passwd.age
+++ b/secrets/postfix_sasl_passwd.age
--- a/secrets/root_passwd_hash.age
+++ b/secrets/root_passwd_hash.age
--- a/secrets/vno1-oh2/zfs-passphrase.age
+++ b/secrets/vno1-oh2/zfs-passphrase.age
@ -1,13 +1,14 @@
 age-encryption.org/v1
-> ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ
-1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I
-> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8
-/181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o
-> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax
-Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc
-> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf
-l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE
-> cD-grease u8 9nH (N(2JYW 'd
-mAo1sjuzyaHtnQhYLApV9g
--- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc
-kë{nµúþã/c8ÒgQ~ã1¦÷®ó“†v§Šçqùà{À<>sÝ€Å<E282AC>€„¶O²
+-> ssh-ed25519 vDjOfg DSA11LD9kTPJXL6q7ezsCRMlN3QBgcEA+i7PpYbn1HM
+002pudzzJdq69RLzbnmEu1uXaF578FCwpUEUeQvrE1I
+-> X25519 k+nrZinBJQOsxyUC/qw+UQ4F0EFxs4Dt2oPvHMwguS4
+zEYUmyjLq5gU9M0sTx2CVLMTaiLXw6O1f6kWz6tG01g
+-> piv-p256 +y2G/w AnR7AVB8k5lZ+6DuqVvT+6tR9rw24Z7GZ15wlIWAakMq
+1bvu/AJ9DkZ1cgL1crnhH8gi5SkE8hW4sjVNWw6znBc
+-> piv-p256 jNqd3A AmqhEzPN6+LvtcYHlF26ygzX3lgdNY8alH5SHECivjnq
+jb/Iv7sHqn3FCBgH65YoKsIE0GT390Zrki5mPN2NRyM
+-> ]IKx--grease
+0ZRby4OvsWGHVKCIhG27byA9hQw2a1xgQQgxrYy8QbxvmcY97+zbYY4nYThDUsA8
+/oJsg5IfHI3ukFzek3SoLw
+--- ceQ+78jo/wEnqKEzoDo3dYvkISTigadwZ/R9U9e0Z5U
+ćţ]ŻS÷rŕ–’9lŽúP	<09>E?f€Š(kĎvZ‘‘Ú•°Od›=u™´g