postfix: add to vno1-oh2

flake.nix

@@ -63,7 +63,7 @@
             age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
 
             age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
-            age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age;
+            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
             age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
             age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
             age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
@@ -84,6 +84,8 @@
           agenix.nixosModules.default
 
           {
+            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+
             age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
             age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
             age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;

hosts/hel1-a/configuration.nix

@@ -18,6 +18,11 @@ in {
     timeZone = "UTC";
 
     services = {
+      postfix = {
+        enable = true;
+        saslPasswdPath = config.age.secrets.sasl-passwd.path;
+      };
+
       zfsunlock = {
         enable = true;
         targets."vno1-oh2.servers.jakst" = {
@@ -371,31 +376,6 @@ in {
       };
     };
 
-    postfix = {
-      enable = true;
-      enableSmtp = true;
-      networks = [
-        "127.0.0.1/8"
-        "[::ffff:127.0.0.0]/104"
-        "[::1]/128"
-        myData.tailscale_subnet.cidr
-      ];
-      hostname = "${config.networking.hostName}.${config.networking.domain}";
-      relayHost = "smtp.sendgrid.net";
-      relayPort = 587;
-      mapFiles = {
-        sasl_passwd = config.age.secrets.sasl-passwd.path;
-      };
-      extraConfig = ''
-        smtp_sasl_auth_enable = yes
-        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-        smtp_sasl_security_options = noanonymous
-        smtp_sasl_tls_security_options = noanonymous
-        smtp_tls_security_level = encrypt
-        header_size_limit = 4096000
-      '';
-    };
-
     logrotate = {
       settings = {
         "/var/log/caddy/access-jakstys.lt.log" = {

hosts/vno1-oh2/configuration.nix

@@ -40,21 +40,28 @@
       };
     };
 
-    services.syncthing = {
+    services = {
-      enable = true;
+      postfix = {
-      dataDir = "/home/motiejus/";
+        enable = true;
-      user = "motiejus";
+        saslPasswdPath = config.age.secrets.sasl-passwd.path;
-      group = "users";
+      };
-    };
 
-    services.zfsunlock = {
+      syncthing = {
-      enable = true;
+        enable = true;
-      targets."hel1-a.servers.jakst" = {
+        dataDir = "/home/motiejus/";
-        sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP;
+        user = "motiejus";
-        pingEndpoint = "hel1-a.servers.jakst";
+        group = "users";
-        remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey;
+      };
-        pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
+
-        startAt = "*-*-* *:00/5:00";
+      zfsunlock = {
+        enable = true;
+        targets."hel1-a.servers.jakst" = {
+          sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP;
+          pingEndpoint = "hel1-a.servers.jakst";
+          remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey;
+          pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
+          startAt = "*-*-* *:00/5:00";
+        };
       };
     };
   };

modules/services/default.nix

@@ -5,6 +5,7 @@
   ...
 }: {
   imports = [
+    ./postfix
     ./syncthing
     ./zfsunlock
   ];

modules/services/postfix/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  myData,
+  ...
+}: {
+  options.mj.services.postfix = with lib.types; {
+    enable = lib.mkEnableOption "Enable postfix";
+    saslPasswdPath = lib.mkOption {type = path;};
+  };
+
+  config = lib.mkIf config.mj.services.postfix.enable {
+    services.postfix = {
+      enable = true;
+      enableSmtp = true;
+      networks = [
+        "127.0.0.1/8"
+        "[::ffff:127.0.0.0]/104"
+        "[::1]/128"
+        myData.tailscale_subnet.cidr
+      ];
+      hostname = "${config.networking.hostName}.${config.networking.domain}";
+      relayHost = "smtp.sendgrid.net";
+      relayPort = 587;
+      mapFiles = {
+        sasl_passwd = config.mj.services.postfix.saslPasswdPath;
+      };
+      extraConfig = ''
+        smtp_sasl_auth_enable = yes
+        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+        smtp_sasl_security_options = noanonymous
+        smtp_sasl_tls_security_options = noanonymous
+        smtp_tls_security_level = encrypt
+        header_size_limit = 4096000
+      '';
+    };
+
+  };
+}

secrets.nix

@@ -10,7 +10,6 @@ let
 in {
   # hel1-a + motiejus
   "secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
-  "secrets/hel1-a/postfix/sasl_passwd.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
   "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
@@ -23,4 +22,5 @@ in {
   # everywhere + motiejus
   "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
   "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
+  "secrets/postfix_sasl_passwd.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 }

secrets/hel1-a/borgbackup/password.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 vDjOfg jXKd84hBLGshv+pBkasnRvAOR6zJOv9kqj3MFhNEfSc
+-> ssh-ed25519 vDjOfg vySEUwrEbfzV/E9EKMzF7il7gSKxn80EQKSTSKE4WGA
-PR634A9Br6c0NTSZUoq6HpHfbIkbZxCrx+QzdK0tnHo
+++iFPSRIhJ3nRa2AKoCqctDt+gmQCrmrZeDt8NXPjRI
--> X25519 EQxm5Y1GnCgOAxq/sWSksofOs4bqh5thYKchFE7AVlY
+-> X25519 aFkDi0dqTmG0ZRK3x/GwJgktpCXp8H1+UqHfGIZ2Bzs
-i0eqmFuXZ2VGMOHqS42vifcYXuBCTlF+Ckp6M2Dxrrc
+DXdwjN9xu9c40bdMyJmNI/iE9ejsQGxJrrfutrFBOIg
--> piv-p256 +y2G/w AvNFDhoheGvhx1OPcsYjNiXgcE2IyzNxnQa5o92TOfo/
+-> piv-p256 +y2G/w Ay2OS/A9MQ8kz4GFqGA2Jqu+qw2r1RkY7XDX8vRIM/bp
-ORGLR75OPtt5t3ZntdrmKeWNqcoOh9/9l9LPrbNd9/s
+6jE/jqzx8Z7KFoX6OerNLqEXi8oEsQSzbu/4UTDfjt8
--> piv-p256 jNqd3A A0hKbEWxWIgzjqC5rPnQvI6C89vvp3Ejm5X3hoSmJwcV
+-> piv-p256 jNqd3A AtoS0czOJchiKvrVfng6DWWdjdtyObdkwn3p5T3D+1uf
-nae0utik6loEuMbOUe7EZoWszJYMsA4aYIT1fBu7rmk
+i62iUXpOEN0nTgcYe/YrXUki6QG9cq6hXRv2Ar/JrAc
--> W3-grease Bi-\Y /Yn
+-> g_@F2fyi-grease mXj
-vVlW417ifsv6IU8m3IZWxis
+lTRFX2OWma7s/ER1R0NLRL//r2j50z4Hfv/ka0HJhg
---- 4+ia3CXXOvu7hPj9GLiTnzqQWwNPc8osiIysKZl1ApI
+--- YbEUnvdIuGKWPKLybsHLoDH5uBbnau59aiUJk72V1UQ
-y?sA«EöoFkÏ'ÑE2ά–ù²þÐÙ*Ò*ñ’Zc»÷-éêq˜S„ä
+i;î Äýu1tô„yXh±Lî
-JI6Ýóu,êD¢
+J|Õ¼
¼ä–°9®~’mÐAñ©ûUŠì_ͧB7Ûüˆ@}3§¨

secrets/hel1-a/turn/static_auth_secret.age

@@ -1,14 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 vDjOfg DGeT72n4VsH43Ns9yEnxfgy/uYKynfQGUzAtDPf+2mU
+-> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8
-LPe1Uwll/Ee//jfjz4jRryl0Fej3jyev6QnYAtcEGD4
+/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU
--> X25519 LYVUZF8IQa2pfNevLpSI26VfzRe4wlMy23FeTIH9eVQ
+-> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg
-HYXSzjCz7aeMm2BzGrD96m0CbWjLH/XYskhMNYtbX4g
+Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs
--> piv-p256 +y2G/w AqE+qszNsNVu365Jq5MwieKVzPG2rAYMrO1bOF2z7Wh/
+-> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl
-KUdsBS22jiqWPB+9PoNSugsOKRk5PnFacCoRI05dnRg
+G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4
--> piv-p256 jNqd3A A+sbeoWSbRRLu2mtTWPX/DJHjB19j7T7TR33zP0tqK3M
+-> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4
-WCsLFXjWeDBNEnBwITpjAQz2HJjcv46YFO9OSB/0psc
+Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE
--> -.}!Z;^n-grease K
+-> ;\NX'-grease 4{cJ&fP
-fpu7Uos5Lia2hiTlW0SixCdyJP4FXRmmeHP5ufJGbk6qy972vmOeacC4M6/6Ck6h
+5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ
-eex4qQEs2epkNf0tsYvfeA
+--- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs
---- b54YQan0Bm8INDPrhn8N9LIt41/yGKQ8HeStn2Wqf5Q
+8Ä	,„1À€¼dÒ<64>j%
<0A>Zr¡ÏdwÑA]CÜÖWAÝ•*©JæЊ`Q£µ(·ðŠIô
-_¶§‚ìb©6¨ÑÌÉ!NÅP%ÙEôœ˜¬³ÿ¯pðìÑ'ppÈ,ÈVÈŠ¶§eÐÖ6ÞE

secrets/hel1-a/zfs-passphrase.age

@@ -1,13 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang
+-> ssh-ed25519 gJrHQg mQiy3u+UMFfs61WPlbo0OHqLxahWNfpYACeYIo267BA
-ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI
+TW0fW13NrjYjj3iwckwEzXjIx6IIckCh5r+UHw8Ij3I
--> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE
+-> X25519 rt/IGRSKAZ5ZkGv0pWmhj86+Uq9e2GXAmIv+HBZ2ZHI
-7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA
+C1j2j2U+HCko+ohp1gOY4Ng70pE3gOS6REm4/PQzB60
--> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR
+-> piv-p256 +y2G/w Al/4EHKxjWqlWu15ijrzuh9wMq5VMiVP/W7Le4XxzV33
-v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4
+X1kHLFt0LrGJkVNS5Jb2s/mYzoNgLye6Cxi8uu9lGLM
--> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2
+-> piv-p256 jNqd3A Ak1e2RkiQSLkIdP2GVE4P59DZ0I5eSdVD+bxpsezr3d4
-VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4
+9aZR3+vmaOs3SH/i3ZOjl03VBwYvYByPiqLRJsHztVM
--> c[,kV-grease
+-> #iyKy*r-grease I~l K,!{*
-V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ
+36alLYkZaIJjAYgaw62ulNfYAj8b8Q0
---- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8
+--- 0E+LmPXzbCtwllF5uDoIEkYI/qMLWdmfLwdtY1/iYqs
-<EFBFBD>ÝâF;Dšľ`
A
¤Î<C2A4>ŕÝcHŃťV o¸J9y_¬Z°N°áÚŚoý<6F>ĹëŢ/ýÝ+ŻiśÂj±F<oô†›­ó
+êðýt˜úµ$»¯nMÚ	R8f¼jgÎõ.Ÿ6$ÚWvW=Ï×ò·ŽaP@$ä	Öy¸Ïq'ñ×	z¢ò<C2A2>åÿŽ

secrets/vno1-oh2/zfs-passphrase.age

@@ -1,13 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ
+-> ssh-ed25519 vDjOfg DSA11LD9kTPJXL6q7ezsCRMlN3QBgcEA+i7PpYbn1HM
-1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I
+002pudzzJdq69RLzbnmEu1uXaF578FCwpUEUeQvrE1I
--> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8
+-> X25519 k+nrZinBJQOsxyUC/qw+UQ4F0EFxs4Dt2oPvHMwguS4
-/181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o
+zEYUmyjLq5gU9M0sTx2CVLMTaiLXw6O1f6kWz6tG01g
--> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax
+-> piv-p256 +y2G/w AnR7AVB8k5lZ+6DuqVvT+6tR9rw24Z7GZ15wlIWAakMq
-Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc
+1bvu/AJ9DkZ1cgL1crnhH8gi5SkE8hW4sjVNWw6znBc
--> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf
+-> piv-p256 jNqd3A AmqhEzPN6+LvtcYHlF26ygzX3lgdNY8alH5SHECivjnq
-l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE
+jb/Iv7sHqn3FCBgH65YoKsIE0GT390Zrki5mPN2NRyM
--> cD-grease u8 9nH (N(2JYW 'd
+-> ]IKx--grease
-mAo1sjuzyaHtnQhYLApV9g
+0ZRby4OvsWGHVKCIhG27byA9hQw2a1xgQQgxrYy8QbxvmcY97+zbYY4nYThDUsA8
---- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc
+/oJsg5IfHI3ukFzek3SoLw
-kë{nµúþã/c8ÒgQ~ã1¦÷®ó“†v§Šçqùà{À<>sÝ€Å<E282AC>€„¶O²
+--- ceQ+78jo/wEnqKEzoDo3dYvkISTigadwZ/R9U9e0Z5U
+ćţ]ŻS÷rŕ–’9lŽúP	<09>E?f€Š(kĎvZ‘‘Ú•°Od›=u™´g