author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-11 09:28:58 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-11 09:28:58 +0200 |
commit | 7f04383e716b8b5b67e28422d7d72896fb080918 (patch) | |
tree | 31e64aaf5e49fa0ffbc56962c35f83bd17f7b9c7 | |
parent | a834240c59d3cbec274a5249463f339ede65bc85 (diff) | |
bouncy.email: MTA-STS
-rw-r--r-- | _sources/generated.json | 20 | ||||
-rw-r--r-- | _sources/generated.nix | 14 | ||||
-rw-r--r-- | flake.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
-rw-r--r-- | modules/postfix-mta-sts-resolver.nix | 63 | ||||
-rw-r--r-- | nvfetcher.toml | 7 | ||||
-rw-r--r-- | overlays/postfix-mta-sts-resolver.nix | 25 |
7 files changed, 127 insertions, 8 deletions
diff --git a/_sources/generated.json b/_sources/generated.json index c65147bb..be2bdcb0 100644 --- a/_sources/generated.json +++ b/_sources/generated.json | |||
@@ -67,12 +67,12 @@ | |||
67 | "fetchSubmodules": false, | 67 | "fetchSubmodules": false, |
68 | "leaveDotGit": false, | 68 | "leaveDotGit": false, |
69 | "name": null, | 69 | "name": null, |
70 | "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0", | 70 | "rev": "586675942a4014fc2c277fd5c7ee44a1a20147fb", |
71 | "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=", | 71 | "sha256": "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=", |
72 | "type": "git", | 72 | "type": "git", |
73 | "url": "https://github.com/FreeRDP/FreeRDP" | 73 | "url": "https://github.com/FreeRDP/FreeRDP" |
74 | }, | 74 | }, |
75 | "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0" | 75 | "version": "586675942a4014fc2c277fd5c7ee44a1a20147fb" |
76 | }, | 76 | }, |
77 | "lesspipe": { | 77 | "lesspipe": { |
78 | "cargoLocks": null, | 78 | "cargoLocks": null, |
@@ -182,6 +182,20 @@ | |||
182 | }, | 182 | }, |
183 | "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92" | 183 | "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92" |
184 | }, | 184 | }, |
185 | "postfix-mta-sts-resolver": { | ||
186 | "cargoLocks": null, | ||
187 | "extract": null, | ||
188 | "name": "postfix-mta-sts-resolver", | ||
189 | "passthru": null, | ||
190 | "pinned": false, | ||
191 | "src": { | ||
192 | "name": null, | ||
193 | "sha256": "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=", | ||
194 | "type": "url", | ||
195 | "url": "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz" | ||
196 | }, | ||
197 | "version": "1.1.3" | ||
198 | }, | ||
185 | "psql-versioning": { | 199 | "psql-versioning": { |
186 | "cargoLocks": null, | 200 | "cargoLocks": null, |
187 | "extract": null, | 201 | "extract": null, |
diff --git a/_sources/generated.nix b/_sources/generated.nix index b077edf5..488f0a68 100644 --- a/_sources/generated.nix +++ b/_sources/generated.nix | |||
@@ -38,14 +38,14 @@ | |||
38 | }; | 38 | }; |
39 | freerdp = { | 39 | freerdp = { |
40 | pname = "freerdp"; | 40 | pname = "freerdp"; |
41 | version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; | 41 | version = "586675942a4014fc2c277fd5c7ee44a1a20147fb"; |
42 | src = fetchgit { | 42 | src = fetchgit { |
43 | url = "https://github.com/FreeRDP/FreeRDP"; | 43 | url = "https://github.com/FreeRDP/FreeRDP"; |
44 | rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; | 44 | rev = "586675942a4014fc2c277fd5c7ee44a1a20147fb"; |
45 | fetchSubmodules = false; | 45 | fetchSubmodules = false; |
46 | deepClone = false; | 46 | deepClone = false; |
47 | leaveDotGit = false; | 47 | leaveDotGit = false; |
48 | sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw="; | 48 | sha256 = "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4="; |
49 | }; | 49 | }; |
50 | }; | 50 | }; |
51 | lesspipe = { | 51 | lesspipe = { |
@@ -112,6 +112,14 @@ | |||
112 | sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk="; | 112 | sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk="; |
113 | }); | 113 | }); |
114 | }; | 114 | }; |
115 | postfix-mta-sts-resolver = { | ||
116 | pname = "postfix-mta-sts-resolver"; | ||
117 | version = "1.1.3"; | ||
118 | src = fetchurl { | ||
119 | url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz"; | ||
120 | sha256 = "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw="; | ||
121 | }; | ||
122 | }; | ||
115 | psql-versioning = { | 123 | psql-versioning = { |
116 | pname = "psql-versioning"; | 124 | pname = "psql-versioning"; |
117 | version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e"; | 125 | version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e"; |
@@ -89,7 +89,7 @@ | |||
89 | 89 | ||
90 | mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; }; | 90 | mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; }; |
91 | 91 | ||
92 | mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; } // mkSources prev); | 92 | mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; flakeInputs = inputs; flake = self; } // mkSources prev); |
93 | 93 | ||
94 | mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec { | 94 | mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec { |
95 | specialArgs = { | 95 | specialArgs = { |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index d72a4465..9bdaac75 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -87,6 +87,8 @@ in { | |||
87 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 87 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem |
88 | ''}''; | 88 | ''}''; |
89 | 89 | ||
90 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; | ||
91 | |||
90 | local_recipient_maps = ""; | 92 | local_recipient_maps = ""; |
91 | 93 | ||
92 | # 10 GiB | 94 | # 10 GiB |
@@ -723,5 +725,7 @@ in { | |||
723 | format = "binary"; | 725 | format = "binary"; |
724 | sopsFile = ./spm-keys.json; | 726 | sopsFile = ./spm-keys.json; |
725 | }; | 727 | }; |
728 | |||
729 | services.postfix-mta-sts-resolver.enable = true; | ||
726 | }; | 730 | }; |
727 | } | 731 | } |
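Review bot: The `smtp_tls_policy_maps` line added at new line 90 makes Postfix follow the resolver's per-destination answer, and for a domain that publishes MTA-STS that answer is a `secure` policy, which Postfix can only honour with a trust store set through `smtp_tls_CAfile` or `smtp_tls_CApath`; neither appears in this hunk, so if they are not set elsewhere in the file, delivery to every MTA-STS domain is deferred on certificate verification instead of being protected. It is also worth recording next to the line that a failed socketmap lookup (daemon down, socket missing) defers mail rather than downgrading, which is the right fail-closed behaviour but turns a resolver outage into an outbound-mail outage: `# MTA-STS policy from the resolver daemon; a failed lookup defers mail (fail closed), never downgrades`. The attribute set this line belongs to starts and ends outside the hunk.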
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..9e126361 --- /dev/null +++ b/modules/postfix-mta-sts-resolver.nix | |||
@@ -0,0 +1,63 @@ | |||
1 | { config, pkgs, lib, ... }: | ||
2 | |||
3 | with lib; | ||
4 | |||
5 | let | ||
6 | cfg = config.services.postfix-mta-sts-resolver; | ||
7 | in { | ||
8 | options = { | ||
9 | services.postfix-mta-sts-resolver = { | ||
10 | enable = mkEnableOption "mta-sts-daemon"; | ||
11 | package = mkPackageOption pkgs "postfix-mta-sts-resolver"; | ||
12 | |||
13 | redis = mkEnableOption "redis cache" // { default = true; example = false; }; | ||
14 | |||
15 | settings = mkOption { | ||
16 | type = types.attrs; | ||
17 | }; | ||
18 | }; | ||
19 | }; | ||
20 | |||
21 | config = mkIf cfg.enable { | ||
22 | services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock"; | ||
23 | services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660 | ||
24 | |||
25 | services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis { | ||
26 | redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}"; | ||
27 | }; | ||
28 | |||
29 | services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis { | ||
30 | enable = true; | ||
31 | }; | ||
32 | |||
33 | users.users.postfix-mta-sts-resolver = { | ||
34 | isSystemUser = true; | ||
35 | group = "postfix-mta-sts-resolver"; | ||
36 | }; | ||
37 | users.groups.postfix-mta-sts-resolver = { | ||
38 | members = ["postfix"]; | ||
39 | }; | ||
40 | |||
41 | systemd.services."postfix-mta-sts-resolver" = { | ||
42 | wantedBy = ["postfix.service"]; | ||
43 | before = ["postfix.service"]; | ||
44 | |||
45 | serviceConfig = { | ||
46 | ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}"; | ||
47 | SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user; | ||
48 | RuntimeDirectory = "postfix-mta-sts-resolver"; | ||
49 | |||
50 | User = "postfix-mta-sts-resolver"; | ||
51 | Group = "postfix-mta-sts-resolver"; | ||
52 | |||
53 | RemoveIPC = true; | ||
54 | PrivateTmp = true; | ||
55 | NoNewPrivileges = true; | ||
56 | RestrictSUIDSGID = true; | ||
57 | ProtectSystem = "strict"; | ||
58 | ProtectHome = "read-only"; | ||
59 | ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"]; | ||
60 | }; | ||
61 | }; | ||
62 | }; | ||
63 | } | ||
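Review bot: `ExecStart` on line 46 references `pkgs.postfix-mta-sts-resolver` directly, so the `package` option declared on line 11 is never consulted and an override of it has no effect; it should read `ExecStart = "${cfg.package}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";`. When `cfg.redis` is set, the unit orders itself before `postfix.service` but has no `after` on the redis instance behind `/run/redis-postfix-mta-sts-resolver`, so at boot the daemon may start before its cache backend; if the redis client connects at startup (not visible here), `after = mkIf cfg.redis ["redis-postfix-mta-sts-resolver.service"];` next to the existing `before` would make the ordering deterministic. The rendered `mta-sts-daemon.yml` is a world-readable store path; that is fine while `settings` only holds a socket path, mode and the redis socket URL, but a comment on the `settings` option, `# rendered into the nix store (world-readable); never place credentials such as a redis password here`, would stop a later change from leaking a secret that way.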
diff --git a/nvfetcher.toml b/nvfetcher.toml index c723654e..cb87d2e1 100644 --- a/nvfetcher.toml +++ b/nvfetcher.toml | |||
@@ -57,4 +57,9 @@ fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz" | |||
57 | 57 | ||
58 | [freerdp] | 58 | [freerdp] |
59 | src.git = "https://github.com/FreeRDP/FreeRDP" | 59 | src.git = "https://github.com/FreeRDP/FreeRDP" |
60 | fetch.git = "https://github.com/FreeRDP/FreeRDP" \ No newline at end of file | 60 | fetch.git = "https://github.com/FreeRDP/FreeRDP" |
61 | |||
62 | [postfix-mta-sts-resolver] | ||
63 | src.github = "Snawoot/postfix-mta-sts-resolver" | ||
64 | src.prefix = "v" | ||
65 | fetch.url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v$ver.tar.gz" \ No newline at end of file | ||
diff --git a/overlays/postfix-mta-sts-resolver.nix b/overlays/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..3f08920f --- /dev/null +++ b/overlays/postfix-mta-sts-resolver.nix | |||
@@ -0,0 +1,25 @@ | |||
1 | { final, prev, flakeInputs, sources, ... }: | ||
2 | { | ||
3 | postfix-mta-sts-resolver = flakeInputs.mach-nix.lib.${final.system}.buildPythonPackage { | ||
4 | inherit (sources.postfix-mta-sts-resolver) src pname version; | ||
5 | extras = "redis"; | ||
6 | ignoreDataOutdated = true; | ||
7 | |||
8 | requirements = '' | ||
9 | redis>=4.2.0rc1 | ||
10 | aiodns>=1.1.1 | ||
11 | aiohttp>=3.4.4 | ||
12 | PyYAML>=3.12 | ||
13 | ''; | ||
14 | |||
15 | providers._default = "nixpkgs,sdist"; | ||
16 | |||
17 | overridesPost = [ | ||
18 | (self: super: { | ||
19 | frozenlist = super.frozenlist.overrideAttrs (oldAttrs: { | ||
20 | nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.python310Packages.cython ]; | ||
21 | }); | ||
22 | }) | ||
23 | ]; | ||
24 | }; | ||
25 | } | ||
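Review bot: Line 20 pins the Cython build helper to `final.python310Packages.cython` while the `buildPythonPackage` call on line 3 leaves mach-nix's `python` argument at its default, so the two interpreter versions can drift apart on a mach-nix update and the frozenlist override would then inject a Cython built against a different Python. Passing `python = "python310";` alongside `extras` on line 5 makes the choice explicit and keeps both in step. A why-comment on the override would also help the next reader, e.g. `# frozenlist is resolved from sdist and presumably needs Cython to build its extension; verify on the next bump`, and `ignoreDataOutdated = true` on line 6 deserves a one-line reason (for instance that `redis>=4.2.0rc1` is newer than mach-nix's bundled PyPI index, if that is the motivation).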