authorGregor Kleen <gkleen@yggdrasil.li>2022-07-11 09:28:58 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-07-11 09:28:58 +0200
commit7f04383e716b8b5b67e28422d7d72896fb080918 (patch)
tree31e64aaf5e49fa0ffbc56962c35f83bd17f7b9c7
parenta834240c59d3cbec274a5249463f339ede65bc85 (diff)
bouncy.email: MTA-STS
-rw-r--r--_sources/generated.json20
-rw-r--r--_sources/generated.nix14
-rw-r--r--flake.nix2
-rw-r--r--hosts/surtr/email/default.nix4
-rw-r--r--modules/postfix-mta-sts-resolver.nix63
-rw-r--r--nvfetcher.toml7
-rw-r--r--overlays/postfix-mta-sts-resolver.nix25
7 files changed, 127 insertions, 8 deletions
diff --git a/_sources/generated.json b/_sources/generated.json
index c65147bb..be2bdcb0 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -67,12 +67,12 @@
67 "fetchSubmodules": false, 67 "fetchSubmodules": false,
68 "leaveDotGit": false, 68 "leaveDotGit": false,
69 "name": null, 69 "name": null,
70 "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0", 70 "rev": "586675942a4014fc2c277fd5c7ee44a1a20147fb",
71 "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=", 71 "sha256": "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=",
72 "type": "git", 72 "type": "git",
73 "url": "https://github.com/FreeRDP/FreeRDP" 73 "url": "https://github.com/FreeRDP/FreeRDP"
74 }, 74 },
75 "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0" 75 "version": "586675942a4014fc2c277fd5c7ee44a1a20147fb"
76 }, 76 },
77 "lesspipe": { 77 "lesspipe": {
78 "cargoLocks": null, 78 "cargoLocks": null,
@@ -182,6 +182,20 @@
182 }, 182 },
183 "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92" 183 "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"
184 }, 184 },
185 "postfix-mta-sts-resolver": {
186 "cargoLocks": null,
187 "extract": null,
188 "name": "postfix-mta-sts-resolver",
189 "passthru": null,
190 "pinned": false,
191 "src": {
192 "name": null,
193 "sha256": "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=",
194 "type": "url",
195 "url": "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz"
196 },
197 "version": "1.1.3"
198 },
185 "psql-versioning": { 199 "psql-versioning": {
186 "cargoLocks": null, 200 "cargoLocks": null,
187 "extract": null, 201 "extract": null,
diff --git a/_sources/generated.nix b/_sources/generated.nix
index b077edf5..488f0a68 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -38,14 +38,14 @@
38 }; 38 };
39 freerdp = { 39 freerdp = {
40 pname = "freerdp"; 40 pname = "freerdp";
41 version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; 41 version = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
42 src = fetchgit { 42 src = fetchgit {
43 url = "https://github.com/FreeRDP/FreeRDP"; 43 url = "https://github.com/FreeRDP/FreeRDP";
44 rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"; 44 rev = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
45 fetchSubmodules = false; 45 fetchSubmodules = false;
46 deepClone = false; 46 deepClone = false;
47 leaveDotGit = false; 47 leaveDotGit = false;
48 sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw="; 48 sha256 = "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=";
49 }; 49 };
50 }; 50 };
51 lesspipe = { 51 lesspipe = {
@@ -112,6 +112,14 @@
112 sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk="; 112 sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk=";
113 }); 113 });
114 }; 114 };
115 postfix-mta-sts-resolver = {
116 pname = "postfix-mta-sts-resolver";
117 version = "1.1.3";
118 src = fetchurl {
119 url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz";
120 sha256 = "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=";
121 };
122 };
115 psql-versioning = { 123 psql-versioning = {
116 pname = "psql-versioning"; 124 pname = "psql-versioning";
117 version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e"; 125 version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e";
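--- a/flake.nix
+++ b/flake.nix
@@ -89,7 +89,7 @@
 
   mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; };
 
-  mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; } // mkSources prev);
+  mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; flakeInputs = inputs; flake = self; } // mkSources prev);
 
   mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec {
     specialArgs = {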
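--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -87,6 +87,8 @@ in {
       .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
     ''}'';
 
+    smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
+
     local_recipient_maps = "";
 
     # 10 GiB
@@ -723,5 +725,7 @@ in {
       format = "binary";
       sopsFile = ./spm-keys.json;
     };
+
+    services.postfix-mta-sts-resolver.enable = true;
   };
 }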
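Review bot: The new smtp_tls_policy_maps line in the first hunk makes the resolver socket a hard dependency of every outbound TLS decision: a socketmap lookup error is a temporary failure in Postfix, so while mta-sts-daemon is down outbound mail is deferred rather than sent under the previous policy. The unit is only `wantedBy`/`before` postfix.service, not a `requires` dependency, so postfix still starts without it; that is probably the intended trade-off, but a comment such as `# outbound delivery is deferred while the resolver socket is unreachable` next to the setting would make it explicit. For the `secure` policy the resolver returns for enforcing domains Postfix also needs a trust store (`smtp_tls_CAfile` or `smtp_tls_CApath`); I cannot see whether this file sets one, since the enclosing attribute set extends well beyond both hunks.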
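--- /dev/null
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.postfix-mta-sts-resolver;
+in {
+  options = {
+    services.postfix-mta-sts-resolver = {
+      enable = mkEnableOption "mta-sts-daemon";
+      package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+
+      redis = mkEnableOption "redis cache" // { default = true; example = false; };
+
+      settings = mkOption {
+        type = types.attrs;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+    services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+
+    services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+      redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+    };
+
+    services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+      enable = true;
+    };
+
+    users.users.postfix-mta-sts-resolver = {
+      isSystemUser = true;
+      group = "postfix-mta-sts-resolver";
+    };
+    users.groups.postfix-mta-sts-resolver = {
+      members = ["postfix"];
+    };
+
+    systemd.services."postfix-mta-sts-resolver" = {
+      wantedBy = ["postfix.service"];
+      before = ["postfix.service"];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+        SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+        RuntimeDirectory = "postfix-mta-sts-resolver";
+
+        User = "postfix-mta-sts-resolver";
+        Group = "postfix-mta-sts-resolver";
+
+        RemoveIPC = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        RestrictSUIDSGID = true;
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+      };
+    };
+  };
+}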
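Review bot: ExecStart on line 46 hardcodes `pkgs.postfix-mta-sts-resolver` although the module declares `package = mkPackageOption pkgs "postfix-mta-sts-resolver"` on line 11, so setting that option has no effect; it should read `ExecStart = "${cfg.package}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";`. The rendered YAML lands in the world-readable Nix store through writeText, which is harmless for the unix-socket redis URL set on line 26 but would expose any credential a user later adds to `settings`; a `description` on the `settings` option stating that its contents end up in the store would make that contract explicit. The hardening block could also be tightened for a daemon that only needs DNS/HTTPS egress and two unix sockets, e.g. `RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];`, `ProtectKernelTunables = true;` and `PrivateDevices = true;`.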
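--- a/nvfetcher.toml
+++ b/nvfetcher.toml
@@ -57,4 +57,9 @@ fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
 
 [freerdp]
 src.git = "https://github.com/FreeRDP/FreeRDP"
-fetch.git = "https://github.com/FreeRDP/FreeRDP"
\ No newline at end of file
+fetch.git = "https://github.com/FreeRDP/FreeRDP"
+
+[postfix-mta-sts-resolver]
+src.github = "Snawoot/postfix-mta-sts-resolver"
+src.prefix = "v"
+fetch.url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v$ver.tar.gz"
\ No newline at end of file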
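--- /dev/null
+++ b/overlays/postfix-mta-sts-resolver.nix
@@ -0,0 +1,25 @@
+{ final, prev, flakeInputs, sources, ... }:
+{
+  postfix-mta-sts-resolver = flakeInputs.mach-nix.lib.${final.system}.buildPythonPackage {
+    inherit (sources.postfix-mta-sts-resolver) src pname version;
+    extras = "redis";
+    ignoreDataOutdated = true;
+
+    requirements = ''
+      redis>=4.2.0rc1
+      aiodns>=1.1.1
+      aiohttp>=3.4.4
+      PyYAML>=3.12
+    '';
+
+    providers._default = "nixpkgs,sdist";
+
+    overridesPost = [
+      (self: super: {
+        frozenlist = super.frozenlist.overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.python310Packages.cython ];
+        });
+      })
+    ];
+  };
+}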
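Review bot: The frozenlist override on line 20 pins `final.python310Packages.cython` while the interpreter mach-nix builds against is not fixed anywhere in this file, so the two can silently diverge if mach-nix's default python changes; stating the interpreter explicitly on the buildPythonPackage call (mach-nix accepts a `python` argument) or deriving cython from that same package set would keep them aligned. `ignoreDataOutdated = true` on line 6 suppresses mach-nix's warning that its dependency database is stale, which means the `>=` lower bounds in `requirements` resolve to whatever versions that database knew rather than current releases; a comment such as `# dependency DB is pinned via the mach-nix flake input; bump that input to pick up newer aiohttp/redis` would tell the next maintainer where the actual pin lives.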