diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 14:41:49 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 14:41:49 +0200 |
| commit | 355b6d4ec02ad535b93ce314dd5734e8c6028dbc (patch) | |
| tree | 401e8e871f65e9b4fb153efc971f21c5323910af | |
| parent | c4b323d77c1f34b294406052d598c6a37a045765 (diff) | |
| download | nixos-355b6d4ec02ad535b93ce314dd5734e8c6028dbc.tar nixos-355b6d4ec02ad535b93ce314dd5734e8c6028dbc.tar.gz nixos-355b6d4ec02ad535b93ce314dd5734e8c6028dbc.tar.bz2 nixos-355b6d4ec02ad535b93ce314dd5734e8c6028dbc.tar.xz nixos-355b6d4ec02ad535b93ce314dd5734e8c6028dbc.zip | |
surtr: ...
| -rw-r--r-- | flake.lock | 12 | ||||
| -rw-r--r-- | flake.nix | 8 | ||||
| -rw-r--r-- | hosts/surtr/email/default.nix | 21 | ||||
| -rw-r--r-- | hosts/surtr/postgresql.nix | 37 |
4 files changed, 61 insertions, 17 deletions
| @@ -64,11 +64,11 @@ | |||
| 64 | ] | 64 | ] |
| 65 | }, | 65 | }, |
| 66 | "locked": { | 66 | "locked": { |
| 67 | "lastModified": 1651886851, | 67 | "lastModified": 1652214259, |
| 68 | "narHash": "sha256-kbXOJSf1uho0/7P54nZkJdJY3oAelIjyc6tfiRhaXJI=", | 68 | "narHash": "sha256-kbribVik1m3SU6QNpZ3euybljqs0CEQ0lEEz7MN+u8U=", |
| 69 | "owner": "nix-community", | 69 | "owner": "nix-community", |
| 70 | "repo": "home-manager", | 70 | "repo": "home-manager", |
| 71 | "rev": "882bd8118bdbff3a6e53e5ced393932b351ce2f6", | 71 | "rev": "f735a8502b098962ae965c2600c7be9f7711b814", |
| 72 | "type": "github" | 72 | "type": "github" |
| 73 | }, | 73 | }, |
| 74 | "original": { | 74 | "original": { |
| @@ -80,11 +80,11 @@ | |||
| 80 | }, | 80 | }, |
| 81 | "nixpkgs": { | 81 | "nixpkgs": { |
| 82 | "locked": { | 82 | "locked": { |
| 83 | "lastModified": 1652107188, | 83 | "lastModified": 1652424998, |
| 84 | "narHash": "sha256-6CVG9pABO7FB1qP/d7gwuP166COGHv3WC1AQ5r/n1ds=", | 84 | "narHash": "sha256-6rqAwXEVlnXzCcju+ZcxZnLNql6bdiG9deREbBAb2Pc=", |
| 85 | "owner": "NixOS", | 85 | "owner": "NixOS", |
| 86 | "repo": "nixpkgs", | 86 | "repo": "nixpkgs", |
| 87 | "rev": "403d21a9416b865c9f1da016a110c2610610b4c5", | 87 | "rev": "d999ca3e08b053b80d4e52e700a4627e692479eb", |
| 88 | "type": "github" | 88 | "type": "github" |
| 89 | }, | 89 | }, |
| 90 | "original": { | 90 | "original": { |
| @@ -210,10 +210,10 @@ | |||
| 210 | system = { | 210 | system = { |
| 211 | path = deploy-rs.lib.${self.nixosConfigurations.${hostname}.config.nixpkgs.system}.activate.nixos self.nixosConfigurations.${hostname}; | 211 | path = deploy-rs.lib.${self.nixosConfigurations.${hostname}.config.nixpkgs.system}.activate.nixos self.nixosConfigurations.${hostname}; |
| 212 | }; | 212 | }; |
| 213 | } // (mapAttrs (_user: usercfg: { | 213 | }; # // (mapAttrs (_user: usercfg: { |
| 214 | user = usercfg.home.username; | 214 | # user = usercfg.home.username; |
| 215 | path = activateHomeManager (self.nixosConfigurations.${hostname}.config.nixpkgs.system) usercfg.home; | 215 | # path = activateHomeManager (self.nixosConfigurations.${hostname}.config.nixpkgs.system) usercfg.home; |
| 216 | }) self.nixosConfigurations.${hostname}.config.home-manager.users); | 216 | # }) self.nixosConfigurations.${hostname}.config.home-manager.users); |
| 217 | }) (nixImport { dir = ./hosts; _import = (_path: name: name); }); | 217 | }) (nixImport { dir = ./hosts; _import = (_path: name: name); }); |
| 218 | overrides = if pathExists ./deploy then nixImport { dir = ./deploy; _import = path: _name: import (./deploy + "/${path}") inputs; } else {}; | 218 | overrides = if pathExists ./deploy then nixImport { dir = ./deploy; _import = path: _name: import (./deploy + "/${path}") inputs; } else {}; |
| 219 | filterEnabled = attrs: mapAttrs (_n: v: filterAttrs (n: _v: n != "enabled") v) (filterAttrs (_n: v: v.enabled or true) attrs); | 219 | filterEnabled = attrs: mapAttrs (_n: v: filterAttrs (n: _v: n != "enabled") v) (filterAttrs (_n: v: v.enabled or true) attrs); |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 2ddff519..57883864 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
| @@ -37,7 +37,7 @@ in { | |||
| 37 | services.postfix = { | 37 | services.postfix = { |
| 38 | enable = true; | 38 | enable = true; |
| 39 | hostname = "surtr.yggdrasil.li"; | 39 | hostname = "surtr.yggdrasil.li"; |
| 40 | recipientDelimiter = "+"; | 40 | recipientDelimiter = ""; |
| 41 | setSendmail = true; | 41 | setSendmail = true; |
| 42 | postmasterAlias = ""; rootAlias = ""; extraAliases = ""; | 42 | postmasterAlias = ""; rootAlias = ""; extraAliases = ""; |
| 43 | destination = []; | 43 | destination = []; |
| @@ -100,6 +100,11 @@ in { | |||
| 100 | "reject_unauth_pipelining" | 100 | "reject_unauth_pipelining" |
| 101 | "reject_non_fqdn_recipient" | 101 | "reject_non_fqdn_recipient" |
| 102 | "reject_unknown_recipient_domain" | 102 | "reject_unknown_recipient_domain" |
| 103 | "check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' | ||
| 104 | hosts = postgresql:///email | ||
| 105 | dbname = email | ||
| 106 | query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' | ||
| 107 | ''}" | ||
| 103 | "permit_mynetworks" | 108 | "permit_mynetworks" |
| 104 | "check_ccert_access ${relay_ccert}" | 109 | "check_ccert_access ${relay_ccert}" |
| 105 | "reject_non_fqdn_helo_hostname" | 110 | "reject_non_fqdn_helo_hostname" |
| @@ -156,7 +161,8 @@ in { | |||
| 156 | dbname = email | 161 | dbname = email |
| 157 | query = SELECT 1 FROM virtual_mailbox_mapping WHERE lookup = '%s' | 162 | query = SELECT 1 FROM virtual_mailbox_mapping WHERE lookup = '%s' |
| 158 | ''}''; | 163 | ''}''; |
| 159 | virtual_transport = "lmtp:unix:/run/postfix/dovecot-lmtp"; | 164 | dvlmtp_destination_recipient_limit = "1"; |
| 165 | virtual_transport = "dvlmtp:unix:/run/postfix/dovecot-lmtp"; | ||
| 160 | }; | 166 | }; |
| 161 | masterConfig = { | 167 | masterConfig = { |
| 162 | smtps = { | 168 | smtps = { |
| @@ -174,6 +180,12 @@ in { | |||
| 174 | "-o" ''smtpd_milters=${config.services.opendkim.socket}'' | 180 | "-o" ''smtpd_milters=${config.services.opendkim.socket}'' |
| 175 | ]; | 181 | ]; |
| 176 | }; | 182 | }; |
| 183 | dvlmtp = { | ||
| 184 | command = "lmtp"; | ||
| 185 | args = [ | ||
| 186 | "flags=DORX" | ||
| 187 | ]; | ||
| 188 | }; | ||
| 177 | }; | 189 | }; |
| 178 | }; | 190 | }; |
| 179 | 191 | ||
| @@ -375,7 +387,7 @@ in { | |||
| 375 | args = ${pkgs.writeText "dovecot-sql.conf" '' | 387 | args = ${pkgs.writeText "dovecot-sql.conf" '' |
| 376 | driver = pgsql | 388 | driver = pgsql |
| 377 | connect = dbname=email | 389 | connect = dbname=email |
| 378 | user_query = SELECT DISTINCT ON (local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE (local = '%n' AND domain = '%d') OR (local IS NULL AND domain = '%d') ORDER BY (local IS NULL) ASC | 390 | user_query = SELECT DISTINCT ON (extension IS NULL, local IS NULL) "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM lmtp_mapping WHERE CASE WHEN extension IS NOT NULL AND local IS NOT NULL THEN ('%n' :: citext) = local || '+' || extension AND domain = ('%d' :: citext) WHEN local IS NOT NULL THEN (local = ('%n' :: citext) OR ('%n' :: citext) ILIKE local || '+%%') AND domain = ('%d' :: citext) WHEN extension IS NOT NULL THEN ('%n' :: citext) ILIKE '%%+' || extension AND domain = ('%d' :: citext) ELSE domain = ('%d' :: citext) END ORDER BY (extension IS NULL) ASC, (local IS NULL) ASC |
| 379 | ''} | 391 | ''} |
| 380 | 392 | ||
| 381 | skip = never | 393 | skip = never |
| @@ -387,7 +399,8 @@ in { | |||
| 387 | mail_plugins = $mail_plugins quota | 399 | mail_plugins = $mail_plugins quota |
| 388 | mailbox_list_index = yes | 400 | mailbox_list_index = yes |
| 389 | postmaster_address = postmaster@yggdrasil.li | 401 | postmaster_address = postmaster@yggdrasil.li |
| 390 | recipient_delimiter = + | 402 | recipient_delimiter = |
| 403 | auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-+_@ | ||
| 391 | 404 | ||
| 392 | service lmtp { | 405 | service lmtp { |
| 393 | vsz_limit = 1G | 406 | vsz_limit = 1G |
diff --git a/hosts/surtr/postgresql.nix b/hosts/surtr/postgresql.nix index abd2cb26..a5e93ecf 100644 --- a/hosts/surtr/postgresql.nix +++ b/hosts/surtr/postgresql.nix | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | { pkgs, sources, ... }: | 1 | { pkgs, sources, config, ... }: |
| 2 | let | 2 | let |
| 3 | versioning = sources.psql-versioning.src; | 3 | versioning = sources.psql-versioning.src; |
| 4 | in { | 4 | in { |
| @@ -22,8 +22,19 @@ in { | |||
| 22 | ''; | 22 | ''; |
| 23 | }; | 23 | }; |
| 24 | 24 | ||
| 25 | systemd.services.postgresql = { | 25 | systemd.services.migrate-postgresql = { |
| 26 | postStart = '' | 26 | after = [ "postgresql.service" ]; |
| 27 | bindsTo = [ "postgresql.service" ]; | ||
| 28 | wantedBy = [ "postgresql.service" ]; | ||
| 29 | |||
| 30 | serviceConfig = { | ||
| 31 | Type = "oneshot"; | ||
| 32 | inherit (config.systemd.services.postgresql.serviceConfig) User Group; | ||
| 33 | RemainAfterExit = true; | ||
| 34 | }; | ||
| 35 | |||
| 36 | path = [ config.services.postgresql.package ]; | ||
| 37 | script = '' | ||
| 27 | psql email postgres -eXf ${pkgs.writeText "email.sql" '' | 38 | psql email postgres -eXf ${pkgs.writeText "email.sql" '' |
| 28 | \i ${versioning + "/install.versioning.sql"} | 39 | \i ${versioning + "/install.versioning.sql"} |
| 29 | 40 | ||
| @@ -78,6 +89,26 @@ in { | |||
| 78 | CREATE VIEW imap_user ("user", quota_rule) AS SELECT mailbox AS "user", quota_rule FROM mailbox_quota_rule; | 89 | CREATE VIEW imap_user ("user", quota_rule) AS SELECT mailbox AS "user", quota_rule FROM mailbox_quota_rule; |
| 79 | CREATE VIEW lmtp_mapping ("user", quota_rule, local, domain) AS SELECT mailbox_quota_rule.mailbox AS "user", quota_rule, local, domain FROM mailbox_quota_rule INNER JOIN mailbox_mapping ON mailbox_quota_rule.id = mailbox_mapping.mailbox; | 90 | CREATE VIEW lmtp_mapping ("user", quota_rule, local, domain) AS SELECT mailbox_quota_rule.mailbox AS "user", quota_rule, local, domain FROM mailbox_quota_rule INNER JOIN mailbox_mapping ON mailbox_quota_rule.id = mailbox_mapping.mailbox; |
| 80 | COMMIT; | 91 | COMMIT; |
| 92 | |||
| 93 | BEGIN; | ||
| 94 | SELECT _v.register_patch('003-extensions', ARRAY['000-base', '002-citext'], null); | ||
| 95 | |||
| 96 | ALTER TABLE mailbox_mapping ADD COLUMN extension citext CHECK (CASE WHEN extension IS NOT NULL THEN extension NOT LIKE '%+%' ELSE true END); | ||
| 97 | |||
| 98 | DROP VIEW virtual_mailbox_mapping; | ||
| 99 | DROP VIEW lmtp_mapping; | ||
| 100 | |||
| 101 | CREATE VIEW virtual_mailbox_mapping (lookup) AS SELECT (CASE WHEN local IS NULL THEN ''' ELSE local END) || (CASE WHEN extension IS NULL THEN ''' ELSE '+' || extension END) || '@' || domain AS lookup FROM mailbox_mapping WHERE mailbox IS NOT NULL; | ||
| 102 | CREATE VIEW virtual_mailbox_access (lookup, action) AS SELECT (CASE WHEN local IS NULL THEN ''' ELSE local END) || (CASE WHEN extension IS NULL THEN ''' ELSE '+' || extension END) || '@' || domain AS lookup, CASE WHEN mailbox IS NULL THEN 'REJECT' ELSE 'DUNNO' END AS action FROM mailbox_mapping; | ||
| 103 | CREATE VIEW lmtp_mapping ("user", quota_rule, local, extension, domain) AS SELECT mailbox_quota_rule.mailbox AS "user", quota_rule, local, extension, domain FROM mailbox_quota_rule INNER JOIN mailbox_mapping ON mailbox_quota_rule.id = mailbox_mapping.mailbox; | ||
| 104 | COMMIT; | ||
| 105 | |||
| 106 | BEGIN; | ||
| 107 | SELECT _v.register_patch('004-cascade', ARRAY['000-base'], null); | ||
| 108 | |||
| 109 | ALTER TABLE mailbox_mapping DROP CONSTRAINT mailbox_mapping_mailbox_fkey; | ||
| 110 | ALTER TABLE mailbox_mapping ADD CONSTRAINT mailbox_mapping_mailbox_fkey FOREIGN KEY (mailbox) REFERENCES mailbox(id) ON DELETE CASCADE ON UPDATE RESTRICT; | ||
| 111 | COMMIT; | ||
| 81 | ''} | 112 | ''} |
| 82 | ''; | 113 | ''; |
| 83 | }; | 114 | }; |