bump

author: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-15 14:26:23 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-15 14:26:23 +0100
commit: 43d8e0394f38364a2bbecfd05d8ddde3763efdb7 (patch)
tree: dc3f81312ccb9ffefdae1f5bece37bdc4095d29c /hosts/surtr/email/default.nix
parent: a7e4275f432900ec7957d65f024cc9f7d5822b25 (diff)
download: nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar
nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.gz
nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.bz2
nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.xz
nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.zip
1 files changed, 21 insertions, 44 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b0e95a0e..4c7af0c3 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -21,18 +21,21 @@ let
  };
  ccert-policy-server =
-    with pkgs.poetry2nix;
+    let
-    mkPoetryApplication {
+      workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./ccert-policy-server; };
-      python = pkgs.python311;
+      pythonSet = flake.lib.pythonSet {
+        inherit pkgs;
-      projectDir = cleanPythonSources { src = ./ccert-policy-server; };
+        python = pkgs.python312;
+        overlay = workspace.mkPyprojectOverlay {
-      overrides = overrides.withDefaults (self: super: {
+          sourcePreference = "wheel";
-        systemd-python = super.systemd-python.overridePythonAttrs (oldAttrs: {
+        };
-          buildInputs = (oldAttrs.buildInputs or []) ++ [ super.setuptools ];
+      };
-        });
+      virtualEnv = pythonSet.mkVirtualEnv "ccert-policy-server-env" workspace.deps.default;
-      });
+    in virtualEnv.overrideAttrs (oldAttrs: {
-    };
+      meta = (oldAttrs.meta or {}) // {
+        mainProgram = "ccert-policy-server";
+      };
+    });
  internal-policy-server =
    let
      workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };
@@ -138,9 +141,6 @@ in {
          "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
        ];
-        #the dh params
-        smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
-        smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
        #enable ECDH
        smtpd_tls_eecdh_grade = "strong";
        #enabled SSL protocols, don't allow SSLv2 and SSLv3
@@ -224,8 +224,8 @@ in {
        smtpd_client_event_limit_exceptions = "";
        milter_default_action = "accept";
-        smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
+        smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
-        non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
+        non_smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock"];
        alias_maps = "";
@@ -339,7 +339,6 @@ in {
            "-o" "unverified_sender_reject_code=550"
            "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
            "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
-            "-o" ''smtpd_milters=${config.services.opendkim.socket}''
          ];
        };
        "466" = {
@@ -369,7 +368,6 @@ in {
            "-o" "unverified_sender_reject_code=550"
            "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
            "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
-            "-o" ''smtpd_milters=${config.services.opendkim.socket}''
          ];
        };
        subcleanup = {
@@ -425,20 +423,6 @@ in {
      '';
    };
-    services.opendkim = {
-      enable = true;
-      user = "postfix"; group = "postfix";
-      socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
-      selector = "surtr";
-      configFile = builtins.toFile "opendkim.conf" ''
-        Syslog true
-        MTA surtr.yggdrasil.li
-        MTACommand ${config.security.wrapperDir}/sendmail
-        LogResults true
-      '';
-    };
    services.rspamd = {
      enable = true;
      workers = {
@@ -506,7 +490,10 @@ in {
        "redis.conf".text = ''
          servers = "${config.services.redis.servers.rspamd.unixSocket}";
        '';
-        "dkim_signing.conf".text = "enabled = false;";
+        "dkim_signing.conf".text = ''
+          path = "/var/lib/rspamd/dkim/$domain.key";
+          selector = "mail";
+        '';
        "neural.conf".text = "enabled = false;";
        "classifier-bayes.conf".text = ''
          enable = true;
@@ -776,16 +763,6 @@ in {
      '';
    };
-    security.dhparams = {
-      params = {
-        "postfix-512".bits = 512;
-        "postfix-1024".bits = 2048;
-        "postfix-smtps-512".bits = 512;
-        "postfix-smtps-1024".bits = 2048;
-      };
-    };
    security.acme.rfc2136Domains = {
      "surtr.yggdrasil.li" = {
        restartUnits = [ "postfix.service" "dovecot.service" ];
author	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-15 14:26:23 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-15 14:26:23 +0100
commit	43d8e0394f38364a2bbecfd05d8ddde3763efdb7 (patch)
tree	dc3f81312ccb9ffefdae1f5bece37bdc4095d29c /hosts/surtr/email/default.nix
parent	a7e4275f432900ec7957d65f024cc9f7d5822b25 (diff)
download	nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.gz nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.bz2 nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.tar.xz nixos-43d8e0394f38364a2bbecfd05d8ddde3763efdb7.zip

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index b0e95a0e..4c7af0c3 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -21,18 +21,21 @@ let
21	};	21	};
22		22
23	ccert-policy-server =	23	ccert-policy-server =
24	with pkgs.poetry2nix;	24	let
25	mkPoetryApplication {	25	workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./ccert-policy-server; };
26	python = pkgs.python311;	26	pythonSet = flake.lib.pythonSet {
27		27	inherit pkgs;
28	projectDir = cleanPythonSources { src = ./ccert-policy-server; };	28	python = pkgs.python312;
29		29	overlay = workspace.mkPyprojectOverlay {
30	overrides = overrides.withDefaults (self: super: {	30	sourcePreference = "wheel";
31	systemd-python = super.systemd-python.overridePythonAttrs (oldAttrs: {	31	};
32	buildInputs = (oldAttrs.buildInputs or []) ++ [ super.setuptools ];	32	};
33	});	33	virtualEnv = pythonSet.mkVirtualEnv "ccert-policy-server-env" workspace.deps.default;
34	});	34	in virtualEnv.overrideAttrs (oldAttrs: {
35	};	35	meta = (oldAttrs.meta or {}) // {
		36	mainProgram = "ccert-policy-server";
		37	};
		38	});
36	internal-policy-server =	39	internal-policy-server =
37	let	40	let
38	workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };	41	workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };
@@ -138,9 +141,6 @@ in {
138	"/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"	141	"/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
139	];	142	];
140		143
141	#the dh params
142	smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
143	smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
144	#enable ECDH	144	#enable ECDH
145	smtpd_tls_eecdh_grade = "strong";	145	smtpd_tls_eecdh_grade = "strong";
146	#enabled SSL protocols, don't allow SSLv2 and SSLv3	146	#enabled SSL protocols, don't allow SSLv2 and SSLv3
@@ -224,8 +224,8 @@ in {
224	smtpd_client_event_limit_exceptions = "";	224	smtpd_client_event_limit_exceptions = "";
225		225
226	milter_default_action = "accept";	226	milter_default_action = "accept";
227	smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];	227	smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
228	non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];	228	non_smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock"];
229		229
230	alias_maps = "";	230	alias_maps = "";
231		231
@@ -339,7 +339,6 @@ in {
339	"-o" "unverified_sender_reject_code=550"	339	"-o" "unverified_sender_reject_code=550"
340	"-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"	340	"-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
341	"-o" "milter_macro_daemon_name=surtr.yggdrasil.li"	341	"-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
342	"-o" ''smtpd_milters=${config.services.opendkim.socket}''
343	];	342	];
344	};	343	};
345	"466" = {	344	"466" = {
@@ -369,7 +368,6 @@ in {
369	"-o" "unverified_sender_reject_code=550"	368	"-o" "unverified_sender_reject_code=550"
370	"-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"	369	"-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
371	"-o" "milter_macro_daemon_name=surtr.yggdrasil.li"	370	"-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
372	"-o" ''smtpd_milters=${config.services.opendkim.socket}''
373	];	371	];
374	};	372	};
375	subcleanup = {	373	subcleanup = {
@@ -425,20 +423,6 @@ in {
425	'';	423	'';
426	};	424	};
427		425
428	services.opendkim = {
429	enable = true;
430	user = "postfix"; group = "postfix";
431	socket = "local:/run/opendkim/opendkim.sock";
432	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
433	selector = "surtr";
434	configFile = builtins.toFile "opendkim.conf" ''
435	Syslog true
436	MTA surtr.yggdrasil.li
437	MTACommand ${config.security.wrapperDir}/sendmail
438	LogResults true
439	'';
440	};
441
442	services.rspamd = {	426	services.rspamd = {
443	enable = true;	427	enable = true;
444	workers = {	428	workers = {
@@ -506,7 +490,10 @@ in {
506	"redis.conf".text = ''	490	"redis.conf".text = ''
507	servers = "${config.services.redis.servers.rspamd.unixSocket}";	491	servers = "${config.services.redis.servers.rspamd.unixSocket}";
508	'';	492	'';
509	"dkim_signing.conf".text = "enabled = false;";	493	"dkim_signing.conf".text = ''
		494	path = "/var/lib/rspamd/dkim/$domain.key";
		495	selector = "mail";
		496	'';
510	"neural.conf".text = "enabled = false;";	497	"neural.conf".text = "enabled = false;";
511	"classifier-bayes.conf".text = ''	498	"classifier-bayes.conf".text = ''
512	enable = true;	499	enable = true;
@@ -776,16 +763,6 @@ in {
776	'';	763	'';
777	};	764	};
778		765
779	security.dhparams = {
780	params = {
781	"postfix-512".bits = 512;
782	"postfix-1024".bits = 2048;
783
784	"postfix-smtps-512".bits = 512;
785	"postfix-smtps-1024".bits = 2048;
786	};
787	};
788
789	security.acme.rfc2136Domains = {	766	security.acme.rfc2136Domains = {
790	"surtr.yggdrasil.li" = {	767	"surtr.yggdrasil.li" = {
791	restartUnits = [ "postfix.service" "dovecot.service" ];	768	restartUnits = [ "postfix.service" "dovecot.service" ];