7 files changed, 127 insertions, 8 deletions
diff --git a/_sources/generated.json b/_sources/generated.json
index c65147bb..be2bdcb0 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -67,12 +67,12 @@
            "fetchSubmodules": false,
            "leaveDotGit": false,
            "name": null,
-            "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0",
+            "rev": "586675942a4014fc2c277fd5c7ee44a1a20147fb",
-            "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=",
+            "sha256": "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=",
            "type": "git",
            "url": "https://github.com/FreeRDP/FreeRDP"
        },
-        "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"
+        "version": "586675942a4014fc2c277fd5c7ee44a1a20147fb"
    },
    "lesspipe": {
        "cargoLocks": null,
@@ -182,6 +182,20 @@
        },
        "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"
    },
+    "postfix-mta-sts-resolver": {
+        "cargoLocks": null,
+        "extract": null,
+        "name": "postfix-mta-sts-resolver",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "name": null,
+            "sha256": "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=",
+            "type": "url",
+            "url": "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz"
+        },
+        "version": "1.1.3"
+    },
    "psql-versioning": {
        "cargoLocks": null,
        "extract": null,
diff --git a/_sources/generated.nix b/_sources/generated.nix
index b077edf5..488f0a68 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -38,14 +38,14 @@
  };
  freerdp = {
    pname = "freerdp";
-    version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+    version = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
    src = fetchgit {
      url = "https://github.com/FreeRDP/FreeRDP";
-      rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+      rev = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
      fetchSubmodules = false;
      deepClone = false;
      leaveDotGit = false;
-      sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=";
+      sha256 = "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=";
    };
  };
  lesspipe = {
@@ -112,6 +112,14 @@
      sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk=";
    });
  };
+  postfix-mta-sts-resolver = {
+    pname = "postfix-mta-sts-resolver";
+    version = "1.1.3";
+    src = fetchurl {
+      url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz";
+      sha256 = "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=";
+    };
+  };
  psql-versioning = {
    pname = "psql-versioning";
    version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e";
diff --git a/flake.nix b/flake.nix
index 72c93162..e7557b2d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,7 +89,7 @@
      mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; };
-      mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; } // mkSources prev);
+      mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; flakeInputs = inputs; flake = self; } // mkSources prev);
      mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec {
        specialArgs = {
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index d72a4465..9bdaac75 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -87,6 +87,8 @@ in {
          .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
        ''}'';
+        smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
        local_recipient_maps = "";
        # 10 GiB
@@ -723,5 +725,7 @@ in {
      format = "binary";
      sopsFile = ./spm-keys.json;
    };
+    services.postfix-mta-sts-resolver.enable = true;
  };
 }
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix
new file mode 100644
index 00000000..9e126361
--- /dev/null
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.services.postfix-mta-sts-resolver;
+in {
+  options = {
+    services.postfix-mta-sts-resolver = {
+      enable = mkEnableOption "mta-sts-daemon";
+      package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+      redis = mkEnableOption "redis cache" // { default = true; example = false; };
+      settings = mkOption {
+        type = types.attrs;
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+    services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+    
+    services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+      redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+    };
+    services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+      enable = true;
+    };
+    users.users.postfix-mta-sts-resolver = {
+      isSystemUser = true;
+      group = "postfix-mta-sts-resolver";
+    };
+    users.groups.postfix-mta-sts-resolver = {
+      members = ["postfix"];
+    };
+    systemd.services."postfix-mta-sts-resolver" = {
+      wantedBy = ["postfix.service"];
+      before = ["postfix.service"];
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+        SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+        RuntimeDirectory = "postfix-mta-sts-resolver";
+        User = "postfix-mta-sts-resolver";
+        Group = "postfix-mta-sts-resolver";
+        RemoveIPC = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        RestrictSUIDSGID = true;
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+      };
+    };
+  };
+}
diff --git a/nvfetcher.toml b/nvfetcher.toml
index c723654e..cb87d2e1 100644
--- a/nvfetcher.toml
+++ b/nvfetcher.toml
@@ -57,4 +57,9 @@ fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
 [freerdp]
 src.git = "https://github.com/FreeRDP/FreeRDP"
-fetch.git = "https://github.com/FreeRDP/FreeRDP"
-\ No newline at end of file
+fetch.git = "https://github.com/FreeRDP/FreeRDP"
+[postfix-mta-sts-resolver]
+src.github = "Snawoot/postfix-mta-sts-resolver"
+src.prefix = "v"
+fetch.url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v$ver.tar.gz"
+\ No newline at end of file
diff --git a/overlays/postfix-mta-sts-resolver.nix b/overlays/postfix-mta-sts-resolver.nix
new file mode 100644
index 00000000..3f08920f
--- /dev/null
+++ b/overlays/postfix-mta-sts-resolver.nix
@@ -0,0 +1,25 @@
+{ final, prev, flakeInputs, sources, ... }:
+{
+  postfix-mta-sts-resolver = flakeInputs.mach-nix.lib.${final.system}.buildPythonPackage {
+    inherit (sources.postfix-mta-sts-resolver) src pname version;
+    extras = "redis";
+    ignoreDataOutdated = true;
+    requirements = ''
+      redis>=4.2.0rc1
+      aiodns>=1.1.1
+      aiohttp>=3.4.4
+      PyYAML>=3.12
+    '';
+    providers._default = "nixpkgs,sdist";
+    overridesPost = [
+      (self: super: {
+        frozenlist = super.frozenlist.overrideAttrs (oldAttrs: {
+          nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.python310Packages.cython ];
+        });
+      })
+    ];
+  };
+}

diff --git a/_sources/generated.json b/_sources/generated.json index c65147bb..be2bdcb0 100644 --- a/_sources/generated.json +++ b/_sources/generated.json
@@ -67,12 +67,12 @@
67	"fetchSubmodules": false,	67	"fetchSubmodules": false,
68	"leaveDotGit": false,	68	"leaveDotGit": false,
69	"name": null,	69	"name": null,
70	"rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0",	70	"rev": "586675942a4014fc2c277fd5c7ee44a1a20147fb",
71	"sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=",	71	"sha256": "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=",
72	"type": "git",	72	"type": "git",
73	"url": "https://github.com/FreeRDP/FreeRDP"	73	"url": "https://github.com/FreeRDP/FreeRDP"
74	},	74	},
75	"version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"	75	"version": "586675942a4014fc2c277fd5c7ee44a1a20147fb"
76	},	76	},
77	"lesspipe": {	77	"lesspipe": {
78	"cargoLocks": null,	78	"cargoLocks": null,
@@ -182,6 +182,20 @@
182	},	182	},
183	"version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"	183	"version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"
184	},	184	},
		185	"postfix-mta-sts-resolver": {
		186	"cargoLocks": null,
		187	"extract": null,
		188	"name": "postfix-mta-sts-resolver",
		189	"passthru": null,
		190	"pinned": false,
		191	"src": {
		192	"name": null,
		193	"sha256": "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=",
		194	"type": "url",
		195	"url": "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz"
		196	},
		197	"version": "1.1.3"
		198	},
185	"psql-versioning": {	199	"psql-versioning": {
186	"cargoLocks": null,	200	"cargoLocks": null,
187	"extract": null,	201	"extract": null,


diff --git a/_sources/generated.nix b/_sources/generated.nix index b077edf5..488f0a68 100644 --- a/_sources/generated.nix +++ b/_sources/generated.nix
@@ -38,14 +38,14 @@
38	};	38	};
39	freerdp = {	39	freerdp = {
40	pname = "freerdp";	40	pname = "freerdp";
41	version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";	41	version = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
42	src = fetchgit {	42	src = fetchgit {
43	url = "https://github.com/FreeRDP/FreeRDP";	43	url = "https://github.com/FreeRDP/FreeRDP";
44	rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";	44	rev = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
45	fetchSubmodules = false;	45	fetchSubmodules = false;
46	deepClone = false;	46	deepClone = false;
47	leaveDotGit = false;	47	leaveDotGit = false;
48	sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=";	48	sha256 = "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=";
49	};	49	};
50	};	50	};
51	lesspipe = {	51	lesspipe = {
@@ -112,6 +112,14 @@
112	sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk=";	112	sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk=";
113	});	113	});
114	};	114	};
		115	postfix-mta-sts-resolver = {
		116	pname = "postfix-mta-sts-resolver";
		117	version = "1.1.3";
		118	src = fetchurl {
		119	url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz";
		120	sha256 = "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=";
		121	};
		122	};
115	psql-versioning = {	123	psql-versioning = {
116	pname = "psql-versioning";	124	pname = "psql-versioning";
117	version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e";	125	version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e";


diff --git a/flake.nix b/flake.nix index 72c93162..e7557b2d 100644 --- a/flake.nix +++ b/flake.nix
@@ -89,7 +89,7 @@
89		89
90	mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; };	90	mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) { sources = pkgs.callPackage _sources/generated.nix {}; };
91		91
92	mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; } // mkSources prev);	92	mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; flakeInputs = inputs; flake = self; } // mkSources prev);
93		93
94	mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec {	94	mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec {
95	specialArgs = {	95	specialArgs = {


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index d72a4465..9bdaac75 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -87,6 +87,8 @@ in {
87	.bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem	87	.bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
88	''}'';	88	''}'';
89		89
		90	smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
		91
90	local_recipient_maps = "";	92	local_recipient_maps = "";
91		93
92	# 10 GiB	94	# 10 GiB
@@ -723,5 +725,7 @@ in {
723	format = "binary";	725	format = "binary";
724	sopsFile = ./spm-keys.json;	726	sopsFile = ./spm-keys.json;
725	};	727	};
		728
		729	services.postfix-mta-sts-resolver.enable = true;
726	};	730	};
727	}	731	}


diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..9e126361 --- /dev/null +++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
		1	{ config, pkgs, lib, ... }:
		2
		3	with lib;
		4
		5	let
		6	cfg = config.services.postfix-mta-sts-resolver;
		7	in {
		8	options = {
		9	services.postfix-mta-sts-resolver = {
		10	enable = mkEnableOption "mta-sts-daemon";
		11	package = mkPackageOption pkgs "postfix-mta-sts-resolver";
		12
		13	redis = mkEnableOption "redis cache" // { default = true; example = false; };
		14
		15	settings = mkOption {
		16	type = types.attrs;
		17	};
		18	};
		19	};
		20
		21	config = mkIf cfg.enable {
		22	services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
		23	services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
		24
		25	services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
		26	redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
		27	};
		28
		29	services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
		30	enable = true;
		31	};
		32
		33	users.users.postfix-mta-sts-resolver = {
		34	isSystemUser = true;
		35	group = "postfix-mta-sts-resolver";
		36	};
		37	users.groups.postfix-mta-sts-resolver = {
		38	members = ["postfix"];
		39	};
		40
		41	systemd.services."postfix-mta-sts-resolver" = {
		42	wantedBy = ["postfix.service"];
		43	before = ["postfix.service"];
		44
		45	serviceConfig = {
		46	ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
		47	SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
		48	RuntimeDirectory = "postfix-mta-sts-resolver";
		49
		50	User = "postfix-mta-sts-resolver";
		51	Group = "postfix-mta-sts-resolver";
		52
		53	RemoveIPC = true;
		54	PrivateTmp = true;
		55	NoNewPrivileges = true;
		56	RestrictSUIDSGID = true;
		57	ProtectSystem = "strict";
		58	ProtectHome = "read-only";
		59	ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
		60	};
		61	};
		62	};
		63	}


diff --git a/nvfetcher.toml b/nvfetcher.toml index c723654e..cb87d2e1 100644 --- a/nvfetcher.toml +++ b/nvfetcher.toml
@@ -57,4 +57,9 @@ fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
57		57
58	[freerdp]	58	[freerdp]
59	src.git = "https://github.com/FreeRDP/FreeRDP"	59	src.git = "https://github.com/FreeRDP/FreeRDP"
60	fetch.git = "https://github.com/FreeRDP/FreeRDP" \ No newline at end of file	60	fetch.git = "https://github.com/FreeRDP/FreeRDP"
		61
		62	[postfix-mta-sts-resolver]
		63	src.github = "Snawoot/postfix-mta-sts-resolver"
		64	src.prefix = "v"
		65	fetch.url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v$ver.tar.gz" \ No newline at end of file


diff --git a/overlays/postfix-mta-sts-resolver.nix b/overlays/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..3f08920f --- /dev/null +++ b/overlays/postfix-mta-sts-resolver.nix
@@ -0,0 +1,25 @@
		1	{ final, prev, flakeInputs, sources, ... }:
		2	{
		3	postfix-mta-sts-resolver = flakeInputs.mach-nix.lib.${final.system}.buildPythonPackage {
		4	inherit (sources.postfix-mta-sts-resolver) src pname version;
		5	extras = "redis";
		6	ignoreDataOutdated = true;
		7
		8	requirements = ''
		9	redis>=4.2.0rc1
		10	aiodns>=1.1.1
		11	aiohttp>=3.4.4
		12	PyYAML>=3.12
		13	'';
		14
		15	providers._default = "nixpkgs,sdist";
		16
		17	overridesPost = [
		18	(self: super: {
		19	frozenlist = super.frozenlist.overrideAttrs (oldAttrs: {
		20	nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.python310Packages.cython ];
		21	});
		22	})
		23	];
		24	};
		25	}