diff options
Diffstat (limited to 'hosts/sif')
| -rw-r--r-- | hosts/sif/default.nix | 50 | ||||
| -rw-r--r-- | hosts/sif/email/default.nix | 110 | ||||
| -rw-r--r-- | hosts/sif/email/relay.crt | 11 | ||||
| -rw-r--r-- | hosts/sif/email/relay.key | 19 | ||||
| -rw-r--r-- | hosts/sif/email/secrets.yaml (renamed from hosts/sif/mail/secrets.yaml) | 0 | ||||
| -rw-r--r-- | hosts/sif/mail/default.nix | 70 |
6 files changed, 152 insertions, 108 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index f4de24e8..b0d2fd78 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
| @@ -12,7 +12,7 @@ let | |||
| 12 | in { | 12 | in { |
| 13 | imports = with flake.nixosModules.systemProfiles; [ | 13 | imports = with flake.nixosModules.systemProfiles; [ |
| 14 | ./hw.nix | 14 | ./hw.nix |
| 15 | ./mail ./libvirt ./greetd | 15 | ./email ./libvirt ./greetd |
| 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager | 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager |
| 17 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 | 17 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 |
| 18 | flakeInputs.impermanence.nixosModules.impermanence | 18 | flakeInputs.impermanence.nixosModules.impermanence |
| @@ -98,6 +98,8 @@ in { | |||
| 98 | server ptbtime2.ptb.de prefer iburst nts | 98 | server ptbtime2.ptb.de prefer iburst nts |
| 99 | server ptbtime3.ptb.de prefer iburst nts | 99 | server ptbtime3.ptb.de prefer iburst nts |
| 100 | server ptbtime4.ptb.de prefer iburst nts | 100 | server ptbtime4.ptb.de prefer iburst nts |
| 101 | pool ntppool1.time.nl prefer iburst nts | ||
| 102 | pool ntppool2.time.nl prefer iburst nts | ||
| 101 | 103 | ||
| 102 | authselectmode require | 104 | authselectmode require |
| 103 | minsources 3 | 105 | minsources 3 |
| @@ -130,6 +132,12 @@ in { | |||
| 130 | useNetworkd = true; | 132 | useNetworkd = true; |
| 131 | }; | 133 | }; |
| 132 | 134 | ||
| 135 | environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = { | ||
| 136 | text = '' | ||
| 137 | conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf | ||
| 138 | dnssec | ||
| 139 | ''; | ||
| 140 | }; | ||
| 133 | environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { | 141 | environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { |
| 134 | text = '' | 142 | text = '' |
| 135 | except-interface=virbr0 | 143 | except-interface=virbr0 |
| @@ -372,19 +380,6 @@ in { | |||
| 372 | ]; | 380 | ]; |
| 373 | 381 | ||
| 374 | services = { | 382 | services = { |
| 375 | uucp = { | ||
| 376 | enable = true; | ||
| 377 | nodeName = "sif"; | ||
| 378 | remoteNodes = { | ||
| 379 | "ymir" = { | ||
| 380 | publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"]; | ||
| 381 | hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; | ||
| 382 | }; | ||
| 383 | }; | ||
| 384 | |||
| 385 | defaultCommands = lib.mkForce []; | ||
| 386 | }; | ||
| 387 | |||
| 388 | avahi.enable = true; | 383 | avahi.enable = true; |
| 389 | 384 | ||
| 390 | fwupd.enable = true; | 385 | fwupd.enable = true; |
| @@ -403,8 +398,8 @@ in { | |||
| 403 | 398 | ||
| 404 | logind = { | 399 | logind = { |
| 405 | lidSwitch = "suspend"; | 400 | lidSwitch = "suspend"; |
| 406 | lidSwitchDocked = "lock"; | 401 | lidSwitchDocked = "ignore"; |
| 407 | lidSwitchExternalPower = "lock"; | 402 | lidSwitchExternalPower = "ignore"; |
| 408 | }; | 403 | }; |
| 409 | 404 | ||
| 410 | atd = { | 405 | atd = { |
| @@ -610,25 +605,6 @@ in { | |||
| 610 | 605 | ||
| 611 | environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; | 606 | environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; |
| 612 | 607 | ||
| 613 | systemd.services."ac-plugged" = { | ||
| 614 | description = "Inhibit handling of lid-switch and sleep"; | ||
| 615 | |||
| 616 | path = with pkgs; [ systemd coreutils ]; | ||
| 617 | |||
| 618 | script = '' | ||
| 619 | exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity | ||
| 620 | ''; | ||
| 621 | |||
| 622 | serviceConfig = { | ||
| 623 | Type = "simple"; | ||
| 624 | }; | ||
| 625 | }; | ||
| 626 | |||
| 627 | services.udev.extraRules = with pkgs; lib.mkAfter '' | ||
| 628 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service" | ||
| 629 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service" | ||
| 630 | ''; | ||
| 631 | |||
| 632 | systemd.services."nix-daemon".serviceConfig = { | 608 | systemd.services."nix-daemon".serviceConfig = { |
| 633 | MemoryAccounting = true; | 609 | MemoryAccounting = true; |
| 634 | MemoryHigh = "50%"; | 610 | MemoryHigh = "50%"; |
| @@ -688,7 +664,7 @@ in { | |||
| 688 | directories = [ | 664 | directories = [ |
| 689 | "/nix" | 665 | "/nix" |
| 690 | "/root" | 666 | "/root" |
| 691 | "/home" | 667 | "/home" |
| 692 | "/var/log" | 668 | "/var/log" |
| 693 | "/var/lib/sops-nix" | 669 | "/var/lib/sops-nix" |
| 694 | "/var/lib/nixos" | 670 | "/var/lib/nixos" |
| @@ -699,8 +675,6 @@ in { | |||
| 699 | "/var/lib/upower" | 675 | "/var/lib/upower" |
| 700 | "/var/lib/postfix" | 676 | "/var/lib/postfix" |
| 701 | "/etc/NetworkManager/system-connections" | 677 | "/etc/NetworkManager/system-connections" |
| 702 | { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } | ||
| 703 | { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; } | ||
| 704 | ]; | 678 | ]; |
| 705 | files = [ | 679 | files = [ |
| 706 | ]; | 680 | ]; |
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix new file mode 100644 index 00000000..4eda236e --- /dev/null +++ b/hosts/sif/email/default.nix | |||
| @@ -0,0 +1,110 @@ | |||
| 1 | { config, lib, pkgs, ... }: | ||
| 2 | { | ||
| 3 | services.postfix = { | ||
| 4 | enable = true; | ||
| 5 | enableSmtp = false; | ||
| 6 | enableSubmission = false; | ||
| 7 | setSendmail = true; | ||
| 8 | networksStyle = "host"; | ||
| 9 | hostname = "sif.midgard.yggdrasil"; | ||
| 10 | destination = []; | ||
| 11 | recipientDelimiter = "+"; | ||
| 12 | config = { | ||
| 13 | mydomain = "yggdrasil.li"; | ||
| 14 | |||
| 15 | local_transport = "error:5.1.1 No local delivery"; | ||
| 16 | alias_database = []; | ||
| 17 | alias_maps = []; | ||
| 18 | local_recipient_maps = []; | ||
| 19 | |||
| 20 | inet_interfaces = "loopback-only"; | ||
| 21 | |||
| 22 | message_size_limit = "0"; | ||
| 23 | |||
| 24 | authorized_submit_users = "inline:{ gkleen= }"; | ||
| 25 | authorized_flush_users = "inline:{ gkleen= }"; | ||
| 26 | authorized_mailq_users = "inline:{ gkleen= }"; | ||
| 27 | |||
| 28 | smtp_generic_maps = "inline:{ root=root+sif }"; | ||
| 29 | |||
| 30 | mynetworks = ["127.0.0.0/8" "[::1]/128"]; | ||
| 31 | smtpd_client_restrictions = ["permit_mynetworks" "reject"]; | ||
| 32 | smtpd_relay_restrictions = ["permit_mynetworks" "reject"]; | ||
| 33 | |||
| 34 | sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" '' | ||
| 35 | /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de | ||
| 36 | /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587 | ||
| 37 | /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465 | ||
| 38 | /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de | ||
| 39 | ''}''; | ||
| 40 | sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" '' | ||
| 41 | /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de | ||
| 42 | /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de | ||
| 43 | ''}''; | ||
| 44 | relayhost = "[surtr.yggdrasil.li]:465"; | ||
| 45 | default_transport = "relay"; | ||
| 46 | |||
| 47 | smtp_sasl_auth_enable = true; | ||
| 48 | smtp_sender_dependent_authentication = true; | ||
| 49 | smtp_sasl_tls_security_options = "noanonymous"; | ||
| 50 | smtp_sasl_mechanism_filter = ["plain"]; | ||
| 51 | smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd"; | ||
| 52 | smtp_cname_overrides_servername = false; | ||
| 53 | smtp_always_send_ehlo = true; | ||
| 54 | smtp_tls_security_level = "dane"; | ||
| 55 | |||
| 56 | smtp_tls_loglevel = "1"; | ||
| 57 | smtp_dns_support_level = "dnssec"; | ||
| 58 | }; | ||
| 59 | masterConfig = { | ||
| 60 | submission = { | ||
| 61 | type = "inet"; | ||
| 62 | private = false; | ||
| 63 | command = "smtpd"; | ||
| 64 | args = [ | ||
| 65 | "-o" "syslog_name=postfix/$service_name" | ||
| 66 | ]; | ||
| 67 | }; | ||
| 68 | smtp = { }; | ||
| 69 | smtps = { | ||
| 70 | type = "unix"; | ||
| 71 | private = true; | ||
| 72 | privileged = true; | ||
| 73 | chroot = false; | ||
| 74 | command = "smtp"; | ||
| 75 | args = [ | ||
| 76 | "-o" "smtp_tls_wrappermode=yes" | ||
| 77 | "-o" "smtp_tls_security_level=encrypt" | ||
| 78 | ]; | ||
| 79 | }; | ||
| 80 | relay = { | ||
| 81 | command = "smtp"; | ||
| 82 | args = [ | ||
| 83 | "-o" "smtp_fallback_relay=" | ||
| 84 | "-o" "smtp_tls_security_level=verify" | ||
| 85 | "-o" "smtp_tls_wrappermode=yes" | ||
| 86 | "-o" "smtp_tls_cert_file=${./relay.crt}" | ||
| 87 | "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key" | ||
| 88 | ]; | ||
| 89 | }; | ||
| 90 | }; | ||
| 91 | }; | ||
| 92 | |||
| 93 | systemd.services.postfix = { | ||
| 94 | serviceConfig.LoadCredential = [ | ||
| 95 | "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}" | ||
| 96 | "relay.key:${config.sops.secrets."relay-key".path}" | ||
| 97 | ]; | ||
| 98 | }; | ||
| 99 | |||
| 100 | sops.secrets = { | ||
| 101 | postfix-sasl-passwd = { | ||
| 102 | key = "sasl-passwd"; | ||
| 103 | sopsFile = ./secrets.yaml; | ||
| 104 | }; | ||
| 105 | relay-key = { | ||
| 106 | format = "binary"; | ||
| 107 | sopsFile = ./relay.key; | ||
| 108 | }; | ||
| 109 | }; | ||
| 110 | } | ||
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt new file mode 100644 index 00000000..ac13e7cb --- /dev/null +++ b/hosts/sif/email/relay.crt | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | -----BEGIN CERTIFICATE----- | ||
| 2 | MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD | ||
| 3 | DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR | ||
| 4 | MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a | ||
| 5 | m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn | ||
| 6 | l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID | ||
| 7 | 6DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0 | ||
| 8 | 0UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq | ||
| 9 | kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav | ||
| 10 | yauId0cXHvN6g5RLAMsMAA== | ||
| 11 | -----END CERTIFICATE----- | ||
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key new file mode 100644 index 00000000..412a44e0 --- /dev/null +++ b/hosts/sif/email/relay.key | |||
| @@ -0,0 +1,19 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "age": [ | ||
| 5 | { | ||
| 6 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 8 | }, | ||
| 9 | { | ||
| 10 | "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | } | ||
| 13 | ], | ||
| 14 | "lastmodified": "2025-04-25T12:14:44Z", | ||
| 15 | "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]", | ||
| 16 | "unencrypted_suffix": "_unencrypted", | ||
| 17 | "version": "3.10.2" | ||
| 18 | } | ||
| 19 | } | ||
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml index 3c74b710..3c74b710 100644 --- a/hosts/sif/mail/secrets.yaml +++ b/hosts/sif/email/secrets.yaml | |||
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix deleted file mode 100644 index 8d6cd705..00000000 --- a/hosts/sif/mail/default.nix +++ /dev/null | |||
| @@ -1,70 +0,0 @@ | |||
| 1 | { config, lib, pkgs, ... }: | ||
| 2 | { | ||
| 3 | services.postfix = { | ||
| 4 | enable = true; | ||
| 5 | enableSmtp = true; | ||
| 6 | enableSubmission = false; | ||
| 7 | setSendmail = true; | ||
| 8 | networksStyle = "host"; | ||
| 9 | hostname = "sif.midgard.yggdrasil"; | ||
| 10 | destination = []; | ||
| 11 | relayHost = "uucp:ymir"; | ||
| 12 | recipientDelimiter = "+"; | ||
| 13 | masterConfig = { | ||
| 14 | uucp = { | ||
| 15 | type = "unix"; | ||
| 16 | private = true; | ||
| 17 | privileged = true; | ||
| 18 | chroot = false; | ||
| 19 | command = "pipe"; | ||
| 20 | args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ]; | ||
| 21 | }; | ||
| 22 | smtps = { | ||
| 23 | type = "unix"; | ||
| 24 | private = true; | ||
| 25 | privileged = true; | ||
| 26 | chroot = false; | ||
| 27 | command = "smtp"; | ||
| 28 | args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ]; | ||
| 29 | }; | ||
| 30 | }; | ||
| 31 | config = { | ||
| 32 | default_transport = "uucp:ymir"; | ||
| 33 | |||
| 34 | inet_interfaces = "loopback-only"; | ||
| 35 | |||
| 36 | authorized_submit_users = ["!uucp" "static:anyone"]; | ||
| 37 | message_size_limit = "0"; | ||
| 38 | |||
| 39 | sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" '' | ||
| 40 | /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de | ||
| 41 | /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587 | ||
| 42 | /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465 | ||
| 43 | /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de | ||
| 44 | ''}''; | ||
| 45 | sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" '' | ||
| 46 | /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de | ||
| 47 | /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de | ||
| 48 | ''}''; | ||
| 49 | |||
| 50 | smtp_sasl_auth_enable = true; | ||
| 51 | smtp_sender_dependent_authentication = true; | ||
| 52 | smtp_sasl_tls_security_options = "noanonymous"; | ||
| 53 | smtp_sasl_mechanism_filter = ["plain"]; | ||
| 54 | smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd"; | ||
| 55 | smtp_cname_overrides_servername = false; | ||
| 56 | smtp_always_send_ehlo = true; | ||
| 57 | smtp_tls_security_level = "dane"; | ||
| 58 | |||
| 59 | smtp_tls_loglevel = "1"; | ||
| 60 | smtp_dns_support_level = "dnssec"; | ||
| 61 | }; | ||
| 62 | }; | ||
| 63 | |||
| 64 | sops.secrets.postfix-sasl-passwd = { | ||
| 65 | key = "sasl-passwd"; | ||
| 66 | path = "/var/db/postfix/sasl_passwd"; | ||
| 67 | owner = "postfix"; | ||
| 68 | sopsFile = ./secrets.yaml; | ||
| 69 | }; | ||
| 70 | } | ||