From 7f04383e716b8b5b67e28422d7d72896fb080918 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 11 Jul 2022 09:28:58 +0200
Subject: bouncy.email: MTA-STS
---
_sources/generated.json | 20 +++++++++--
_sources/generated.nix | 14 ++++++--
flake.nix | 2 +-
hosts/surtr/email/default.nix | 4 +++
modules/postfix-mta-sts-resolver.nix | 63 +++++++++++++++++++++++++++++++++++
nvfetcher.toml | 7 +++-
overlays/postfix-mta-sts-resolver.nix | 25 ++++++++++++++
7 files changed, 127 insertions(+), 8 deletions(-)
create mode 100644 modules/postfix-mta-sts-resolver.nix
create mode 100644 overlays/postfix-mta-sts-resolver.nix
diff --git a/_sources/generated.json b/_sources/generated.json
index c65147bb..be2bdcb0 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -67,12 +67,12 @@
 "fetchSubmodules": false,
 "leaveDotGit": false,
 "name": null,
- "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0",
- "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=",
+ "rev": "586675942a4014fc2c277fd5c7ee44a1a20147fb",
+ "sha256": "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=",
 "type": "git",
 "url": "https://github.com/FreeRDP/FreeRDP"
 },
- "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"
+ "version": "586675942a4014fc2c277fd5c7ee44a1a20147fb"
 },
 "lesspipe": {
 "cargoLocks": null,
@@ -182,6 +182,20 @@
 },
 "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"
 },
+ "postfix-mta-sts-resolver": {
+ "cargoLocks": null,
+ "extract": null,
+ "name": "postfix-mta-sts-resolver",
+ "passthru": null,
+ "pinned": false,
+ "src": {
+ "name": null,
+ "sha256": "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=",
+ "type": "url",
+ "url": "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz"
+ },
+ "version": "1.1.3"
+ },
 "psql-versioning": {
 "cargoLocks": null,
 "extract": null,
diff --git a/_sources/generated.nix b/_sources/generated.nix
index b077edf5..488f0a68 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -38,14 +38,14 @@
 };
 freerdp = {
 pname = "freerdp";
- version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+ version = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
 src = fetchgit {
 url = "https://github.com/FreeRDP/FreeRDP";
- rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+ rev = "586675942a4014fc2c277fd5c7ee44a1a20147fb";
 fetchSubmodules = false;
 deepClone = false;
 leaveDotGit = false;
- sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=";
+ sha256 = "sha256-2nzZEapKaslPbcpIilJt/2T2uaHDsWZU6U9QtHb+tm4=";
 };
 };
 lesspipe = {
@@ -112,6 +112,14 @@
 sha256 = "sha256-+DoKPIulQA3VSeXo8DjoxnPwDfcuCO5YHpXmB+M7EWk=";
 });
 };
+ postfix-mta-sts-resolver = {
+ pname = "postfix-mta-sts-resolver";
+ version = "1.1.3";
+ src = fetchurl {
+ url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v1.1.3.tar.gz";
+ sha256 = "sha256-snvUmKZVckDNt2nnFOEa4cbGLtm825UgvA3cBpoNGLw=";
+ };
+ };
 psql-versioning = {
 pname = "psql-versioning";
 version = "3e578ff5e5aa6c7e5459dbfa842a64a1b2674b2e";
diff --git a/flake.nix b/flake.nix
index 72c93162..e7557b2d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,7 +89,7 @@
 mkSources = pkgs: optionalAttrs (pathExists _sources/generated.nix) {
 sources = pkgs.callPackage _sources/generated.nix {};
 };
- mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; } // mkSources prev);
+ mkOverlay = path: final: prev: import path ({ inherit final; inherit prev; flakeInputs = inputs; flake = self; } // mkSources prev);
 
 mkNixosConfiguration = addProfiles: dir: path: hostName: nixosSystem rec {
 specialArgs = {
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index d72a4465..9bdaac75 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -87,6 +87,8 @@ in { .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem ''}''; + smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; + local_recipient_maps = ""; # 10 GiB @@ -723,5 +725,7 @@ in { format = "binary"; sopsFile = ./spm-keys.json; }; + + services.postfix-mta-sts-resolver.enable = true; }; } diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..9e126361 --- /dev/null +++ b/modules/postfix-mta-sts-resolver.nix 
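Review bot: `smtp_tls_policy_maps` hands per-destination TLS policy to the resolver socket, and for domains that publish an enforced MTA-STS policy the daemon (as I read it) answers with a `secure` policy that requires chain verification against a trust store, so outbound mail to such domains will be deferred unless `smtp_tls_CAfile` is set; nothing in this hunk sets it and the enclosing attrset starts outside the hunk, so confirm it is configured elsewhere in this file. Both this reference to `config.services.postfix-mta-sts-resolver.settings.path` and the `services.postfix-mta-sts-resolver.enable = true;` line in the second hunk require `modules/postfix-mta-sts-resolver.nix` to be imported for this host, and the diffstat shows no `imports` change, so this evaluates only if the flake picks up `modules/` automatically. A one-line comment on the new line would help the next reader, e.g. `# outbound MTA-STS: policy lookups go through the mta-sts-daemon socket (modules/postfix-mta-sts-resolver.nix)`.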
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.postfix-mta-sts-resolver;
+in {
+ options = {
+ services.postfix-mta-sts-resolver = {
+ enable = mkEnableOption "mta-sts-daemon";
+ package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+
+ redis = mkEnableOption "redis cache" // { default = true; example = false; };
+
+ settings = mkOption {
+ type = types.attrs;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+ services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+
+ services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+ redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+ };
+
+ services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+ enable = true;
+ };
+
+ users.users.postfix-mta-sts-resolver = {
+ isSystemUser = true;
+ group = "postfix-mta-sts-resolver";
+ };
+ users.groups.postfix-mta-sts-resolver = {
+ members = ["postfix"];
+ };
+
+ systemd.services."postfix-mta-sts-resolver" = {
+ wantedBy = ["postfix.service"];
+ before = ["postfix.service"];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+ SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+ RuntimeDirectory = "postfix-mta-sts-resolver";
+
+ User = "postfix-mta-sts-resolver";
+ Group = "postfix-mta-sts-resolver";
+
+ RemoveIPC = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictSUIDSGID = true;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+ };
+ };
+ };
+}
diff --git a/nvfetcher.toml b/nvfetcher.toml
index c723654e..cb87d2e1 100644
--- a/nvfetcher.toml
+++ b/nvfetcher.toml
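Review bot: the `package` option is declared but never read — `ExecStart` hard-codes `pkgs.postfix-mta-sts-resolver`, so overriding the package has no effect; use `${cfg.package}/bin/mta-sts-daemon` there, and note that nixpkgs' `mkPackageOption` takes a third attrset argument (`mkPackageOption pkgs "postfix-mta-sts-resolver" { }`), so the declaration as written may evaluate to a partially applied function rather than an option unless this flake's `lib` differs. `settings` is typed `types.attrs`, which merges only the top level, so a host definition such as `settings.cache.redis.url` silently replaces the whole `cache` attrset this module sets when `cfg.redis` is on; `pkgs.formats.yaml {}` gives a recursively merging type plus a `generate` function that replaces the `writeText`/`generators.toYAML` pair, and the option also lacks a `default` and `description`. `SupplementaryGroups` is given the redis server's `user` name as a group name, which only works while that group is named like its user; the redis module's `group` option, where available, is the safer reference. The daemon needs only its Unix socket, DNS and outbound HTTPS, so the hardening block can additionally drop devices, kernel tunables, capabilities and non-IP address families, as sketched below.
```nix
let
  cfg = config.services.postfix-mta-sts-resolver;
  settingsFormat = pkgs.formats.yaml {};
in {
  # … unchanged: options.enable / options.package / options.redis …
      settings = mkOption {
        type = settingsFormat.type;
        default = {};
        description = "Contents of mta-sts-daemon.yml, passed to the daemon with -c.";
      };
  # … unchanged: settings.path / settings.mode / settings.cache, redis server, user and group …
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/mta-sts-daemon -c ${settingsFormat.generate "mta-sts-daemon.yml" cfg.settings}";
        # … unchanged: SupplementaryGroups … ProtectHome, ReadWritePaths …
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
      };
```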
@@ -57,4 +57,9 @@ fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
 
 [freerdp]
 src.git = "https://github.com/FreeRDP/FreeRDP"
-fetch.git = "https://github.com/FreeRDP/FreeRDP"
\ No newline at end of file
+fetch.git = "https://github.com/FreeRDP/FreeRDP"
+
+[postfix-mta-sts-resolver]
+src.github = "Snawoot/postfix-mta-sts-resolver"
+src.prefix = "v"
+fetch.url = "https://github.com/Snawoot/postfix-mta-sts-resolver/archive/refs/tags/v$ver.tar.gz"
\ No newline at end of file
diff --git a/overlays/postfix-mta-sts-resolver.nix b/overlays/postfix-mta-sts-resolver.nix
new file mode 100644
index 00000000..3f08920f
--- /dev/null
+++ b/overlays/postfix-mta-sts-resolver.nix
@@ -0,0 +1,25 @@
+{ final, prev, flakeInputs, sources, ... }:
+{
+ postfix-mta-sts-resolver = flakeInputs.mach-nix.lib.${final.system}.buildPythonPackage {
+ inherit (sources.postfix-mta-sts-resolver) src pname version;
+ extras = "redis";
+ ignoreDataOutdated = true;
+
+ requirements = ''
+ redis>=4.2.0rc1
+ aiodns>=1.1.1
+ aiohttp>=3.4.4
+ PyYAML>=3.12
+ '';
+
+ providers._default = "nixpkgs,sdist";
+
+ overridesPost = [
+ (self: super: {
+ frozenlist = super.frozenlist.overrideAttrs (oldAttrs: {
+ nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [ final.python310Packages.cython ];
+ });
+ })
+ ];
+ };
+}
--
cgit v1.2.3
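Review bot: `ignoreDataOutdated = true` silences mach-nix's warning that its PyPI dependency database is stale, and `providers._default = "nixpkgs,sdist"` lets resolution fall through to PyPI sdists, so the transitive set behind the lower-bound-only `requirements` is whatever that database snapshot resolves to rather than a reviewed pin; pinning mach-nix's `pypi-deps-db` input in `flake.nix` (or adding upper bounds to the four requirements) would make the closure reproducible and reviewable. `final.python310Packages.cython` hard-codes the interpreter generation while `buildPythonPackage` is left at mach-nix's default interpreter, so the `frozenlist` override only lines up if that default is also 3.10 — passing `python = "python310"` alongside, or taking cython from the package set mach-nix actually builds against, keeps the two in step. A short comment above `overridesPost` saying why `frozenlist` needs cython injected would save the next reader from rediscovering it.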