From 43d8e0394f38364a2bbecfd05d8ddde3763efdb7 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 15 Mar 2026 14:26:23 +0100
Subject: bump
---
 hosts/surtr/email/default.nix | 65 ++++++++++++++-----------------------------
 1 file changed, 21 insertions(+), 44 deletions(-)
(limited to 'hosts/surtr/email/default.nix')
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b0e95a0e..4c7af0c3 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -21,18 +21,21 @@ let
 };
 ccert-policy-server =
- with pkgs.poetry2nix;
- mkPoetryApplication {
- python = pkgs.python311;
-
- projectDir = cleanPythonSources { src = ./ccert-policy-server; };
-
- overrides = overrides.withDefaults (self: super: {
- systemd-python = super.systemd-python.overridePythonAttrs (oldAttrs: {
- buildInputs = (oldAttrs.buildInputs or []) ++ [ super.setuptools ];
- });
- });
- };
+ let
+ workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./ccert-policy-server; };
+ pythonSet = flake.lib.pythonSet {
+ inherit pkgs;
+ python = pkgs.python312;
+ overlay = workspace.mkPyprojectOverlay {
+ sourcePreference = "wheel";
+ };
+ };
+ virtualEnv = pythonSet.mkVirtualEnv "ccert-policy-server-env" workspace.deps.default;
+ in virtualEnv.overrideAttrs (oldAttrs: {
+ meta = (oldAttrs.meta or {}) // {
+ mainProgram = "ccert-policy-server";
+ };
+ });
 internal-policy-server =
 let
 workspace = flakeInputs.uv2nix.lib.workspace.loadWorkspace { workspaceRoot = ./internal-policy-server; };
@@ -138,9 +141,6 @@ in {
 "/run/credentials/postfix.service/surtr.yggdrasil.li.full.pem"
 ];
- #the dh params
- smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
- smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
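Review bot: `sourcePreference = "wheel"` in the new ccert-policy-server block assembles the environment from prebuilt PyPI wheels wherever one exists, so the only thing tying those binaries to a reviewed artifact is the hash set in the workspace lock under `./ccert-policy-server` (presumably its `uv.lock`), which this commit does not show; confirm the lock is committed next to the pyproject and that its entries carry hashes. The old poetry2nix block also patched `systemd-python` with `setuptools` in `buildInputs`; if that package still arrives as an sdist under the new resolver, the equivalent build-system override presumably has to live in `flake.lib.pythonSet` (not visible here), so verify the build instead of assuming the override became unnecessary. A short comment above the block, `# uv2nix workspace, wheels preferred; dependency hashes come from the lock in ./ccert-policy-server`, would record where the supply-chain trust boundary sits.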
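Review bot: Dropping `smtpd_tls_dh1024_param_file` and `smtpd_tls_dh512_param_file` leaves Postfix on its built-in finite-field DH handling (a compiled-in 2048-bit group, or RFC 7919 FFDHE groups with current Postfix and OpenSSL), and nothing in the hunk records why that is acceptable; a comment in place of the removed `#the dh params`, e.g. `# no custom DH params: rely on Postfix's built-in DH groups`, would keep the next reader from re-adding a generated group. Removing the 512-bit parameter file is a clear improvement, since it only ever served export-grade ciphers. The `security.dhparams` block removed in the last hunk also deletes `postfix-smtps-512` and `postfix-smtps-1024`; their consumers are not in this diff, so confirm nothing outside the shown hunks still references `config.security.dhparams.params."postfix-smtps-1024".path` (evaluation would fail rather than silently degrade if it does).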
@@ -224,8 +224,8 @@ in {
 smtpd_client_event_limit_exceptions = "";
 milter_default_action = "accept";
- smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
- non_smtpd_milters = [config.services.opendkim.socket "local:/run/rspamd/rspamd-milter.sock"];
+ smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock" "local:/run/postsrsd/postsrsd-milter.sock"];
+ non_smtpd_milters = ["local:/run/rspamd/rspamd-milter.sock"];
 alias_maps = "";
@@ -339,7 +339,6 @@ in {
 "-o" "unverified_sender_reject_code=550"
 "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
 "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
- "-o" ''smtpd_milters=${config.services.opendkim.socket}''
 ];
 };
 "466" = {
@@ -369,7 +368,6 @@ in {
 "-o" "unverified_sender_reject_code=550"
 "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
 "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
- "-o" ''smtpd_milters=${config.services.opendkim.socket}''
 ];
 };
 subcleanup = {
@@ -425,20 +423,6 @@ in {
 '';
 };
- services.opendkim = {
- enable = true;
- user = "postfix"; group = "postfix";
- socket = "local:/run/opendkim/opendkim.sock";
- domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li" "yggdrasil.li" "141.li" "kleen.li" "synapse.li" "praseodym.org"] ++ emailDomains)}'';
- selector = "surtr";
- configFile = builtins.toFile "opendkim.conf" ''
- Syslog true
- MTA surtr.yggdrasil.li
- MTACommand ${config.security.wrapperDir}/sendmail
- LogResults true
- '';
- };
-
 services.rspamd = {
 enable = true;
 workers = {
@@ -506,7 +490,10 @@ in {
 "redis.conf".text = ''
 servers = "${config.services.redis.servers.rspamd.unixSocket}";
 '';
- "dkim_signing.conf".text = "enabled = false;";
+ "dkim_signing.conf".text = ''
+ path = "/var/lib/rspamd/dkim/$domain.key";
+ selector = "mail";
+ '';
 "neural.conf".text = "enabled = false;";
 "classifier-bayes.conf".text = ''
 enable = true;
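Review bot: Removing the `-o smtpd_milters=…` override on both submission services (this hunk and the one before `subcleanup`) makes them inherit the main.cf `smtpd_milters` list from the first hunk, so authenticated submissions now pass through the rspamd milter and the postsrsd milter instead of a signing-only milter. That is what moves DKIM signing to rspamd, but it also exposes outbound authenticated mail to rspamd's scoring and actions; check that rspamd's settings for authenticated senders cannot reject or greylist the server's own users. Note too that `milter_default_action = "accept"` (context in the first hunk) means that if the rspamd socket is unavailable, submissions are accepted and relayed unsigned rather than deferred, which is a silent failure mode for signing that `tempfail` would surface. A comment on the service entries, `# no smtpd_milters override: inherits main.cf milters so rspamd signs outbound mail`, would document the intent.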
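Review bot: The new `dkim_signing.conf` changes the published selector from `surtr` (the removed opendkim config) to `mail` and expects a per-domain private key at `/var/lib/rspamd/dkim/$domain.key`, but neither the DNS side nor the key provisioning is part of this commit. Every domain the removed opendkim `domains` list covered (surtr.yggdrasil.li, yggdrasil.li, 141.li, kleen.li, synapse.li, praseodym.org and `emailDomains`) now needs a `mail._domainkey` TXT record and a key file readable by the rspamd service user only; rspamd presumably skips signing for a domain whose key file is absent, so a gap shows up as unsigned mail rather than as an error. Keep the old `surtr` selector record published until mail signed before the switch has aged out of recipient queues. A comment in the config, `# one private key per sending domain, readable by the rspamd user only; DNS record at mail._domainkey.<domain>`, would state the path contract for the next operator.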
@@ -776,16 +763,6 @@ in {
 '';
 };
- security.dhparams = {
- params = {
- "postfix-512".bits = 512;
- "postfix-1024".bits = 2048;
-
- "postfix-smtps-512".bits = 512;
- "postfix-smtps-1024".bits = 2048;
- };
- };
-
 security.acme.rfc2136Domains = {
 "surtr.yggdrasil.li" = {
 restartUnits = [ "postfix.service" "dovecot.service" ];
-- 
cgit v1.2.3