From ef43c36272ca539cbfe803ded03949451b17b679 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 21 Jan 2021 09:56:28 +0100
Subject: [PATCH] Add private flake for openarc and opendmarc
---
 flakes/openarc/flake.nix | 1 -
 flakes/opendmarc/flake.nix | 1 -
 flakes/private/openarc.nix | 35 -------
 flakes/private/openarc/flake.lock | 113 +++++++++++++++++++++
 flakes/private/openarc/flake.nix | 46 +++++++++
 flakes/private/opendmarc.nix | 49 ---------
 flakes/private/opendmarc/flake.lock | 148 ++++++++++++++++++++++++++++
 flakes/private/opendmarc/flake.nix | 60 +++++++++++
 modules/private/mail/milters.nix | 4 +-
 9 files changed, 369 insertions(+), 88 deletions(-)
 delete mode 100644 flakes/private/openarc.nix
 create mode 100644 flakes/private/openarc/flake.lock
 create mode 100644 flakes/private/openarc/flake.nix
 delete mode 100644 flakes/private/opendmarc.nix
 create mode 100644 flakes/private/opendmarc/flake.lock
 create mode 100644 flakes/private/opendmarc/flake.nix
diff --git a/flakes/openarc/flake.nix b/flakes/openarc/flake.nix
index d313f8e..fbb7fb1 100644
--- a/flakes/openarc/flake.nix
+++ b/flakes/openarc/flake.nix
@@ -75,7 +75,6 @@
 };
 };
 }) // {
- nixosModules = (if builtins.pathExists ../private/openarc.nix then import ../private/openarc.nix nixpkgs else {});
 nixosModule = { config, lib, pkgs, ... }:
 let
 cfg = config.services.openarc;
diff --git a/flakes/opendmarc/flake.nix b/flakes/opendmarc/flake.nix
index 4d6354b..e80376f 100644
--- a/flakes/opendmarc/flake.nix
+++ b/flakes/opendmarc/flake.nix
@@ -70,7 +70,6 @@
 };
 };
 }) // {
- nixosModules = (if builtins.pathExists ../private/opendmarc.nix then import ../private/opendmarc.nix nixpkgs else {});
 nixosModule = { config, lib, pkgs, ... }:
 let
 cfg = config.services.opendmarc;
diff --git a/flakes/private/openarc.nix b/flakes/private/openarc.nix
deleted file mode 100644
index 5244ca9..0000000
--- a/flakes/private/openarc.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-pkgs:
-let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- services.openarc = {
- enable = true;
- user = "opendkim";
- socket = "local:${config.myServices.mail.milters.sockets.openarc}";
- group = config.services.postfix.group;
- configFile = pkgs.writeText "openarc.conf" ''
- AuthservID mail.immae.eu
- Domain mail.immae.eu
- KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
- Mode sv
- Selector eldiron
- SoftwareHeader yes
- Syslog Yes
- '';
- };
- systemd.services.openarc.serviceConfig.Slice = "mail.slice";
- systemd.services.openarc.postStart = lib.optionalString
- (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
- while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
- sleep 0.5
- done
- chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
- '';
- services.filesWatcher.openarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
- };
- };
-in
- pkgs.lib.genAttrs ["eldiron" "backup-2"] cfg
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
new file mode 100644
index 0000000..69186fb
--- /dev/null
+++ b/flakes/private/openarc/flake.lock
@@ -0,0 +1,113 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1609246779,
+ "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "myuids": {
+ "locked": {
+ "dir": "flakes/myuids",
+ "lastModified": 1609281959,
+ "narHash": "sha256-SYNlHeobQAzTzK0pM5AqMn7M2WbTuzBeoD+Q3Mu+sho=",
+ "ref": "master",
+ "rev": "1be9e64bb4556676f65e6e5044e04426848849c0",
+ "revCount": 791,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/myuids",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1611218116,
+ "narHash": "sha256-CcyGZ8cLlHgiViWyBjRIjdsdRZxJjP2MgtWeuqSv3CE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "30ab92ea31f6b7e9095b1e7e4b56a5000823efdf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1597943282,
+ "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "openarc": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "myuids": "myuids",
+ "nixpkgs": "nixpkgs_2",
+ "openarc": "openarc_2"
+ },
+ "locked": {
+ "dir": "flakes/openarc",
+ "lastModified": 1611091761,
+ "narHash": "sha256-fE3FBeUxVaMezKjEpepdQW9apOza+0AfBALFhaaD0VA=",
+ "ref": "master",
+ "rev": "23f9fdf03a6673dbe334ae33be4f498cc4753191",
+ "revCount": 802,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/openarc",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "openarc_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1537545083,
+ "narHash": "sha256-xUSRARC7875vFjtZ66t8KBlKmkEdIZblWHc4zqGZAQQ=",
+ "owner": "trusteddomainproject",
+ "repo": "OpenARC",
+ "rev": "355ee2a1ca85acccce494478991983b54f794f4e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "trusteddomainproject",
+ "repo": "OpenARC",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "openarc": "openarc"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix
new file mode 100644
index 0000000..6a2518b
--- /dev/null
+++ b/flakes/private/openarc/flake.nix
@@ -0,0 +1,46 @@
+{
+ inputs.openarc = {
+ url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+ type = "git";
+ dir = "flakes/openarc";
+ };
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+ description = "Private configuration for openarc";
+ outputs = { self, nixpkgs, openarc }:
+ let
+ cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
+ services.openarc = {
+ enable = true;
+ user = "opendkim";
+ socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+ group = config.services.postfix.group;
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ systemd.services.openarc.serviceConfig.Slice = "mail.slice";
+ systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+ '';
+ services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
+ };
+ in
+ openarc.outputs //
+ { nixosModules = openarc.nixosModules or {} // nixpkgs.lib.genAttrs ["eldiron" "backup-2"] cfg; };
+}
diff --git a/flakes/private/opendmarc.nix b/flakes/private/opendmarc.nix
deleted file mode 100644
index d6e8920..0000000
--- a/flakes/private/opendmarc.nix
+++ /dev/null
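Review bot: `AuthservID mail.immae.eu` is hard-coded in the openarc.conf built at the `configFile =` line, yet the same module is instantiated for both `eldiron` and `backup-2` through `genAttrs`; if backup-2 does not present itself as mail.immae.eu, the ARC seals and Authentication-Results headers it emits carry an authserv-id that does not identify the host that produced them, which is precisely what downstream filters key on when deciding which A-R headers to trust or strip. The sibling opendmarc flake uses `AuthservID HOSTNAME`, so either derive the value per host (e.g. from `config.networking.fqdn`, if both hosts set it) or add a comment stating why both hosts must sign as mail.immae.eu. Separately, `pkgs.writeText` puts openarc.conf in the world-readable Nix store; today only the key path from `config.secrets.fullPaths` is interpolated, so a comment such as `# Lives in /nix/store (world-readable): interpolate only paths here, never key material` would keep that property on future edits. The `while [ ! -S … ]` loop in `postStart` has no upper bound, so a milter that never creates its socket leaves the unit in start-post until systemd's start timeout fires; a bounded retry with an explicit failure would make that condition visible instead.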
@@ -1,49 +0,0 @@
-pkgs:
-let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
- ];
- };
- secrets.keys = [
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
- ];
- };
-in
- pkgs.lib.genAttrs ["eldiron" "backup-2"] cfg
-
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
new file mode 100644
index 0000000..867dcbc
--- /dev/null
+++ b/flakes/private/opendmarc/flake.lock
@@ -0,0 +1,148 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1609246779,
+ "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_2": {
+ "locked": {
+ "lastModified": 1609246779,
+ "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "libspf2": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "dir": "flakes/libspf2",
+ "lastModified": 1609548509,
+ "narHash": "sha256-d9gssVdKV0EaeDU/L5QgQpQwFuxWMbwNQ71i7z4LdDs=",
+ "ref": "master",
+ "rev": "749623765bef80615fc21e73aff89521d262e277",
+ "revCount": 796,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/libspf2",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "myuids": {
+ "locked": {
+ "dir": "flakes/myuids",
+ "lastModified": 1609548509,
+ "narHash": "sha256-d9gssVdKV0EaeDU/L5QgQpQwFuxWMbwNQ71i7z4LdDs=",
+ "ref": "master",
+ "rev": "749623765bef80615fc21e73aff89521d262e277",
+ "revCount": 796,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/myuids",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1611218116,
+ "narHash": "sha256-CcyGZ8cLlHgiViWyBjRIjdsdRZxJjP2MgtWeuqSv3CE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "30ab92ea31f6b7e9095b1e7e4b56a5000823efdf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1597943282,
+ "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1597943282,
+ "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "opendmarc": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "libspf2": "libspf2",
+ "myuids": "myuids",
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "dir": "flakes/opendmarc",
+ "lastModified": 1611091761,
+ "narHash": "sha256-fE3FBeUxVaMezKjEpepdQW9apOza+0AfBALFhaaD0VA=",
+ "ref": "master",
+ "rev": "23f9fdf03a6673dbe334ae33be4f498cc4753191",
+ "revCount": 802,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/opendmarc",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "opendmarc": "opendmarc"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
new file mode 100644
index 0000000..9aeb3db
--- /dev/null
+++ b/flakes/private/opendmarc/flake.nix
@@ -0,0 +1,60 @@
+{
+ inputs.opendmarc = {
+ url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+ type = "git";
+ dir = "flakes/opendmarc";
+ };
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+ description = "Private configuration for opendmarc";
+ outputs = { self, nixpkgs, opendmarc }:
+ let
+ cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
+ users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+ services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFIgnoreResults true
+ SPFSelfValidate true
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+ secrets.keys = [
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+ }
+ ];
+ };
+ in
+ opendmarc.outputs //
+ { nixosModules = opendmarc.nixosModules or {} // nixpkgs.lib.genAttrs ["eldiron" "backup-2"] cfg; };
+}
+
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 49c5dfd..e00a2f3 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
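Review bot: `SPFIgnoreResults true` together with `SPFSelfValidate true` in the opendmarc.conf at the `configFile =` line is a deliberate trust decision — OpenDMARC discards any SPF verdict carried in upstream Authentication-Results headers and re-evaluates SPF itself — and it deserves a why-comment so nobody later relaxes it as redundant: `# Never trust SPF verdicts from upstream A-R headers; re-check locally (libspf2 is an input of the opendmarc flake)`. `IgnoreAuthenticatedClients true` plus the generated `IgnoreHosts` file (every server with `mx.enable` plus `myEnv.mail.dmarc.ignore_hosts`) is the other half of that policy — DMARC evaluation is skipped for mail arriving from our own MXes and authenticated submission clients — and should be documented next to it, since an over-broad entry there silently disables DMARC for that source. The ignore file is assembled with `concatStringsSep "\n"` and therefore ends without a trailing newline; harmless as far as I can tell, but appending `+ "\n"` would make it a conventional text file. The 0400 secret owned by `services.opendmarc.user` is good least privilege; a one-line comment on why that user needs `extraGroups = [ "keys" ]` (presumably to traverse the secrets directory) would help the next reader.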
@@ -1,8 +1,8 @@
 { lib, pkgs, config, name, ... }: {
 imports =
- builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules
- ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/opendmarc).nixosModules;
+ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
+ ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;
 options.myServices.mail.milters.sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
--
2.41.0