aboutsummaryrefslogtreecommitdiff
path: root/flakes
diff options
context:
space:
mode:
Diffstat (limited to 'flakes')
-rw-r--r--flakes/files-watcher/flake.nix58
-rw-r--r--flakes/lib/flake.lock26
-rw-r--r--flakes/lib/flake.nix28
-rw-r--r--flakes/private/openarc/flake.lock44
-rw-r--r--flakes/private/openarc/flake.nix69
-rw-r--r--flakes/private/opendmarc/flake.lock44
-rw-r--r--flakes/private/opendmarc/flake.nix95
7 files changed, 291 insertions, 73 deletions
diff --git a/flakes/files-watcher/flake.nix b/flakes/files-watcher/flake.nix
new file mode 100644
index 0000000..29ea428
--- /dev/null
+++ b/flakes/files-watcher/flake.nix
@@ -0,0 +1,58 @@
1{
2 description = "Module to watch fo file changes to force restart systemd service";
3 outputs = { self }: {
4 nixosModule = { config, lib, pkgs, ... }: let cfg = config.services.filesWatcher; in with lib; {
5 options = {
6 services.filesWatcher = with lib.types; mkOption {
7 default = {};
8 description = ''
9 Files to watch and trigger service reload or restart of service
10 when changed.
11 '';
12 type = attrsOf (submodule {
13 options = {
14 restart = mkEnableOption "Restart service rather than reloading it";
15 paths = mkOption {
16 type = listOf str;
17 description = ''
18 Paths to watch that should trigger a reload of the
19 service
20 '';
21 };
22 waitTime = mkOption {
23 type = int;
24 default = 5;
25 description = ''
26 Time to wait before reloading/restarting the service.
27 Set 0 to not wait.
28 '';
29 };
30 };
31 });
32 };
33 };
34
35 config = {
36 systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
37 description = "${name} reloader";
38 after = [ "network.target" ];
39 script = let
40 action = if icfg.restart then "restart" else "reload";
41 in ''
42 # Service may be stopped during file modification (e.g. activationScripts)
43 if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
44 ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
45 ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
46 fi
47 '';
48 serviceConfig.Type = "oneshot";
49 }) cfg;
50
51 systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
52 wantedBy = [ "multi-user.target" ];
53 pathConfig.PathChanged = icfg.paths;
54 }) cfg;
55 };
56 };
57 };
58}
diff --git a/flakes/lib/flake.lock b/flakes/lib/flake.lock
new file mode 100644
index 0000000..3e0b21e
--- /dev/null
+++ b/flakes/lib/flake.lock
@@ -0,0 +1,26 @@
1{
2 "nodes": {
3 "nixpkgs": {
4 "locked": {
5 "lastModified": 1631570365,
6 "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
7 "owner": "NixOS",
8 "repo": "nixpkgs",
9 "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
10 "type": "github"
11 },
12 "original": {
13 "owner": "NixOS",
14 "repo": "nixpkgs",
15 "type": "github"
16 }
17 },
18 "root": {
19 "inputs": {
20 "nixpkgs": "nixpkgs"
21 }
22 }
23 },
24 "root": "root",
25 "version": 7
26}
diff --git a/flakes/lib/flake.nix b/flakes/lib/flake.nix
new file mode 100644
index 0000000..8faa136
--- /dev/null
+++ b/flakes/lib/flake.nix
@@ -0,0 +1,28 @@
1{
2 inputs.nixpkgs.url = "github:NixOS/nixpkgs";
3
4 description = "Useful libs";
5 outputs = { self, nixpkgs }: {
6 lib = rec {
7 computeNarHash = path:
8 let pkgs = import nixpkgs {};
9 in
10 builtins.readFile (pkgs.runCommand "narHash" {
11 buildInputs = [ pkgs.nix ];
12 } "echo -n $(nix hash-path ${path}) > $out");
13
14 withNarKeyCompat = flakeCompat: path: moduleAttrs:
15 let module = (flakeCompat path).${moduleAttrs};
16 narHash = computeNarHash path;
17 in if builtins.isFunction module
18 then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
19 else module // { key = narHash; };
20
21 withNarKey = dep: moduleAttrs:
22 let module = dep.${moduleAttrs};
23 in if builtins.isFunction module
24 then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
25 else module // { key = dep.narHash; };
26 };
27 };
28}
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
index f15e441..76ddaed 100644
--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -1,5 +1,16 @@
1{ 1{
2 "nodes": { 2 "nodes": {
3 "files-watcher": {
4 "locked": {
5 "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
6 "path": "../../files-watcher",
7 "type": "path"
8 },
9 "original": {
10 "path": "../../files-watcher",
11 "type": "path"
12 }
13 },
3 "flake-utils": { 14 "flake-utils": {
4 "locked": { 15 "locked": {
5 "lastModified": 1609246779, 16 "lastModified": 1609246779,
@@ -15,6 +26,20 @@
15 "type": "github" 26 "type": "github"
16 } 27 }
17 }, 28 },
29 "my-lib": {
30 "inputs": {
31 "nixpkgs": "nixpkgs"
32 },
33 "locked": {
34 "narHash": "sha256-YJREl39cf4zrFdAULMu1Yjg7hIEZCLuCnP8qJvWbIvM=",
35 "path": "../../lib",
36 "type": "path"
37 },
38 "original": {
39 "path": "../../lib",
40 "type": "path"
41 }
42 },
18 "myuids": { 43 "myuids": {
19 "locked": { 44 "locked": {
20 "dir": "flakes/myuids", 45 "dir": "flakes/myuids",
@@ -49,6 +74,21 @@
49 }, 74 },
50 "nixpkgs": { 75 "nixpkgs": {
51 "locked": { 76 "locked": {
77 "lastModified": 1631570365,
78 "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
79 "owner": "NixOS",
80 "repo": "nixpkgs",
81 "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
82 "type": "github"
83 },
84 "original": {
85 "owner": "NixOS",
86 "repo": "nixpkgs",
87 "type": "github"
88 }
89 },
90 "nixpkgs_2": {
91 "locked": {
52 "lastModified": 1597943282, 92 "lastModified": 1597943282,
53 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=", 93 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
54 "owner": "NixOS", 94 "owner": "NixOS",
@@ -66,7 +106,7 @@
66 "inputs": { 106 "inputs": {
67 "flake-utils": "flake-utils", 107 "flake-utils": "flake-utils",
68 "myuids": "myuids", 108 "myuids": "myuids",
69 "nixpkgs": "nixpkgs", 109 "nixpkgs": "nixpkgs_2",
70 "openarc": "openarc_2" 110 "openarc": "openarc_2"
71 }, 111 },
72 "locked": { 112 "locked": {
@@ -97,6 +137,8 @@
97 }, 137 },
98 "root": { 138 "root": {
99 "inputs": { 139 "inputs": {
140 "files-watcher": "files-watcher",
141 "my-lib": "my-lib",
100 "nix-lib": "nix-lib", 142 "nix-lib": "nix-lib",
101 "openarc": "openarc" 143 "openarc": "openarc"
102 } 144 }
diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix
index fd8ec56..9cc9aed 100644
--- a/flakes/private/openarc/flake.nix
+++ b/flakes/private/openarc/flake.nix
@@ -3,40 +3,51 @@
3 path = "../../openarc"; 3 path = "../../openarc";
4 type = "path"; 4 type = "path";
5 }; 5 };
6 inputs.files-watcher = {
7 path = "../../files-watcher";
8 type = "path";
9 };
10 inputs.my-lib = {
11 path = "../../lib";
12 type = "path";
13 };
6 inputs.nix-lib.url = "github:NixOS/nixpkgs"; 14 inputs.nix-lib.url = "github:NixOS/nixpkgs";
7 15
8 description = "Private configuration for openarc"; 16 description = "Private configuration for openarc";
9 outputs = { self, nix-lib, openarc }: 17 outputs = { self, nix-lib, my-lib, files-watcher, openarc }:
10 let 18 let
11 cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') { 19 cfg = name': { config, lib, pkgs, name, ... }: {
12 services.openarc = { 20 imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
13 enable = true; 21 config = lib.mkIf (name == name') {
14 user = "opendkim"; 22 services.openarc = {
15 socket = "local:${config.myServices.mail.milters.sockets.openarc}"; 23 enable = true;
16 group = config.services.postfix.group; 24 user = "opendkim";
17 configFile = pkgs.writeText "openarc.conf" '' 25 socket = "local:${config.myServices.mail.milters.sockets.openarc}";
18 AuthservID mail.immae.eu 26 group = config.services.postfix.group;
19 Domain mail.immae.eu 27 configFile = pkgs.writeText "openarc.conf" ''
20 KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"} 28 AuthservID mail.immae.eu
21 Mode sv 29 Domain mail.immae.eu
22 Selector eldiron 30 KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
23 SoftwareHeader yes 31 Mode sv
24 Syslog Yes 32 Selector eldiron
33 SoftwareHeader yes
34 Syslog Yes
35 '';
36 };
37 systemd.services.openarc.serviceConfig.Slice = "mail.slice";
38 systemd.services.openarc.postStart = lib.optionalString
39 (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
40 while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
41 sleep 0.5
42 done
43 chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
25 ''; 44 '';
26 }; 45 services.filesWatcher.openarc = {
27 systemd.services.openarc.serviceConfig.Slice = "mail.slice"; 46 restart = true;
28 systemd.services.openarc.postStart = lib.optionalString 47 paths = [
29 (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' 48 config.secrets.fullPaths."opendkim/eldiron.private"
30 while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do 49 ];
31 sleep 0.5 50 };
32 done
33 chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
34 '';
35 services.filesWatcher.openarc = {
36 restart = true;
37 paths = [
38 config.secrets.fullPaths."opendkim/eldiron.private"
39 ];
40 }; 51 };
41 }; 52 };
42 in 53 in
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index 33e00a4..ea056e5 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -1,5 +1,16 @@
1{ 1{
2 "nodes": { 2 "nodes": {
3 "files-watcher": {
4 "locked": {
5 "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
6 "path": "../../files-watcher",
7 "type": "path"
8 },
9 "original": {
10 "path": "../../files-watcher",
11 "type": "path"
12 }
13 },
3 "flake-utils": { 14 "flake-utils": {
4 "locked": { 15 "locked": {
5 "lastModified": 1609246779, 16 "lastModified": 1609246779,
@@ -15,6 +26,20 @@
15 "type": "github" 26 "type": "github"
16 } 27 }
17 }, 28 },
29 "my-lib": {
30 "inputs": {
31 "nixpkgs": "nixpkgs"
32 },
33 "locked": {
34 "narHash": "sha256-HGNP1eH7b42BxViYx/F3ZPO9CM1X+5qfA9JoP2ArN+s=",
35 "path": "../../lib",
36 "type": "path"
37 },
38 "original": {
39 "path": "../../lib",
40 "type": "path"
41 }
42 },
18 "myuids": { 43 "myuids": {
19 "locked": { 44 "locked": {
20 "dir": "flakes/myuids", 45 "dir": "flakes/myuids",
@@ -49,6 +74,21 @@
49 }, 74 },
50 "nixpkgs": { 75 "nixpkgs": {
51 "locked": { 76 "locked": {
77 "lastModified": 1631570365,
78 "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
79 "owner": "NixOS",
80 "repo": "nixpkgs",
81 "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
82 "type": "github"
83 },
84 "original": {
85 "owner": "NixOS",
86 "repo": "nixpkgs",
87 "type": "github"
88 }
89 },
90 "nixpkgs_2": {
91 "locked": {
52 "lastModified": 1597943282, 92 "lastModified": 1597943282,
53 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=", 93 "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
54 "owner": "NixOS", 94 "owner": "NixOS",
@@ -66,7 +106,7 @@
66 "inputs": { 106 "inputs": {
67 "flake-utils": "flake-utils", 107 "flake-utils": "flake-utils",
68 "myuids": "myuids", 108 "myuids": "myuids",
69 "nixpkgs": "nixpkgs" 109 "nixpkgs": "nixpkgs_2"
70 }, 110 },
71 "locked": { 111 "locked": {
72 "narHash": "sha256-eIe5hzNsp1zz5m4ZMzORwdHuLkhEsKkS7WMpPOJE4ok=", 112 "narHash": "sha256-eIe5hzNsp1zz5m4ZMzORwdHuLkhEsKkS7WMpPOJE4ok=",
@@ -80,6 +120,8 @@
80 }, 120 },
81 "root": { 121 "root": {
82 "inputs": { 122 "inputs": {
123 "files-watcher": "files-watcher",
124 "my-lib": "my-lib",
83 "nix-lib": "nix-lib", 125 "nix-lib": "nix-lib",
84 "opendmarc": "opendmarc" 126 "opendmarc": "opendmarc"
85 } 127 }
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index ae96c30..4b54ccf 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -3,54 +3,65 @@
3 path = "../../opendmarc"; 3 path = "../../opendmarc";
4 type = "path"; 4 type = "path";
5 }; 5 };
6 inputs.files-watcher = {
7 path = "../../files-watcher";
8 type = "path";
9 };
10 inputs.my-lib = {
11 path = "../../lib";
12 type = "path";
13 };
6 inputs.nix-lib.url = "github:NixOS/nixpkgs"; 14 inputs.nix-lib.url = "github:NixOS/nixpkgs";
7 15
8 description = "Private configuration for opendmarc"; 16 description = "Private configuration for opendmarc";
9 outputs = { self, nix-lib, opendmarc }: 17 outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }:
10 let 18 let
11 cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') { 19 cfg = name': { config, lib, pkgs, name, ... }: {
12 users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; 20 imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
13 systemd.services.opendmarc.serviceConfig.Slice = "mail.slice"; 21 config = lib.mkIf (name == name') {
14 services.opendmarc = { 22 users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
15 enable = true; 23 systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
16 socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; 24 services.opendmarc = {
17 configFile = pkgs.writeText "opendmarc.conf" '' 25 enable = true;
18 AuthservID HOSTNAME 26 socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
19 FailureReports false 27 configFile = pkgs.writeText "opendmarc.conf" ''
20 FailureReportsBcc postmaster@immae.eu 28 AuthservID HOSTNAME
21 FailureReportsOnNone true 29 FailureReports false
22 FailureReportsSentBy postmaster@immae.eu 30 FailureReportsBcc postmaster@immae.eu
23 IgnoreAuthenticatedClients true 31 FailureReportsOnNone true
24 IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} 32 FailureReportsSentBy postmaster@immae.eu
25 SoftwareHeader true 33 IgnoreAuthenticatedClients true
26 SPFIgnoreResults true 34 IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
27 SPFSelfValidate true 35 SoftwareHeader true
28 UMask 002 36 SPFIgnoreResults true
29 ''; 37 SPFSelfValidate true
30 group = config.services.postfix.group; 38 UMask 002
31 }; 39 '';
32 services.filesWatcher.opendmarc = { 40 group = config.services.postfix.group;
33 restart = true; 41 };
34 paths = [ 42 services.filesWatcher.opendmarc = {
35 config.secrets.fullPaths."opendmarc/ignore.hosts" 43 restart = true;
44 paths = [
45 config.secrets.fullPaths."opendmarc/ignore.hosts"
46 ];
47 };
48 secrets.keys = [
49 {
50 dest = "opendmarc/ignore.hosts";
51 user = config.services.opendmarc.user;
52 group = config.services.opendmarc.group;
53 permissions = "0400";
54 text = let
55 mxes = lib.attrsets.filterAttrs
56 (n: v: v.mx.enable)
57 config.myEnv.servers;
58 in
59 builtins.concatStringsSep "\n" ([
60 config.myEnv.mail.dmarc.ignore_hosts
61 ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
62 }
36 ]; 63 ];
37 }; 64 };
38 secrets.keys = [
39 {
40 dest = "opendmarc/ignore.hosts";
41 user = config.services.opendmarc.user;
42 group = config.services.opendmarc.group;
43 permissions = "0400";
44 text = let
45 mxes = lib.attrsets.filterAttrs
46 (n: v: v.mx.enable)
47 config.myEnv.servers;
48 in
49 builtins.concatStringsSep "\n" ([
50 config.myEnv.mail.dmarc.ignore_hosts
51 ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
52 }
53 ];
54 }; 65 };
55 in 66 in
56 opendmarc.outputs // 67 opendmarc.outputs //