Diffstat (limited to 'flakes')
-rw-r--r-- | flakes/files-watcher/flake.nix | 58 | ||||
-rw-r--r-- | flakes/lib/flake.lock | 26 | ||||
-rw-r--r-- | flakes/lib/flake.nix | 28 | ||||
-rw-r--r-- | flakes/private/openarc/flake.lock | 44 | ||||
-rw-r--r-- | flakes/private/openarc/flake.nix | 69 | ||||
-rw-r--r-- | flakes/private/opendmarc/flake.lock | 44 | ||||
-rw-r--r-- | flakes/private/opendmarc/flake.nix | 95 |
7 files changed, 291 insertions, 73 deletions
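--- /dev/null
+++ b/flakes/files-watcher/flake.nix
@@ -0,0 +1,58 @@
+{
+  description = "Module to watch fo file changes to force restart systemd service";
+  outputs = { self }: {
+    nixosModule = { config, lib, pkgs, ... }: let cfg = config.services.filesWatcher; in with lib; {
+      options = {
+        services.filesWatcher = with lib.types; mkOption {
+          default = {};
+          description = ''
+            Files to watch and trigger service reload or restart of service
+            when changed.
+          '';
+          type = attrsOf (submodule {
+            options = {
+              restart = mkEnableOption "Restart service rather than reloading it";
+              paths = mkOption {
+                type = listOf str;
+                description = ''
+                  Paths to watch that should trigger a reload of the
+                  service
+                '';
+              };
+              waitTime = mkOption {
+                type = int;
+                default = 5;
+                description = ''
+                  Time to wait before reloading/restarting the service.
+                  Set 0 to not wait.
+                '';
+              };
+            };
+          });
+        };
+      };
+
+      config = {
+        systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+          description = "${name} reloader";
+          after = [ "network.target" ];
+          script = let
+            action = if icfg.restart then "restart" else "reload";
+          in ''
+            # Service may be stopped during file modification (e.g. activationScripts)
+            if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+              ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+              ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+            fi
+          '';
+          serviceConfig.Type = "oneshot";
+        }) cfg;
+
+        systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair "${name}Watcher" {
+          wantedBy = [ "multi-user.target" ];
+          pathConfig.PathChanged = icfg.paths;
+        }) cfg;
+      };
+    };
+  };
+}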
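Review bot: `restart` (new line 14) is declared with `mkEnableOption`, which prefixes the rendered description with "Whether to enable", so the manual will read "Whether to enable Restart service rather than reloading it."; a plain `mkOption { type = bool; default = false; description = "Restart the service instead of reloading it."; }` says what is meant. `waitTime` (lines 22–29) is typed `int` with no lower bound although its value goes straight to `sleep`, so `type = ints.unsigned;` would reject a negative value at evaluation time, and the description should name the unit: `Seconds to wait before reloading/restarting the service. Set 0 to not wait.`. The flake `description` on line 2 has a typo, "watch fo file changes". `${name}` is interpolated into the shell script unquoted on lines 43 and 45; it comes from the system configuration rather than from untrusted input, but `lib.escapeShellArg name` would keep the script well-formed for any attribute name.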
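--- /dev/null
+++ b/flakes/lib/flake.lock
@@ -0,0 +1,26 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1631570365,
+        "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}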
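--- /dev/null
+++ b/flakes/lib/flake.nix
@@ -0,0 +1,28 @@
+{
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+  description = "Useful libs";
+  outputs = { self, nixpkgs }: {
+    lib = rec {
+      computeNarHash = path:
+        let pkgs = import nixpkgs {};
+        in
+          builtins.readFile (pkgs.runCommand "narHash" {
+            buildInputs = [ pkgs.nix ];
+          } "echo -n $(nix hash-path ${path}) > $out");
+
+      withNarKeyCompat = flakeCompat: path: moduleAttrs:
+        let module = (flakeCompat path).${moduleAttrs};
+            narHash = computeNarHash path;
+        in if builtins.isFunction module
+          then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
+          else module // { key = narHash; };
+
+      withNarKey = dep: moduleAttrs:
+        let module = dep.${moduleAttrs};
+        in if builtins.isFunction module
+          then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
+          else module // { key = dep.narHash; };
+    };
+  };
+}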
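Review bot: `computeNarHash` (new lines 7–12) calls `builtins.readFile` on the output of `pkgs.runCommand`, which forces a build during evaluation (import-from-derivation) every time `withNarKeyCompat` is used, and it instantiates nixpkgs with `import nixpkgs {}`, which as far as I can tell relies on `builtins.currentSystem` and is not usable under pure flake evaluation; passing the system explicitly, `import nixpkgs { inherit system; }`, or accepting a ready `pkgs` would avoid that. The two helpers also do not seem to produce `key` in the same format: `nix hash-path` prints a bare base32 digest while `dep.narHash` in `withNarKey` is an SRI string (`sha256-…`), so one module could end up with two different keys depending on which helper imports it, which defeats the deduplication the key is there for. A short comment on `withNarKeyCompat` and `withNarKey` saying that `key` is set so the module system deduplicates a module imported through several flakes, and that the two must agree on its format, would document the contract; `lib` currently has no comments at all.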
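--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -1,5 +1,16 @@
 {
   "nodes": {
+    "files-watcher": {
+      "locked": {
+        "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+        "path": "../../files-watcher",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../files-watcher",
+        "type": "path"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1609246779,
@@ -15,6 +26,20 @@
         "type": "github"
       }
     },
+    "my-lib": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "narHash": "sha256-YJREl39cf4zrFdAULMu1Yjg7hIEZCLuCnP8qJvWbIvM=",
+        "path": "../../lib",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../lib",
+        "type": "path"
+      }
+    },
     "myuids": {
       "locked": {
         "dir": "flakes/myuids",
@@ -49,6 +74,21 @@
     },
     "nixpkgs": {
       "locked": {
+        "lastModified": 1631570365,
+        "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
         "lastModified": 1597943282,
         "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
         "owner": "NixOS",
@@ -66,7 +106,7 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "myuids": "myuids",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "openarc": "openarc_2"
       },
       "locked": {
@@ -97,6 +137,8 @@
     },
     "root": {
       "inputs": {
+        "files-watcher": "files-watcher",
+        "my-lib": "my-lib",
         "nix-lib": "nix-lib",
         "openarc": "openarc"
       }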
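--- a/flakes/private/openarc/flake.nix
+++ b/flakes/private/openarc/flake.nix
@@ -3,40 +3,51 @@
     path = "../../openarc";
     type = "path";
   };
+  inputs.files-watcher = {
+    path = "../../files-watcher";
+    type = "path";
+  };
+  inputs.my-lib = {
+    path = "../../lib";
+    type = "path";
+  };
   inputs.nix-lib.url = "github:NixOS/nixpkgs";
 
   description = "Private configuration for openarc";
-  outputs = { self, nix-lib, openarc }:
+  outputs = { self, nix-lib, my-lib, files-watcher, openarc }:
     let
-      cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
-        services.openarc = {
-          enable = true;
-          user = "opendkim";
-          socket = "local:${config.myServices.mail.milters.sockets.openarc}";
-          group = config.services.postfix.group;
-          configFile = pkgs.writeText "openarc.conf" ''
-            AuthservID mail.immae.eu
-            Domain mail.immae.eu
-            KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
-            Mode sv
-            Selector eldiron
-            SoftwareHeader yes
-            Syslog Yes
+      cfg = name': { config, lib, pkgs, name, ... }: {
+        imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+        config = lib.mkIf (name == name') {
+          services.openarc = {
+            enable = true;
+            user = "opendkim";
+            socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+            group = config.services.postfix.group;
+            configFile = pkgs.writeText "openarc.conf" ''
+              AuthservID mail.immae.eu
+              Domain mail.immae.eu
+              KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+              Mode sv
+              Selector eldiron
+              SoftwareHeader yes
+              Syslog Yes
+            '';
+          };
+          systemd.services.openarc.serviceConfig.Slice = "mail.slice";
+          systemd.services.openarc.postStart = lib.optionalString
+            (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+            while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+              sleep 0.5
+            done
+            chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
           '';
-        };
-        systemd.services.openarc.serviceConfig.Slice = "mail.slice";
-        systemd.services.openarc.postStart = lib.optionalString
-          (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
-          while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
-            sleep 0.5
-          done
-          chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
-        '';
-        services.filesWatcher.openarc = {
-          restart = true;
-          paths = [
-            config.secrets.fullPaths."opendkim/eldiron.private"
-          ];
+          services.filesWatcher.openarc = {
+            restart = true;
+            paths = [
+              config.secrets.fullPaths."opendkim/eldiron.private"
+            ];
+          };
         };
       };
     in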
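Review bot: The `postStart` loop carried over on new lines 40–43 waits for the socket with no upper bound, and the path derived from `config.services.openarc.socket` is interpolated into the shell unquoted in both the `[ -S … ]` test and the `chmod`; if openarc never creates the socket the unit presumably only fails once systemd's start timeout kills it. A bounded loop over an escaped path would fail fast and stay well-formed for any path: `sock=${lib.escapeShellArg (lib.strings.removePrefix "local:" config.services.openarc.socket)}`, `for _ in $(seq 1 60); do [ -S "$sock" ] && break; sleep 0.5; done`, `chmod g+w "$sock"`. The `cfg` helper is wholly inside the hunk, but the `outputs` function it belongs to continues past new line 53.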
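--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -1,5 +1,16 @@
 {
   "nodes": {
+    "files-watcher": {
+      "locked": {
+        "narHash": "sha256-6urOJuzXsu4HJHyVmrZHd40SMzzTeHiOiDOM40q53Y0=",
+        "path": "../../files-watcher",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../files-watcher",
+        "type": "path"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1609246779,
@@ -15,6 +26,20 @@
         "type": "github"
       }
     },
+    "my-lib": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "narHash": "sha256-HGNP1eH7b42BxViYx/F3ZPO9CM1X+5qfA9JoP2ArN+s=",
+        "path": "../../lib",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../lib",
+        "type": "path"
+      }
+    },
     "myuids": {
       "locked": {
         "dir": "flakes/myuids",
@@ -49,6 +74,21 @@
     },
     "nixpkgs": {
       "locked": {
+        "lastModified": 1631570365,
+        "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "df7113c0727881519248d4c7d080324e0ee3327b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
         "lastModified": 1597943282,
         "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
         "owner": "NixOS",
@@ -66,7 +106,7 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "myuids": "myuids",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
         "narHash": "sha256-eIe5hzNsp1zz5m4ZMzORwdHuLkhEsKkS7WMpPOJE4ok=",
@@ -80,6 +120,8 @@
     },
     "root": {
       "inputs": {
+        "files-watcher": "files-watcher",
+        "my-lib": "my-lib",
         "nix-lib": "nix-lib",
         "opendmarc": "opendmarc"
       }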
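--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -3,54 +3,65 @@
     path = "../../opendmarc";
     type = "path";
   };
+  inputs.files-watcher = {
+    path = "../../files-watcher";
+    type = "path";
+  };
+  inputs.my-lib = {
+    path = "../../lib";
+    type = "path";
+  };
   inputs.nix-lib.url = "github:NixOS/nixpkgs";
 
   description = "Private configuration for opendmarc";
-  outputs = { self, nix-lib, opendmarc }:
+  outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }:
     let
-      cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
-        users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
-        systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
-        services.opendmarc = {
-          enable = true;
-          socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
-          configFile = pkgs.writeText "opendmarc.conf" ''
-            AuthservID HOSTNAME
-            FailureReports false
-            FailureReportsBcc postmaster@immae.eu
-            FailureReportsOnNone true
-            FailureReportsSentBy postmaster@immae.eu
-            IgnoreAuthenticatedClients true
-            IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
-            SoftwareHeader true
-            SPFIgnoreResults true
-            SPFSelfValidate true
-            UMask 002
-          '';
-          group = config.services.postfix.group;
-        };
-        services.filesWatcher.opendmarc = {
-          restart = true;
-          paths = [
-            config.secrets.fullPaths."opendmarc/ignore.hosts"
+      cfg = name': { config, lib, pkgs, name, ... }: {
+        imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];
+        config = lib.mkIf (name == name') {
+          users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+          systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+          services.opendmarc = {
+            enable = true;
+            socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+            configFile = pkgs.writeText "opendmarc.conf" ''
+              AuthservID HOSTNAME
+              FailureReports false
+              FailureReportsBcc postmaster@immae.eu
+              FailureReportsOnNone true
+              FailureReportsSentBy postmaster@immae.eu
+              IgnoreAuthenticatedClients true
+              IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+              SoftwareHeader true
+              SPFIgnoreResults true
+              SPFSelfValidate true
+              UMask 002
+            '';
+            group = config.services.postfix.group;
+          };
+          services.filesWatcher.opendmarc = {
+            restart = true;
+            paths = [
+              config.secrets.fullPaths."opendmarc/ignore.hosts"
+            ];
+          };
+          secrets.keys = [
+            {
+              dest = "opendmarc/ignore.hosts";
+              user = config.services.opendmarc.user;
+              group = config.services.opendmarc.group;
+              permissions = "0400";
+              text = let
+                mxes = lib.attrsets.filterAttrs
+                  (n: v: v.mx.enable)
+                  config.myEnv.servers;
+              in
+                builtins.concatStringsSep "\n" ([
+                  config.myEnv.mail.dmarc.ignore_hosts
+                ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+            }
           ];
         };
-        secrets.keys = [
-          {
-            dest = "opendmarc/ignore.hosts";
-            user = config.services.opendmarc.user;
-            group = config.services.opendmarc.group;
-            permissions = "0400";
-            text = let
-              mxes = lib.attrsets.filterAttrs
-                (n: v: v.mx.enable)
-                config.myEnv.servers;
-            in
-              builtins.concatStringsSep "\n" ([
-                config.myEnv.mail.dmarc.ignore_hosts
-              ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
-          }
-        ];
       };
     in
     opendmarc.outputs //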
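Review bot: The `my-lib` input declared on new lines 10–13 is locked in `flakes/private/opendmarc/flake.lock` at narHash `sha256-HGNP1eH7b42BxViYx/F3ZPO9CM1X+5qfA9JoP2ArN+s=`, while `flakes/private/openarc/flake.lock` in the same commit locks the identical `../../lib` path at `sha256-YJREl39cf4zrFdAULMu1Yjg7hIEZCLuCnP8qJvWbIvM=`; since both point at one directory, one of the two locks was presumably generated against a different content of `flakes/lib` (for instance before its own `flake.lock` was added) and will be rewritten at the next lock update. Re-locking both private flakes together keeps their dependency closure identical and avoids a surprise change on the next `nix flake lock`. The restructured `cfg` helper (new lines 19–65) is wholly inside the hunk, but the enclosing `outputs` function continues past new line 67.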