nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Begin reverting back to simple-nixos-mailserver
Some checks failed
/ dev-shell (push) Successful in 1m8s
Details
/ check (push) Failing after 1m29s
Details
/ systems (push) Failing after 33s
Details
/ rust-packages (push) Successful in 3m40s
Details
/ terraform-providers (push) Successful in 5m13s
Details

Browse source 
It appears I can get app passwords with kanidm and ldap
so just going to a more stable, probably supported setup,
should be good.
This commit is contained in:
Kaare Hoff Skovgaard 2025-07-28 12:02:24 +02:00
parent c97b19c495
commit cd8a0db1b6
Signed by: khs
GPG key ID: C7D890804F01E9F0
21 changed files with 814 additions and 250 deletions
Download patch file Download diff file Expand all files Collapse all files

82
nix/modules/nixos/infrastructure/mailserver/dkim.nix
View file

@ -1,5 +1,4 @@
{
pkgs,
lib,
config,
...
@ -52,37 +51,6 @@ in
};
};
config = lib.mkIf (cfg.enable) {
# mailserver = {
# dkimSigning = false;
# };
# services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
# text = ''
# enabled = true;
# domain {
# ${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
# }
# '';
# };
# systemd.services.rspamd = {
# unitConfig = {
# ConditionPathExists = domainKeyPaths;
# };
# };
# systemd.services.postfix = {
# unitConfig = {
# ConditionPathExists = domainKeyPaths;
# };
# };
systemd.services.stalwart-mail = {
unitConfig = {
ConditionPathExists = domainKeyPaths;
};
serviceConfig = {
ReadOnlyPaths = [
"/run/secret/dkim"
];
};
};
khscodes.infrastructure.vault-server-approle.policy = {
"${cfg.dkim.vault.mount}/data/${cfg.dkim.vault.prefixPath}/*" = {
capabilities = [ "read" ];
@ -90,7 +58,7 @@ in
};
khscodes.infrastructure.provisioning.pre.modules = [
(
{ config, ... }:
{ ... }:
{
terraform.required_providers.tls = {
source = "hashicorp/tls";
@ -128,16 +96,6 @@ in
fqdn = "snm_ed25519._domainkey.${domain}";
content = ''"''${ join("\" \"", regexall(".{1,255}", "v=DKIM1;k=ed25519;p=${dkimPublicKey "tls_private_key.${lib.khscodes.sanitize-terraform-name domain}_dkim_ed25519"}" )) }"'';
ttl = 600;
}) cfg.domains)
++ (lib.lists.map (domain: {
fqdn = domain;
content = ''"v=spf1 mx -all"'';
ttl = 600;
}) cfg.domains)
++ (lib.lists.map (domain: {
fqdn = "_dmarc.${domain}";
content = ''"v=DMARC1; p=reject; adkim=s; aspf=s;"'';
ttl = 600;
}) cfg.domains);
resource.vault_kv_secret_v2 =
@ -168,11 +126,6 @@ in
}
)
];
systemd.services.stalwart-mail.serviceConfig = {
ReadWritePaths = [
"/run/secret/dkim"
];
};
khscodes.services.vault-agent.templates = lib.lists.flatten (
lib.lists.map (domain: [
{
@ -183,10 +136,10 @@ in
'';
destination = rsaKeyPath domain;
perms = "0600";
owner = "stalwart-mail";
group = "stalwart-mail";
owner = "rspamd";
group = "rspamd";
restartUnits = [
"stalwart-mail.service"
"rspamd.service"
];
}
{
@ -197,13 +150,34 @@ in
'';
destination = ed25519KeyPath domain;
perms = "0600";
owner = "stalwart-mail";
group = "stalwart-mail";
owner = "rspamd";
group = "rspamd";
restartUnits = [
"stalwart-mail.service"
"rspamd.service"
];
}
]) cfg.domains
);
mailserver = {
dkimSigning = false;
};
services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
text = ''
enabled = true;
domain {
${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
}
'';
};
systemd.services.rspamd = {
unitConfig = {
ConditionPathExists = domainKeyPaths;
};
};
systemd.services.postfix = {
unitConfig = {
ConditionPathExists = domainKeyPaths;
};
};
};
}