diff --git a/.reuse/dep5 b/.reuse/dep5
index 682cda5..9e1742c 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -7,6 +7,7 @@ Source: https://git.sbruder.de/simon/nixos-config Files: .git-crypt/keys/default/0/*.gpg secrets.yaml
+ secrets/*.yaml **/secrets.yaml keys/*/*.asc machines/*/secrets/*.nix
diff --git a/.sops.yaml b/.sops.yaml
index 56000dc..9d16b30 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ # # SPDX-License-Identifier: CC0-1.0
-keys:
+keys: &all-keys # sops does not (yet) support ADSKs, # so all encryption subkeys have to be added manually - &simon 6CD375BD0741F67E5A289BC333A01CBE0554C763 # offline
@@ -135,3 +135,6 @@ creation_rules: - *renge - *koyomi - *hiroshi
+ - path_regex: secrets/local-mail\.yaml$
+ key_groups:
+ - pgp: *all-keys
diff --git a/machines/vueko/secrets/mail-users.nix b/machines/vueko/secrets/mail-users.nix
index 8299121..664b239 100644
Binary files a/machines/vueko/secrets/mail-users.nix and b/machines/vueko/secrets/mail-users.nix differ
diff --git a/modules/default.nix b/modules/default.nix
index 2f2ae46..eaa1455 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -41,6 +41,7 @@ ./gui.nix ./infovhost.nix ./initrd-ssh.nix
+ ./local-mail.nix ./locales.nix ./logitech.nix ./mailserver
diff --git a/modules/local-mail.nix b/modules/local-mail.nix
new file mode 100644
index 0000000..176a11a
--- /dev/null
+++ b/modules/local-mail.nix
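Review bot: The creation rule appended to `creation_rules` encrypts `secrets/local-mail.yaml` to every entry of the `keys:` list via `*all-keys`, so each host key in the repository can decrypt the shared system-mail password and compromise of any single host exposes a credential that is valid for all of them; if that scope is intended, a comment such as `# shared relay credential, needed by every host` next to the rule would make it explicit. sops uses the first rule whose `path_regex` matches, and the earlier rules lie outside this hunk, so confirm none of them already matches this path before the new one is reached. The regex is only end-anchored; `^secrets/local-mail\.yaml$` would be the stricter form.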
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+{ config, pkgs, ... }:
+
+{
+ sops.secrets.system-mail.sopsFile = ../secrets/local-mail.yaml;
+
+ programs.msmtp = {
+ enable = true;
+ setSendmail = true;
+ accounts.default = {
+ host = "vueko.sbruder.de";
+ port = "465";
+ tls = "on";
+ tls_starttls = "off";
+ from = ''"system+%U@%H"@sbruder.de'';
+ allow_from_override = "off";
+ auth = "on";
+ user = "system@sbruder.de";
+ passwordeval = "cat ${config.sops.secrets.system-mail.path}";
+ aliases = pkgs.writeText "msmtp-aliases" ''
+ default: simon@sbruder.de
+ '';
+ };
+ };
+
+ boot.swraid.mdadmConf = ''
+ MAILFROM "mdadm on ${config.networking.hostName}" <"system+root@${config.networking.hostName}"@sbruder.de>
+ MAILADDR simon@sbruder.de
+ '';
+}
diff --git a/modules/mailserver/postfix.nix b/modules/mailserver/postfix.nix
index 13a9533..1fa6dbc 100644
--- a/modules/mailserver/postfix.nix
+++ b/modules/mailserver/postfix.nix
@@ -42,6 +42,8 @@ lib.mkIf cfg.enable { services.postfix = { enable = true;
+ setSendmail = lib.mkForce false;
+ enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions) enableSubmissions = true; # submission with implicit TLS (TCP/465)
diff --git a/secrets.yaml b/secrets.yaml
index bd65fda..e6523a1 100644
--- a/secrets.yaml
+++ b/secrets.yaml
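Review bot: `passwordeval = "cat ${config.sops.secrets.system-mail.path}"` reads a sops-nix secret on which no `mode`, `owner` or `group` is set, so with the sops-nix defaults it is presumably readable by root only and the msmtp sendmail wrapper works for root callers alone; the `%U` in `from` suggests other users are expected to send as well, in which case the secret needs a `mode`/`group` covering them, or the root-only limitation should be documented on the `sops.secrets.system-mail` line. `tls = "on"` with `port = "465"` and `tls_starttls = "off"` is implicit TLS, but no `tls_trust_file` appears here, so confirm the NixOS msmtp module supplies a trust store; with certificate checking on and no trust store msmtp refuses the connection rather than sending in the clear. The module has no header comment; `# Relay local mail (sendmail, mdadm) through vueko over implicit TLS as system@sbruder.de` after the SPDX lines would give it one.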
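Review bot: `setSendmail = lib.mkForce false;` resolves a conflict with `programs.msmtp.setSendmail` that nothing in this file explains, and on the mailserver host itself it means root's local mail presumably goes through msmtp over TCP/465 to `vueko.sbruder.de` instead of being handed to the local postfix; a comment would save the next reader the search, e.g. `# The sendmail wrapper is provided by msmtp (modules/local-mail.nix, imported via modules/default.nix); postfix would otherwise claim it too.`. Whether `enableSubmission = true;` is newly added or pre-existing context cannot be recovered from the collapsed hunk, so the second added line may be a blank one. The `services.postfix` attribute set starts and ends outside the hunk.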
@@ -11,8 +11,8 @@ sops: azure_kv: [] hc_vault: [] age: []
- lastmodified: "2023-12-28T16:12:09Z"
- mac: ENC[AES256_GCM,data:f7gcMjAEMU6uOeS7x2zvtyu+7DvPOCbtBy+zStALFou6B2rMBuqzJC1CynFh1f+NAKGtv1P3sMdag5Es5xsRHjFqQ0FfWceAB2anTsqW3ZLu+ZKS02p03lR5Tz59GQgS1MHcNkEovY2qZ/Mk/BODJzKYjqmb7ItjXTcSAGII5vg=,iv:gZE0w3Ih5x8xJ0x7sU+ZWo289PIaBUn/y8y78QDqidQ=,tag:cxlGk81xQGifm3IyE5ypwg==,type:str]
+ lastmodified: "2024-08-28T20:20:46Z"
+ mac: ENC[AES256_GCM,data:i6AZEdSTH6Ig74wX6kdemIIzd2v0VbuKmhYRDEchVHg+4UmL/PoLwPCv9As4toFvHp0dWE2p9tarOirkbraoFKVB0MeDRdKE0WEBu5biY4ZPTufHPUKyQ5v2VkFkBhAmI/hYPgHXwfzKt3vTDBJtfcYUl9+GqITerF7JDTYXngk=,iv:nbR4eGBEK+YQKS8MmFuz4LWApaHs2YwxvJcQgDkpdE4=,tag:OF+tq5AlE4RtuMqwmRy4jg==,type:str] pgp: - created_at: "2024-08-20T22:32:59Z" enc: |-
diff --git a/secrets/local-mail.yaml b/secrets/local-mail.yaml
new file mode 100644
index 0000000..fe76ae3
Binary files /dev/null and b/secrets/local-mail.yaml differ