mail: use rspamd for dkim

Rouven Seifert 2023-11-16 01:27:01 +01:00
parent 52788f10ea
commit 719ef1ba91
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
12 changed files with 145 additions and 102 deletions


@ -179,11 +179,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1699368917, "lastModified": 1699783872,
"narHash": "sha256-nUtGIWf86BOkUbtksWtfglvCZ/otP0FTZlQH8Rzc7PA=", "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "6a8444467c83c961e2f5ff64fb4f422e303c98d3", "rev": "280721186ab75a76537713ec310306f0eba3e407",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -280,11 +280,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1699156599, "lastModified": 1699760693,
"narHash": "sha256-Qk9ZE/pG9lNIGUVNArJxL0Hc0Soa92eQPPIhcDwWinU=", "narHash": "sha256-u/gkNUHQR/q23voqE5J4xmEWQIAqR+g3lUnCtzn0k7Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "5388a4002179d6778d212dc2fdcc7ac3fdbd5b65", "rev": "8aff4ca3dee60d1422489fe8d52c2f837b3ad113",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -295,11 +295,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1699159446, "lastModified": 1699997707,
"narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=", "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "627bc9b88256379578885a7028c9e791c29fb581", "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -309,11 +309,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1699099776, "lastModified": 1699781429,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=", "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb", "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -355,11 +355,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1699110214, "lastModified": 1699756042,
"narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=", "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee", "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -489,11 +489,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1699311858, "lastModified": 1699951338,
"narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=", "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "664187539871f63857bda2d498f452792457b998", "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -58,6 +58,7 @@
ports = [ 2222 ]; ports = [ 2222 ];
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
}; };
programs.mosh.enable = true;
security = { security = {
audit.enable = true; audit.enable = true;
auditd.enable = true; auditd.enable = true;
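Review bot: `programs.mosh.enable = true;` is added next to an sshd deliberately restricted to port 2222 with password authentication off, but it widens the host's exposure: the NixOS mosh module, as far as I recall, defaults `openFirewall` to true and opens UDP 60000–61000 on every interface. If that is intended, a one-line comment saying so would help the next reader; otherwise add `programs.mosh.openFirewall = false;` and open only the range that is actually needed. The enclosing attribute set starts and ends outside the hunk.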


@ -21,7 +21,6 @@ in
993 # IMAP 993 # IMAP
4190 # sieve 4190 # sieve
]; ];
users.users.postfix.extraGroups = [ "opendkim" ];
users.users.rouven = { users.users.rouven = {
description = "Rouven Seifert"; description = "Rouven Seifert";
isNormalUser = true; isNormalUser = true;
@ -98,8 +97,6 @@ in
smtp_header_checks = "pcre:${header_cleanup}"; smtp_header_checks = "pcre:${header_cleanup}";
alias_maps = [ "hash:/etc/aliases" ]; alias_maps = [ "hash:/etc/aliases" ];
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
smtpd_sasl_auth_enable = true; smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot"; smtpd_sasl_type = "dovecot";
@ -201,14 +198,6 @@ in
''; '';
}; };
opendkim = {
enable = true;
domains = "csl:${domain}";
selector = "falkenstein";
configFile = pkgs.writeText "opendkim-config" ''
UMask 0117
'';
};
rspamd = { rspamd = {
enable = true; enable = true;
postfix.enable = true; postfix.enable = true;
@ -220,6 +209,9 @@ in
read_servers = "127.0.0.1"; read_servers = "127.0.0.1";
write_servers = "127.0.0.1"; write_servers = "127.0.0.1";
''; '';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"dmarc.conf".text = '' "dmarc.conf".text = ''
reporting { reporting {
# Required attributes # Required attributes
@ -230,6 +222,16 @@ in
from_name = 'DMARC Aggregate Report'; from_name = 'DMARC Aggregate Report';
} }
''; '';
"dkim_signing.conf".text = ''
selector = "rspamd";
allow_username_mismatch = true;
domain {
rfive.de {
path = /var/lib/rspamd/dkim/rfive.key;
selector = "rspamd";
}
}
'';
}; };
}; };
redis = { redis = {
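Review bot: `allow_username_mismatch = true;` in `dkim_signing.conf` makes rspamd sign mail from any authenticated SASL user regardless of whether the username matches the From domain, so every account on this box can obtain a valid signature for any `@rfive.de` sender; if it is there because the Dovecot usernames carry no domain part, a comment such as `# usernames are bare logins, not user@domain, so the default domain check cannot match` would stop someone from "fixing" it back. The private key at `/var/lib/rspamd/dkim/rfive.key` is not provisioned anywhere in this change and nothing enforces its permissions, whereas the removed opendkim block at least set `UMask 0117`; the file should be owned by the rspamd user with mode 0600, which sops-nix (already in the flake) can do with `owner = "rspamd"`. The selector changes from `falkenstein` to `rspamd`, which needs a new `rspamd._domainkey` TXT record published before this deploys, with the old record kept until mail already signed with it has been delivered. The domain is hard-coded as `rfive.de` where the removed block used `csl:${domain}`; `${domain} {` in the `domain` block would keep the two in step.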


@ -1,46 +1,63 @@
{ config, ... }: { config, lib, ... }:
# matrix homeserver discovery
let
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{ {
networking.firewall.allowedTCPPorts = [ 80 443 ]; # set default options for virtualHosts
services.nginx = { options = with lib; {
enable = true; services.nginx.virtualHosts = mkOption {
recommendedTlsSettings = true; type = types.attrsOf (types.submodule
recommendedProxySettings = true; ({ name, ... }: {
recommendedGzipSettings = true; # split up nginx access logs per vhost
recommendedOptimisation = true; extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
};
config =
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."${config.networking.domain}" = { virtualHosts."${config.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/srv/web/${config.networking.domain}"; root = "/srv/web/${config.networking.domain}";
locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
}; };
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
} }
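Review bot: The new `options` block re-declares `services.nginx.virtualHosts` with `mkOption` in order to inject an `extraConfig` into every vhost; that works only because NixOS merges submodule option types declared in several modules, which is not obvious from the code and deserves a comment such as `# re-declaring the option with a submodule merges with the nixpkgs declaration; used to give every vhost its own log files`. Note that `extraConfig` here is a definition rather than a `default`, so the `access_log`/`error_log` lines are appended to every vhost unconditionally, including any that set their own. The same block appears verbatim in the other nginx module of this commit; a shared module imported by both hosts would keep the copies from drifting.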


@ -70,6 +70,7 @@
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
programs.mosh.enable = true;
security = { security = {
audit.enable = true; audit.enable = true;
auditd.enable = true; auditd.enable = true;
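Review bot: As in the other host, `programs.mosh.enable = true;` presumably also opens UDP 60000–61000 in the firewall through the module's `openFirewall` default, which is a larger change than the one-line diff suggests; either document that this is intended or set `programs.mosh.openFirewall = false;` and open the range explicitly. The enclosing attribute set starts and ends outside the hunk.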


@ -1,21 +1,34 @@
{ lib, config, ... }: { lib, config, ... }:
let
v = (builtins.attrNames config.services.nginx.virtualHosts);
in
{ {
networking.firewall.allowedTCPPorts = [ 80 443 ]; # set default options for virtualHosts
services.nginx = { options = with lib; {
enable = true; services.nginx.virtualHosts = mkOption {
recommendedTlsSettings = true; type = types.attrsOf (types.submodule
recommendedProxySettings = true; ({ name, ... }: {
recommendedGzipSettings = true; # split up nginx access logs per vhost
recommendedOptimisation = true; extraConfig = ''
# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; }); access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
}; };
security.acme = { config = {
acceptTerms = true; networking.firewall.allowedTCPPorts = [ 80 443 ];
defaults = { services.nginx = {
email = "rouven@${config.networking.domain}"; enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
}; };
}; };
} }
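Review bot: The `let v = (builtins.attrNames config.services.nginx.virtualHosts)` binding added at the top is never used, and the commented-out `# virtualHosts = lib.genAttrs v …` line kept below is dead; both should go, since reading an option from `config` inside the module that declares that same option is exactly the kind of self-reference that turns into infinite recursion if it is ever used. The `options` block is a verbatim copy of the one in the matrix nginx module in this commit; consider a shared `nginx.nix` imported by both hosts, with a comment explaining that the re-declaration merges with the nixpkgs option to add per-vhost log files.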


@ -200,6 +200,7 @@
openssl openssl
cups cups
agenix.packages.x86_64-linux.default agenix.packages.x86_64-linux.default
mosh
]; ];
services.mysql = { services.mysql = {

recovery.bin Normal file
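Review bot: `recovery.bin` is added as an opaque binary with no mention in the commit message and no reference to it in any of the visible Nix code, so a reviewer cannot tell whether it is a firmware or boot image or a recovery key. If it contains anything secret it belongs in the sops-encrypted secrets alongside the other keys in this repository rather than in the clear; if it is a build artifact it should be generated instead of committed. At minimum the commit message should say what it is and where it is consumed.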


@ -1,6 +1,6 @@
wireless-env: ENC[AES256_GCM,data:IbvDlDV5Yg4rqqo5JIzX3eyR4c37BGsqzejBHvSWjk81hfxblhL2cBZcw1hlXW7Q5zjaD0eP9akdqG1RzhdH3iaIhaIVKO8LrXsbYI7fyG3OHCxZYZZ+5QA0LnASi9QD5Olxo0b0RIdomUehnWfTegBiVi8QshrfN+G1HOWL1YxuTv67DWMnA1/XCMOgYpznYS8wzRy7VM9PQWYYISqzoFbl1QIxTJEEVKEL529NzM7TBd4YU+NpcV/TQpy5qQ7F7hSVPxXx/m4RN+Km3EbM1q8Nr0Bckjc7GeDK/P0959ofSzwBzvQyZuQ3WrALqroI21wxQHO3HgDWJlPu7+aRTxPXE2SQka7gqDK4UnZU0GBxDRFi9GKWjhAsqQyKuRH6do9b,iv:t42Gu9j+Qe9TCnjbeH6o4pz1cc1IYHZoHbWOrfIpazA=,tag:68UhGtmx3gH0n9hTO1xalQ==,type:str] wireless-env: ENC[AES256_GCM,data:IbvDlDV5Yg4rqqo5JIzX3eyR4c37BGsqzejBHvSWjk81hfxblhL2cBZcw1hlXW7Q5zjaD0eP9akdqG1RzhdH3iaIhaIVKO8LrXsbYI7fyG3OHCxZYZZ+5QA0LnASi9QD5Olxo0b0RIdomUehnWfTegBiVi8QshrfN+G1HOWL1YxuTv67DWMnA1/XCMOgYpznYS8wzRy7VM9PQWYYISqzoFbl1QIxTJEEVKEL529NzM7TBd4YU+NpcV/TQpy5qQ7F7hSVPxXx/m4RN+Km3EbM1q8Nr0Bckjc7GeDK/P0959ofSzwBzvQyZuQ3WrALqroI21wxQHO3HgDWJlPu7+aRTxPXE2SQka7gqDK4UnZU0GBxDRFi9GKWjhAsqQyKuRH6do9b,iv:t42Gu9j+Qe9TCnjbeH6o4pz1cc1IYHZoHbWOrfIpazA=,tag:68UhGtmx3gH0n9hTO1xalQ==,type:str]
uni: uni:
zih: ENC[AES256_GCM,data:KoiT/w5SsUEFAC5beCs3R5o=,iv:qQRZfdtbiAIWUAkdgrpdR8AWDdedn9yl9NcRm0ymE2A=,tag:uyhy5n40PgsWuaEofJjmog==,type:str] zih: ENC[AES256_GCM,data:toYEAmGZPwwV7seHcC4oCvS3Q3FFxQ==,iv:iGvVTZstsebStrD40J6cULFg/I31ynHogYjl9irW0nI=,tag:zeoo2uFTcsL25mNwG2ZjHA==,type:str]
wireguard: wireguard:
dorm: dorm:
private: ENC[AES256_GCM,data:qZ8HCTv14z3+2AL1dHLd60MVUsUV458QdQteZJYQLVC1KMlzGe7KbgM1U8c=,iv:HMGxB4l7D/PL5Xt8A6jKIejJRL0QZF3x3eb2BtttXWM=,tag:KDyQWfk2EO5AR997JKdW+Q==,type:str] private: ENC[AES256_GCM,data:qZ8HCTv14z3+2AL1dHLd60MVUsUV458QdQteZJYQLVC1KMlzGe7KbgM1U8c=,iv:HMGxB4l7D/PL5Xt8A6jKIejJRL0QZF3x3eb2BtttXWM=,tag:KDyQWfk2EO5AR997JKdW+Q==,type:str]
@ -23,8 +23,8 @@ sops:
YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB
PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ== PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-19T19:06:17Z" lastmodified: "2023-11-10T22:08:45Z"
mac: ENC[AES256_GCM,data:SS7Q249lMciUL+lgHMqwDmLznzMB9NIBiO+Cn/j+o3ffmOrEhaho0dpNmoEXrDj5TTPQx4HkVkT/gypMbo3T9Z2mBOhnHY7NFWqgNatmhAfTHoqqiXJGNA6lS8xpBbUoJZ8gYIIqnBLVf/LirxM1l1KVc1sgJKPaMM2kswIytP0=,iv:JoaSBETswIdYaXdEi5qiSONuNb34EwFc1ZRPI7IEdSE=,tag:M4wd7ZTCQQBIwtKqrWjzKg==,type:str] mac: ENC[AES256_GCM,data:77bQVALWGfVS9/KXc6B2kQAGiPgcoIepyaJfIckimhMPUe8qiwypn1n0S+RD46alXq7yPTiYACRdTZVvBoEO2eNxdYH8Lha4k2WWBlfucyosfrw/CdzegQ0hGo12JYukDChHRuf7RRjmrvTZ/o4EBFOJoElhtW3Kq0PQLFewPTI=,iv:6HEiVBwwATGmUomKmBkBmk5nRGkhSVJu89foTthw++o=,tag:Zkf6Ljqhn9Tle44BfF2QEA==,type:str]
pgp: pgp:
- created_at: "2023-08-02T14:13:52Z" - created_at: "2023-08-02T14:13:52Z"
enc: |- enc: |-


@ -25,6 +25,7 @@
la = "ls -a"; la = "ls -a";
less = "bat"; less = "bat";
update = "cd /etc/nixos && nix flake update"; update = "cd /etc/nixos && nix flake update";
mosh = "f() {mosh $1 zsh};f";
}; };
histSize = 100000; histSize = 100000;
histFile = "~/.local/share/zsh/history"; histFile = "~/.local/share/zsh/history";
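Review bot: The `mosh` alias passes `$1` unquoted into the wrapper function, and the body `{mosh $1 zsh}` is written without spaces around the braces, which zsh tolerates but is easy to misread; `mosh = "f() { mosh \"$1\" zsh }; f";` quotes the host argument and reads as an ordinary function. Since the hosts in this commit move sshd to port 2222, the mosh client will also need `--ssh='ssh -p 2222'` unless the user's ssh config already sets the port per host (not visible here). The enclosing `shellAliases` set starts and ends outside the hunk.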


@ -108,6 +108,16 @@ in
farPattern = "Opal"; farPattern = "Opal";
extraConfig.Create = "near"; extraConfig.Create = "near";
}; };
channels.FSR = {
nearPattern = "FSR";
farPattern = "FSR";
extraConfig.Create = "near";
};
channels.unispam = {
nearPattern = "Uni Spam";
farPattern = "Uni Spam";
extraConfig.Create = "near";
};
channels.trash = { channels.trash = {
nearPattern = "Trash"; nearPattern = "Trash";
farPattern = "Gel&APY-schte Elemente"; farPattern = "Gel&APY-schte Elemente";
@ -235,11 +245,6 @@ in
farPattern = "[Gmail]/Papierkorb"; farPattern = "[Gmail]/Papierkorb";
extraConfig.Create = "near"; extraConfig.Create = "near";
}; };
channels.sent = {
nearPattern = "Sent";
farPattern = "[Gmail]/Gesendet";
extraConfig.Create = "near";
};
channels.junk = { channels.junk = {
nearPattern = "Junk"; nearPattern = "Junk";
farPattern = "[Gmail]/Spam"; farPattern = "[Gmail]/Spam";
@ -250,6 +255,16 @@ in
farPattern = "[Gmail]/Entw&APw-rfe"; farPattern = "[Gmail]/Entw&APw-rfe";
extraConfig.Create = "near"; extraConfig.Create = "near";
}; };
channels.hetzner = {
nearPattern = "Hetzner";
farPattern = "Hetzner";
extraConfig.Create = "near";
};
channels.studentenwerk = {
nearPattern = "Studentenwerk";
farPattern = "Studentenwerk";
extraConfig.Create = "near";
};
}; };
extraConfig = { extraConfig = {
account = { account = {


@ -44,14 +44,6 @@ in
"quitte" = { "quitte" = {
hostname = "quitte.ifsr.de"; hostname = "quitte.ifsr.de";
user = "root"; user = "root";
extraOptions = {
RequestTTY = "yes";
RemoteCommand = "zsh -i";
};
};
"quitte-notty" = {
hostname = "quitte.ifsr.de";
user = "root";
}; };
"tomate" = { "tomate" = {
hostname = "tomate.ifsr.de"; hostname = "tomate.ifsr.de";