mail: use rspamd for dkim

This commit is contained in:
Rouven Seifert 2023-11-16 01:27:01 +01:00
parent 52788f10ea
commit 719ef1ba91
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
12 changed files with 145 additions and 102 deletions


@ -179,11 +179,11 @@
]
},
"locked": {
"lastModified": 1699368917,
"narHash": "sha256-nUtGIWf86BOkUbtksWtfglvCZ/otP0FTZlQH8Rzc7PA=",
"lastModified": 1699783872,
"narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6a8444467c83c961e2f5ff64fb4f422e303c98d3",
"rev": "280721186ab75a76537713ec310306f0eba3e407",
"type": "github"
},
"original": {
@ -280,11 +280,11 @@
]
},
"locked": {
"lastModified": 1699156599,
"narHash": "sha256-Qk9ZE/pG9lNIGUVNArJxL0Hc0Soa92eQPPIhcDwWinU=",
"lastModified": 1699760693,
"narHash": "sha256-u/gkNUHQR/q23voqE5J4xmEWQIAqR+g3lUnCtzn0k7Y=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "5388a4002179d6778d212dc2fdcc7ac3fdbd5b65",
"rev": "8aff4ca3dee60d1422489fe8d52c2f837b3ad113",
"type": "github"
},
"original": {
@ -295,11 +295,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1699159446,
"narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=",
"lastModified": 1699997707,
"narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "627bc9b88256379578885a7028c9e791c29fb581",
"rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9",
"type": "github"
},
"original": {
@ -309,11 +309,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"lastModified": 1699781429,
"narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
"type": "github"
},
"original": {
@ -355,11 +355,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1699110214,
"narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
"lastModified": 1699756042,
"narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
"rev": "9502d0245983bb233da8083b55d60d96fd3c29ff",
"type": "github"
},
"original": {
@ -489,11 +489,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1699311858,
"narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
"lastModified": 1699951338,
"narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "664187539871f63857bda2d498f452792457b998",
"rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46",
"type": "github"
},
"original": {


@ -58,6 +58,7 @@
ports = [ 2222 ];
settings.PasswordAuthentication = false;
};
programs.mosh.enable = true;
security = {
audit.enable = true;
auditd.enable = true;
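Review bot: `programs.mosh.enable = true` at L110 does more than install a package: nixpkgs' mosh module adds UDP 60000–61000 to the firewall's allowed ranges (newer nixpkgs exposes this as `programs.mosh.openFirewall`, default true) and by default also sets up a privileged utempter wrapper, so a host that deliberately pins SSH to port 2222 with password auth off just above now exposes a thousand-port UDP range as well. Mosh's UDP sessions are keyed over the SSH channel, so this is the usual deployment, but the side effect deserves to be visible next to the option, e.g. `programs.mosh.enable = true; # NB: opens UDP 60000-61000 in the firewall (mosh module)`. If a narrower range is wanted, disable the module's firewall handling where available and declare the range explicitly. The enclosing attribute set starts and ends outside the hunk.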


@ -21,7 +21,6 @@ in
993 # IMAP
4190 # sieve
];
users.users.postfix.extraGroups = [ "opendkim" ];
users.users.rouven = {
description = "Rouven Seifert";
isNormalUser = true;
@ -98,8 +97,6 @@ in
smtp_header_checks = "pcre:${header_cleanup}";
alias_maps = [ "hash:/etc/aliases" ];
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth";
smtpd_sasl_type = "dovecot";
@ -201,14 +198,6 @@ in
'';
};
opendkim = {
enable = true;
domains = "csl:${domain}";
selector = "falkenstein";
configFile = pkgs.writeText "opendkim-config" ''
UMask 0117
'';
};
rspamd = {
enable = true;
postfix.enable = true;
@ -220,6 +209,9 @@ in
read_servers = "127.0.0.1";
write_servers = "127.0.0.1";
'';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"dmarc.conf".text = ''
reporting {
# Required attributes
@ -230,6 +222,16 @@ in
from_name = 'DMARC Aggregate Report';
}
'';
"dkim_signing.conf".text = ''
selector = "rspamd";
allow_username_mismatch = true;
domain {
rfive.de {
path = /var/lib/rspamd/dkim/rfive.key;
selector = "rspamd";
}
}
'';
};
};
redis = {
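Review bot: `allow_username_mismatch = true` at L163 switches off rspamd's check that the SASL-authenticated login (or its domain) matches the From: domain being signed, so any account that can authenticate to this Postfix can obtain a valid rfive.de DKIM signature on mail From: any rfive.de address; on a single-user box that may be acceptable, but then it should say so, e.g. `allow_username_mismatch = true; # single-user server: any authenticated login may sign for rfive.de`, and otherwise the line should go and rspamd's default stay. The selector also changes from `falkenstein` (removed opendkim block) to `rspamd`, so the public key has to be published at `rspamd._domainkey.rfive.de` before this is deployed — a signature that cannot be verified fails DKIM, which under a DMARC policy is worse than no signature — and the DNS side is not part of this commit. The removed opendkim config derived its domain from `${domain}` while the new block hardcodes `rfive.de`; if they are the same value, `${domain}` keeps the two from drifting. Nothing here provisions `/var/lib/rspamd/dkim/rfive.key` or its permissions, so presumably that is done out of band and should be readable by the rspamd user only. The enclosing `services` set begins and ends outside the hunk.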


@ -1,6 +1,22 @@
{ config, ... }:
# matrix homeserver discovery
let
{ config, lib, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
};
config =
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
@ -19,8 +35,8 @@ let
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
@ -43,4 +59,5 @@ in
email = "rouven@${config.networking.domain}";
};
};
};
}
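Review bot: The `options` block at L184–L196 re-declares `services.nginx.virtualHosts`, which at first sight looks like a clash with the upstream nginx module; it only works because the module system merges the two `attrsOf (submodule …)` types, and that deserves a comment above `services.nginx.virtualHosts = mkOption {`, e.g. `# Re-declared as a submodule so these per-vhost defaults merge into nixpkgs' own virtualHosts type.` The same lines are added verbatim to the other host's nginx module in this commit, so a shared module imported by both would keep the log layout in one place. `${name}` is spliced unquoted into the `access_log`/`error_log` directives; vhost names are admin-controlled here, but a name containing whitespace or `;` would silently yield a broken nginx config, which the comment could mention. Rotation of the new per-vhost files presumably rides on NixOS's nginx logrotate glob over `/var/log/nginx/`, but that is worth confirming on the host.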


@ -70,6 +70,7 @@
# Enable the OpenSSH daemon.
services.openssh.enable = true;
programs.mosh.enable = true;
security = {
audit.enable = true;
auditd.enable = true;
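Review bot: `programs.mosh.enable = true` at L226 widens this host's firewall as a side effect: nixpkgs' mosh module adds UDP 60000–61000 to the allowed ranges (opt-out via `programs.mosh.openFirewall` where that option exists) and by default also installs a privileged utempter wrapper. A comment next to the option, `# mosh module opens UDP 60000-61000 in the firewall`, keeps that visible beside the `security.audit` settings that follow. The enclosing attribute set begins and ends outside the hunk.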


@ -1,8 +1,20 @@
{ lib, config, ... }:
let
v = (builtins.attrNames config.services.nginx.virtualHosts);
in
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
@ -18,4 +30,5 @@ in
email = "rouven@${config.networking.domain}";
};
};
};
}
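Review bot: The per-vhost `extraConfig` at L245–L248 is an unconditional definition rather than `lib.mkDefault`, and since `extraConfig` is a lines type that concatenates, a vhost that later sets its own `access_log`/`error_log` (or `access_log off;`) will get both directives emitted and nginx's precedence rules decide the outcome, which is easy to miss. Wrapping the value in `mkDefault` would let individual vhosts override the log location cleanly, or a comment should state that the per-vhost logs are intentionally non-overridable. The option re-declaration itself is duplicated in the other host's nginx module in this commit; a shared module would avoid the two copies drifting. Dropping the unused `let v = …` binding is a good cleanup.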


@ -200,6 +200,7 @@
openssl
cups
agenix.packages.x86_64-linux.default
mosh
];
services.mysql = {

recovery.bin Normal file
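Review bot: `recovery.bin` is added as a new binary file that neither the commit title ("use rspamd for dkim") nor anything else in the change explains; an opaque blob in a system-configuration repository cannot be reviewed, and if it is a firmware or recovery image it should arrive with a note on its origin, a checksum, and a pointer to whatever consumes it. Nothing visible in this commit references it, so if it was committed by accident the cleaner fix is to drop it from the change.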


@ -1,6 +1,6 @@
wireless-env: ENC[AES256_GCM,data:IbvDlDV5Yg4rqqo5JIzX3eyR4c37BGsqzejBHvSWjk81hfxblhL2cBZcw1hlXW7Q5zjaD0eP9akdqG1RzhdH3iaIhaIVKO8LrXsbYI7fyG3OHCxZYZZ+5QA0LnASi9QD5Olxo0b0RIdomUehnWfTegBiVi8QshrfN+G1HOWL1YxuTv67DWMnA1/XCMOgYpznYS8wzRy7VM9PQWYYISqzoFbl1QIxTJEEVKEL529NzM7TBd4YU+NpcV/TQpy5qQ7F7hSVPxXx/m4RN+Km3EbM1q8Nr0Bckjc7GeDK/P0959ofSzwBzvQyZuQ3WrALqroI21wxQHO3HgDWJlPu7+aRTxPXE2SQka7gqDK4UnZU0GBxDRFi9GKWjhAsqQyKuRH6do9b,iv:t42Gu9j+Qe9TCnjbeH6o4pz1cc1IYHZoHbWOrfIpazA=,tag:68UhGtmx3gH0n9hTO1xalQ==,type:str]
uni:
zih: ENC[AES256_GCM,data:KoiT/w5SsUEFAC5beCs3R5o=,iv:qQRZfdtbiAIWUAkdgrpdR8AWDdedn9yl9NcRm0ymE2A=,tag:uyhy5n40PgsWuaEofJjmog==,type:str]
zih: ENC[AES256_GCM,data:toYEAmGZPwwV7seHcC4oCvS3Q3FFxQ==,iv:iGvVTZstsebStrD40J6cULFg/I31ynHogYjl9irW0nI=,tag:zeoo2uFTcsL25mNwG2ZjHA==,type:str]
wireguard:
dorm:
private: ENC[AES256_GCM,data:qZ8HCTv14z3+2AL1dHLd60MVUsUV458QdQteZJYQLVC1KMlzGe7KbgM1U8c=,iv:HMGxB4l7D/PL5Xt8A6jKIejJRL0QZF3x3eb2BtttXWM=,tag:KDyQWfk2EO5AR997JKdW+Q==,type:str]
@ -23,8 +23,8 @@ sops:
YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB
PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-19T19:06:17Z"
mac: ENC[AES256_GCM,data:SS7Q249lMciUL+lgHMqwDmLznzMB9NIBiO+Cn/j+o3ffmOrEhaho0dpNmoEXrDj5TTPQx4HkVkT/gypMbo3T9Z2mBOhnHY7NFWqgNatmhAfTHoqqiXJGNA6lS8xpBbUoJZ8gYIIqnBLVf/LirxM1l1KVc1sgJKPaMM2kswIytP0=,iv:JoaSBETswIdYaXdEi5qiSONuNb34EwFc1ZRPI7IEdSE=,tag:M4wd7ZTCQQBIwtKqrWjzKg==,type:str]
lastmodified: "2023-11-10T22:08:45Z"
mac: ENC[AES256_GCM,data:77bQVALWGfVS9/KXc6B2kQAGiPgcoIepyaJfIckimhMPUe8qiwypn1n0S+RD46alXq7yPTiYACRdTZVvBoEO2eNxdYH8Lha4k2WWBlfucyosfrw/CdzegQ0hGo12JYukDChHRuf7RRjmrvTZ/o4EBFOJoElhtW3Kq0PQLFewPTI=,iv:6HEiVBwwATGmUomKmBkBmk5nRGkhSVJu89foTthw++o=,tag:Zkf6Ljqhn9Tle44BfF2QEA==,type:str]
pgp:
- created_at: "2023-08-02T14:13:52Z"
enc: |-


@ -25,6 +25,7 @@
la = "ls -a";
less = "bat";
update = "cd /etc/nixos && nix flake update";
mosh = "f() {mosh $1 zsh};f";
};
histSize = 100000;
histFile = "~/.local/share/zsh/history";
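Review bot: The `mosh` alias at L306 defines a throwaway function `f` on every invocation and leaves it in the interactive shell, and it passes `$1` unquoted, so a host argument with unusual characters would be word-split; the shell-in-shell trick also relies on zsh not re-expanding the `mosh` alias inside the body. A named function in the zsh init instead of an alias avoids all three, e.g. `mosh() { command mosh "$1" zsh; }`, and reads as what it is. Presumably the alias was tested to work as written; the note is about robustness and namespace hygiene rather than a reproduced failure.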


@ -108,6 +108,16 @@ in
farPattern = "Opal";
extraConfig.Create = "near";
};
channels.FSR = {
nearPattern = "FSR";
farPattern = "FSR";
extraConfig.Create = "near";
};
channels.unispam = {
nearPattern = "Uni Spam";
farPattern = "Uni Spam";
extraConfig.Create = "near";
};
channels.trash = {
nearPattern = "Trash";
farPattern = "Gel&APY-schte Elemente";
@ -235,11 +245,6 @@ in
farPattern = "[Gmail]/Papierkorb";
extraConfig.Create = "near";
};
channels.sent = {
nearPattern = "Sent";
farPattern = "[Gmail]/Gesendet";
extraConfig.Create = "near";
};
channels.junk = {
nearPattern = "Junk";
farPattern = "[Gmail]/Spam";
@ -250,6 +255,16 @@ in
farPattern = "[Gmail]/Entw&APw-rfe";
extraConfig.Create = "near";
};
channels.hetzner = {
nearPattern = "Hetzner";
farPattern = "Hetzner";
extraConfig.Create = "near";
};
channels.studentenwerk = {
nearPattern = "Studentenwerk";
farPattern = "Studentenwerk";
extraConfig.Create = "near";
};
};
extraConfig = {
account = {


@ -44,14 +44,6 @@ in
"quitte" = {
hostname = "quitte.ifsr.de";
user = "root";
extraOptions = {
RequestTTY = "yes";
RemoteCommand = "zsh -i";
};
};
"quitte-notty" = {
hostname = "quitte.ifsr.de";
user = "root";
};
"tomate" = {
hostname = "tomate.ifsr.de";