mail: use rspamd for dkim
This commit is contained in:
parent
52788f10ea
commit
719ef1ba91
12 changed files with 145 additions and 102 deletions
36
flake.lock
36
flake.lock
|
@ -179,11 +179,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1699368917,
|
||||
"narHash": "sha256-nUtGIWf86BOkUbtksWtfglvCZ/otP0FTZlQH8Rzc7PA=",
|
||||
"lastModified": 1699783872,
|
||||
"narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "6a8444467c83c961e2f5ff64fb4f422e303c98d3",
|
||||
"rev": "280721186ab75a76537713ec310306f0eba3e407",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -280,11 +280,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1699156599,
|
||||
"narHash": "sha256-Qk9ZE/pG9lNIGUVNArJxL0Hc0Soa92eQPPIhcDwWinU=",
|
||||
"lastModified": 1699760693,
|
||||
"narHash": "sha256-u/gkNUHQR/q23voqE5J4xmEWQIAqR+g3lUnCtzn0k7Y=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "5388a4002179d6778d212dc2fdcc7ac3fdbd5b65",
|
||||
"rev": "8aff4ca3dee60d1422489fe8d52c2f837b3ad113",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -295,11 +295,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1699159446,
|
||||
"narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=",
|
||||
"lastModified": 1699997707,
|
||||
"narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "627bc9b88256379578885a7028c9e791c29fb581",
|
||||
"rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -309,11 +309,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1699099776,
|
||||
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
|
||||
"lastModified": 1699781429,
|
||||
"narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
|
||||
"rev": "e44462d6021bfe23dfb24b775cc7c390844f773d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -355,11 +355,11 @@
|
|||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1699110214,
|
||||
"narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
|
||||
"lastModified": 1699756042,
|
||||
"narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
|
||||
"rev": "9502d0245983bb233da8083b55d60d96fd3c29ff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -489,11 +489,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1699311858,
|
||||
"narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
|
||||
"lastModified": 1699951338,
|
||||
"narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "664187539871f63857bda2d498f452792457b998",
|
||||
"rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -58,6 +58,7 @@
|
|||
ports = [ 2222 ];
|
||||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
programs.mosh.enable = true;
|
||||
security = {
|
||||
audit.enable = true;
|
||||
auditd.enable = true;
|
||||
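Review bot: `programs.mosh.enable = true;` is added to a host whose sshd listens on a non-default port (`ports = [ 2222 ];` two lines above), and mosh bootstraps its session over ssh on port 22 unless the client is told otherwise, so a comment next to the new line such as `# clients need --ssh='ssh -p 2222' (or a Host entry setting Port 2222)` would save the next person a confusing connection failure. As far as I recall the NixOS module also opens UDP 60000–61000 in the firewall by default, which widens this host's exposed surface beyond the single TCP port it allows today; if that is not intended, set `programs.mosh.openFirewall = false;` and open only what is needed. The same line is added to a second host further down in this commit (the hunk around `services.openssh.enable = true;`), where the same considerations apply. The enclosing attribute set starts and ends outside this hunk.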
|
|
|
@ -21,7 +21,6 @@ in
|
|||
993 # IMAP
|
||||
4190 # sieve
|
||||
];
|
||||
users.users.postfix.extraGroups = [ "opendkim" ];
|
||||
users.users.rouven = {
|
||||
description = "Rouven Seifert";
|
||||
isNormalUser = true;
|
||||
|
@ -98,8 +97,6 @@ in
|
|||
smtp_header_checks = "pcre:${header_cleanup}";
|
||||
|
||||
alias_maps = [ "hash:/etc/aliases" ];
|
||||
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
|
||||
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
|
||||
smtpd_sasl_auth_enable = true;
|
||||
smtpd_sasl_path = "/var/lib/postfix/auth";
|
||||
smtpd_sasl_type = "dovecot";
|
||||
|
@ -201,14 +198,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
opendkim = {
|
||||
enable = true;
|
||||
domains = "csl:${domain}";
|
||||
selector = "falkenstein";
|
||||
configFile = pkgs.writeText "opendkim-config" ''
|
||||
UMask 0117
|
||||
'';
|
||||
};
|
||||
rspamd = {
|
||||
enable = true;
|
||||
postfix.enable = true;
|
||||
|
@ -220,6 +209,9 @@ in
|
|||
read_servers = "127.0.0.1";
|
||||
write_servers = "127.0.0.1";
|
||||
'';
|
||||
"milter_headers.conf".text = ''
|
||||
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
|
||||
'';
|
||||
"dmarc.conf".text = ''
|
||||
reporting {
|
||||
# Required attributes
|
||||
|
@ -230,6 +222,16 @@ in
|
|||
from_name = 'DMARC Aggregate Report';
|
||||
}
|
||||
'';
|
||||
"dkim_signing.conf".text = ''
|
||||
selector = "rspamd";
|
||||
allow_username_mismatch = true;
|
||||
domain {
|
||||
rfive.de {
|
||||
path = /var/lib/rspamd/dkim/rfive.key;
|
||||
selector = "rspamd";
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
redis = {
|
||||
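Review bot: `"dkim_signing.conf".text` hard-codes the signing domain as `rfive.de` and the key as `/var/lib/rspamd/dkim/rfive.key`, while the rest of this file derives the mail domain from `${domain}` (the removed `domains = "csl:${domain}";` line shows this), so the two can drift apart; assuming that `let` binding is still present above the hunk, `${domain} {` and `path = /var/lib/rspamd/dkim/${domain}.key;` keep one source of truth. Nothing visible in the commit provisions that key file (the sops hunks only touch `uni.zih` and the file's mac), so if it is generated by hand a comment above the block should say how, that it must be owned by and readable only by the rspamd user, and that its public half has to be published under the new `rspamd._domainkey` selector before the switch, with the old `falkenstein` record kept until mail already signed with it has cleared. `allow_username_mismatch = true;` switches off the check that the authenticated sender belongs to the signing domain, which is a deliberate relaxation; a one-line comment stating the reason (for example `# sending as aliases: SASL login differs from From: domain`) would keep it from being "fixed" later. The enclosing attribute set starts outside this hunk.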
|
|
|
@ -1,46 +1,63 @@
|
|||
{ config, ... }:
|
||||
# matrix homeserver discovery
|
||||
let
|
||||
matrix_domain = "matrix.${config.networking.domain}";
|
||||
serverConfig = {
|
||||
"m.server" = "${matrix_domain}:443";
|
||||
};
|
||||
clientConfig = {
|
||||
"m.homeserver" = {
|
||||
base_url = "https://${matrix_domain}";
|
||||
# server_name = config.networking.domain;
|
||||
};
|
||||
"org.matrix.msc3575.proxy" = {
|
||||
url = "https://${matrix_domain}";
|
||||
};
|
||||
};
|
||||
mkWellKnown = data: ''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
in
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
# set default options for virtualHosts
|
||||
options = with lib; {
|
||||
services.nginx.virtualHosts = mkOption {
|
||||
type = types.attrsOf (types.submodule
|
||||
({ name, ... }: {
|
||||
# split up nginx access logs per vhost
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/${name}_access.log;
|
||||
error_log /var/log/nginx/${name}_error.log;
|
||||
'';
|
||||
})
|
||||
);
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
# matrix homeserver discovery
|
||||
matrix_domain = "matrix.${config.networking.domain}";
|
||||
serverConfig = {
|
||||
"m.server" = "${matrix_domain}:443";
|
||||
};
|
||||
clientConfig = {
|
||||
"m.homeserver" = {
|
||||
base_url = "https://${matrix_domain}";
|
||||
# server_name = config.networking.domain;
|
||||
};
|
||||
"org.matrix.msc3575.proxy" = {
|
||||
url = "https://${matrix_domain}";
|
||||
};
|
||||
};
|
||||
mkWellKnown = data: ''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
virtualHosts."${config.networking.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/srv/web/${config.networking.domain}";
|
||||
locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||
locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||
virtualHosts."${config.networking.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/srv/web/${config.networking.domain}";
|
||||
locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||
locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||
};
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "rouven@${config.networking.domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "rouven@${config.networking.domain}";
|
||||
};
|
||||
};
|
||||
}
|
||||
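Review bot: The new `options = with lib; { services.nginx.virtualHosts = mkOption { type = types.attrsOf (types.submodule …) }; }` block, which injects a per-vhost `access_log`/`error_log` pair, is repeated verbatim in the other nginx module this commit touches (the `{ lib, config, ... }:` file with the `v = builtins.attrNames …` binding); re-declaring an option with a mergeable submodule type is accepted by the module system, but two copies of the same declaration will drift. Move the submodule into one shared module that both hosts import, and leave each host file with only its `config`. The `# split up nginx access logs per vhost` comment could also say what `name` is, e.g. `# name is the virtualHosts attribute key, here the networking.domain`, since the log file names depend on it.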
|
|
|
@ -70,6 +70,7 @@
|
|||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
programs.mosh.enable = true;
|
||||
security = {
|
||||
audit.enable = true;
|
||||
auditd.enable = true;
|
||||
|
|
|
@ -1,21 +1,34 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
v = (builtins.attrNames config.services.nginx.virtualHosts);
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });
|
||||
# set default options for virtualHosts
|
||||
options = with lib; {
|
||||
services.nginx.virtualHosts = mkOption {
|
||||
type = types.attrsOf (types.submodule
|
||||
({ name, ... }: {
|
||||
# split up nginx access logs per vhost
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/${name}_access.log;
|
||||
error_log /var/log/nginx/${name}_error.log;
|
||||
'';
|
||||
})
|
||||
);
|
||||
};
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "rouven@${config.networking.domain}";
|
||||
config = {
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });
|
||||
};
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "rouven@${config.networking.domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
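Review bot: The `let v = (builtins.attrNames config.services.nginx.virtualHosts); in` binding appears to survive into the new side, yet its only reference is the commented-out `# virtualHosts = lib.genAttrs v (name: { extraConfig = " lohustuff goes ith ${name}"; });` line, so both are dead code and the comment text reads like a leftover scratch note; drop the `let … in` and the commented line. Should the binding ever be used to populate `services.nginx.virtualHosts`, it would recurse on itself, which is a further reason not to keep it around as a template. If the options block above is kept here rather than factored into a shared module, a comment saying it is intentionally duplicated across hosts would at least stop someone from "deduplicating" it in only one place.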
|
|
|
@ -200,6 +200,7 @@
|
|||
openssl
|
||||
cups
|
||||
agenix.packages.x86_64-linux.default
|
||||
mosh
|
||||
];
|
||||
|
||||
services.mysql = {
|
||||
|
|
0
recovery.bin
Normal file
0
recovery.bin
Normal file
|
@ -1,6 +1,6 @@
|
|||
wireless-env: ENC[AES256_GCM,data:IbvDlDV5Yg4rqqo5JIzX3eyR4c37BGsqzejBHvSWjk81hfxblhL2cBZcw1hlXW7Q5zjaD0eP9akdqG1RzhdH3iaIhaIVKO8LrXsbYI7fyG3OHCxZYZZ+5QA0LnASi9QD5Olxo0b0RIdomUehnWfTegBiVi8QshrfN+G1HOWL1YxuTv67DWMnA1/XCMOgYpznYS8wzRy7VM9PQWYYISqzoFbl1QIxTJEEVKEL529NzM7TBd4YU+NpcV/TQpy5qQ7F7hSVPxXx/m4RN+Km3EbM1q8Nr0Bckjc7GeDK/P0959ofSzwBzvQyZuQ3WrALqroI21wxQHO3HgDWJlPu7+aRTxPXE2SQka7gqDK4UnZU0GBxDRFi9GKWjhAsqQyKuRH6do9b,iv:t42Gu9j+Qe9TCnjbeH6o4pz1cc1IYHZoHbWOrfIpazA=,tag:68UhGtmx3gH0n9hTO1xalQ==,type:str]
|
||||
uni:
|
||||
zih: ENC[AES256_GCM,data:KoiT/w5SsUEFAC5beCs3R5o=,iv:qQRZfdtbiAIWUAkdgrpdR8AWDdedn9yl9NcRm0ymE2A=,tag:uyhy5n40PgsWuaEofJjmog==,type:str]
|
||||
zih: ENC[AES256_GCM,data:toYEAmGZPwwV7seHcC4oCvS3Q3FFxQ==,iv:iGvVTZstsebStrD40J6cULFg/I31ynHogYjl9irW0nI=,tag:zeoo2uFTcsL25mNwG2ZjHA==,type:str]
|
||||
wireguard:
|
||||
dorm:
|
||||
private: ENC[AES256_GCM,data:qZ8HCTv14z3+2AL1dHLd60MVUsUV458QdQteZJYQLVC1KMlzGe7KbgM1U8c=,iv:HMGxB4l7D/PL5Xt8A6jKIejJRL0QZF3x3eb2BtttXWM=,tag:KDyQWfk2EO5AR997JKdW+Q==,type:str]
|
||||
|
@ -23,8 +23,8 @@ sops:
|
|||
YW1scVZDOUFaNUJ4UkFNT2U4eFh6VGsKfv6BaEvr0ibn1cSqE9GeUe4BrYwY9RTB
|
||||
PNnqxnwBX01rCitKFfpNe1rBHazp+DDh9Dw2N+m/hH6gXvu7LjcwGQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-19T19:06:17Z"
|
||||
mac: ENC[AES256_GCM,data:SS7Q249lMciUL+lgHMqwDmLznzMB9NIBiO+Cn/j+o3ffmOrEhaho0dpNmoEXrDj5TTPQx4HkVkT/gypMbo3T9Z2mBOhnHY7NFWqgNatmhAfTHoqqiXJGNA6lS8xpBbUoJZ8gYIIqnBLVf/LirxM1l1KVc1sgJKPaMM2kswIytP0=,iv:JoaSBETswIdYaXdEi5qiSONuNb34EwFc1ZRPI7IEdSE=,tag:M4wd7ZTCQQBIwtKqrWjzKg==,type:str]
|
||||
lastmodified: "2023-11-10T22:08:45Z"
|
||||
mac: ENC[AES256_GCM,data:77bQVALWGfVS9/KXc6B2kQAGiPgcoIepyaJfIckimhMPUe8qiwypn1n0S+RD46alXq7yPTiYACRdTZVvBoEO2eNxdYH8Lha4k2WWBlfucyosfrw/CdzegQ0hGo12JYukDChHRuf7RRjmrvTZ/o4EBFOJoElhtW3Kq0PQLFewPTI=,iv:6HEiVBwwATGmUomKmBkBmk5nRGkhSVJu89foTthw++o=,tag:Zkf6Ljqhn9Tle44BfF2QEA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-02T14:13:52Z"
|
||||
enc: |-
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
la = "ls -a";
|
||||
less = "bat";
|
||||
update = "cd /etc/nixos && nix flake update";
|
||||
mosh = "f() {mosh $1 zsh};f";
|
||||
};
|
||||
histSize = 100000;
|
||||
histFile = "~/.local/share/zsh/history";
|
||||
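Review bot: The new alias `mosh = "f() {mosh $1 zsh};f";` defines a throwaway function `f` in the interactive shell on every use, leaves `$1` unquoted so a host argument containing spaces or glob characters is split, and silently drops any further arguments; a named function in the zsh init does the same thing more plainly: `mosh() { command mosh "$1" zsh; }`, where `command` keeps the inner call from recursing into the function. If the only intent is to get a zsh session on the remote, a comment saying so would help, since the wrapper also hides mosh's own option handling behind the alias name.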
|
|
|
@ -108,6 +108,16 @@ in
|
|||
farPattern = "Opal";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.FSR = {
|
||||
nearPattern = "FSR";
|
||||
farPattern = "FSR";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.unispam = {
|
||||
nearPattern = "Uni Spam";
|
||||
farPattern = "Uni Spam";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.trash = {
|
||||
nearPattern = "Trash";
|
||||
farPattern = "Gel&APY-schte Elemente";
|
||||
|
@ -235,11 +245,6 @@ in
|
|||
farPattern = "[Gmail]/Papierkorb";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.sent = {
|
||||
nearPattern = "Sent";
|
||||
farPattern = "[Gmail]/Gesendet";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.junk = {
|
||||
nearPattern = "Junk";
|
||||
farPattern = "[Gmail]/Spam";
|
||||
|
@ -250,6 +255,16 @@ in
|
|||
farPattern = "[Gmail]/Entw&APw-rfe";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.hetzner = {
|
||||
nearPattern = "Hetzner";
|
||||
farPattern = "Hetzner";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
channels.studentenwerk = {
|
||||
nearPattern = "Studentenwerk";
|
||||
farPattern = "Studentenwerk";
|
||||
extraConfig.Create = "near";
|
||||
};
|
||||
};
|
||||
extraConfig = {
|
||||
account = {
|
||||
|
|
|
@ -44,14 +44,6 @@ in
|
|||
"quitte" = {
|
||||
hostname = "quitte.ifsr.de";
|
||||
user = "root";
|
||||
extraOptions = {
|
||||
RequestTTY = "yes";
|
||||
RemoteCommand = "zsh -i";
|
||||
};
|
||||
};
|
||||
"quitte-notty" = {
|
||||
hostname = "quitte.ifsr.de";
|
||||
user = "root";
|
||||
};
|
||||
"tomate" = {
|
||||
hostname = "tomate.ifsr.de";
|
||||
|
|