From 4bd6ddece1481557349f7d8eecc017ae4fd4ea85 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Mon, 12 Jan 2026 13:30:25 +0100
Subject: [PATCH] declare dkim secrets

---
 modules/nixos/mailserver.nix           | 16 +++++++++++++++-
 pub-keys.nix                           |  3 ++-
 secrets/dkim-galaxious.de.mail.key.age | Bin 0 -> 2136 bytes
 secrets/secrets.nix                    |  3 +++
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 secrets/dkim-galaxious.de.mail.key.age

diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
index 9ee8b10..767b13f 100644
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -2,10 +2,14 @@
   mailserver = {
     enable = true;
     stateVersion = 3;
+
+    # domain bs
     fqdn = "mail.${config.networking.domain}";
     domains = ["${config.networking.domain}"];
     x509.useACMEHost = config.mailserver.fqdn;
+
     loginAccounts = {
+      # test acc
       "test@${config.networking.domain}" = {
         hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
       };
@@ -15,6 +19,13 @@
       };
     };
   };
+
+  # put dkim key into /etc for declarability
+  mailserver.dkimKeyDirectory = "/etc/dkim";
+  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key".source =
+    config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+
+  # does acme for me
   services.nginx = {
     enable = true;
     virtualHosts = {
@@ -28,9 +39,12 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+
+  # persist directories per the backup guidelines
   environment.persistence."/persist" = {
     directories = [
-      "/var/dkim"
+      # not needed bc the dkim dir is declared
+      # "/var/dkim"
       "/var/vmail"
       "/var/lib/redis-rspamd"
       "/var/lib/acme"
diff --git a/pub-keys.nix b/pub-keys.nix
index 1a316eb..1dc9073 100644
--- a/pub-keys.nix
+++ b/pub-keys.nix
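Review bot: The new `# domain bs` comment above `fqdn` does not tell a reader what the group of settings is for or why `x509.useACMEHost` is pinned to the fqdn; a placeholder comment is worse than none because it looks intentional, so something like `# mail hostname, the domains we accept mail for, and the ACME host whose certificate dovecot/postfix present` would carry the information. Likewise `# test acc` marks a live, password-protected mailbox on this host without saying whether it is meant to stay; if it is only for bring-up, say so (`# test acc — remove once delivery is verified`) so it does not silently become a permanent login. The `mailserver = { … }` attribute set continues past the end of this hunk.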
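Review bot: `environment.etc."dkim/….key".source = config.age.secrets."…".path` only creates a symlink under /etc; whether the signer can read the key is decided by the agenix secret's owner and mode, which nothing in this commit sets, and agenix's default is root-only, so the non-root signing service (rspamd, presumably — confirm which user reads `mailserver.dkimKeyDirectory`) is likely to hit permission denied when it signs. The other consequence of supplying the key declaratively is that nothing now produces the DNS half of it: the key directory previously persisted from `/var/dkim` would presumably have held the generated `<domain>.<selector>.txt` record alongside the key, and with a fixed `/etc/dkim` that record has to be published by hand from the public part of this key whenever it is rotated. A comment on `mailserver.dkimKeyDirectory` should say so, e.g. `# key comes from agenix (root-owned unless owner/mode are set on the secret); no .txt DNS record is generated — publish the selector's TXT record manually and keep the secret name in pub-keys.nix in sync with <domain>.<dkimSelector>`.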
@@ -1,10 +1,11 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
+    "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
     mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
-    "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+    "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
     zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
     zulip-camoKey.file = ./secrets/zulip-camoKey.age;
     zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
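Review bot: `"dkim-galaxious.de.mail.key".file = …` declares the DKIM private key with no `owner`, `group` or `mode`, so agenix will decrypt it root-only by default while modules/nixos/mailserver.nix hands its path to a service that does not run as root (rspamd, presumably — confirm the signing user); declare it as an attribute set, `"dkim-galaxious.de.mail.key" = { file = ./secrets/dkim-galaxious.de.mail.key.age; owner = "rspamd"; mode = "0400"; };`. The literal name also has to stay in step with the computed lookup `"dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key"` in mailserver.nix, and a change of domain or selector on that side fails evaluation with an unhelpful missing-attribute error, so a line such as `# name must match dkim-<networking.domain>.<mailserver.dkimSelector>.key (see modules/nixos/mailserver.nix)` is worth adding here. On the zulip line, `"${./secrets}/…"` copies the whole `secrets/` directory into the world-readable Nix store instead of the single file the neighbouring `./secrets/….age` paths copy; that is harmless while everything in that directory is age-encrypted, but a stray plaintext file dropped there would be exposed, so `./secrets/mailserver-acc-zulip+admin-pw.age` (a `+` is legal in a Nix path literal) is the safer spelling if it evaluates for this file name.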
diff --git a/secrets/dkim-galaxious.de.mail.key.age b/secrets/dkim-galaxious.de.mail.key.age new file mode 100644 index 0000000000000000000000000000000000000000..91b80196e0b047ed6fa8cee74f461706f0c4a2b2 GIT binary patch literal 2136 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjk(F@(E1w zG1K=A4-C&P$qtV)b<7CMa`g@OGwUgCH+ocb^=` za{U0y@B&{GZC9@2!4odrZp&cuH4zj#c|-aBpY`22)0^h0Y4F@xacbs)WZiv!EBSse zh}PZTIrm=i!z%YbK37$oU8fbE=YCdaw((#~-UO9Lzr$1X@^7l&UVAS=+-HBW!Gb9n zsmq+Fss0va-`m~f_0}v{ zTwR4-N$S(gX=x&=+V$4#S$>mR_s{vcb4A88DWB-Jc43~?{D16s=cZ`n8fkyB>f?7j z|B{pInTq=H8Vli9eGzM}XZ4&8ol&B;^zXk8WG-xPIfI_$K-9jky;do?SfS zWy#A#4X1b8t{lDB<@?ukvtEPMmx~>1-ZwZkC%;+ktlQJ)*naFms|o)m_AKA<{q-MK zi1{RjGwV0SZkOp#M8W9TN;1PVVd`F+OD@eN*;VC z{iZ*jEOqmX?hDOHkN?>#Ckacws%GA<@O55Pyli;}Pk#QkJdfGJ^9r85_uJUa5El4o z!u`M#u9 z*WF?F4g`4Q-%X5uSh(?w&HB+S z=UE+p1Qi$_>^WMjI%8|{#rNxGY*?Zn)_P&nHL>L<9R7aVz{R&^-=0%_`pve2(#3CW zS4*#2?_e~D7#&l1ZuZ2C&AsFAvgort%EqV4*;zlI)AXMAX>(I<#Vdz} z57vJ8b8$gcc*QICBT3EfDf?f&ZP<1zO1~-MZ^V7BA^&zhc3kLHT&aRseO$!WZixxH-G ztvhGVd`f*_uzA7qpU;>ViYXjOnk@P8nzgsS|D?NY_anM(3@=XlY&(0+j!F4~Z)^Dr zmsjVr1Rs)()?~4EaDEu5=_+;m=@q>#dXxHWA4DOM2exbr~?gy;}S5~gG zu56sS?V!)H>ac}NrRun!f8%`f_~#Op!@l?CCGh><`}3pS(YzeZ*~X<&yc_n|^UCjH zKlV^Hv1s@AcfuSmf~$4UZSa|pwNzL2O~$*&ALW%rPV$*AGKgdqc;|8b|0i}0M_JcX zduFOBzMGZM;kxzgy}!4k<$Ml$zIqmSpljLO*}q~Yoes`AK0kfV57j3E|5_QjcQdc9 zS*mt?d(ltFIyK$wEob#ZvNkn(vMfAcWUo}8r?vEY>p!_Q+`mJ2*SDXT6ILg*f&2Fx zcmMp})yH3M=damxGOp_L+U+N%FZ#dgn5D$_hOhm%bH1fqQwUo2*Vut^MF{(u3lC3Z zUu|Xg%_;fu*=8==wIyE0f$J9S@)p1SV*dMc%3I$5>Tr5vI-5z+hC5=u?D{r4w{@2o z^?SbNDFk_C`FK?=d-=dp?$}+c=$j5QQL}2d^69WyrK+BZx;*3ImHLvx^ZOPo@h;Zfegz`|(-r9XZ3_SP&r^YHqrbI&&(=NC*evM z2|f#izW$DPbCu_FuFIa?d$uhnEViI$b9aeQXrt&#?VEBFCjGChy6^bvKt+j;?V)Xk z59`e~*ZLpQQa|XO!R{5sbzj{|sc@UYXVJg|>X&q;%fG)^x8~=bik4+&dtP31(T+&y z%IWrWsg3)vR5wX&#y}w8?6_9Kj`^f_hZ=flKF01nUDUg z)lNJc$8A~IB3<%FUsYSz>JQ_4X49C5{Bv6_p1OQtizHugd}FU^Xp7k@l{X!luB8tT 
zJzBZFL%-PUMo>oB<#Q`uTA$@UzO|A^wDZu$^G}>#iFQuBBD>%;XICosdWoa5#2gY{$Z-^+XczleSQ@cY@N%kD@o(Y8&iT3dAUf?_-AVpO>El0!P0H@c%jH{uH8|>Y5*JL?Lq(m literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e4d6d7f..10b449b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,6 +8,9 @@ in { "andromeda-pw.age".publicKeys = [andromeda lenovo]; "mtgmonkey-pw.age".publicKeys = [andromeda lenovo]; + # dkim private keys + "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83]; + # mail account passwords "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];