Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

declare dkim secrets

Browse Source
This commit is contained in:
andromeda
2026-01-12 13:30:25 +01:00
parent 3fa9a368bf
commit 4bd6ddece1
4 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
modules/nixos/mailserver.nix
View File

@@ -2,10 +2,14 @@
mailserver = { mailserver = {
enable = true; enable = true;
stateVersion = 3; stateVersion = 3;
# domain bs
fqdn = "mail.${config.networking.domain}"; fqdn = "mail.${config.networking.domain}";
domains = ["${config.networking.domain}"]; domains = ["${config.networking.domain}"];
x509.useACMEHost = config.mailserver.fqdn; x509.useACMEHost = config.mailserver.fqdn;
loginAccounts = { loginAccounts = {
# test acc
"test@${config.networking.domain}" = { "test@${config.networking.domain}" = {
hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path; hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
}; };
@@ -15,6 +19,13 @@
}; };
}; };
}; };
# put dkim key into /etc for declarability
mailserver.dkimKeyDirectory = "/etc/dkim";
environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key".source =
config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
# does acme for me
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
@@ -28,9 +39,12 @@
acceptTerms = true; acceptTerms = true;
defaults.email = "mtgmonket@gmail.com"; defaults.email = "mtgmonket@gmail.com";
}; };
# persist directories per the backup guidelines
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ directories = [
"/var/dkim" # not needed bc the dkim dir is declared
# "/var/dkim"
"/var/vmail" "/var/vmail"
"/var/lib/redis-rspamd" "/var/lib/redis-rspamd"
"/var/lib/acme" "/var/lib/acme"

3
pub-keys.nix
View File

@@ -1,10 +1,11 @@
{ {
age.secrets = { age.secrets = {
andromeda-pw.file = ./secrets/andromeda-pw.age; andromeda-pw.file = ./secrets/andromeda-pw.age;
"dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age; mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age; mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age; mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
"mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age"; "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age; zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
zulip-camoKey.file = ./secrets/zulip-camoKey.age; zulip-camoKey.file = ./secrets/zulip-camoKey.age;
zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age; zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;

BIN
secrets/dkim-galaxious.de.mail.key.age Normal file
View File

Binary file not shown.

3
secrets/secrets.nix
View File

@@ -8,6 +8,9 @@ in {
"andromeda-pw.age".publicKeys = [andromeda lenovo]; "andromeda-pw.age".publicKeys = [andromeda lenovo];
"mtgmonkey-pw.age".publicKeys = [andromeda lenovo]; "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
# dkim private keys
"dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
# mail account passwords # mail account passwords
"mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
"mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];