authorandromeda <andromeda@lenovo>2026-01-12 13:30:25 +0100
committerandromeda <andromeda@lenovo>2026-01-12 13:30:25 +0100
commit4bd6ddece1481557349f7d8eecc017ae4fd4ea85 (patch)
tree62818402cb33871435a36becdac4e36472fd9428
parent3fa9a368bfbd12b362e3c197da3e82e9ed480246 (diff)
declare dkim secrets
-rw-r--r--modules/nixos/mailserver.nix16
-rw-r--r--pub-keys.nix3
-rw-r--r--secrets/dkim-galaxious.de.mail.key.agebin0 -> 2136 bytes
-rw-r--r--secrets/secrets.nix3
4 files changed, 20 insertions, 2 deletions
diff --git a/modules/nixos/mailserver.nix b/modules/nixos/mailserver.nix
index 9ee8b10..767b13f 100644
--- a/modules/nixos/mailserver.nix
+++ b/modules/nixos/mailserver.nix
@@ -2,10 +2,14 @@
mailserver = {
enable = true;
stateVersion = 3;
+
+ # domain bs
fqdn = "mail.${config.networking.domain}";
domains = ["${config.networking.domain}"];
x509.useACMEHost = config.mailserver.fqdn;
+
loginAccounts = {
+ # test acc
"test@${config.networking.domain}" = {
hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
};
@@ -15,6 +19,13 @@
};
};
};
+
+ # put dkim key into /etc for declarability
+ mailserver.dkimKeyDirectory = "/etc/dkim";
+ environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key".source =
+ config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+
+ # does acme for me
services.nginx = {
enable = true;
virtualHosts = {
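Review bot: The file that `environment.etc."dkim/…".source` links to on L43-L44 is the agenix secret path, and agenix creates secrets as root-owned with mode 0400 unless `owner`, `group` or `mode` are set on the secret, so the DKIM signing service (rspamd in current simple-nixos-mailserver, if that is the signer here) will probably be unable to read the key and signing will fail at runtime rather than at evaluation. I would declare the owner next to the secret, e.g. `age.secrets."dkim-galaxious.de.mail.key".owner = "rspamd";` in pub-keys.nix (L72 of this commit), or whatever user the signer actually runs as. It is also worth confirming that the module's DKIM key-generation step does not try to write the public `.txt` record into `/etc/dkim`, since `environment.etc` paths are not writable and `/var/dkim` is no longer persisted (L58-L60 in the next hunk). The enclosing attribute set starts and ends outside this hunk.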
@@ -28,9 +39,12 @@
acceptTerms = true;
defaults.email = "mtgmonket@gmail.com";
};
+
+ # persist directories per the backup guidelines
environment.persistence."/persist" = {
directories = [
- "/var/dkim"
+ # not needed bc the dkim dir is declared
+ # "/var/dkim"
"/var/vmail"
"/var/lib/redis-rspamd"
"/var/lib/acme"
diff --git a/pub-keys.nix b/pub-keys.nix
index 1a316eb..1dc9073 100644
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -1,10 +1,11 @@
{
age.secrets = {
andromeda-pw.file = ./secrets/andromeda-pw.age;
+ "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
- "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+ "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
zulip-camoKey.file = ./secrets/zulip-camoKey.age;
zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
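Review bot: The rewritten path on L77, `"${./secrets}/mailserver-acc-zulip+admin-pw.age"`, interpolates a directory into a string, which copies the whole `./secrets` directory into the (world-readable) Nix store as one path instead of just the one `.age` file. The files are age-encrypted, so this is not a disclosure, but it does put `secrets.nix` and every key file into the store and invalidates the path whenever anything under `./secrets` changes. The original `./secrets + "/mailserver-acc-zulip+admin-pw.age"` is a valid path expression despite the `+` in the file name and keeps only that file in the store, so unless there was an evaluation problem I would revert to it or record the reason in a comment. The new `dkim-galaxious.de.mail.key` entry on L72 follows the existing pattern.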
diff --git a/secrets/dkim-galaxious.de.mail.key.age b/secrets/dkim-galaxious.de.mail.key.age
new file mode 100644
index 0000000..91b8019
--- /dev/null
+++ b/secrets/dkim-galaxious.de.mail.key.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e4d6d7f..10b449b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,9 @@ in {
"andromeda-pw.age".publicKeys = [andromeda lenovo];
"mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
+ # dkim private keys
+ "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
# mail account passwords
"mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
"mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];