Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/exim-retiolum.nix2
-rw-r--r--krebs/3modules/exim-smarthost.nix63
-rw-r--r--krebs/3modules/git.nix6
-rw-r--r--krebs/3modules/nginx.nix1
-rw-r--r--krebs/3modules/os-release.nix28
6 files changed, 90 insertions, 11 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 186469e97..bdd9049cb 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -23,6 +23,7 @@ let
./lib.nix
./nginx.nix
./nixpkgs.nix
+ ./os-release.nix
./per-user.nix
./Reaktor.nix
./realwallpaper.nix
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 6e6928f89..696c48baf 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -39,6 +39,8 @@ let
# TODO modular configuration
assert config.krebs.retiolum.enable;
''
+ keep_environment =
+
primary_hostname = ${cfg.primary_hostname}
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
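Review bot: The added `keep_environment =` line has no comment, and an empty assignment is easy to mistake for a leftover; the same line is added to the `services.exim` config in exim-smarthost.nix. A comment above it such as `# empty on purpose: Exim keeps no inherited environment variables` would record the intent. As far as I know the option is only accepted by Exim releases that introduced environment cleaning, so an older packaged Exim may refuse the config; worth confirming against the pinned version. The config string continues outside the hunk.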
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index c976e89de..cee10ce7d 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,29 @@ let
api = {
enable = mkEnableOption "krebs.exim-smarthost";
+ dkim = mkOption {
+ type = types.listOf (types.submodule ({ config, ... }: {
+ options = {
+ domain = mkOption {
+ type = types.str;
+ };
+ private_key = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "/run/krebs.secret/${config.domain}.dkim_private_key";
+ owner.name = "exim";
+ source-path = toString <secrets> + "/${config.domain}.dkim.priv";
+ };
+ };
+ selector = mkOption {
+ type = types.str;
+ default = "default";
+ };
+ };
+ }));
+ default = [];
+ };
+
internet-aliases = mkOption {
type = types.listOf (types.submodule ({
options = {
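Review bot: The `private_key` default sets only `path`, `owner.name` and `source-path`, so whether the deployed DKIM key is readable by anyone other than `exim` depends on defaults of `types.secret-file` that are not visible in this hunk. Confirm that the resulting file mode is owner-only, or state it explicitly if the type offers a field for it. None of the three new options has a `description`; for `domain` something like `description = "Sender domain to sign for; also used to derive the key file name.";` would help, since the value ends up in two paths. The `internet-aliases` option that follows continues outside the hunk.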
@@ -72,9 +95,21 @@ let
};
imp = {
+ krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
+ name = "exim.dkim_private_key/${dkim.domain}";
+ value = dkim.private_key;
+ }));
+ systemd.services = mkIf (cfg.dkim != []) {
+ exim = {
+ after = [ "secret.service" ];
+ requires = [ "secret.service" ];
+ };
+ };
services.exim = {
enable = true;
config = ''
+ keep_environment =
+
primary_hostname = ${cfg.primary_hostname}
# HOST_REDIR contains the real destinations for "local_domains".
@@ -191,6 +226,12 @@ let
remote_smtp:
driver = smtp
+ ${optionalString (cfg.dkim != []) ''
+ dkim_canon = relaxed
+ dkim_domain = $sender_address_domain
+ dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
+ dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
+ ''}
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
{$acl_m_special_dom} }
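Review bot: `dkim_domain = $sender_address_domain` takes the signing identity from the envelope sender, so any client that the ACLs (not visible in this hunk) allow to relay with a sender in a configured domain gets that domain's signature. A comment on the block should say so, e.g. `# signs for the envelope sender's domain; relay ACLs must restrict who may send as these domains`. For sender domains missing from the lsearch files, both lookups have no failure branch and, as far as I know, expand to the empty string, which Exim treats as "do not sign". That silent fallback deserves a comment as well, since `dkim_strict` is not set. The transport definition continues outside the hunk.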
@@ -219,12 +260,20 @@ let
};
- lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) {
+ lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({
inherit (cfg) internet-aliases;
inherit (cfg) system-aliases;
- };
-
- to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}");
-
-in
-out
+ } // optionalAttrs (cfg.dkim != []) {
+ dkim_private_key = flip map cfg.dkim (dkim: {
+ from = dkim.domain;
+ to = dkim.private_key.path;
+ });
+ dkim_selector = flip map cfg.dkim (dkim: {
+ from = dkim.domain;
+ to = dkim.selector;
+ });
+ });
+
+ to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n");
+
+in out
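Review bot: `to-lsearch` emits `"${from}: ${to}\n"` without any quoting, and it is now fed `dkim.domain`, which is a plain `types.str`. A value containing a colon, whitespace or a newline would yield a malformed or extra lookup entry, and two `dkim` entries for the same domain would silently resolve to the first. Tightening the option type would catch this at evaluation time, e.g. `type = types.addCheck types.str (s: builtins.match "[A-Za-z0-9.-]+" s != null);`. It is also worth a comment that these `toFile` results live in the world-readable store and therefore must only ever hold key paths, never key material.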
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 0cc2f11c9..d2d73ba3d 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -400,7 +400,7 @@ let
#! /bin/sh
set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
coreutils
git
gnugrep
@@ -451,7 +451,7 @@ let
#! /bin/sh
set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
coreutils
findutils
gawk
@@ -511,7 +511,7 @@ let
#! /bin/sh
set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
coreutils # env
git
systemd
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 023988dd5..196a6eae7 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -77,7 +77,6 @@ let
services.nginx = {
enable = true;
httpConfig = ''
- include ${pkgs.nginx}/conf/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
diff --git a/krebs/3modules/os-release.nix b/krebs/3modules/os-release.nix
new file mode 100644
index 000000000..4c803fff8
--- /dev/null
+++ b/krebs/3modules/os-release.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+with config.krebs.lib;
+let
+ nixos-version-id = "${config.system.nixosVersion}";
+ nixos-version = "${nixos-version-id} (${config.system.nixosCodeName})";
+ nixos-pretty-name = "NixOS ${nixos-version}";
+
+ stockholm-version-id = maybeEnv "STOCKHOLM_VERSION" "unknown";
+ stockholm-version = "${stockholm-version-id}";
+ stockholm-pretty-name = "stockholm ${stockholm-version}";
+
+ version = "${stockholm-version}/${nixos-version}";
+ version-id = "${stockholm-version-id}/${nixos-version-id}";
+ pretty-name = "${stockholm-pretty-name} / ${nixos-pretty-name}";
+
+ home-url = http://cgit.cd.krebsco.de/stockholm;
+in
+{
+ # http://0pointer.de/public/systemd-man/os-release.html
+ environment.etc."os-release".text = mkForce ''
+ NAME="stockholm/NixOS"
+ ID=stockholm
+ VERSION="${version}"
+ VERSION_ID="${version-id}"
+ PRETTY_NAME="${pretty-name}"
+ HOME_URL="${home-url}"
+ '';
+}
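Review bot: `stockholm-version-id` is read from the build environment through `maybeEnv "STOCKHOLM_VERSION" "unknown"` and spliced into double-quoted values of /etc/os-release without escaping. That file is commonly sourced by shell scripts, so a value containing `"`, `$` or a backquote would corrupt the file or be expanded by whatever reads it. Checking the value before use, for instance asserting that it matches `[A-Za-z0-9._-]+`, would close that gap. Separately, `VERSION_ID` is built with a `/` in it, which the os-release description linked in the comment does not list among the characters for that field, so tools that parse it strictly may reject it. `home-url` is a plain `http` URL; if the host serves https, prefer that.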