diff --git a/flake.lock b/flake.lock
index a5b8d00..44eb3c7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
 {
 "nodes": {
+"agenix": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+},
+"locked": {
+"lastModified": 1620877075,
+"narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
 "blobs": {
 "flake": false,
 "locked": {
@@ -33,18 +51,15 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1625748371,
-"narHash": "sha256-gJbFBcYWwv7EXUHjOdatjTxeW/wwXQWQq8naHx+GNv8=",
-"owner": "NixOS",
-"repo": "nixpkgs",
-"rev": "a6e07df310eddcd037969a0d433b1259b64c3660",
-"type": "github"
+"lastModified": 1618628710,
+"narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+"path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+"rev": "7919518f0235106d050c77837df5e338fb94de5d",
+"type": "path"
 },
 "original": {
-"owner": "NixOS",
-"ref": "nixos-21.05-small",
-"repo": "nixpkgs",
-"type": "github"
+"id": "nixpkgs",
+"type": "indirect"
 }
 },
 "nixpkgs-21_05": {
@@ -62,9 +77,26 @@
 "type": "indirect"
 }
 },
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1625748371,
+"narHash": "sha256-gJbFBcYWwv7EXUHjOdatjTxeW/wwXQWQq8naHx+GNv8=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "a6e07df310eddcd037969a0d433b1259b64c3660",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-21.05-small",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
 "root": {
 "inputs": {
-"nixpkgs": "nixpkgs",
+"agenix": "agenix",
+"nixpkgs": "nixpkgs_2",
 "snm": "snm",
 "utils": "utils_2"
 }
diff --git a/flake.nix b/flake.nix
index f81c0f9..60e43c0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,13 +3,17 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05-small";
 utils.url = "github:gytis-ivaskevicius/flake-utils-plus/staging";
+# simple mailserver
 snm = {
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.flake-utils.follows = "utils/flake-utils";
 };
+
+# age for nix to store encrypted passwords conveniently
+agenix.url = "github:ryantm/agenix";
 };
-outputs = { self, nixpkgs, ... }@inputs: {
+outputs = { self, nixpkgs, agenix, ... }@inputs: {
 inherit self inputs;
 nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -17,6 +21,7 @@
 inputs.snm.nixosModule
 ./modules/security.nix
 ./hosts/thrall
+agenix.nixosModules.age
 ];
 };
 };
diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index dc8948d..e884e73 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -100,6 +100,8 @@
 tmux
 git
+
+#agenix.defaultPackage.x86_64-linux
 ];
 # Some programs need SUID wrappers, can be configured further or are
@@ -139,12 +141,26 @@
 };
 };
+age.secrets = {
+mailPass.file = ../../secrets/mailPass.age;
+};
+
 mailserver = {
 enable = true;
 fqdn = "thrall.failco.de";
 domains = [ "failco.de" ];
-loginAccounts = {};
+loginAccounts = {
+"me@failco.de" = {
+hashedPasswordFile = config.age.secrets.mailPass.path;
+
+aliases = [
+"jakalx@failco.de"
+];
+
+catchAll = [ "failco.de" ];
+};
+};
 certificateScheme = 3;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3cc3cf7..7774e2e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,5 +5,5 @@
 let
 users = [];
 in {
-"mailPass.age".publicKeys = users + systems;
+"mailPass.age".publicKeys = users ++ systems;
 }
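Review bot: The new `agenix.url = "github:ryantm/agenix";` line in the first flake.nix hunk carries no `inputs.nixpkgs.follows`, unlike the `snm` input right above it, so agenix brings its own nixpkgs; the lockfile in this same commit shows the result, with the root's `nixpkgs` renamed to `nixpkgs_2` and agenix's `nixpkgs` node locked as `"type": "path"` against a local `/nix/store/...-source` whose original is `"type": "indirect"`. A store-path lock only resolves on the machine that produced it, so the flake is no longer reproducible from its lock elsewhere, and that second nixpkgs is not the `nixos-21.05-small` revision the rest of the system is pinned to. Declare the input as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` and regenerate the lock so a single pinned nixpkgs remains. The enclosing `inputs` set begins before this hunk.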
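Review bot: `#agenix.defaultPackage.x86_64-linux` in the first hosts/thrall/default.nix hunk adds commented-out code to a package list that starts before the hunk; a commented-out attribute path says nothing about why it is disabled and will drift as agenix changes. Either drop the line or replace it with a note such as `# TODO: expose the agenix CLI here once the module has access to the agenix input` so the intent survives.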
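Review bot: `hashedPasswordFile = config.age.secrets.mailPass.path;` in the second hosts/thrall/default.nix hunk points the mail server at a file that agenix decrypts at activation time, root-readable only by default; whether the account actually works depends on the process that reads `hashedPasswordFile` being able to open that path, and nothing in this hunk establishes which user that is. If the mailserver module reads it as root the defaults are fine; otherwise set `age.secrets.mailPass.owner` (and `mode`) to match the reader rather than loosening the file by hand. The secret's name does not say what it holds, and since the option is `hashedPasswordFile`, a comment such as `# mailPass.age holds the password *hash* (as expected by hashedPasswordFile), not the plaintext` next to `age.secrets` would keep a plaintext from being encrypted into the repo by mistake. `catchAll = [ "failco.de" ]` delivers every address on the domain to this mailbox, which widens the spam and enumeration surface compared to the explicit `aliases` list, so a one-line comment stating that this is intended would help the next reader.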
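Review bot: With the corrected `users ++ systems` in the secrets.nix hunk, `mailPass.age` is still encrypted only to the keys in `systems`, because `users = []` is empty; nobody holding only a personal key can decrypt or re-encrypt the secret, so rotating the mail password hash means having the host's private key at hand. Consider adding the administrator's public key to `users` (the list exists for exactly that) so the secret can be edited off-host, or put a comment next to `users = []` explaining why it is deliberately empty. `systems` is defined before this hunk.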