fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Migrate mail-1 to sops-nix

Browse source
This commit is contained in:
Fiona Grzebien 2026-05-24 02:23:59 +02:00
commit e35aa9aabd
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
4 changed files with 130 additions and 122 deletions
Download patch file Download diff file Expand all files Collapse all files

17
config/hosts/mail-1/configuration.nix
View file

@ -51,11 +51,11 @@
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
PrivateKeyFile = "/run/secrets/wireguard-mail-1-wg0-privatekey";
};
wireguardPeers = [{
PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
PresharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-mail-1-psk";
Endpoint = "212.53.203.19:51822";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
@ -77,5 +77,18 @@
wireguard-tools
];
sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-mail-1-wg0-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
system.stateVersion = "23.05";
}

109
config/hosts/mail-1/secrets.nix
View file

@ -1,109 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-nekomesh-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-id-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-forgejo-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

37
config/hosts/mail-1/secrets.yaml Normal file
View file

@ -0,0 +1,37 @@
wireguard-valkyrie-mail-1-mail-1-psk: ENC[AES256_GCM,data:qlmzG+qatZCGFqD2Yf9Nlc7tUUMr5JGIvwFcaBqmgwSFoRjVpObjpTn9h6Q=,iv:8kukGi7FyKY7Un5bfmD+xOrt57Zr4uGEho3GGFyy8KY=,tag:0SqD/4OCYC1gRcsDAK8oBw==,type:str]
wireguard-mail-1-wg0-privatekey: ENC[AES256_GCM,data:oI3NZ3QBaGsWPx8ajLtP2MUdVTpWlnmOF1j3aex+0rI5fixwtNwJvUZD3mA=,iv:ecO78C4upN99mm9ZosIxXR0RsZJRsL97FFvh6ktpczA=,tag:obxoVfxh49XznQykp1ROuA==,type:str]
mail-fiona-grzb-de: ENC[AES256_GCM,data:igpnhygXhe1kIMc+Dvj0LB+PFrJOJu53ZS5svt+B2qpXAk5kD9zQIRoU5TdHLyOdIOSSb2XBPkKgbShv,iv:MPgHxNvZGZ/NtflrxpazgryT+T1Qy/5z0klZ/BQ/mGA=,tag:8huvfd1eLJTQrKdDxFDsDw==,type:str]
mail-yuri-nekover-se: ENC[AES256_GCM,data:XsFmWttVmDnI9+q/7ZN0bDlRiYue1XPonQTfWMkkHfZ7mk1ZXlDjC3oYR3V3a3yEQrS4Jz0fAc/N4lnR,iv:RPqs8Q3QSGSJ0zSClKyIo5JmW5UEE6xYjEnqvmFE5C8=,tag:DZaDfFc+3RG9L0oIpj9f3Q==,type:str]
mail-mio-vs-grzb-de: ENC[AES256_GCM,data:R+eq1w3a6NLD20sMBejlnQ9asEGOxGBgPqQ+oLTwfryYu0b0by3rF0a7StCtSzsFMkzpAWw+En4Zreuw,iv:r7VLjix8sRSXbnpRS+9XzXI0qjklOXuQU77kU2LF7zA=,tag:BhqSLiMvnGHagq9Jg5852A==,type:str]
mail-fubuki-wg-grzb-de: ENC[AES256_GCM,data:pFPmrMtF33P3ANpnWB+qcTfEfAMJ0w4/fE/zAsVYKjEO1nhZtWSMQfyorYSq5GdbXuitIYdjx/IBCj0r,iv:FZtnyp90pB9R0nYaHsudnE7IyDi26UE+vxIpzZm0Q4s=,tag:XJcIP9LyYwbzw21QLpHfCA==,type:str]
mail-cloud-nekover-se: ENC[AES256_GCM,data:lY7ufbNOS+GPHAi1fJGhZNT0dMv1B7k+6BzGTb1IxWvvHmFv7u6NKGBmyQQD57Qvt2EwdtnGDJ2XugCD,iv:NZLdBFNHSkSj9pau0vWQzwznOjkFvhZcGalcfWoKI9w=,tag:8dn5ULJzaTYtnT3CBfpp8g==,type:str]
mail-status-nekover-se: ENC[AES256_GCM,data:blaHK5q8mJKQMo/UYf2NG2x7IsIkZD5cxaVv56Z7PFrn+pua821j8pwNGXCnmuGJFhDj16PkvfOuRXU7,iv:+Q2J73Af27qjta5xYtuF/mrwL45fyTV+K5GDpnA11Lo=,tag:OKhLFQfgKTAvg5wvID5RGA==,type:str]
mail-matrix-nekover-se: ENC[AES256_GCM,data:9Fs5Un2DI2ZHm1zLkbAsQ3tsuff9LjvuJkysxVWc1pdQuQsMHCNTHfioBMqJ1dH1E8ilkqCqljEmHh9+,iv:F73WEWyq7o06n0zkuu2cNYWUdmpX7YX4BGcR4Hgep2Y=,tag:+7BPbiCNM0QdBTBx6RKkHQ==,type:str]
mail-nekomesh-nekover-se: ENC[AES256_GCM,data:k25S+W3t4gn8HuUs4xge5iLjxtayB82y9PNs3lxxg3En7W4CbiSt1ccoiP4h9v9iN5rMHqiF8wg2ONlBJwQ6qA==,iv:LqjOUza0cioak0qeuBBkmRl3Kg8z05kqTeZCrgEX9qY=,tag:NkqrRxJp0c+h/C0+jfiQqg==,type:str]
mail-social-nekover-se: ENC[AES256_GCM,data:b+7hmL8yiqABkf5NFUQVTSBmj1EjImzB58Q0xpDkxSU9DVkhhURTzoi+HdgFgOOzDtkegzprokXA+I+j,iv:LtOn8+dx5Nhes4t5qpqWsnaOfD07IBZEaCXKIniJlJc=,tag:ipLZNPRN7YCkvVJYKonXmQ==,type:str]
mail-id-nekover-se: ENC[AES256_GCM,data:5odIPSrJEVoT95hch48lu4pmb0PVnjtTUOo3eohfbX1I8CNpwIuhz4Mjk5lam5q3toIKtXMhtA73RAup,iv:bvpCkS4Tz0/oorStgip0XXnsxkBMAoFJrTFAzrjPLYU=,tag:KOVNkURmuwb+8VRxfTxEDQ==,type:str]
mail-forgejo-nekover-se: ENC[AES256_GCM,data:PLZFl5aokzJorTCKD8/qJs0N1BlDLPl1tW23roMMCRkn9tAupaNwZASp1pKrPJBVBCAH4Ijj84WDIhsHdQzNhg==,iv:CExDJ2uwe0juL0f+SCyTGOfUHuEwPTHduHUkh8WAQMo=,tag:pf0QArVKBNh1F4TMxsJyRA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1ppWG1iZzJaaTJxMi9I
MTNvWUFWU1JRakpWbGxYQU9zdk5rVWMzZHdzCktRL1NEN01EY0lvVVJuQ3V2eTBZ
OFVnN1FiVTJndHZZeDBNQmloNndLY1EKLS0tIE5Lc0NqYzI4U29zamJaK2FiL1BZ
UTc2MkpZRmpVVVpvVSsxUkdpdVMzYW8KnCIMs31S6/SSx+vUAOYfjO21pGl/AMQa
iunevrTybuTFB2F/xePkdeIVvXLTLcj0XiAIw+qzAl/GvIWp7DDnTw==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZVdRK214bVQyNVRWMXVI
dmNOWk9VMXRUWnpZaXRJQVIydmRTeDJrUzMwCi95VWVGU2t3U0dqTHVWbTVjakh6
a2luYVZVdlFpVDRKeWpUZnpTY1J0eEkKLS0tIEtqTjBMY3UxU09jN2RuSzNGU3hX
UndxdWMyTVkzTUYzU3h6VjlyMjl6emsKNs+ED4FRI/+wrD3TUsQYyzuFvVEyrnBD
dsyjzSv8WubSloRUHkV7hwfHxgVzg37A5nlQo/qSdJC6TtfWmoXpsg==
-----END AGE ENCRYPTED FILE-----
recipient: age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
lastmodified: "2026-05-24T00:23:52Z"
mac: ENC[AES256_GCM,data:QH4MalhMoA5CyNmGPksMRzn6LOfxxRSBlufJ6ejcDx+l6owNT3xqKAYE9EfIUMh8z7Sw+btHhn8q02K2FnWlYD2FUY187cCcoykGRU+juJEDZH6yQ5PCqrBKXDB0wv8IBI/xTeFS7mUOzlvZfHtnLKULNZBfojN9f9jDoZCUhYo=,iv:S0AU8Ox62kk3nwL31QzYT0CGDaYNYbG/ONaQhiUbGD4=,tag:qKUkkxNouKaDb/1ptXSobg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0

89
config/hosts/mail-1/simple-nixos-mailserver.nix
View file

@ -15,55 +15,55 @@
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-fiona-grzb-de";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-yuri-nekover-se";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-mio-vs-grzb-de";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
hashedPasswordFile = "/run/secrets/mail-fubuki-wg-grzb-de";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-cloud-nekover-se";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-status-nekover-se";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-matrix-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"nekomesh@nekover.se" = {
hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-nekomesh-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-social-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"id@nekover.se" = {
hashedPasswordFile = "/secrets/mail-id-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-id-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"forgejo@nekover.se" = {
hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret";
hashedPasswordFile = "/run/secrets/mail-forgejo-nekover-se";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
@ -79,4 +79,71 @@
proxy_interfaces = "212.53.203.19";
};
};
sops.secrets."mail-fiona-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-yuri-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-mio-vs-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-fubuki-wg-grzb-de" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-cloud-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-status-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-matrix-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-nekomesh-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-social-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-id-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
sops.secrets."mail-forgejo-nekover-se" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "postfix.service" ];
};
}