diff --git a/machines/uninsane/services/postfix.nix b/machines/uninsane/services/postfix.nix
index 69acf52bd..3b291b896 100644
--- a/machines/uninsane/services/postfix.nix
+++ b/machines/uninsane/services/postfix.nix
@@ -1,4 +1,4 @@
-{ lib, secrets, ... }:
+{ config, lib, ... }:
 let
 submissionOptions = {
@@ -82,10 +82,7 @@ in
 services.dovecot2.enablePAM = false;
 services.dovecot2.extraConfig = let
- passwdFile = builtins.toFile "dovecot-passwd-file" ''
- colin:${secrets.dovecot.hashedPasswd.colin}:1000:1000::/var/mail/colin/run/current-system/sw/bin/nologin:
- matrix-synapse:${secrets.dovecot.hashedPasswd.matrix-synapse}:224:224::/var/mail/colin:/run/current-system/sw/bin/nologin:
- '';
+ passwdFile = config.sops.secrets.dovecot_passwd.path;
 in ''
 passdb {
@@ -133,4 +130,11 @@ in
 # pattern = "/^Subject:.*activate your account/";
 # }
 ];
+
+ sops.secrets.dovecot_passwd = {
+ sopsFile = ../../../secrets/uninsane.yaml;
+ owner = config.users.users.dovecot2.name;
+ # TODO: debug why mail can't be sent without this being world-readable
+ mode = "0444";
+ };
 }
diff --git a/secrets/default.nix b/secrets/default.nix
index 6fabcc84e..2fe7bc6b8 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -10,11 +10,6 @@
 # keep this synchronized with the dovecot auth
 matrix-synapse.smtp_pass = "";
- # passwd file looks like /etc/passwd.
- # use nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "my passwd" to generate the password
- dovecot.hashedPasswd.colin = "";
- dovecot.hashedPasswd.matrix-synapse = "";
-
 # generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem
 nix-serve.cache-priv-key = "";
 } // import ./local.nix
diff --git a/secrets/uninsane.yaml b/secrets/uninsane.yaml
index ad9b28451..055ee2c1e 100644
--- a/secrets/uninsane.yaml
+++ b/secrets/uninsane.yaml
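Review bot: The added `sops.secrets.dovecot_passwd` block in the last postfix.nix hunk deploys the dovecot password-hash file world-readable (`mode = "0444"`) with only a TODO explaining why, so every local account and service user on the host can copy the hashes for offline cracking even though they no longer live in the Nix store. Since `owner` is already `dovecot2`, needing 0444 suggests the process that actually opens the file does not run as that user; the fix is to identify that reader (presumably dovecot's auth worker under `services.dovecot2.user` / dovecot's `default_internal_user` — verify on the host) and grant it through sops-nix's `owner`/`group` with `mode = "0440"` rather than widening access to everyone. Until that is debugged I would at least make the hazard explicit in place of the TODO: `# SECURITY: hashed credentials readable by every local user; tighten to 0440 once the reading process is identified`. The enclosing module attrset starts before this hunk and the hunk ends at its closing brace.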
@@ -9,6 +9,9 @@ ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU
 #ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
 #ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
 wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str]
+#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
+#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
+dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -42,8 +45,8 @@ sops:
 U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
 xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-06-08T21:36:06Z"
- mac: ENC[AES256_GCM,data:ltEq12b57ounT4w8BVrL5aRMGrmuCHt8eg7XXXO3CXKLJ6qK5UJvIc+63A77i+TlzuV0AUMyya3DBXOoPFF6UDl46YabBUDLUR6x9igGgW332uYXVn/qhOzwZXRMociaIjwohH+QqVm9t1F8nqdbmB6g1pLkpWKQ8DQJ8G3KZ8U=,iv:b4jQj/75eB2Nkm1LvubHQ0CFsTmMk0OKVcc0ZW2IrtI=,tag:rE2e9Ba+2DBVn/nspmJjoA==,type:str]
+ lastmodified: "2022-06-08T22:19:57Z"
+ mac: ENC[AES256_GCM,data:is+X0WOPSehNSjHzMInBtn0Sjzv11SDWL+JMc5Pj0i0GsM8ogSlpPCEsi0HiTMSnEZIvMQf83WRe7oRymUDPdmkz0XRGTBYuLGAd/IOMKEeKe8L8+kDeiWu6d9XgA5TaNxEdj0xUYZ4sC/PZo0pG/NuzMOeTtzK8WFOTy69R+oM=,iv:LnHLL0sucI0NeQu9waHV23/HHZCbk2kTXYq0sPC1n0o=,tag:abLJvbCZeYHl8/2rb/aVGA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3