colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

postfix/dovecot: convert secrets to sops

Browse Source
This commit is contained in:
Colin
2022-06-08 15:59:02 -07:00
parent 85f16d9732
commit e188db9344
3 changed files with 14 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
machines/uninsane/services/postfix.nix
View File

@@ -1,4 +1,4 @@
{ lib, secrets, ... }: { config, lib, ... }:
let let
submissionOptions = { submissionOptions = {
@@ -82,10 +82,7 @@ in
services.dovecot2.enablePAM = false; services.dovecot2.enablePAM = false;
services.dovecot2.extraConfig = services.dovecot2.extraConfig =
let let
passwdFile = builtins.toFile "dovecot-passwd-file" '' passwdFile = config.sops.secrets.dovecot_passwd.path;
colin:${secrets.dovecot.hashedPasswd.colin}:1000:1000::/var/mail/colin/run/current-system/sw/bin/nologin:
matrix-synapse:${secrets.dovecot.hashedPasswd.matrix-synapse}:224:224::/var/mail/colin:/run/current-system/sw/bin/nologin:
'';
in in
'' ''
passdb { passdb {
@@ -133,4 +130,11 @@ in
# pattern = "/^Subject:.*activate your account/"; # pattern = "/^Subject:.*activate your account/";
# } # }
]; ];
sops.secrets.dovecot_passwd = {
sopsFile = ../../../secrets/uninsane.yaml;
owner = config.users.users.dovecot2.name;
# TODO: debug why mail can't be sent without this being world-readable
mode = "0444";
};
} }

5
secrets/default.nix
View File

@@ -10,11 +10,6 @@
# keep this synchronized with the dovecot auth # keep this synchronized with the dovecot auth
matrix-synapse.smtp_pass = "<REPLACEME>"; matrix-synapse.smtp_pass = "<REPLACEME>";
# passwd file looks like /etc/passwd.
# use nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "my passwd" to generate the password
dovecot.hashedPasswd.colin = "<REPLACEME>";
dovecot.hashedPasswd.matrix-synapse = "<REPLACEME>";
# generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem # generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem
nix-serve.cache-priv-key = "<REPLACEME>"; nix-serve.cache-priv-key = "<REPLACEME>";
} // import ./local.nix } // import ./local.nix

7
secrets/uninsane.yaml
View File

@@ -9,6 +9,9 @@ ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU
#ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment] #ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
#ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment] #ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str] wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str]
#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -42,8 +45,8 @@ sops:
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A== xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-08T21:36:06Z" lastmodified: "2022-06-08T22:19:57Z"
mac: ENC[AES256_GCM,data:ltEq12b57ounT4w8BVrL5aRMGrmuCHt8eg7XXXO3CXKLJ6qK5UJvIc+63A77i+TlzuV0AUMyya3DBXOoPFF6UDl46YabBUDLUR6x9igGgW332uYXVn/qhOzwZXRMociaIjwohH+QqVm9t1F8nqdbmB6g1pLkpWKQ8DQJ8G3KZ8U=,iv:b4jQj/75eB2Nkm1LvubHQ0CFsTmMk0OKVcc0ZW2IrtI=,tag:rE2e9Ba+2DBVn/nspmJjoA==,type:str] mac: ENC[AES256_GCM,data:is+X0WOPSehNSjHzMInBtn0Sjzv11SDWL+JMc5Pj0i0GsM8ogSlpPCEsi0HiTMSnEZIvMQf83WRe7oRymUDPdmkz0XRGTBYuLGAd/IOMKEeKe8L8+kDeiWu6d9XgA5TaNxEdj0xUYZ4sC/PZo0pG/NuzMOeTtzK8WFOTy69R+oM=,iv:LnHLL0sucI0NeQu9waHV23/HHZCbk2kTXYq0sPC1n0o=,tag:abLJvbCZeYHl8/2rb/aVGA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3