From ae2f945f421843c8836b6e734f4435bdab964233 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 29 Jan 2023 02:39:19 +0100 Subject: [PATCH 01/21] devshell: remove unnecessary input See: https://github.com/divnix/digga/commit/7646c7dac4167a3da62d6f92d1d67618529b42e5 --- shell/devos.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shell/devos.nix b/shell/devos.nix index 5a922b4b..c216f3b9 100644 --- a/shell/devos.nix +++ b/shell/devos.nix @@ -17,6 +17,7 @@ shellcheck shfmt treefmt + nixos-generators ; inherit @@ -62,7 +63,7 @@ in { (devos cachix) ] ++ lib.optionals (pkgs.stdenv.hostPlatform.isLinux && !pkgs.stdenv.buildPlatform.isDarwin) [ - (devos inputs.nixos-generators.defaultPackage.${pkgs.system}) + (devos nixos-generators) (devos deploy-rs) ]; } From 158f336517aeede79b8fdaa25b460519a6a051f7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 29 Jan 2023 02:40:14 +0100 Subject: [PATCH 02/21] base-user: fix home-manager stateVersion See: https://github.com/divnix/digga/commit/bca4b89f497b8553dd9c0006e85c65e3e2937743 --- flake.lock | 151 ++++++------------------------------ flake.nix | 11 ++- profiles/base-user/home.nix | 10 --- 3 files changed, 30 insertions(+), 142 deletions(-) diff --git a/flake.lock b/flake.lock index f62e3e63..80352d50 100644 --- a/flake.lock +++ b/flake.lock @@ -20,21 +20,6 @@ "type": "github" } }, - "blank": { - "locked": { - "lastModified": 1625557891, - "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", - "owner": "divnix", - "repo": "blank", - "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "blank", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -63,11 +48,11 @@ ] }, "locked": { - "lastModified": 1651916036, - "narHash": "sha256-UuD9keUGm4IuVEV6wdSYbuRm7CwfXE63hVkzKDjVsh4=", + "lastModified": 1672753581, + "narHash": "sha256-EIi2tqHoje5cE9WqH23ZghW28NOOWSUM7tcxKE1U9KI=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "2f2bdf658d2b79bada78dc914af99c53cad37cba", + "rev": "3db1d870b04b13411f56ab1a50cd32b001f56433", "type": "github" }, "original": { @@ -107,11 +92,11 @@ ] }, "locked": { - "lastModified": 1655976588, - "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=", + "lastModified": 1671489820, + "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=", "owner": "numtide", "repo": "devshell", - "rev": "899ca4629020592a13a46783587f6e674179d1db", + "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634", "type": "github" }, "original": { @@ -122,18 +107,17 @@ }, "digga": { "inputs": { - "blank": "blank", "darwin": "darwin_2", "deploy": [ "deploy" ], "devshell": "devshell", "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "home-manager": [ "home" ], - "latest": "latest", "nixlib": [ "nixos" ], @@ -143,11 +127,11 @@ "nixpkgs-unstable": "nixpkgs-unstable" }, "locked": { - "lastModified": 1661600857, - "narHash": "sha256-KfQCcTtfvU0PXV4fD9XKIMcKx9lUUR0xWJoBgc12fKE=", + "lastModified": 1674947971, + "narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=", "owner": "pub-solar", "repo": "digga", - "rev": "c902b3ef0aa45cb4f336c390f647bb182c38a221", + "rev": "2da608bd8afb48afef82c6b1b6d852a36094a497", "type": "github" }, "original": { 
@@ -176,11 +160,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { @@ -222,7 +206,10 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_2" + "flake-utils": [ + "digga", + "flake-utils" + ] }, "locked": { "lastModified": 1654029967, @@ -241,11 +228,11 @@ }, "flake-utils_2": { "locked": { - "lastModified": 1644229661, - "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { @@ -277,22 +264,6 @@ } }, "latest": { - "locked": { - "lastModified": 1657265485, - "narHash": "sha256-PUQ9C7mfi0/BnaAUX2R/PIkoNCb/Jtx9EpnhMBNrO/o=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b39924fc7764c08ae3b51beef9a3518c414cdb7d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "latest_2": { "locked": { "lastModified": 1674641431, "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", 
@@ -308,41 +279,6 @@ "type": "github" } }, - "naersk": { - "inputs": { - "nixpkgs": [ - "nixos" - ] - }, - "locked": { - "lastModified": 1671096816, - "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=", - "owner": "nmattia", - "repo": "naersk", - "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114", - "type": "github" - }, - "original": { - "owner": "nmattia", - "repo": "naersk", - "type": "github" - } - }, - "nixlib": { - "locked": { - "lastModified": 1636849918, - "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixos": { "locked": { "lastModified": 1674868155, @@ -359,25 +295,6 @@ "type": "github" } }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1674666581, - "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1674550793, 
@@ -393,34 +310,18 @@ "type": "github" } }, - "nixpkgs": { - "locked": { - "lastModified": 1637186689, - "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { - "lastModified": 1657292830, - "narHash": "sha256-ldfVSTveWceDCmW6gf3B4kR6vwmz/XS80y5wsLLHFJU=", + "lastModified": 1672791794, + "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "334ec8b503c3981e37a04b817a70e8d026ea9e84", + "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -445,10 +346,8 @@ "digga": "digga", "flake-compat": "flake-compat_3", "home": "home", - "latest": "latest_2", - "naersk": "naersk", + "latest": "latest", "nixos": "nixos", - "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nur": "nur" } diff --git a/flake.nix b/flake.nix index 33ce736f..7bec396d 100644 --- a/flake.nix +++ b/flake.nix @@ -31,12 +31,7 @@ agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixos"; - naersk.url = "github:nmattia/naersk"; - naersk.inputs.nixpkgs.follows = "nixos"; - nixos-hardware.url = "github:nixos/nixos-hardware"; - - nixos-generators.url = "github:nix-community/nixos-generators"; }; outputs = { @@ -144,7 +139,11 @@ }; }; users = { - pub-solar = {suites, ...}: {imports = suites.base;}; + pub-solar = {suites, ...}: { + imports = suites.base; + + home.stateVersion = "21.03"; + }; }; # digga.lib.importers.rakeLeaves ./users/hm; }; diff --git a/profiles/base-user/home.nix b/profiles/base-user/home.nix index 27a7c32c..9c964515 100644 --- a/profiles/base-user/home.nix 
+++ b/profiles/base-user/home.nix @@ -88,15 +88,5 @@ in { # Allow unfree packages only on a user basis, not on a system-wide basis xdg.configFile."nixpkgs/config.nix".text = " { allowUnfree = true; } "; - - # This value determines the Home Manager release that your - # configuration is compatible with. This helps avoid breakage - # when a new Home Manager release introduces backwards - # incompatible changes. - # - # You can update Home Manager without changing this value. See - # the Home Manager release notes for a list of state version - # changes in each release. - home.stateVersion = "21.03"; }; } From 155237dec79045be6d287922d40dcf90f514f3b9 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 29 Jan 2023 02:46:53 +0100 Subject: [PATCH 03/21] drone: add --accept-flake-config flag --- .drone.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.drone.yml b/.drone.yml index b4d4bb92..10c3f4ee 100644 --- a/.drone.yml +++ b/.drone.yml @@ -11,7 +11,7 @@ steps: event: - pull_request environment: - NIX_FLAGS: "--print-build-logs --verbose" + NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config" commands: - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS' - nix $$NIX_FLAGS develop --command nix flake show @@ -27,7 +27,7 @@ node: steps: - name: "Tests" environment: - NIX_FLAGS: "--print-build-logs --verbose" + NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config" commands: - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS' - nix $$NIX_FLAGS build ".#checks.x86_64-linux.customTestFor-PubSolarOS-firstTest" @@ -93,7 +93,7 @@ steps: - name: "Build ISO" image: docker.nix-community.org/nixpkgs/nix-flakes:latest environment: - NIX_FLAGS: "--print-build-logs --verbose" + NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config" volumes: - name: file-exchange path: /var/nix/iso-cache 
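Review bot: Adding `--accept-flake-config` to the `pull_request` step (hunk at -11,7, whose context shows `event: - pull_request`) makes CI apply the `nixConfig` of the checked-out flake without prompting, including any `extra-substituters` and `extra-trusted-public-keys` it declares, so a pull request can redirect the build to a cache and signing key of the submitter's choosing before anyone reviews it. The same flag on the Tests and Build ISO steps (hunks at -27,7 and -93,7) carries the same exposure if those ever run on unreviewed refs. Prefer pinning the accepted substituters and keys in the runner's `nix.conf` and leaving the flag off the PR pipeline, or at least log the effective settings (`nix show-config`) in that step so a changed `nixConfig` is visible in the build output.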
@@ -148,6 +148,6 @@ volumes: --- kind: signature -hmac: 291be33bbf2954d1f5e4bf569679e24a773e7d6f90db4765fb9dacb3686a825e +hmac: f388f4c8d7722725140a201f8f86dd9baa480e66d495d2ad26e075ae1c2012db ... From 164c0f8fb33b1c4520da9e080100add4324ddebd Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 29 Jan 2023 17:38:00 +0100 Subject: [PATCH 04/21] drone: fix path for ISO upload on flora-6 --- .drone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.drone.yml b/.drone.yml index 10c3f4ee..2a9c496d 100644 --- a/.drone.yml +++ b/.drone.yml @@ -126,7 +126,7 @@ steps: from_secret: iso_web_ssh_port key: from_secret: iso_web_ssh_key - target: /srv/os/download + target: /srv/www/os/download source: - /var/nix/iso-cache/*.iso - /var/nix/iso-cache/*.iso.sha256 @@ -148,6 +148,6 @@ volumes: --- kind: signature -hmac: f388f4c8d7722725140a201f8f86dd9baa480e66d495d2ad26e075ae1c2012db +hmac: 0c0994f0878cdb49172772f78c9a772f5c75830b49c1c22bd15db385fe857e17 ... From 289b58198c489fc20d0f3a546f5aa058b56d0457 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Sat, 22 Oct 2022 14:57:40 +0200 Subject: [PATCH 05/21] NixOS module for a drone ci runner in docker --- modules/docker-ci-runner/default.nix | 105 +++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 modules/docker-ci-runner/default.nix diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix new file mode 100644 index 00000000..2a32b8fa --- /dev/null +++ b/modules/docker-ci-runner/default.nix 
@@ -0,0 +1,105 @@
+{ lib, config, pkgs, self, ... }:
+
+with lib;
+let
+ bootstrap = pkgs.writeScript "bootstrap.sh" ''
+ #!/usr/bin/env bash
+
+ set -e
+
+ apt update
+ apt install --yes curl git sudo xz-utils
+
+ adduser --system --uid 999 build
+ chown build /nix
+
+ sudo -u build curl -L https://nixos.org/nix/install > install
+ sudo -u build sh install
+
+ echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+ mkdir /etc/nix
+ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+ export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+ mkdir -p $(dirname \\$nix_user_config_file)
+ echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+ chown -R build /home/build/
+
+ curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+ sudo install -t /usr/local/bin drone-runner-exec
+
+ if [ ! -f /run/vars ]; then
+ exit 1
+ fi
+
+ cp -a /run/vars /run/runtime-vars
+ env | grep "DRONE" >> /run/runtime-vars
+
+ su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+ '';
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.docker-ci-runner;
+in
+{
+ options.pub-solar.docker-ci-runner = {
+ enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+
+ enableKvm = lib.mkOption {
+ description = ''
+ Enable kvm support.
+ '';
+ default = true;
+ type = types.bool;
+ };
+
+ nixCacheLocation = lib.mkOption {
+ description = ''
+ Location of nix cache that is shared between builds
+ '';
+ type = types.path;
+ };
+
+ runnerEnvironment = lib.mkOption {
+ description = ''
+ Additional environment vars added to the vars file on container runtime
+ '';
+ default = {};
+ };
+
+ runnerVarsFile = lib.mkOption {
+ description = ''
+ Location of vars file passed to drone runner
+ '';
+ type = types.path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation = {
+ docker = {
+ enable = true; # sadly podman is not supported rightnow
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."drone-exec-runner" = {
+ image = "debian";
+ autoStart = true;
+ entrypoint = "bash";
+ cmd = [ "/bootstrap.sh" ];
+
+ volumes = [
+ "${cfg.runnerVarsFile}:/run/vars"
+ "${cfg.nixCacheLocation}:/nix"
+ "${bootstrap}:/bootstrap.sh"
+ ];
+
+ environment = cfg.runnerEnvironment;
+
+ extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ];
+ };
+ };
+ };
+ };
+}
From 5f6988291c0737ad229aac63c07554e5ca83d536 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Wed, 26 Oct 2022 22:04:48 +0200
Subject: [PATCH 06/21] Fix wording
---
modules/docker-ci-runner/default.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
index 2a32b8fa..be7ecc47 100644
--- a/modules/docker-ci-runner/default.nix
+++ b/modules/docker-ci-runner/default.nix
@@ -43,7 +43,7 @@ let
 in
 {
 options.pub-solar.docker-ci-runner = {
- enable = lib.mkEnableOption "Enables a systemd service that runs drone-ci-runner";
+ enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
 enableKvm = lib.mkOption {
 description = ''
@@ -88,7 +88,7 @@ in
 autoStart = true;
 entrypoint = "bash";
 cmd = [ "/bootstrap.sh" ];
-
+
 volumes = [
 "${cfg.runnerVarsFile}:/run/vars"
 "${cfg.nixCacheLocation}:/nix"
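Review bot: The bootstrap script fetches and runs unpinned, unverified code on every container start — `sudo -u build curl -L https://nixos.org/nix/install > install` followed by `sudo -u build sh install`, and `curl -L .../drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz` — so the runner's toolchain is whatever those endpoints serve at that moment, with no checksum or signature check. Pin a release and verify a known hash before executing; the cleanest option in this module is to fetch both artifacts with `pkgs.fetchurl` (with `sha256`) and mount the store paths into the container next to `bootstrap.sh`. The `\\$nix_user_config_file` escaping also looks wrong: in a Nix `''` string `\\` stays two backslashes, so bash sees a literal `\` before the expansion and `mkdir -p`/the redirect operate on a relative `\/home/build/...` path instead of `/home/build/.local/share/nix/trusted-settings.json` — verify inside the container; plain `$nix_user_config_file` (which `''` strings pass through unchanged) appears to be what is intended. `runnerEnvironment` declares no `type`; `types.attrsOf types.str` matches how it is handed to `environment`.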
@@ -96,7 +96,7 @@ in ]; environment = cfg.runnerEnvironment; - + extraOptions = lib.mkIf cfg.enableKvm [ "--device=/dev/kvm" ]; }; }; From 25ad234f2a1336e2d50a6a61165bb32b37756cdd Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Sun, 30 Oct 2022 21:37:24 +0100 Subject: [PATCH 07/21] add default for nix store path --- modules/docker-ci-runner/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix index be7ecc47..11998fd9 100644 --- a/modules/docker-ci-runner/default.nix +++ b/modules/docker-ci-runner/default.nix @@ -57,6 +57,7 @@ in description = '' Location of nix cache that is shared between builds ''; + default = "/var/lib/docker-ci-runner"; type = types.path; }; From 26318bcafcf98f72916774d92f9920d861964b11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Tue, 31 Jan 2023 21:25:45 +0100 Subject: [PATCH 08/21] feat/mailman: Add flora-6 config for mailman --- hosts/flora-6/caddy.nix | 13 ++++ hosts/flora-6/flora-6.nix | 1 + hosts/flora-6/mailman.nix | 114 +++++++++++++++++++++++++++++++ secrets/mailman-core-secrets.age | Bin 0 -> 1373 bytes secrets/mailman-db-secrets.age | 23 +++++++ secrets/mailman-web-secrets.age | Bin 0 -> 1383 bytes secrets/secrets.nix | 21 ++++-- 7 files changed, 167 insertions(+), 5 deletions(-) create mode 100644 hosts/flora-6/mailman.nix create mode 100644 secrets/mailman-core-secrets.age create mode 100644 secrets/mailman-db-secrets.age create mode 100644 secrets/mailman-web-secrets.age diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix index cd90d4ef..648bfe33 100644 --- a/hosts/flora-6/caddy.nix +++ b/hosts/flora-6/caddy.nix 
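Review bot: The new default `/var/lib/docker-ci-runner` is the host path bind-mounted as the container's `/nix`; the bootstrap script `chown`s it to the in-container `build` user (uid 999, the same uid on the host unless userns remapping is configured elsewhere) and it persists across container restarts, so every CI job can alter store paths that later jobs reuse. That lets one malicious or compromised build affect subsequent builds; if pull requests from untrusted sources run on this runner, the cache should be discarded or kept per trust level, and the option description should state that the directory is shared and writable by all jobs. The module does not create the directory either, so on first start Docker creates it root-owned and the `chown build /nix` in `bootstrap.sh` is what makes it usable — worth a sentence in the description too.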
@@ -72,6 +72,19 @@
 reverse_proxy :4000
 '';
 };
+ "list.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ handle_path /static/* {
+ root * /var/lib/mailman/web
+ file_server
+ }
+
+ reverse_proxy :8000
+ '';
+ };
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index f25f89dc..08af3d5d 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@@ -19,6 +19,7 @@ in {
 ./drone.nix
 ./keycloak.nix
 ./gitea.nix
+ ./mailman.nix
 profiles.base-user
 profiles.users.root # make sure to configure ssh keys
diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix
new file mode 100644
index 00000000..340d3e03
--- /dev/null
+++ b/hosts/flora-6/mailman.nix
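Review bot: `handle_path /static/*` strips the `/static` prefix before `root * /var/lib/mailman/web`, so `/static/<name>` is served from `/var/lib/mailman/web/<name>`, i.e. from the whole directory that mailman.nix mounts as the container's `/opt/mailman-web-data`, not just its static assets. If the image keeps configuration or logs in that directory (the upstream mailman-web image writes `settings_local.py` and logs there, as far as I recall — confirm against the running container), they would become downloadable from `list.pub.solar`. Point the root at the static subdirectory, e.g. `root * /var/lib/mailman/web/static`, so `file_server` can only expose what is meant to be public.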
@@ -0,0 +1,114 @@
+{
+ config,
+ lib,
+ pkgs,
+ self,
+ ...
+}: {
+ system.activationScripts.mkMailmanNet = let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in ''
+ ${dockerBin} network inspect mailman-net >/dev/null 2>&1 || ${dockerBin} network create mailman-net --subnet 172.20.1.0/24
+ '';
+
+ users.users.mailman = {
+ description = "Mailman Service";
+ home = "/var/lib/mailman";
+ useDefaultShell = true;
+ uid = 993;
+ # Group hakkonaut so caddy can serve the static files from mailman-web directly
+ group = "hakkonaut";
+ isSystemUser = true;
+ };
+
+ age.secrets.mailman-core-secrets = {
+ file = "${self}/secrets/mailman-core-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ age.secrets.mailman-web-secrets = {
+ file = "${self}/secrets/mailman-web-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ age.secrets.mailman-db-secrets = {
+ file = "${self}/secrets/mailman-db-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ virtualisation = {
+ docker = {
+ enable = true;
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."mailman-core" = {
+ image = "maxking/mailman-core:0.4";
+ autoStart = true;
+ user = 993;
+ volumes = [
+ "/var/lib/mailman/core:/opt/mailman/"
+ ];
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ environment = {
+ DATABASE_TYPE = "postgres";
+ DATABASE_CLASS = "mailman.database.postgresql.PostgreSQLDatabase";
+ };
+ environmentFiles = [
+ config.age.secrets.mailman-core-secrets.path
+ ];
+ ports = [
+ "127.0.0.1:8001:8001" # API
+ "127.0.0.1:8024:8024" # LMTP - incoming emails
+ ];
+ };
+
+ containers."mailman-web" = {
+ image = "maxking/mailman-web:0.4";
+ autoStart = true;
+ user = 993;
+ volumes = [
+ "/var/lib/mailman/web:/opt/mailman-web-data";
+ ];
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ environment = {
+ DATABASE_TYPE = "postgres";
+ SERVE_FROM_DOMAIN = "list.pub.solar";
+ MAILMAN_ADMIN_USER: "admin";
+ MAILMAN_ADMIN_EMAIL:
"admins@pub.solar"; + }; + environmentFiles = [ + config.age.secrets.mailman-web-secrets.path + ]; + ports = [ + "127.0.0.1:8000:8000" # HTTP + # "127.0.0.1:8080:8080" # uwsgi + ]; + }; + + containers."mailman-db" = { + image = "postgres:14-alpine"; + autoStart = true; + user = 993; + extraOptions = [ + "--network=mailman-net" + ]; + volumes = [ + "/var/lib/mailman/database:/var/lib/postgresql/data"; + ]; + environmentFiles = [ + config.age.secrets.mailman-db-secrets.path + }; + }; + }; + }; +} diff --git a/secrets/mailman-core-secrets.age b/secrets/mailman-core-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..294bcd9d2f0d18f9115f22455f37b0bdf24e7ea1 GIT binary patch literal 1373 zcmZ9~dx+Zv0LO6=wn=a>aYG#&cBtDl)~4+xO*S`7(ma|reWvN-hL|R4(j;x#q)n5` z9CIgZ&hx<-s5smZK^-`iA?k5DADptMiaHf1inj-B>Tc>7PSEoY|MB17Kc7E-UrAHL zYDad0Zog%B?y(&$;zfb*#*pjkVO5F2a1;yGpn6>z&QC>|=5$z2n`VK9xSF7+NTSlA z3ms9t3nAj<<7t5(1cou$xTs?ce6awVIE0^Mvmax?3b8I>ZFypd32RrCKE zA-aKphw5Sr)F24*7=b{NZ5j0CA&nzR4I4SNREcHF5Us1FfuK=9yq+GKt*RsRgQg1` zzCgd{s;Ae49+nbvTDpJ=K^;K?TN?~U3~2LlK;$%!6VQxQwxlAQv|W4%$56P@ z6?}ng#UUluRz%v7L8`}4Nt`7b=^{bq3guKGpU5X*K!V0lB_U)pmAsdZF}6s8q#-rf zW5*-F&SDR9!lb0U%Tn1sL# zF`l+K-%$oW)$?%}Vd4!-W-3jjkOt!|k*Ro)5y2cDU;{fwTis~3!<7qOE-=&OL4*|Q z1;+~DluM^FGYs6zW0vh$l#b(>k(658)OCXbQ>^Wg@E&)JQa0?vDgarw7dv zPSd>Tjo|8tmK>@-jKN?(j_^{QQThR0chyeG?rSmy^qFjb&nmk}jLLnt4^ zc^H%e5RDlSmLYmDY*hUyn!?8PG7{AACaPO#K=~a&^;kzs4o$XYv}mX|>SXFh5etHP zpB6{Sk{Un}C^P1p@Bl>!jLuM~gBEO2Msz5v7rH7S`o)S+PpB<6N}?W^7+MZK)^XcO zqAeITlqs?nktpjPVrQZ;ES`4ba<(C>5iXJ}^Zt+lN|x621Q8OHR_7`{3l)JPr?$OvNh=2N`KMU9gorjX zpM5wS>I4l#F+~#TQfWQ{H3dVe)QPMp~K*vl6Wu9}@Yvi3J~;lv*$ZxykjH2KE)1^fP741Hexf_XUi|GTdh$wX(J$cXSMK;~+t$Np|30~XdoZ~$boP;9@u%mE8TAOf@yt^iv*L-+ zsW(+)e?VT@JSW~a-JjkeUAi_D`Ec8=L!a$^i;!>W+?hLg-RzF34G4Dq*v*??c;>Yq z_8)5;Tk_EHH4k2;XHK6yU0=L=X2JMT@`G35v;5Tk&%cCzEiOkleZ1>|^u)Q%KzPr@ z?DQf4U$gG=nYr-Qots`?6zYCAmM3R7RhPcwX2zGT*z;a0a%}1NuZJ#j;Mo-UVPMkV$`N>NQ{sC;3^(p`W literal 0 HcmV?d00001 
diff --git a/secrets/mailman-db-secrets.age b/secrets/mailman-db-secrets.age new file mode 100644 index 00000000..c2a0ab33 --- /dev/null +++ b/secrets/mailman-db-secrets.age @@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw WqfbigFDHy0nh/B8SjJk2MCKKRQ1Jt/gXxRz2neNvlc +5wJjaxa1sOPPQfg4n6n6HurhkN/+ARVhthxoK8bzOWE +-> ssh-ed25519 BVsyTA Lvki0R7gZediS9KnQGerUtVZQ7qZYUXaUbPvqv2zmgM +YTLaJM1UqpL+avMZz0mMKz1i9LSalbTQkC6xFbYbyAw +-> ssh-rsa kFDS0A +Xcm7KqiO5yK5RUwhJPrJ3fk/GTVK0OJlsGouc71p35o5AgqBrbW0HiNBGMl24oUP +jMU9nSlATq4VaQWKHCqnGOeJCw83C1AON7sVHhoT3vzFWKs9TO0TDR0Gm0fCBTm1 +hk2fQZ/sMe8lGuSyISDg1QmEkC7ow/FwXmMlW5xw0honj1ca+mZ8w5YeWVCMLpGg +pob/79odfVMtlk4uqcjboto6X6aY/W43yG8VQUJwZ3hK/4wVn16Os+RlNH6GAFr0 +aZ6SS4cJR9uTd/y9rQIg9rgQ95qTusg66ClBRdMCy7fvXbfMAMvmtmwBQJQdpO2q +tURAN4Id3+j+vuqk0nqnj0oXx61mIlutbADbkoRlhB9VFVffSu/KeMFVOtSMD0AN +Sp0q4nhv5BSaOP/D0YwOMPmCuS2M6aVfWvPQvrQ5YE4MEWK2qs4A3vZRn2d8o5hh +mvH+y+Foxt69D+k32DWFMCbZCSxlBKW1aGZ6AexFXx6zYyzBoYE9zB6QSI8ZbqN0 +LfBpz2YNCix+6y5qUsCYsY9aa9m4azpsKD7M5IFgmkLqUGvsH7Xx7PC/Z9B4zTgs +MHMJPPR/yRZ8PzbnXIUen4/PnO4j7AbgYDv4FCAAfWJjufC7v+vTI0m80Y/7uZCu +dk6DPZaUMbJFYXPNUNODP/6Dn5RL8hy74IjdLtNIbzg +-> ejJ:5Us-grease +fWwlxnUaotXS0iwGa0zkPyoHuNjTBBgFJUO8cVMNfB2vxoPKraJ+weyTXbu8Fa7i +WVehDudiKTfaK4Ruy6hbUZBjZ+Aq3LDpezw +--- XjN/bkA+YEfIro1w01fcKA7n0xMq6raWxpXoedRIw/g +ECdtya(Qq.jH 6i[M +sm0 ])ձTTo=̢ 7DA}&H=OR6>?$Om͸g괖AFYqܰ~ki2iu1!U?2<ĩ$e63 \ No newline at end of file 
diff --git a/secrets/mailman-web-secrets.age b/secrets/mailman-web-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..fe6c8d5f3e96766f0724a196883eaa6bde1fa168 GIT binary patch literal 1383 zcmZA0+pp6E0Dy6cMq`mn3_K9goQR3Q7~R^nTLB5}x^CT0*LB_6u0S|l*R@+O>uqhf z$b-fp#z3M`q6mozps2)P;)A{z2{C~vmlG8U`rsv^F-ibKFo;BbGVw3?eJ`J)YiZ3< z{fQe6M$Ys%6K?#IESsZpG=u4Iqn8YXQUw9u#P$K9YfC4ljCr3QERA zh8Lk}hb9NQ$qhr?mkF?x;0iyD_&)EXtf*#_0NfUfHbKx8u;ij6RP$V;ja%Z7qal*Njk@TuM!3T6@R2y-iCCFh^ zLcv+HEI6=K;M5{UqGJwY$CMz>x(eAaRTao^Ne3^3c|KEW+IWR5Bq$lv30r6cwE>zf zixs%;RzZ1)gD6gQ`@=y?LC9IY+KXWW#(hAc^CZ>?;a-%<4tN|#a2v`FA~qFLWQuN8 z3vr@bAvz)%D91^|ia743SYJkx5+l)E-Urw&s>%%3N>Id#SArP4 z)K<~HYdNyeMgrQGc^Slec~2RRlB}Xb9YCp?EuZc1ExpyRxPq7IiwrxBU2x2hb~i`U zXd$ek-PlWDv)0O?!ycD}jLda>vZ)a~4)nWpAjq~7N=Bt6c1DDZDe#0I*^xYw`V)dH zmSng-MD$RKNt!TNvCA}tmKbIoN=`BmP%M;+L}#KDZOrxqJ0s4HSqsYrnq%~0GEYUi zmvO`zVfyC3*F3SA#nZa4DS-xPl>!mDELJQ@W+x$Xw2Z+eBNlQ=D)PF0b`};?tj1Bg z6!bN@Y@*eo$4u)e3age^q%EN6_Z68&8vzHT)9INBRz?bSmG2vcB9G*zTc<%g3e5poV}SFuchRjUmVA72{g!R`hsW>UduPX%msjok{?M}Vi}0=;ca<(& ze>(h>IeTL6^t`w9A*9Gxl_yUHP0!BKe%(6KK9*DUv0T?yZ%P$v8%f` zoV|4LNpzK^@0~8cJon~%N7oeWyH@O Date: Tue, 31 Jan 2023 21:29:02 +0100 Subject: [PATCH 09/21] Remove broken semicolon --- hosts/flora-6/mailman.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix index 340d3e03..318b1cd0 100644 --- a/hosts/flora-6/mailman.nix +++ b/hosts/flora-6/mailman.nix @@ -103,7 +103,7 @@ "--network=mailman-net" ]; volumes = [ - "/var/lib/mailman/database:/var/lib/postgresql/data"; + "/var/lib/mailman/database:/var/lib/postgresql/data" ]; environmentFiles = [ config.age.secrets.mailman-db-secrets.path From 8f0cde4c3dc315efffaf4da50d767f5f1d3a08c4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Tue, 31 Jan 2023 21:30:43 +0100 Subject: [PATCH 10/21] Remove broken semicolon --- hosts/flora-6/mailman.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix index 318b1cd0..e75aecda 100644 --- a/hosts/flora-6/mailman.nix +++ b/hosts/flora-6/mailman.nix @@ -75,7 +75,7 @@ autoStart = true; user = 993; volumes = [ - "/var/lib/mailman/web:/opt/mailman-web-data"; + "/var/lib/mailman/web:/opt/mailman-web-data" ]; extraOptions = [ "--network=mailman-net" From 5ade1c028ff92b167e6aa34ebcc7ba6a6fb858e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Tue, 31 Jan 2023 21:32:16 +0100 Subject: [PATCH 11/21] Build works --- hosts/flora-6/mailman.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix index e75aecda..9c7708ca 100644 --- a/hosts/flora-6/mailman.nix +++ b/hosts/flora-6/mailman.nix @@ -50,7 +50,7 @@ containers."mailman-core" = { image = "maxking/mailman-core:0.4"; autoStart = true; - user = 993; + user = "993"; volumes = [ "/var/lib/mailman/core:/opt/mailman/" ]; @@ -73,7 +73,7 @@ containers."mailman-web" = { image = "maxking/mailman-web:0.4"; autoStart = true; - user = 993; + user = "993"; volumes = [ "/var/lib/mailman/web:/opt/mailman-web-data" ]; @@ -83,8 +83,8 @@ environment = { DATABASE_TYPE = "postgres"; SERVE_FROM_DOMAIN = "list.pub.solar"; - MAILMAN_ADMIN_USER: "admin"; - MAILMAN_ADMIN_EMAIL: "admins@pub.solar"; + MAILMAN_ADMIN_USER = "admin"; + MAILMAN_ADMIN_EMAIL = "admins@pub.solar"; }; environmentFiles = [ config.age.secrets.mailman-web-secrets.path @@ -98,7 +98,7 @@ containers."mailman-db" = { image = "postgres:14-alpine"; autoStart = true; - user = 993; + user = "993"; extraOptions = [ "--network=mailman-net" ]; @@ -107,7 +107,7 @@ ]; environmentFiles = [ config.age.secrets.mailman-db-secrets.path - }; + ]; }; }; }; 
From db7f5c5254c55ccc1cc587672cf9afd4ad0d236e Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 31 Jan 2023 21:35:29 +0100 Subject: [PATCH 12/21] secrets: rekey for b12f-bbcom --- secrets/drone-db-secrets.age | Bin 489 -> 1149 bytes secrets/drone-secrets.age | Bin 774 -> 1480 bytes secrets/gitea-database-password.age | Bin 510 -> 1119 bytes secrets/gitea-mailer-password.age | Bin 472 -> 1110 bytes secrets/keycloak-database-password.age | Bin 469 -> 1158 bytes secrets/mailman-core-secrets.age | Bin 1373 -> 1453 bytes secrets/mailman-db-secrets.age | Bin 1279 -> 1184 bytes secrets/mailman-web-secrets.age | Bin 1383 -> 1370 bytes 8 files changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/drone-db-secrets.age b/secrets/drone-db-secrets.age index 35b78569976cfb9c76c91089d15156a4e7dd59d3..769002b02987d08be418ad99e5473d59fe004251 100644 GIT binary patch literal 1149 zcmZ9~yUXJQ003}sI3BnxsjSG_N*MxEs$w z5gp}FLl716UEhYP$v}yad8m`#mC^{U+`OgUK~xLBB+O|P0Ql4tYfH0fXR)E zrb#AIh~hXxT{y7odZ!C75{E@}q@dc;ifH97v%2iVJf=f^b9B0GbX1qg1`p?_45+fx zl5Me#iRy-2QrJR1nu<$gPFZi})7dbXoe}y{E^)#CHO6d)4Si84{%k}{g$c)~+;foz zd-|HP5L7Z1$PMs=c2L0m`n)Uxz>G@9wu}*VeLLVcN&woe#kbbBJg}hZEoRlW)=M5? z+3kN?-FO!n&lxZcB&3z0C`^ph!>z2p{^!uZ+l2o&X+0`^&VW=ZftXjd$imh~%)P>eg!Xl*#c;=^!m-@4S z$V-o#iNMaS$&D&ZVIDcu1qEW2r&GNcg{w|I&G%?1rh*t8S#%WY>B2&1!byU$v$A8` z&^nQ4z&-DWbA|+7Z0=McT2O00Pgms+dfA_#r&S;@}MYzVXWdmwnw3377&( z8PN`I3?kEA7=~%H*mvVd5fy4Ur@+@bGMx(E4w|OO6y=?*;5brSNAhOTSXjwAM?mu+ zLqnGpOfo!^Ec%GVteI_(%HV7*a3MABI<|!sF2lu z-?pz5w=UVY-mA0^{=D<;AHRR-{B^&4_oeT;%bRb1no*Bjzk2<}uW#SD_V`2hw4d@M zeDt|bzBHct;x_pse)F?8-URPGc;cJtnOC2_eD+TL{VneEyZ6(}k%3 delta 455 zcmV;&0XY8s2 zQg%s3V+wO?XLC?!HDqB@R&G~TZ**EYR!43{RZcQ!OLAyWVlilCbYe&|Swc;EGzu*~ zAaiqQEoEdfH8n9gAVOAic~n6lMpAM)OmBK&MtV_0cQ12JM}IX%MQm|bMN4N^adbF1 zW?E@^OmtOcSVd@63TJXxWokA}Pg+MZD{xXoLt{{PQde+lQ(;(RMPyPpcXvuSWo<`G zd1O>~3N1b$F<>oca%Ew2Wgv25WGGw;cx^dIS9y79csOxkM@C0&Pb+9+Y%e%9a!PAf zXkkZmIZIMcOn)(AHAYuePD5*PcWqWVMM7h6M+z-1Eg)rDMr~yfmf0kFfICXK0G?;899o;8*49NWs$Kv9 
diff --git a/secrets/drone-secrets.age b/secrets/drone-secrets.age index 3832733219b5c8c57a879973b238e653074bc5f0..80a14ef4ea7ec3125b6dfbabe1b9cb7a2354ba68 100644 GIT binary patch literal 1480 zcmZ9LTd3Ov0EYEUr)CHabwj74OhslrYtpnys#Djr=`HCcX_}^Gu;rdMNz){4ZlWM~ znGTt#AP$BOFB8-`&;vTD+LTHjC_}17^zhctZT&hI3xT z<`ZJs_V8lA3$sPFK5FF01IE?ZJg`%uCLQ3Cr4LeF+ls*)ouzTf zQO8hb+_Lk2AwNdSFc(cbtVL$Pl-8+XHZ5Q>QU$84P^yCj+a~H#)M8_cvgt<0^&~f~ z1Sr;RIT6MuRg|p;VP8+Ri=a~AY|AYZMgw&QT|hq)h^ka z^l)w{n>vP=1fNS22CrJ4JjO=`Ce&Rd$4wO)pin66#p+NP2zai}v*j|#3`ELA{X#P8 zc}}uGjB{#fltQOnhB7A2p*8KwM2jEO%(T%Q13HXSwMs}uKFm$&ZX7~>yPpIZKchl% zpOV1xSR3MTKU*iugFKB+IjB|Onvo#&+C~hP09Vqcm3kSD2SbbYN~Xmja7c)#7y6+{ zVI|KHn$5g|6(KUT%VrLXs+~xXt137eA_&g|{WL7s^oti6*J2E}YfPOD0BI&cWtn|KngHybesq73#vex#&j1p=MTN1t=Ln{uEh79z4;H|;16;B#&CYy ziR;!$o9-2NUwOpcUU}3$diHSU`0kB6)x+Y>T{o$zcNZP1RnMKi_1XQ~f4#7G%?rct z4&6V$U|;L8PnPU>;+2O95vo%rNEYj4?gRS2}n zw;^Klnrr7)p1I=HGyCtjZ-qNQb7YUTZq3WgnV(>I zIdoDxxqj#Tm4Cgxana(+cv^9GMs0XYLr{5hI9hr( zT2^jV3N1b$BQ0lgWnpt=AVMHeS!8P|Vl^N{Tr41ZCNoxfcR6(mYf5fea8f}wVN5h) zQBgrOX=q6`Vt+<#G%{@N5 zU{1AvDY)ScD#q7HEts6t9OSZN!l)m!ZIVzGMPypCd>FLEM)5{8g9jE9@`1DngWj#Z zkTB#xx0*K)qJ%q7`*-6#=+yTJQo1@y8$qUtGY`Yq8c+RV<1l-Z%yX9W2b)JWPs_@$ zF?nRX9)E>p4eR?Z@MG|f0rsvx>w6lixpxTe!|{Nt@!6(YM=6Mh55HN_4V zo68Z1ss|#}-6P;MEKfnUWeOi7k6i`3bBr#0h+$`_i1$krhEdL_O%I}^o-g5J3f}JI zcf!EDaO!Y9l<3cTT*#Zr*7QiL@ZywL@d)&wOO*(2b5S&m)z Y42PidZdR1(=MqXH>Q;uS<|~_3?-)Zf!TqY8yk1;l;(-#dWo0s5i(8cc$AoOoc7KMEZt4EK+V@ZNtLWfoT6{ zt7>UXl~QsX%?EiNr-wXBn55n*hDiht3;E?p^j1GO3O`X;?v`% zhXD`?7%GQ+lf5ZXMR4hs9^(|qMQD}1cRuzA3nd1cn9)!xXgVb{B$q3K3|xt$4k!(D zSyah#C!;9ij?u~XKnM{fgxzE?=AShy?;%K;Mog;DPbrshaS88IDE5YqA}j{u=&hpiIZ{}i!;~vJ8##MKv@Hvq`GE;8 z>U7PevUYBr)uAd%PFHP0wYC`AgSdH^d+U<66^k;89!4lFY2;>qbY;avEMPTU_7o9Y zMGvmm@|@S)lfR`SxUUk^jXJVeXI@Cr<$xHi9JWW9G$IN%WJjtFy~Ha(W5J7{WfAhE zC%i5Y1p(2yB02Ol81`H;pykcnV8?{&vA|SHpb%V1)#|+F5x7J16M#EJ<+)bsT?l+E zN(pDjl>|mZail73e~IYUAaYU_N>l##$FFU!;Q1`9e7E)iSHEGi*#yo&?6kFeXrqkP 
zV%-Totge_NFAAh4n49jb0?rKhuPNJ@w8L@BjSE_m95){Q3j*`t@(_-F^1M2k(A1T>p6Y f_b>3<*bl~=FTZly+qZ5#_TA*(qX$1#e|-86t15w| delta 476 zcmV<20VDq32>t_*EPrH6VlPucZ9z;mO*Ka`bZ}-xHEncla(FO9L3Jx;F=ApxIcYFc zPfBq!X9{R*NHa@kc~~zrWo2wMba6FgVp2#rZct4!HF$A&c}sIkcxP&OQ$$)XK?*HC zAaiqQEoEdfH8n9gAVOAic~n6lGBa*5a$!$MH8nwHdNMM4NPjqZZ!cA1VoFy=bT2h> zYfM8lL_tDTM=xqH3R6yKRBSY9S!s1OOh|f5Mn)@dcUMPvP&I07b!T`-WN&0KN-tMe zOl@{a3N1b$ELK7%TVEnAXL4m>b7cxybwVq4dT2B?M>jA{c{ONqY;P-UbVyfgOK(?1 zXKgliQ)yRXLVtNyb5S*KGb>_iY%(@PHEl#^XfR=CbY(_#3Rq8RV^C&eb4X29Pf15B zQh8%Jc{FS?S3@&uMOkq~YgR-|L048Z3N0-yAW&#iWpHk1d3khkVt7wdXmT%jOln6< zP&rIvW@|)jc}rM!bu?&XIc-yK3LNC(haiNh&#JCm{8egfrjAow@N>VtIF@m+nhEQ# z(Gao-<3E!USs`^uu$fXoBDqzB^n)DGn1wV0#)phu55Jo_@vR-c84JuvI=k6jR__O} SHzodxc@rG=O8_vpp`&~%LaIgp diff --git a/secrets/gitea-mailer-password.age b/secrets/gitea-mailer-password.age index 31402acd0197189aae6b9c22648ef06a1e8ab85f..8677fa145006268ff3c4a70f3e23825d60dfa2f7 100644 GIT binary patch literal 1110 zcmZ9~yAG>l0KjphIf-HL1x!o_7ei{fmpW*m@bLjHrQE@ZmbP5V^`lUD5|gvI90zqd zlkp^uE*cYeAHf`-K^9e}}wC--Jfy9=dFAz$XmxN+jabsJlpech{JK8IaKke8v%T(BHvVE4L4(23Zx2@#n z#ZDzAIXqrd2$XK%yfl-yELExI(ZM-}cC3!2!-g_9CQk=@EDtRJE_J+S2PNzdt3CfH zz0t5EM|V}VEflFJD)oT3hpQ#>Dl{_P7(J4$YN_;z(8Sz|3^u+6PMv3n*C=KHRL)No zL}+?)FIW8uY;jo}sstv$uJt72ha$Tc6ed`z9w>#a#Wn@NO+93qHB(RL7>gB0;MyGk z9)~)5a))3}CbC|gj{jYp@BQ-atG8c#_s)>NTKw?##aBQ6?Em%|_2Tv4fq89F delta 438 zcmWm9J&%)M007{@<-(+igUcD5xgH-ah1cOCrF;}hIa;8U#Gx;|<$!)d`Dl~7u8wzc za5rw6xH&pp;$JYDIC{T8hf7@4U-0Dldi3qV^~qtf*hHe(PE0<8dN|ygL1kzQ*;Uz@ zS3-6=wBVq+kPLCy!hBc`5s`$#!r$i_M+0#_Np$lZGPBTV@fPV2>n;Rd8%(gq8J_1C z4HPmgO9Q;)<~v)!CxWf6C|gaOrPHcA5_xdeV|rc|-n`G(OvuMT2fV3>)7rr(x}dB~ zNxb;HvUfZ(W|T**+C@oFU9HPWW0dSs+D}~A`_G{lXT&qqh%z+I5&n|Vqf2gq7fjcG zjx`mrL#sk%bqb589Zi`6uUZaj?m)qVK=l6@R|}1@YdL_W%F@ 
diff --git a/secrets/keycloak-database-password.age b/secrets/keycloak-database-password.age index 3fb2c130dc7e98e8cb2875e5eab14610a3e316ce..17a0c6dc8981805607711ad69b71f697a6236229 100644 GIT binary patch literal 1158 zcmZ9~y9?uV0KoA*gNq>eKnf}jvDfC=)Im-2Y?7u;^K1qoucmplc{lwlj3xxsN=~QfyOV5 zn&vQ$LX;qo`DizFU9TUJv_B(>8j%m-MpujD2GI3p?ajGzEhDicBI^mdJPO5`QfprG{1FCh0I}Ax+FD8TdHZV)QwXQ5~()W#YdTW1Lsb2&W-#?VYo=0 z+KF_L7EH7)LJc}qa zl=$J)`;a!b;7w?|l2R4EU*P_6n4Ju)QgeMqv}IsrC{Oo|x}A@vjaVY zwgC{MozQAbB*QD&obNo_tywqa)4rr<#l^}NLPk0v8P?XmpSG*6cFMZzmP6AQs0Jl{ zs0(TX=;Ml(mj!LtDY$e_5yo_%B$N~@^&DI7Gp<`}lVs2|qLCPWgKK!XnCRyWqJTi6 z`+e?7WK^o1EU*7rs=f^*KTD$(s^VzMNPkj2@@Ysj%-+1P)7e9aV?YDltdgq0^`1y6@#v7mf ORDX8w@AT2=W9uJ(+>%`Y delta 435 zcmZqUyvjU5r#?3&%0oM#%%He3IM>k2(%U06#WT~b(97M@ILa-mz$m*kpvuK7J3JuB zk;}{1&BQX@Dbw9A%d9M?JTt9SJKZnECA1{c(9px%(ksn1BPGzQB)Kr%lS|i5p}06h zH#Nn`)YQ;Y!6~e`GQ?4#*d(nuS>GVNyv)$uBey86ygo%=Kgrz5JSROjpgi2bHPX4r z(l6WJ$=#@!D={kABQw$?)GaE+!_>eeAXh&s!Y|1%%gxE#FQhEW*te=IH7U$bJ0;%$ zWSyCFT6(ohrK@gwQEFmwszN|sb#_FuZ>&PDLRv^@xSAJNWm1`wet=g>lBK_ar)5O3 zvq56Lw~L{dc2!w=QErxtVNsBKaC&k?lv$!B&K4hb?JzCYD2qFQB3XOOk!GxKxVt|nL`4u3oI@r%$ixYXsEmOVr-Dpn>fCfFsPl4A!3zwhPJHmiU+}$r>eyH@yiu6V zV$1ig^TTm50fCj9mZNC0V(4WE0@3ARNm0~v8LzeF38~R;#;aNEmd1M0E~{u#V3n#L z=>$QSo3p&om(nrNAN6?}FH2A*26ctN+yUFyAUI(nywLUrb8PCv&K&eXcKUw}7o)6? 
zEl&(Lme80T4^h4ky-_g^{{ECF?>71H=U)v@uXOQ?72n-M|`^swTq96S&m& zV}yvCI5%=CDr8xah!ZZQ8Vv3>M+Mme$oN|90O54oZfft8}nseHmHW|0l?85~j) z)$*gF;Bb0tE=CX)R#0nNDGbfjjSp^`lc-`jTtno;s3J7lPJy&^5w9~CG>cih zCKA1wX7l9+p_;7_jhf87-+^RB(gbfr5joH_ML|t{GZxP>*`Y8}F~D#f?4fDZMU zoi|yR8TCUEnUCi35bO{n7-=!?ccppJMuDu?X0gtM@40h6vn9>*t)f$&)Y7uwFmt!W z^ysEgWXlvXjyi;;Aw*Y*N0~B5a4zpnRG{JwL*A#|6i0?EE;~393TW4v2f?sl2t7lQ z#X(o@I+@rqRajCStH+6R42q=U@r^v=nkc~z4H7Tq<&H%5f>M%AzyfGj z-5z0UMva-##bHu`$Z$eY!2qgK6%y#Rq_pahF09W}FLn$b8$q&QiXLeBLdN+zEL7t# zcWAWU9w;`?u~;kjFMSQoZlYWg&r)-N-IWwVy zg@^q67$&w(w*+CfG7b$jG61>3F)$fAxyGX=?U!drK@}Lal-RLT=`6|`s)JG3wPM54 z7D)#(?ID#G8K~DwHKvbOf$DS;n*kQuXbEkB9E#C#0Oze)!RQ&It^+qbL*=EW#g2iM zm6c@;?x+h%GoWP3p;pr9m7!@vHmEKPhgPd!b1BF3ae9C%V_?In7iXuv|NV)Rm$K`= zKKS>E*N>jJ=cC=qV|Q*kvgzzkUfpzRYx(#iJC7X;*LLr@k}Lu37u@Xmm)_jueg5+f zeQC+tyY9yCk6ixgN3Y%e`>mS~pRup9?RNOK-@S*<&yW9b=;)*1ORt}^?rh+PE!!`y zuZG`d_f^k*ci+oTeJnOa?)aZqJpR+t!+Cb^=LdFPFx-`%q;IaT?|=B+q4uF$jzmvx z=I)`XNk29C!W6d(JMb3CL8yDar&tj*WUo2amz2? z2zP9FZd+l?#y!gywgCUlACIqY-L^s2K7)_l|4#VCAJ(VWBL{w6evsaO(b8q~B^%!h zj-0&a%x4F`eYt+ecKx2+YkxiX@v8WTxAm0=_OW|sf9>COUORhZ|Mm|azHIHlTL+b^ fq0Q?q9UQ!N^(yX=EYFr!4?liZ3p)JmT`&9tpHmwE literal 1373 zcmZ9~dx+Zv0LO6=wn=a>aYG#&cBtDl)~4+xO*S`7(ma|reWvN-hL|R4(j;x#q)n5` z9CIgZ&hx<-s5smZK^-`iA?k5DADptMiaHf1inj-B>Tc>7PSEoY|MB17Kc7E-UrAHL zYDad0Zog%B?y(&$;zfb*#*pjkVO5F2a1;yGpn6>z&QC>|=5$z2n`VK9xSF7+NTSlA z3ms9t3nAj<<7t5(1cou$xTs?ce6awVIE0^Mvmax?3b8I>ZFypd32RrCKE zA-aKphw5Sr)F24*7=b{NZ5j0CA&nzR4I4SNREcHF5Us1FfuK=9yq+GKt*RsRgQg1` zzCgd{s;Ae49+nbvTDpJ=K^;K?TN?~U3~2LlK;$%!6VQxQwxlAQv|W4%$56P@ z6?}ng#UUluRz%v7L8`}4Nt`7b=^{bq3guKGpU5X*K!V0lB_U)pmAsdZF}6s8q#-rf zW5*-F&SDR9!lb0U%Tn1sL# zF`l+K-%$oW)$?%}Vd4!-W-3jjkOt!|k*Ro)5y2cDU;{fwTis~3!<7qOE-=&OL4*|Q z1;+~DluM^FGYs6zW0vh$l#b(>k(658)OCXbQ>^Wg@E&)JQa0?vDgarw7dv zPSd>Tjo|8tmK>@-jKN?(j_^{QQThR0chyeG?rSmy^qFjb&nmk}jLLnt4^ zc^H%e5RDlSmLYmDY*hUyn!?8PG7{AACaPO#K=~a&^;kzs4o$XYv}mX|>SXFh5etHP zpB6{Sk{Un}C^P1p@Bl>!jLuM~gBEO2Msz5v7rH7S`o)S+PpB<6N}?W^7+MZK)^XcO 
zqAeITlqs?nktpjPVrQZ;ES`4ba<(C>5iXJ}^Zt+lN|x621Q8OHR_7`{3l)JPr?$OvNh=2N`KMU9gorjX zpM5wS>I4l#F+~#TQfWQ{H3dVe)QPMp~K*vl6Wu9}@Yvi3J~;lv*$ZxykjH2KE)1^fP741Hexf_XUi|GTdh$wX(J$cXSMK;~+t$Np|30~XdoZ~$boP;9@u%mE8TAOf@yt^iv*L-+ zsW(+)e?VT@JSW~a-JjkeUAi_D`Ec8=L!a$^i;!>W+?hLg-RzF34G4Dq*v*??c;>Yq z_8)5;Tk_EHH4k2;XHK6yU0=L=X2JMT@`G35v;5Tk&%cCzEiOkleZ1>|^u)Q%KzPr@ z?DQf4U$gG=nYr-Qots`?6zYCAmM3R7RhPcwX2zGT*z;a0a%}1NuZJ#j;Mo-UVPMkV$`N>NQ{sC;3^(p`W 
diff --git a/secrets/mailman-db-secrets.age b/secrets/mailman-db-secrets.age index c2a0ab33d20503ca20dfb214f4a26c3e6f5735e7..9a8581be6771e7706973ebc9d7339f5dbe05b22e 100644 GIT binary patch literal 1184 zcmZ9K%j??&0LNu`7(o;fbrWSp-59@Gn`e_KsAMtfrfJ%|+dK|)V+g`P zCmuXZoDWbOZXkG6*~x=2r;}ZG@Gy^pD1!~udGO*t@cDe;`?Y)*ODZQDgXaZBL)C4XmTIxLv%=6Zetu|EVxEO zMKKrzc7Rg<*|OYjg+oRKDL_o>qK?)CvNT6lCe12#G0WXVqvwIRNJnr|qjAsTRkEJ3 zfgjgqf4>uUxipaZ*>G7IfN#*-M8ySkmdTl93G8&j@0kHNiq;c4E(e)vvFo`b6dWuSOqAr}uFx}Q@+iWPjn+pR14 z_E6RtO)D=&)sg{Hi5+7iE=y3g)=JyOh5{W`5IYcMydtrXjX{@_m}#LU&}Prl3~iL7 zAuFQ<4s8=21Oj^uRXexcrV$CznI60b=OQZUEZ6XMY$J3;B{&7)s;kx_&ZJ4sn{=^N zM*9hD(hdwHj00M0%~rR2uXL2u8*_AqG|Qd1q>JT_&{;%~1GgQ*rHCr7wOkU&RG5iz zf$U4kEdeGBV_u&Vi$LHxf7$2vImp|Xi3Kh)(Z&YLYSVHL~htMzyV`DpR>x&(^ zMtifF0oa;qk@>a(6$nlPa=Of#hVKe^vYN1=->AK*wb_M8PnyOIFY%SU6N9ua{Uw0~ zOuCQ&FLsqe+sUM!;8;?(6VSL{Z#5)^w@utw^+ia8v6&Xw<-b3kA?uExd3Nr#4puE8 z0Qdp~I-O1nx<8wmv};b*D_ROL&~_IfWo=cmf!xY3wwalXbJ|mpF%Y(Iod5WV_YZaZ zh5Ni@|9$PJ@~gMP4=zs*|0beu-#Pok>7(aPo`39Wc>UftN1i!!Apdgn^siUXy!-5d z^OAY|@h?6*{^K>{=&4JOEdF}o!h5IQ_~X{$!^m~RyZhzkcfP(m(l5V!<8|ftYp?xz z@Z6IpPMlG@pMG2430{5k;=?s?^VaRB9;!Zi`s~Szf%U+ZM~@x3usZk2=igm=@cUyQ K-eYh7%>M)a%a=_6 literal 1279 zcmZ9LNvqrh0DwY&eBs^ z5rQ=g9Gy8V%jn2o4N(*(4sFPB+~&~A18*I&%(R2j2&Bf^hKq*+&GV`Pb9*pcv}!+0 zeX-sy0kq*ZZtKFOB+E(=A}N+))2fJK5gd@J8SSGsb zj=x%K1fMDszcBWuqu{w?8w=O)7%-5 zExsgl3DOxAnj}y_Q+fgeQ9KM32P_4Dyq#29H`AC9R+8hG#eJ3OctULcS{ zo$Ql_QaEL`lZH94H&jwYW~4kpwxRD{UxXt{GUhtki{q+Q*1+Z1KaqM95L? 
zsOfMu&d?|Vl6pGm25i>uF@hPyqakCl0_{1p)@~`@g58OOk$%hGR_g7pr!xDP=qXIm zW@E?8MF^M&)UF@eBE4=0Scm3DN!z7OxGs?(Zoeye1{cs78z%8QHzsvC#TP9u)1X68 zNUw(_AWQ{LmQ}D*ow3||>0)O1DFVu=glurq3vH%GSehgQi`!HIjn{)(pFznOvO&CZ z=n7cH7$ZBbA$S~XFJ#dWB}N7@CPmfxIO=d@wpq>h;>_#Ae>?U!+~cTG9)*SPmOcKzS3~9VH1u>w8b(_h2;c|n<@AQRNjae681D5GW zOto6`df@ViT6I|D84k5^24p^(GdsV(z0c9n;bJ3#UQ7<`<6u@~a09`?k|*&LYK0st zT&vwJGJmDc8ZZQo=@)+caCOJNbANu|{G&?#)v3(~)4LwRzBu>dd+VnJpgjB8YxiAE zpnLDW`1E7nUe;gLPyCR5{>q)FKRti#{QdX*_!fR}fw@J#|IIU(ADQ0x{`7%#Q~e3M za^{^&PriKX# zy=XY@y3RV+v%m=q%*-ZyzcXX#DGY;&gaWCm7AD*fQ5nY23Y0czTSOOy$K63J^?5Yn zYGAt1rX@2b+pQkb04Qgw^|MHj0Yy~BjkHzN9jI6lroA)~MmAj&VV@);GhQdEfD*-|e+Cdte;54k$eH1W^Y@gwSJnHsR7y(Tj z327SOfG!||I*+`H*D!UX5SIGJ;N&#@sIXOn!bm$ZhJ zY+r9lZNZ-+j9aWm0!i7b!`nQAc1wY*(6~r*5HJZsX<8MsL}g-0xeVC{CAZe<7=tkr z$9)rq^@0eMi$1EC>XDo2`jA4a^&Vc5EeqwS3c!y`zSU=41QN7zqdMuypxN;nqDQLa zH1G@<%jIhwq~5aFR&EeGBGYH(m=;D6fhh&32*?d6PfZ=h=E}UOFmjaZxlAQ4gRNA( zk->@@udrfECI%_Fo|*^_Hr5!b*!A3GH{ToOe4xQe+Js5xTVtISlU=rd1S4Y)+2Lkw%7Z@6Y<@{t@($kz1b5amb$wEj4 zj61NrbQfi6iW!>CZrVyUBf2ibb-h)Q1sh{T0RTsQ27^4aQvvI(T&iZb5mjv@Z7N@8 z29gtXFee(t6TIaYYFxI%DfWaxu%VtFcE?3r8UrJu(Lj?uIn!ov3-sDyRvCjGXi)LO zVN`+jVLLT$z*7`3DX83zOS2UK^~V;Z7h^S zBA%EjEgMm!K8!R1G326Ou4x&LNL8xfKM&5#BuJOZvYuaza~#$1LnXvhPBv(ZQbQR; zIaI{`d+MCemO0%aYmKo$IG(-+Jdy>TLhV#}B@K;+~_&F1$Qm zzkto{J8V~_8T;~$Bl4YF&Le|McP!m-<_vO9<$inR%jc(yp51O^mv+4U?ytL!SLt2i z%@=J9m^;7orUGw$^e<@dnF;mkW3Mf~cADLTA6dPFUG~Z4OE=E#I&gpM)Gs_Ry}oX`Rta1 MEB5ChDY-TAHy20r761SM literal 1383 zcmZA0+pp6E0Dy6cMq`mn3_K9goQR3Q7~R^nTLB5}x^CT0*LB_6u0S|l*R@+O>uqhf z$b-fp#z3M`q6mozps2)P;)A{z2{C~vmlG8U`rsv^F-ibKFo;BbGVw3?eJ`J)YiZ3< z{fQe6M$Ys%6K?#IESsZpG=u4Iqn8YXQUw9u#P$K9YfC4ljCr3QERA zh8Lk}hb9NQ$qhr?mkF?x;0iyD_&)EXtf*#_0NfUfHbKx8u;ij6RP$V;ja%Z7qal*Njk@TuM!3T6@R2y-iCCFh^ zLcv+HEI6=K;M5{UqGJwY$CMz>x(eAaRTao^Ne3^3c|KEW+IWR5Bq$lv30r6cwE>zf zixs%;RzZ1)gD6gQ`@=y?LC9IY+KXWW#(hAc^CZ>?;a-%<4tN|#a2v`FA~qFLWQuN8 z3vr@bAvz)%D91^|ia743SYJkx5+l)E-Urw&s>%%3N>Id#SArP4 
z)K<~HYdNyeMgrQGc^Slec~2RRlB}Xb9YCp?EuZc1ExpyRxPq7IiwrxBU2x2hb~i`U zXd$ek-PlWDv)0O?!ycD}jLda>vZ)a~4)nWpAjq~7N=Bt6c1DDZDe#0I*^xYw`V)dH zmSng-MD$RKNt!TNvCA}tmKbIoN=`BmP%M;+L}#KDZOrxqJ0s4HSqsYrnq%~0GEYUi zmvO`zVfyC3*F3SA#nZa4DS-xPl>!mDELJQ@W+x$Xw2Z+eBNlQ=D)PF0b`};?tj1Bg z6!bN@Y@*eo$4u)e3age^q%EN6_Z68&8vzHT)9INBRz?bSmG2vcB9G*zTc<%g3e5poV}SFuchRjUmVA72{g!R`hsW>UduPX%msjok{?M}Vi}0=;ca<(& ze>(h>IeTL6^t`w9A*9Gxl_yUHP0!BKe%(6KK9*DUv0T?yZ%P$v8%f` zoV|4LNpzK^@0~8cJon~%N7oeWyH@O Date: Tue, 31 Jan 2023 22:43:59 +0100 Subject: [PATCH 13/21] Add postfix to flora-6 --- hosts/flora-6/mailman.nix | 27 +- hosts/flora-6/postfix/main.cf | 692 ++++++++++++++++++++++++++++++++++ 2 files changed, 718 insertions(+), 1 deletion(-) create mode 100644 hosts/flora-6/postfix/main.cf diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix index 9c7708ca..c41a29ce 100644 --- a/hosts/flora-6/mailman.nix +++ b/hosts/flora-6/mailman.nix @@ -4,7 +4,12 @@ pkgs, self, ... -}: { +}: let + postfixConfig = pkgs.writeTextFile { + name = "main.cf"; + text = builtins.readFile ./postfix/main.cf; + }; +in { system.activationScripts.mkMailmanNet = let docker = config.virtualisation.oci-containers.backend; dockerBin = "${pkgs.${docker}}/bin/${docker}"; @@ -60,6 +65,7 @@ environment = { DATABASE_TYPE = "postgres"; DATABASE_CLASS = "mailman.database.postgresql.PostgreSQLDatabase"; + MTA = "postfix"; }; environmentFiles = [ config.age.secrets.mailman-core-secrets.path 
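Review bot: As far as I can tell `pkgs.writeTextFile` without a `destination` argument yields a store path that is itself the file, so the `${postfixConfig}/bin/main.cf` bind mount in the third hunk of this file (the `containers."mailman-postfix"` block) would point at a path that does not exist. Either add `destination = "/bin/main.cf";` next to `text` in the `let` binding added here, or drop the binding altogether and reference the file directly in the volume list: `"${./postfix/main.cf}:/etc/postfix/main.cf:ro"`, which also mounts the configuration read-only inside the container. The enclosing module attribute set continues outside this hunk.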
@@ -109,6 +115,25 @@
 config.age.secrets.mailman-db-secrets.path
 ];
 };
+
+ containers."mailman-postfix" = {
+ image = "mailu/postfix:1.9.46";
+ autoStart = true;
+ user = "993";
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ volumes = [
+ "/var/lib/mailman/postfix/overrides:/overrides:ro"
+ "/var/lib/mailman/postfix/mailqueue:/var/spool/postfix"
+ "/var/lib/mailman/postfix/data:/var/lib/postfix"
+ "/var/lib/mailman/core:/var/lib/mailman/core"
+ "${postfixConfig}/bin/main.cf:/etc/postfix/main.cf"
+ ];
+ environmentFiles = [
+ config.age.secrets.mailman-db-secrets.path
+ ];
+ };
 };
 };
 }
diff --git a/hosts/flora-6/postfix/main.cf b/hosts/flora-6/postfix/main.cf
new file mode 100644
index 00000000..56fb7947
--- /dev/null
+++ b/hosts/flora-6/postfix/main.cf
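Review bot: The new `mailman-postfix` container is handed `config.age.secrets.mailman-db-secrets.path` as an environment file, but nothing in this hunk shows the MTA needing database credentials; if the image needs them for a reason not visible here, say so in a comment next to the entry, otherwise drop it so a compromised MTA container cannot read the database password. On the same least-privilege line, `/var/lib/mailman/core` is mounted read-write although Postfix presumably only reads the LMTP and domain maps that Mailman core generates there, and the `main.cf` mount carries no `:ro`; `"/var/lib/mailman/core:/var/lib/mailman/core:ro"` and `"${postfixConfig}/bin/main.cf:/etc/postfix/main.cf:ro"` would be the tighter defaults unless the image is known to write into them. Separately, the mounted `main.cf` sets `mynetworks = mailman-core,mailman-web`; Postfix's `mynetworks` takes addresses, address/prefix patterns, files or lookup tables rather than host names, so unless the image rewrites that parameter at start-up the two Mailman containers will likely not be trusted to relay, which is worth verifying before relying on this setup.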
@@ -0,0 +1,692 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 3.6 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. 
+# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/libexec/postfix + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +myhostname = list.pub.solar +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. 
+# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. 
+# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. 
+# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. 
+# +# unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +mynetworks = mailman-core,mailman-web +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. 
See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. 
+# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. 
+ +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). 
+# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. 
+# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. 
Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+#
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+#
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+#
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter. The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+# >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# " where uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+# -dmS $process_name gdb $daemon_directory/$process_name
+# $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+#
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /etc/postfix
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix/readme
+inet_protocols = ipv4
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+
+
+# Config below taken and adapted from
+# https://github.com/maxking/docker-mailman#postfix
+recipient_delimiter = +
+unknown_local_recipient_reject_code = 550
+owner_request_special = no
+
+transport_maps =
+ regexp:/var/lib/mailman/core/var/data/postfix_lmtp
+local_recipient_maps =
+ regexp:/var/lib/mailman/core/var/data/postfix_lmtp
+relay_domains =
+ regexp:/var/lib/mailman/core/var/data/postfix_domains
From f49bc2b4b23f679d7f935b620deb8b3c251de44a Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 1 Feb 2023 11:14:50 +0100
Subject: [PATCH 14/21] Bump flake.lock, fix agenix overlay
agenix now uses overlays.default to export its overlay
---
 flake.lock | 126 +++++++++++++++++++++++++---------------------------
 flake.nix | 2 +-
 2 files changed, 61 insertions(+), 67 deletions(-)
diff --git a/flake.lock b/flake.lock
index f00a8e15..bb079220 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,17 @@
 "nodes": {
 "agenix": {
 "inputs": {
+ "darwin": "darwin",
 "nixpkgs": [
 "nixos"
 ]
 },
 "locked": {
- "lastModified": 1673301561,
- "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
+ "lastModified": 1675176355,
+ "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
+ "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
 "type": "github"
 },
 "original": {
@@ -20,22 +21,29 @@ "type": "github" } }, - "blank": { - "locked": { - "lastModified": 1625557891, - "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", - "owner": "divnix", - "repo": "blank", - "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "blank", - "type": "github" - } - }, "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "darwin_2": { "inputs": { "nixpkgs": [ "nixos" @@ -55,7 +63,7 @@ "type": "github" } }, - "darwin_2": { + "darwin_3": { "inputs": { "nixpkgs": [ "digga", @@ -63,11 +71,11 @@ ] }, "locked": { - "lastModified": 1651916036, - "narHash": "sha256-UuD9keUGm4IuVEV6wdSYbuRm7CwfXE63hVkzKDjVsh4=", + "lastModified": 1672753581, + "narHash": "sha256-EIi2tqHoje5cE9WqH23ZghW28NOOWSUM7tcxKE1U9KI=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "2f2bdf658d2b79bada78dc914af99c53cad37cba", + "rev": "3db1d870b04b13411f56ab1a50cd32b001f56433", "type": "github" }, "original": { @@ -107,11 +115,11 @@ ] }, "locked": { - "lastModified": 1655976588, - "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=", + "lastModified": 1671489820, + "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=", "owner": "numtide", "repo": "devshell", - "rev": "899ca4629020592a13a46783587f6e674179d1db", + "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634", "type": "github" }, "original": { 
@@ -147,18 +155,17 @@ }, "digga": { "inputs": { - "blank": "blank", - "darwin": "darwin_2", + "darwin": "darwin_3", "deploy": [ "deploy" ], "devshell": "devshell", "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "home-manager": [ "home" ], - "latest": "latest", "nixlib": [ "nixos" ], @@ -168,11 +175,11 @@ "nixpkgs-unstable": "nixpkgs-unstable" }, "locked": { - "lastModified": 1661600857, - "narHash": "sha256-KfQCcTtfvU0PXV4fD9XKIMcKx9lUUR0xWJoBgc12fKE=", + "lastModified": 1674947971, + "narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=", "owner": "pub-solar", "repo": "digga", - "rev": "c902b3ef0aa45cb4f336c390f647bb182c38a221", + "rev": "2da608bd8afb48afef82c6b1b6d852a36094a497", "type": "github" }, "original": { @@ -201,11 +208,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { @@ -247,7 +254,10 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_2" + "flake-utils": [ + "digga", + "flake-utils" + ] }, "locked": { "lastModified": 1654029967, @@ -266,11 +276,11 @@ }, "flake-utils_2": { "locked": { - "lastModified": 1644229661, - "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { 
@@ -356,27 +366,11 @@ }, "latest": { "locked": { - "lastModified": 1657265485, - "narHash": "sha256-PUQ9C7mfi0/BnaAUX2R/PIkoNCb/Jtx9EpnhMBNrO/o=", + "lastModified": 1675115703, + "narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b39924fc7764c08ae3b51beef9a3518c414cdb7d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "latest_2": { - "locked": { - "lastModified": 1674641431, - "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", + "rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44", "type": "github" }, "original": { @@ -388,11 +382,11 @@ }, "nixos": { "locked": { - "lastModified": 1674781052, - "narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=", + "lastModified": 1675154384, + "narHash": "sha256-gUXzyTS3WsO3g2Rz0qOYR2a26whkyL2UfTr1oPH9mm8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b", + "rev": "0218941ea68b4c625533bead7bbb94ccce52dceb", "type": "github" }, "original": { @@ -419,16 +413,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1657292830, - "narHash": "sha256-ldfVSTveWceDCmW6gf3B4kR6vwmz/XS80y5wsLLHFJU=", + "lastModified": 1672791794, + "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "334ec8b503c3981e37a04b817a70e8d026ea9e84", + "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -448,13 +442,13 @@ "root": { "inputs": { "agenix": "agenix", - "darwin": "darwin", + "darwin": "darwin_2", "deploy": "deploy", "digga": "digga", "flake-compat": "flake-compat_3", "home": "home", "keycloak-theme-pub-solar": "keycloak-theme-pub-solar", - "latest": "latest_2", + "latest": "latest", "nixos": "nixos", "nixos-hardware": "nixos-hardware", "nur": "nur", diff --git a/flake.nix b/flake.nix index 53d547d3..a7ec80db 100644 --- a/flake.nix +++ b/flake.nix @@ -81,7 +81,7 @@ }); }) nur.overlay - agenix.overlay + agenix.overlays.default (import ./pkgs) ]; From 9f0dcb8ed821f85c5f108eebf56e048c703ec7c2 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 1 Feb 2023 11:15:58 +0100 Subject: [PATCH 15/21] Use nix version from 22.11, prevent nvfetcher from rebuilding so much: it has nix as a dependency and won't find its hash in the binary cache if we override our nix version with the one from nixos-unstable. 22.11 has 2.11.1 which should be recent enough for us. --- overlays/overrides.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/overlays/overrides.nix b/overlays/overrides.nix index 177971e8..5650deda 100644 --- a/overlays/overrides.nix +++ b/overlays/overrides.nix @@ -14,7 +14,6 @@ channels: final: prev: { signal-desktop starship deploy-rs - nix tdesktop arduino arduino-cli From 8ef082756535090605b0c23a849f2b499b977e81 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 1 Feb 2023 11:14:50 +0100 Subject: [PATCH 16/21] Bump flake.lock, fix agenix overlay agenix now uses overlays.default to export its overlay See: https://github.com/ryantm/agenix/commit/64b05745148c72a1740a54418d1f91b9b361f323 --- flake.lock | 47 +++++++++++++++++++++++++++++++++++------------ flake.nix | 2 +- 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/flake.lock b/flake.lock index 80352d50..9b431f33 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,16 +2,17 @@ "nodes": { "agenix": { "inputs": { + "darwin": "darwin", "nixpkgs": [ "nixos" ] }, "locked": { - "lastModified": 1673301561, - "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "lastModified": 1675176355, + "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=", "owner": "ryantm", "repo": "agenix", - "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", + "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28", "type": "github" }, "original": { @@ -21,6 +22,28 @@ } }, "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "darwin_2": { "inputs": { "nixpkgs": [ "nixos" @@ -40,7 +63,7 @@ "type": "github" } }, - "darwin_2": { + "darwin_3": { "inputs": { "nixpkgs": [ "digga", @@ -107,7 +130,7 @@ }, "digga": { "inputs": { - "darwin": "darwin_2", + "darwin": "darwin_3", "deploy": [ "deploy" ], @@ -265,11 +288,11 @@ }, "latest": { "locked": { - "lastModified": 1674641431, - "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", + "lastModified": 1675115703, + "narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", + "rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44", "type": "github" }, "original": { 
@@ -281,11 +304,11 @@ }, "nixos": { "locked": { - "lastModified": 1674868155, - "narHash": "sha256-eFNm2h6fNbgD7ZpO4MHikCB5pSnCJ7DTmwPisjetmwc=", + "lastModified": 1675154384, + "narHash": "sha256-gUXzyTS3WsO3g2Rz0qOYR2a26whkyL2UfTr1oPH9mm8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ce20e9ebe1903ea2ba1ab006ec63093020c761cb", + "rev": "0218941ea68b4c625533bead7bbb94ccce52dceb", "type": "github" }, "original": { @@ -341,7 +364,7 @@ "root": { "inputs": { "agenix": "agenix", - "darwin": "darwin", + "darwin": "darwin_2", "deploy": "deploy", "digga": "digga", "flake-compat": "flake-compat_3", diff --git a/flake.nix b/flake.nix index 7bec396d..022d54af 100644 --- a/flake.nix +++ b/flake.nix @@ -73,7 +73,7 @@ }); }) nur.overlay - agenix.overlay + agenix.overlays.default (import ./pkgs) ]; From edc7335d48dd3236dc75b765a4b928fe3ffe20af Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 1 Feb 2023 11:15:58 +0100 Subject: [PATCH 17/21] Use nix version from 22.11, prevent nvfetcher from rebuilding so much: it has nix as a dependency and won't find its hash in the binary cache if we override our nix version with the one from nixos-unstable. 22.11 has 2.11.1 which should be recent enough for us. --- overlays/overrides.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/overlays/overrides.nix b/overlays/overrides.nix index 574f19c0..839426d0 100644 --- a/overlays/overrides.nix +++ b/overlays/overrides.nix @@ -14,7 +14,6 @@ channels: final: prev: { signal-desktop starship deploy-rs - nix tdesktop arduino arduino-cli From 2ed21e3b946ec1940405c45e0ee954d83953df77 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 1 Feb 2023 11:29:34 +0100 Subject: [PATCH 18/21] flake: make digga, deploy, agenix follow existing inputs This should reduce merge conflicts in the flake.lock file by reducing the number of locked inputs --- flake.lock | 95 ++++++++---------------------------------------------- flake.nix | 4 +++ 2 files changed, 18 insertions(+), 81 deletions(-) 
diff --git a/flake.lock b/flake.lock index 9b431f33..9602605f 100644 --- a/flake.lock +++ b/flake.lock @@ -2,7 +2,9 @@ "nodes": { "agenix": { "inputs": { - "darwin": "darwin", + "darwin": [ + "darwin" + ], "nixpkgs": [ "nixos" ] @@ -22,28 +24,6 @@ } }, "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, - "darwin_2": { "inputs": { "nixpkgs": [ "nixos" @@ -63,30 +43,11 @@ "type": "github" } }, - "darwin_3": { - "inputs": { - "nixpkgs": [ - "digga", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1672753581, - "narHash": "sha256-EIi2tqHoje5cE9WqH23ZghW28NOOWSUM7tcxKE1U9KI=", - "owner": "LnL7", - "repo": "nix-darwin", - "rev": "3db1d870b04b13411f56ab1a50cd32b001f56433", - "type": "github" - }, - "original": { - "owner": "LnL7", - "repo": "nix-darwin", - "type": "github" - } - }, "deploy": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": [ + "flake-compat" + ], "nixpkgs": [ "nixos" ], @@ -130,12 +91,16 @@ }, "digga": { "inputs": { - "darwin": "darwin_3", + "darwin": [ + "darwin" + ], "deploy": [ "deploy" ], "devshell": "devshell", - "flake-compat": "flake-compat_2", + "flake-compat": [ + "flake-compat" + ], "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "home-manager": [ 
@@ -165,38 +130,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { "flake": false, "locked": { "lastModified": 1673956053, @@ -364,10 +297,10 @@ "root": { "inputs": { "agenix": "agenix", - "darwin": "darwin_2", + "darwin": "darwin", "deploy": "deploy", "digga": "digga", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat", "home": "home", "latest": "latest", "nixos": "nixos", diff --git a/flake.nix b/flake.nix index 022d54af..d1f2599b 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,8 @@ digga.inputs.nixlib.follows = "nixos"; digga.inputs.home-manager.follows = "home"; digga.inputs.deploy.follows = "deploy"; + digga.inputs.darwin.follows = "darwin"; + digga.inputs.flake-compat.follows = "flake-compat"; home.url = "github:nix-community/home-manager/release-22.11"; home.inputs.nixpkgs.follows = "nixos"; @@ -27,9 +29,11 @@ deploy.url = "github:serokell/deploy-rs"; deploy.inputs.nixpkgs.follows = "nixos"; + deploy.inputs.flake-compat.follows = "flake-compat"; agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixos"; + agenix.inputs.darwin.follows = "darwin"; nixos-hardware.url = "github:nixos/nixos-hardware"; }; From 8fb6ba33b2cbac3274558433c964f84f5da52a54 Mon Sep 17 00:00:00 2001 
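Review bot: After this change digga still locks its own `nixpkgs-unstable` node (the lock context earlier in this series shows `"nixpkgs-unstable": "nixpkgs-unstable"` under digga's inputs, and an earlier lock hunk moves that node's ref to `nixos-unstable`, which appears to be the same channel the root `latest` input tracks), so the stated goal of fewer locked inputs leaves one nixpkgs duplicate behind. If digga does not need its own pin there, `digga.inputs.nixpkgs-unstable.follows = "latest";` next to the other `digga.inputs.*.follows` lines would remove it; confirm first that digga evaluates cleanly against the root's `latest`. The `flake-utils` node that `flake-utils-plus` now reaches through digga also stays separately locked, but no matching root input is visible here to point it at. The `inputs` attribute set these lines belong to starts above the hunk.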
From: teutat3s
Date: Wed, 1 Feb 2023 12:27:05 +0100
Subject: [PATCH 19/21] ci: check build of flora-6 in infra branch
---
 .drone.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index 093f50e4..d1696240 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -15,7 +15,7 @@ steps:
 commands:
 - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
 - nix $$NIX_FLAGS develop --command nix flake show
- - nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
+ - nix $$NIX_FLAGS build ".#nixosConfigurations.flora-6.config.system.build.toplevel"
 ---
 kind: pipeline
@@ -148,6 +148,6 @@ volumes:
 ---
 kind: signature
-hmac: 67d75675e20adcbdeff528915795d39b7b80575be92c08ec332ffdc63437aa61
+hmac: 59c35601e641341216eaba764756a96dfe9137f7c6255aa889b12c73af77f244
 ...
From b6ebd71c6125b9536f023a14cf5dc96f270f3007 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 1 Feb 2023 13:15:30 +0100
Subject: [PATCH 20/21] keycloak: use version 20.0.3 from nixos-22.11
It's the same version as on nixos-unstable
---
 hosts/flora-6/flora-6.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 08af3d5d..d7c59716 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@@ -25,11 +25,9 @@ in {
 profiles.users.root
 # make sure to configure ssh keys
 profiles.users.barkeeper
- "${latestModulesPath}/services/web-apps/keycloak.nix"
 "${latestModulesPath}/services/misc/gitea.nix"
 ];
 disabledModules = [
- "services/web-apps/keycloak.nix"
 "services/misc/gitea.nix"
 ];
From 3c422fee62ac295498dac6d3a9892da91c87b5f2 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 1 Feb 2023 13:17:04 +0100
Subject: [PATCH 21/21] mailmain: fix postfix main.cf path
---
 hosts/flora-6/mailman.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix
index c41a29ce..eb4ed151 100644
--- a/hosts/flora-6/mailman.nix
+++ b/hosts/flora-6/mailman.nix
@@ -128,7 +128,7 @@ in {
 "/var/lib/mailman/postfix/mailqueue:/var/spool/postfix"
 "/var/lib/mailman/postfix/data:/var/lib/postfix"
 "/var/lib/mailman/core:/var/lib/mailman/core"
- "${postfixConfig}/bin/main.cf:/etc/postfix/main.cf"
+ "${postfixConfig}:/etc/postfix/main.cf"
 ];
 environmentFiles = [
 config.age.secrets.mailman-db-secrets.path
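Review bot: The new mount binds `${postfixConfig}` itself onto `/etc/postfix/main.cf`, so this only works if `postfixConfig` evaluates to a single-file store path rather than a derivation output directory; its definition is above the hunk, and the old `/bin/main.cf` suffix suggests it was a directory before, so that is worth confirming. Because the source is a Nix store path it is world-readable on the host, which is fine as long as main.cf stays free of credentials; the main.cf added earlier in this series only references on-disk map files, consistent with that. Marking the bind mount read-only inside the container, `"${postfixConfig}:/etc/postfix/main.cf:ro"`, would make that intent explicit if the container runtime used here accepts the docker-style suffix. The `volumes` list this line belongs to starts above the hunk.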