feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

2023-07-05 15:55:04 +02:00 · 2023-07-05 15:55:04 +02:00 · b481126ae2
commit b481126ae2
parent 6587a914e4
55 changed files with 877 additions and 452 deletions
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -1,4 +1,5 @@
 {
+  repoFlake,
  hostAddress,
  localAddress,
  imapsPort ? 993,
@ -7,10 +8,34 @@
 }: let
  passwords = import ../../variables/passwords.crypt.nix;
 in {
-  config = {pkgs, ...}: {
+  config = {
+    pkgs,
+    config,
+    ...
+  }: {
    system.stateVersion = "21.11"; # Did you read the comment?

-    imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
+    imports = [
+      ../profiles/containers/configuration.nix
+
+      repoFlake.inputs.sops-nix.nixosModules.sops
+      ../profiles/common/user.nix
+    ];
+
+    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
+    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    sops.secrets.email_mailStefanjunkerDe = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.steveej.name;
+    };
+    sops.secrets.email_schtifATwebDe = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.steveej.name;
+    };
+    sops.secrets.email_dovecot_steveej = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.dovecot2.name;
+    };

    networking.firewall.enable = false;

@ -54,9 +79,10 @@ in {
      '';
    };

-    environment.etc."dovecot/users".text = ''
-      steveej:${passwords.email.steveej}
-    '';
+    # environment.etc."dovecot/users".text = ''
+    #   steveej:${passwords.email.steveej}
+    # '';
+    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;

    systemd.services.steveej-getmail-stefanjunker = {
      enable = true;
@ -79,7 +105,7 @@ in {
          server = ssl0.ovh.net
          port = 993
          username = mail@stefanjunker.de
-          password = ${passwords.email.mailStefanjunkerDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
          mailboxes = ('INBOX',)

          [destination]
@ -112,7 +138,7 @@ in {
          server = imap.web.de
          port = 993
          username = schtif
-          password = ${passwords.email.schtifATwebDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
          mailboxes = ('INBOX',)

          [destination]
@ -128,6 +154,9 @@ in {
  inherit autoStart;

  bindMounts = {
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
+
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
      isReadOnly = false;