feat: migrate all containers and hosts to sops
nix/os/devices/sj-vps-htz0: bump versions
nix/os/devices/elias-e525: bump versions
nix/os/devices/steveej-t14: bump versions
nix/os/devices/justyna-p300: bump versions
This commit is contained in:
parent
4e0d0c3abd
commit
ea7caae226
25 changed files with 241 additions and 180 deletions
|
@ -5,9 +5,7 @@
|
|||
imapsPort ? 993,
|
||||
sievePort ? 4190,
|
||||
autoStart ? false,
|
||||
}: let
|
||||
passwords = import ../../variables/passwords.crypt.nix;
|
||||
in {
|
||||
}: {
|
||||
config = {
|
||||
pkgs,
|
||||
config,
|
||||
|
@ -22,7 +20,9 @@ in {
|
|||
../profiles/common/user.nix
|
||||
];
|
||||
|
||||
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
|
||||
# sops.defaultSopsFile = ./mailserver_secrets.yaml;
|
||||
|
||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||
sops.secrets.email_mailStefanjunkerDe = {
|
||||
sopsFile = ./mailserver_secrets.yaml;
|
||||
|
@ -44,6 +44,15 @@ in {
|
|||
domain = "mailserver.svc.stefanjunker.de";
|
||||
};
|
||||
|
||||
# TODO: switch to a let's encrypt certificate
|
||||
sops.secrets.dovecotSslServerCert = {
|
||||
sopsFile = ./mailserver_secrets.yaml;
|
||||
owner = config.users.users.dovecot2.name;
|
||||
};
|
||||
sops.secrets.dovecotSslServerKey = {
|
||||
sopsFile = ./mailserver_secrets.yaml;
|
||||
owner = config.users.users.dovecot2.name;
|
||||
};
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
|
||||
|
@ -55,8 +64,8 @@ in {
|
|||
enablePAM = true;
|
||||
showPAMFailure = true;
|
||||
mailLocation = "maildir:~/.maildir";
|
||||
sslServerCert = "/etc/secrets/server.pem";
|
||||
sslServerKey = "/etc/secrets/server.key";
|
||||
sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
|
||||
sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
|
||||
|
||||
#configFile = "/etc/dovecot/dovecot2_manual.conf";
|
||||
extraConfig = ''
|
||||
|
@ -79,9 +88,6 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
# environment.etc."dovecot/users".text = ''
|
||||
# steveej:${passwords.email.steveej}
|
||||
# '';
|
||||
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
|
||||
|
||||
systemd.services.steveej-getmail-stefanjunker = {
|
||||
|
@ -154,14 +160,10 @@ in {
|
|||
inherit autoStart;
|
||||
|
||||
bindMounts = {
|
||||
# FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
|
||||
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
|
||||
|
||||
"/etc/secrets/" = {
|
||||
hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
"/home" = {
|
||||
hostPath = "/var/lib/container-volumes/mailserver/home";
|
||||
isReadOnly = false;
|
||||
|
|