feat(mail): configure Postfix relay with SOPS encrypted secrets

Added configuration for Postfix to use an external SMTP relay with encrypted credentials managed by SOPS. Updated `mail.nix` to include relay settings and linked the secrets file for password storage.
2025-05-21 09:30:30 +02:00 · 2025-05-21 09:30:30 +02:00 · ac0eef954d
parent ab30ca1c6d
commit ac0eef954d
2 changed files with 53 additions and 3 deletions
--- a/.secrets/sgx/relay.yaml
+++ b/.secrets/sgx/relay.yaml
@ -0,0 +1,30 @@
+sasl_passwd: ENC[AES256_GCM,data:g2titpP1BJJVKtf28nNMMt0Ih07X7Hbo0X8WPM8vzx6elk9bg2F3zYeyL+3mX8TA5f0j5czaArdzImtV2yeP,iv:trWQ8dkgLlkt6ZEn+smGRCymwSQ1PT9/5+IDAA2dBBs=,tag:8m2kgVcozz/nXh1Pjux9tg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age149fqcw5jze00vd7jauylrp4j5xyv7amlu57jjfuzghkqtzlnxajs704uz3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R2VtQzk0b051NC9yRGh6
+            cWlUM2xDZkJGYWQvTDZneWVBYlJJNCtqV0VnCnY5NjJpZ2VBL215bWpHTWFicXVF
+            WDFsUnI2cU5BRi8vMWZrT3lKU25EbmsKLS0tIE9iVXNTK2laSEhMb0RDWmJoSEhF
+            SG8vblBGczBITUVCWlEwdCt6TExDb28KyNeytOtFgmCIb7guFaMkXscywFwMDgwH
+            eXAXxmyLytCD0BJzySOkiyVU3KBxLKR5dKmlXdP5nbYp490A2CFHrA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUm16d0NrUS95VVB3MmI4
+            WnZuaEZMZXlzcGZpU2xVREdWaG43UkZna1hJCnpSZHd1VjZENlRrNUJZY21lenJi
+            Vm42cThZY3Q1TVBuSTFMVzQ0VW9UZEUKLS0tIFpkYXNvOGhkdVBNTFY0cENoNWtI
+            TjBUM3NhdXdRNmE4S2hZZWdDNFhsKzgKhr/h3AB5QrXtw3cU8Uj05mUVvwiXWnkD
+            QGIUXkeYGRpydARKtqS+JRfhBEqNvbGA7ZQfRl6nthVQW6+Z4A/meA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-21T07:23:21Z"
+    mac: ENC[AES256_GCM,data:CYBVtcCA+9VnoywXYKDnwW4CQ+ej6Z1mJjXeVOa2QnTICLmjFYw8RXlq/MiXOICUUR14/f5MkEZ2cDpfT75VMtnR7H/8/fyztyhrqADE7Zq17I46OY/9DQSPVn0bIHkxIObMV4/zUZlKxEjPIqs5E9q3bYVbBNcvmFTatlwguuQ=,iv:33edv7Y0OIgrQqhW+K5EAZKqr+WRyJGG7EKBwNIAqSQ=,tag:udCcDkdNmPxLbcfXk2qfFA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/systems/x86_64-linux/sgx/mail.nix
+++ b/systems/x86_64-linux/sgx/mail.nix
@ -4,7 +4,27 @@
    mailutils
    mutt
  ];
-  services.postfix.enable = true;
-  services.postfix.rootAlias = config.metacfg.user.name;
-  services.postfix.extraAliases = "admin: root";
+
+  services.postfix = {
+    enable = true;
+    relayHost = "smtp.gmail.com";
+    relayPort = 587;
+    rootAlias = "harald.hoyer@gmail.com";
+    extraAliases = "admin: root";
+    config = {
+      smtp_use_tls = "yes";
+      smtp_sasl_auth_enable = "yes";
+      smtp_sasl_security_options = "";
+      smtp_sasl_password_maps = "texthash:${config.sops.secrets.sasl_passwd.path}";
+      # optional: Forward mails to root (e.g. from cron jobs, smartd)
+      # to me privately and to my work email:
+      virtual_alias_maps = "inline:{ {root=you@gmail.com, you@work.com} }";
+    };
+  };
+
+  sops.secrets.sasl_passwd = {
+    sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
+    owner = config.services.postfix.user;
+  };
+
 }