Wire up restartUnits on secrets whose consumers cache them in memory (daemons read at startup), so sops-nix restarts the affected unit on activation when the decrypted content changes: - firefly: app_key → phpfpm-firefly-iii; auto_import_secret + access_token → phpfpm-firefly-iii-data-importer - searx: secret_key → uwsgi - opencode: web password → opencode-serve - mail: sasl_passwd → postfix - forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy token, restic backup creds, acme dns creds, wg conf) are left as-is.
{ pkgs, config, ... }:
|
|
{
|
|
environment.systemPackages = with pkgs; [
|
|
mailutils
|
|
mutt
|
|
];
|
|
|
|
services.postfix = {
|
|
enable = true;
|
|
settings.main = {
|
|
relayhost = [ "[smtp.gmail.com]:587" ];
|
|
smtp_use_tls = "yes";
|
|
smtp_sasl_auth_enable = "yes";
|
|
smtp_sasl_security_options = "";
|
|
smtp_sasl_password_maps = "texthash:${config.sops.secrets.sasl_passwd.path}";
|
|
# optional: Forward mails to root (e.g. from cron jobs, smartd)
|
|
virtual_alias_maps = "inline:{ root=harald.hoyer@gmail.com, admin=harald.hoyer@gmail.com }";
|
|
};
|
|
};
|
|
|
|
sops.secrets.sasl_passwd = {
|
|
sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
|
|
owner = config.services.postfix.user;
|
|
restartUnits = [ "postfix.service" ];
|
|
};
|
|
|
|
}
|
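Review bot: `smtp_sasl_security_options = "";` clears Postfix's default `noplaintext, noanonymous`, so PLAIN/LOGIN mechanisms are allowed, while `smtp_use_tls = "yes";` only requests opportunistic STARTTLS; if TLS negotiation with the relay fails, the credentials from the texthash map could be sent in clear. Since the relay is a fixed submission host on port 587, enforcing encryption is cheap: replace the `smtp_use_tls` line with `smtp_tls_security_level = "encrypt";` (which supersedes `smtp_use_tls`) and, if plaintext mechanisms are needed only under TLS, keep the default `smtp_sasl_security_options` and set `smtp_sasl_tls_security_options = "noanonymous";` instead. The `restartUnits = [ "postfix.service" ];` addition itself looks right, since the SASL map is read at startup; note that restarting postfix on each secret change briefly interrupts delivery, which is acceptable here given deferred queueing. A `# enforce TLS to the relay; SASL credentials must never go in clear` comment on the TLS line would make the intent explicit.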