Move all flakes into modules/ and sep't, create deploy script for a1d2
Change-Id: Ie4d50fb8f16da193195beb139922a366b72b0b0a
diff --git a/modules/common/dmarc.nix b/modules/common/dmarc.nix
new file mode 100644
index 0000000..3266214
--- /dev/null
+++ b/modules/common/dmarc.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }: {
+ users.users.parsedmarc = {
+ isSystemUser = true;
+ createHome = true;
+ home = "/services/parsedmarc";
+ group = config.users.groups.clicks.name;
+ shell = pkgs.bashInteractive;
+ };
+ sops.secrets = lib.pipe [ "imap_password" "maxmind_license_key" ] [
+ (map (name: {
+ inherit name;
+ value = {
+ mode = "0400";
+ owner = config.users.users.parsedmarc.name;
+ group = config.users.users.parsedmarc.group;
+ sopsFile = ../../secrets/dmarc.json;
+ format = "json";
+ };
+ }))
+ builtins.listToAttrs
+ ];
+
+ services.parsedmarc = {
+ enable = true;
+ settings.imap = {
+ host = "mail.clicks.codes";
+ user = "dmarc@clicks.codes";
+ password = { _secret = config.sops.secrets.imap_password.path; };
+ };
+ settings.mailbox = {
+ watch = true;
+ delete = false;
+ };
+ };
+ services.geoipupdate.settings = {
+ AccountID = 863877;
+ LicenseKey = { _secret = config.sops.secrets.maxmind_license_key.path; };
+ };
+ systemd.services.geoipupdate-create-db-dir.script = lib.mkForce ''
+ set -o errexit -o pipefail -o nounset -o errtrace
+ shopt -s inherit_errexit
+
+ mkdir -p ${config.services.geoipupdate.settings.DatabaseDirectory}
+ chmod 0750 ${config.services.geoipupdate.settings.DatabaseDirectory}
+
+ chgrp clicks ${config.services.geoipupdate.settings.DatabaseDirectory}
+ # The license agreement does not allow us to let non-clicks users access the database
+ '';
+}
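Review bot: The `parsedmarc` system account is given a login shell by `shell = pkgs.bashInteractive;` plus a created home, which is more than a daemon account normally needs. If the shell is only there for occasional debugging, drop the line so the account keeps the default non-login shell, or add a comment such as `# interactive shell needed for <reason>`. In the `geoipupdate-create-db-dir` script the `${config.services.geoipupdate.settings.DatabaseDirectory}` interpolations are unquoted and the group is hard-coded as `clicks`, while the user definition uses `config.users.groups.clicks.name`. Wrapping the path in `lib.escapeShellArg` and using `chgrp ${config.users.groups.clicks.name}` would keep the licence-driven restriction tied to the declared group. Both secrets are owned by `parsedmarc` with mode `0400`, yet `maxmind_license_key` is consumed by geoipupdate; presumably that unit reads `_secret` files with elevated privileges, but this should be confirmed.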