about summary refs log tree commit diff
path: root/ops/nixos
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2020-06-13T01·11+0100
committertazjin <mail@tazj.in>2020-06-13T01·23+0000
commitc2a5073339a0f1fbba13648cb93579937c2519db (patch)
tree421d1d21f94f481f05b5d9270b53fa349bfa52a6 /ops/nixos
parentde4f540ed108996e82cf687c29aacf520dda7d11 (diff)
feat(nixos/smtprelay): Add derivation & module for SMTP relay r/924
This adds a little tool that can be used to relay mail to Gmail (and
other SMTP servers). It is intended to be used by Gerrit, which is
incompatible with Gmail's SMTP servers.

Configuration has been tested by performing a few sends through the
tvlbot@tazj.in account.

Note that this is using the standard Gmail SMTP server. Using the
smtp-relay server relies on IP whitelisting, but camden.tazj.in has a
larger number of IPv6 addresses than can be whitelisted (the maximum
is 65k). This means that we are limited to 2000 mails per recipient
per day, which should be fine.

Change-Id: Ie43564d753030f5c800a9cdb4ae98292877d80dc
Reviewed-on: https://cl.tvl.fyi/c/depot/+/101
Reviewed-by: edef <edef@edef.eu>
Diffstat (limited to 'ops/nixos')
-rw-r--r--ops/nixos/camden/default.nix12
-rw-r--r--ops/nixos/modules/smtprelay.nix52
2 files changed, 64 insertions, 0 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index ea8f0f5ad25b..46e0a3981c8b 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -18,6 +18,7 @@ in lib.fix(self: {
     ../modules/depot.nix
     ../modules/hound.nix
     ../modules/monorepo-gerrit.nix
+    ../modules/smtprelay.nix
     ../modules/tvl-slapd/default.nix
     "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
   ];
@@ -277,6 +278,17 @@ in lib.fix(self: {
     };
   };
 
+  # Start a local SMTP relay to Gmail (used by gerrit)
+  services.depot.smtprelay = {
+    enable = true;
+    args = {
+      listen = ":2525";
+      remote_host = "smtp.gmail.com:587";
+      remote_auth = "plain";
+      remote_user = "tvlbot@tazj.in";
+    };
+  };
+
   # serve my website(s)
   services.nginx = {
     enable = true;
diff --git a/ops/nixos/modules/smtprelay.nix b/ops/nixos/modules/smtprelay.nix
new file mode 100644
index 000000000000..ca960f5190a8
--- /dev/null
+++ b/ops/nixos/modules/smtprelay.nix
@@ -0,0 +1,52 @@
+# NixOS module for configuring the simple SMTP relay.
+{ pkgs, config, lib, ... }:
+
+let
+  inherit (builtins) attrValues mapAttrs;
+  inherit (lib)
+    concatStringsSep
+    mkEnableOption
+    mkOption
+    types
+;
+
+  cfg = config.services.depot.smtprelay;
+  description = "Simple SMTP relay";
+
+  # Configuration values that are always overridden. In particular,
+  # `config` is specified to always load $StateDirectory/secure.config
+  # (so that passwords can be loaded from there) and logging is pinned
+  # to stdout for journald compatibility.
+  overrideArgs = {
+    logfile = "";
+    config = "/var/lib/smtprelay/secure.config";
+  };
+
+  # Creates the command line argument string for the service.
+  prepareArgs = args:
+    concatStringsSep " "
+      (attrValues (mapAttrs (key: value: "-${key} '${toString value}'")
+                            (args // overrideArgs)));
+in {
+  options.services.depot.smtprelay = {
+    enable = mkEnableOption description;
+    args = mkOption {
+      type = types.attrsOf types.str;
+      description = "Key value pairs for command line arguments";
+    };
+  };
+
+  config = {
+    systemd.services.smtprelay = {
+      inherit description;
+      script = "${config.depot.third_party.smtprelay}/bin/smtprelay ${prepareArgs cfg.args}";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Restart = "always";
+        StateDirectory = "smtprelay";
+        DynamicUser = true;
+      };
+    };
+  };
+}