feat(nixos/smtprelay): Add derivation & module for SMTP relay

This adds a little tool that can be used to relay mail to Gmail (and other SMTP servers). It is intended to be used by Gerrit, which is incompatible with Gmail's SMTP servers. Configuration has been tested by performing a few sends through the tvlbot@tazj.in account. Note that this is using the standard Gmail SMTP server. Using the smtp-relay server relies on IP whitelisting, but camden.tazj.in has a larger number of IPv6 addresses than can be whitelisted (the maximum is 65k). This means that we are limited to 2000 mails per recipient per day, which should be fine. Change-Id: Ie43564d753030f5c800a9cdb4ae98292877d80dc Reviewed-on: https://cl.tvl.fyi/c/depot/+/101 Reviewed-by: edef <edef@edef.eu>
2020-06-13 02:11:00 +01:00 · 2020-06-13 02:11:00 +01:00 · c2a5073339
commit c2a5073339
parent de4f540ed1
3 changed files with 84 additions and 0 deletions
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@ -18,6 +18,7 @@ in lib.fix(self: {
    ../modules/depot.nix
    ../modules/hound.nix
    ../modules/monorepo-gerrit.nix
+    ../modules/smtprelay.nix
    ../modules/tvl-slapd/default.nix
    "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
  ];
@ -277,6 +278,17 @@ in lib.fix(self: {
    };
  };

+  # Start a local SMTP relay to Gmail (used by gerrit)
+  services.depot.smtprelay = {
+    enable = true;
+    args = {
+      listen = ":2525";
+      remote_host = "smtp.gmail.com:587";
+      remote_auth = "plain";
+      remote_user = "tvlbot@tazj.in";
+    };
+  };
+
  # serve my website(s)
  services.nginx = {
    enable = true;
--- a/ops/nixos/modules/smtprelay.nix
+++ b/ops/nixos/modules/smtprelay.nix
@ -0,0 +1,52 @@
+# NixOS module for configuring the simple SMTP relay.
+{ pkgs, config, lib, ... }:
+
+let
+  inherit (builtins) attrValues mapAttrs;
+  inherit (lib)
+    concatStringsSep
+    mkEnableOption
+    mkOption
+    types
+;
+
+  cfg = config.services.depot.smtprelay;
+  description = "Simple SMTP relay";
+
+  # Configuration values that are always overridden. In particular,
+  # `config` is specified to always load $StateDirectory/secure.config
+  # (so that passwords can be loaded from there) and logging is pinned
+  # to stdout for journald compatibility.
+  overrideArgs = {
+    logfile = "";
+    config = "/var/lib/smtprelay/secure.config";
+  };
+
+  # Creates the command line argument string for the service.
+  prepareArgs = args:
+    concatStringsSep " "
+      (attrValues (mapAttrs (key: value: "-${key} '${toString value}'")
+                            (args // overrideArgs)));
+in {
+  options.services.depot.smtprelay = {
+    enable = mkEnableOption description;
+    args = mkOption {
+      type = types.attrsOf types.str;
+      description = "Key value pairs for command line arguments";
+    };
+  };
+
+  config = {
+    systemd.services.smtprelay = {
+      inherit description;
+      script = "${config.depot.third_party.smtprelay}/bin/smtprelay ${prepareArgs cfg.args}";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Restart = "always";
+        StateDirectory = "smtprelay";
+        DynamicUser = true;
+      };
+    };
+  };
+}
--- a/third_party/smtprelay/default.nix
+++ b/third_party/smtprelay/default.nix
@ -0,0 +1,20 @@
+# A simple SMTP relay without the kitchen sink.
+{ pkgs, lib, ... }:
+
+pkgs.buildGoModule {
+  name = "smtprelay";
+  vendorSha256 = "0kv9cv2jca2r90qsf40qmqpw84kgxvbxlf39bfw8rvs2lnmqc2dg";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "decke";
+    repo = "smtprelay";
+    rev = "ed1c3a98889e752291aaca6c64149e48452d0583";
+    sha256 = "16q2d2ja2cipjvsnfxmdzixkg85sh15rh9r95w6bw2r1gjqr65hr";
+  };
+
+  meta = with lib; {
+    description = "Simple Golang SMTP relay/proxy server";
+    homepage = https://github.com/decke/smtprelay;
+    license = licenses.mit;
+  };
+}