First try to install Stalwart as a mail software
parent
7823d09292
commit
044326ad38
18 changed files with 960 additions and 30 deletions
|
@ -5,6 +5,7 @@ keys:
|
||||||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
- &kaalut age1cwypena442n7kmlk6v7mazfskkswsaqu2y3cp5nuaq0he6hm9ugqvskhs3
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -25,6 +26,12 @@ creation_rules:
|
||||||
- *nerf
|
- *nerf
|
||||||
- *gonne
|
- *gonne
|
||||||
- *lobon
|
- *lobon
|
||||||
|
- path_regex: nixos/machines/kaalut/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *kaalut
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
|
@ -53,6 +53,12 @@
|
||||||
_module.args.pkgs = import inputs.nixpkgs {
|
_module.args.pkgs = import inputs.nixpkgs {
|
||||||
inherit system;
|
inherit system;
|
||||||
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
||||||
|
|
||||||
|
overlays = [
|
||||||
|
(_: _: {
|
||||||
|
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
|
||||||
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
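Review bot: The overlay entry hard-codes `x86_64-linux` although `system` is already in scope a few lines above (`inherit system;`), so on any other system `pkgs.alias-to-sieve` would silently be an x86_64 build. Use `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;`. The long trailing comment would also read better on its own line above the attribute. The enclosing block starts and ends outside the hunk.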
|
||||||
|
|
||||||
|
|
144
flake.lock
144
flake.lock
|
@ -1,5 +1,25 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"alias-to-sieve": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-parts": "flake-parts",
|
||||||
|
"nixpkgs": "nixpkgs",
|
||||||
|
"rust-overlay": "rust-overlay"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1732282930,
|
||||||
|
"narHash": "sha256-hC3qssnwZ9buK61th2x/C+DEQ2yUws+5zLA5Ql7Xtvs=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "eef3728818c02aa6ba107825bdf45a88a544561e",
|
||||||
|
"revCount": 12,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||||
|
}
|
||||||
|
},
|
||||||
"blobs": {
|
"blobs": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -21,11 +41,29 @@
|
||||||
"nixpkgs-lib": "nixpkgs-lib"
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727826117,
|
"lastModified": 1730504689,
|
||||||
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": "nixpkgs-lib_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730504689,
|
||||||
|
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -35,11 +73,11 @@
|
||||||
},
|
},
|
||||||
"impermanence": {
|
"impermanence": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729068498,
|
"lastModified": 1731242966,
|
||||||
"narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
|
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "impermanence",
|
"repo": "impermanence",
|
||||||
"rev": "e337457502571b23e449bf42153d7faa10c0a562",
|
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -71,15 +109,15 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729665710,
|
"lastModified": 1732014248,
|
||||||
"narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
|
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
|
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"ref": "nixos-unstable",
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
|
@ -102,28 +140,56 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727825735,
|
"lastModified": 1730504152,
|
||||||
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-lib_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729357638,
|
"lastModified": 1730504152,
|
||||||
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
|
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1728538411,
|
||||||
|
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
|
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-24.05",
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1732014248,
|
||||||
|
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -136,11 +202,11 @@
|
||||||
"nixpkgs-stable": []
|
"nixpkgs-stable": []
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729104314,
|
"lastModified": 1732021966,
|
||||||
"narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=",
|
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
|
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -151,27 +217,45 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-parts": "flake-parts",
|
"alias-to-sieve": "alias-to-sieve",
|
||||||
|
"flake-parts": "flake-parts_2",
|
||||||
"impermanence": "impermanence",
|
"impermanence": "impermanence",
|
||||||
"nixos-mailserver": "nixos-mailserver",
|
"nixos-mailserver": "nixos-mailserver",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs_3",
|
||||||
"pre-commit-hooks": "pre-commit-hooks",
|
"pre-commit-hooks": "pre-commit-hooks",
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"rust-overlay": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1732242723,
|
||||||
|
"narHash": "sha256-NWI8csIK0ujFlFuEXKnoc+7hWoCiEtINK9r48LUUMeU=",
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"rev": "a229311fcb45b88a95fdfa5cecd8349c809a272a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
]
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729931925,
|
"lastModified": 1732186149,
|
||||||
"narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=",
|
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e",
|
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
description = "Description for the project";
|
description = "Description for the project";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
|
alias-to-sieve = {
|
||||||
|
url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";
|
||||||
|
};
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
nixos-mailserver = {
|
nixos-mailserver = {
|
||||||
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
|
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
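Review bot: The new `alias-to-sieve` input declares only a `url`, so it pulls its own `nixpkgs`, `flake-parts` and `rust-overlay` (with a further nixpkgs under rust-overlay) into flake.lock, as the lock changes in this commit show. That is several extra upstream trees to fetch, update and audit for one small package that ends up on the mail host. Unless the tool needs its own pins, add `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the `alias-to-sieve = { … }` block. The hunk ends inside the `nixos-mailserver` block, which continues outside it.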
|
||||||
|
|
39
nixos/machines/kaalut/allowlistPassKoMa.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassKoMa.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassKoMa: ENC[AES256_GCM,data:wsb7LkqKlYBs7wFI3B8kN/8=,iv:NrYRh0dxtFE24z3w0oqTZIsObdNArK6XT5jUmtDZMDM=,tag:A9xsxsL1pdhFjVHbpYLSbw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:10Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Li4aT/YxpbiH2Y3rlGzaJxRv84KElKYt0a8ggnmdzhNBHMRYuBGLrUZWCEFnLcJ3mwyNN3tVpRzNN+iHFpMu5FTdfnTyhXOQ7S46WJMKFSVRqKkRS876GN/UhDMdQnQ7NfcwADgkXwrv3BZKaDJuYNRKwJaYOU6DKGf59verguw=,iv:ETnAQF78r7UAYHh7BP5Hc09PV6KyCDRXQnplTThBt7w=,tag:9ZSSEqU8iMFSRFjITN5d7Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
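Review bot: None of the three `recipient` entries in this file is the `&kaalut` key (`age1cwypena…`) that this commit adds to the sops `keys` list and to the `nixos/machines/kaalut/.*` creation rule, so the file appears to have been encrypted without that rule applying; if that anchor is the VM's host key, sops-nix on kaalut will not be able to decrypt it. The same three recipients appear on allowlistPassMatheball.yaml, allowlistPassMathebau.yaml, allowlistPassMathechor.yaml, backupKey.yaml, koma.aliases.yaml and mailForwardSieve.yaml. Run `sops updatekeys` on each file once the rule is in place and check that the recipient list matches the rule. The four allowlistPass files also carry byte-identical `enc` stanzas, which suggests they were copied from one another and share one data key; creating each file with its own `sops` invocation avoids that.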
|
39
nixos/machines/kaalut/allowlistPassMatheball.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMatheball.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMatheball: ENC[AES256_GCM,data:5bAT8zsYuvgc,iv:6ftGMZ36jfTawjxH2CFxefBmBVWJJ+26+HMpGU4tAJ8=,tag:qG6o6L9/zu15nsyTakFCiw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:13Z"
|
||||||
|
mac: ENC[AES256_GCM,data:VD+pb41S20hXLIn0IhVp3cuSB26D+DVXitrGG6/caVsK4Q1GLqh5kpsI3y9UKog3N0hl2qE1+uDWOkdQHrdVFUSBplxraP2dHCKjlU4lPz5nsprW8SA8TQrPrDEsX0aL+xKRDQMracmCskZcujaNsaqjPP3Uvw9e2vWekYdF3l0=,iv:qLUl8D1DDdPCWscELmjE75MfMwr1a7gAEFJka5lpGE8=,tag:W0//60tpXNQwPM1qV4VNrQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/allowlistPassMathebau.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMathebau.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMathebau: ENC[AES256_GCM,data:SPnAybYbTz3/,iv:dGf5kD5xqtQGuOgEwn51ZxIG4isUVPwjKM8Fkk4jzIU=,tag:MY+WnD6NCR0RjaHXPlYArQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:15Z"
|
||||||
|
mac: ENC[AES256_GCM,data:o9CWiR+010tZ8W+p+u0fy1wgE+ZgJYH4O4U7KLYjHQ7GPMOqViKVVw5DuWEHF/7uI8zhpMsMMRwUJmFas13uwdF0ckq/VMP1d0o31wOK8iJ0EudXMf9GQRH1KncOuQryDZ6CZKRKa/heNa5nn0pf5e0VfHq8S/h2YjBIl5zSbWY=,iv:5wd271XH9qrTbJgIPHu/33HQaU/tAMuf+ZGK5mnzv7M=,tag:42nXpz99MI+UnKC5QNWnhQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/allowlistPassMathechor.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMathechor.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMathechor: ENC[AES256_GCM,data:ll8NF4oldTUr,iv:WQYXNliuIEsZNRBvMC0OQmXER3sAUfcaLtdLQvaLLpY=,tag:Is2bj5c2PLUkztMvYdf+Ew==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:18Z"
|
||||||
|
mac: ENC[AES256_GCM,data:/KX/ck4aj/dtKl9LaFIfRBi6HbSJ4IEIPDTqlpwH0zfcm37yQPIUZEV4IS4cNqrQ7TZIkSFdE+f30PQbrF81yJ3vgtyvDRCm3IbUZM3SSsEeLvwTmpmU67bR0+bzXOFMYWbIJYZWM9Ucg/nzikRqKCvtSeSjvQOGd21cmwXPhEc=,iv:Os5YJWp3WBCfPPzG7pWAbLoXZPC3cGdYzRFy5OIJO2o=,tag:+f8bdCM8zMguOXhXDMupNQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/backupKey.yaml
Normal file
39
nixos/machines/kaalut/backupKey.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
backupKey: ENC[AES256_GCM,data:gRsJpwfsKhCxvePd1dFdqo6+aYarzUTP+Mp06BITUYfzvkYRk/406U0EfLHdw+kmg6sEch51deNCbMh5Q1OVHC1yRle+VscmvHTtWWd90KJlZxeN8nYPfkLZOb4mGYfBLGQ4UyFNptJ15FC9uaBN8i+g9jETyXZBXECNq4/rUmtgK/E/5zVytiXz9o7xCs64V0tk5MCe1UgeSmZvnAWXZzGVhm3Hrf4hBGpHk1RmyKS3CvWIxaGySPTjh+hUsJg5ml7PNB7V6IBIUacsLQkoZ2e0j+/MSd8ooUVl+143OO3HHGkqgnOj0YKvT6q7BW8rXvwwZgVE2GdrG45wyCXbxDy9jV+r9TqGP0s7m+4Ih+1QfqLBZEai+rJajJuYYGmf5pyT3pUcIXycQSTzPcE+vvIFNl0bbab9hmfkNV9cvfwtIxacFS9gw2lljhMmLxqwU2ld+IwtNGg7qL/ogsq6qHUPR1LWL5QoNCHRN1A4SZhMx4O3AG3052cH0Q6FsigbmbR5YkT+8sq/4cjHYgaS,iv:y2iDW/i4D46mE9f6MuTg91jPDi6L8YEpChIZPi0G9e0=,tag:2al2b0qk8WK6QfoVXNotxQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN
|
||||||
|
Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju
|
||||||
|
WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL
|
||||||
|
d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK
|
||||||
|
hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz
|
||||||
|
clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp
|
||||||
|
clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ
|
||||||
|
UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm
|
||||||
|
/0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu
|
||||||
|
Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0
|
||||||
|
a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT
|
||||||
|
Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc
|
||||||
|
00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:23Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Ie0k2AifhYuEs5ht3J0OuLCAEw9HdNDK70BjI4PZntAWgr5iu/dqUGb5xFb8sctbpyyfM0FMI64ds0YZPXZP+HnA/HGJ+O5k3YPTthVv+mXYtw29O60r00IwI1dMiJBTyviYhVRzvQwQ1I1d1G2upoTL+oXFD3PckU9re+6dagA=,iv:hyKAy6HyggkKxXm/mGskpNPSMvi9UkMuz+WypyVU0KQ=,tag:EW73paprAOEUPX8AmuXVpA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
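--- a/nixos/machines/kaalut/configuration.nix
+++ b/nixos/machines/kaalut/configuration.nix
@@ -0,0 +1,100 @@
+{
+imports = [
+./hardware-configuration.nix
+../../modules/mail.nix
+../../roles
+../../roles/vm.nix
+../../modules/vmNetwork.nix
+];
+
+# System configuration here
+services.mathebau-mail = {
+enable = true;
+domains = [
+# lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+{
+domain = "matheball.de";
+allowlistPass = "/run/secrets/allowlistPassMatheball";
+}
+{
+domain = "mathebau.de";
+allowlistPass = "/run/secrets/allowlistPassMathebau";
+virt_aliases = "/run/secrets/mathebau.aliases";
+}
+{
+domain = "mathechor.de";
+allowlistPass = "/run/secrets/allowlistPassMathechor";
+virt_aliases = "/run/secrets/mathechor.aliases";
+}
+{
+domain = "koma89.tu-darmstadt.de";
+allowlistPass = "/run/secrets/allowlistPassKoMa";
+virt_aliases = "/run/secrets/koma.aliases";
+}
+];
+};
+
+networking.hostName = "kaalut";
+vmNetwork.ipv4 = "192.168.0.17";
+system.stateVersion = "24.05";
+
+sops.secrets = {
+# Password for the HRZ API that gets a list of mailaddresses that we serve
+allowlistPassMatheball = {
+sopsFile = ./allowlistPassMatheball.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0400";
+};
+allowlistPassMathebau = {
+sopsFile = ./allowlistPassMathebau.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0400";
+};
+allowlistPassMathechor = {
+sopsFile = ./allowlistPassMathechor.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0400";
+};
+allowlistPassKoMa = {
+sopsFile = ./allowlistPassKoMa.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0400";
+};
+# Virtual alias file
+"mathebau.aliases" = {
+sopsFile = ./mathebau.aliases.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0440";
+};
+"mathechor.aliases" = {
+sopsFile = ./mathechor.aliases.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0440";
+};
+"koma.aliases" = {
+sopsFile = ./koma.aliases.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0440";
+};
+# password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
+stalwartAdmin = {
+sopsFile = ./stalwartAdmin.yaml;
+owner = "stalwart-mail";
+group = "stalwart-mail";
+mode = "0400";
+};
+backupKey = {
+sopsFile = ./backupKey.yaml;
+owner = "root";
+group = "root";
+mode = "0400";
+};
+};
+}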
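Review bot: The `allowlistPass` and `virt_aliases` values in `services.mathebau-mail.domains` are hard-coded `/run/secrets/...` strings, so nothing ties them to the `sops.secrets` entries declared further down; a renamed or missing secret only shows up when the mail service fails to read the file at runtime. Make the module a function (`{config, ...}: {`) and reference the declared secret, e.g. `allowlistPass = config.sops.secrets.allowlistPassMatheball.path;`, so a mismatch fails at evaluation. Separately, the three `*.aliases` secrets use `mode = "0440"` while owner and group are both `stalwart-mail`; `0400`, as on the password entries, would be consistent unless another member of that group has to read them.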
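--- a/nixos/machines/kaalut/hardware-configuration.nix
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+lib,
+pkgs,
+...
+}: {
+imports = [];
+
+fileSystems."/" = {
+device = "root";
+fsType = "tmpfs";
+options = ["size=1G" "mode=755"];
+};
+fileSystems."/persist" = {
+device = "/dev/disk/by-label/nixos";
+fsType = "btrfs";
+options = ["subvol=persist"];
+neededForBoot = true;
+};
+fileSystems."/boot" = {
+device = "/dev/disk/by-label/boot";
+fsType = "ext4";
+};
+fileSystems."/nix" = {
+device = "/dev/disk/by-label/nixos";
+fsType = "btrfs";
+options = ["subvol=nix"];
+};
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}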
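Review bot: `fileSystems."/"` is a 1G tmpfs and only `/persist`, `/boot` and `/nix` are on disk, so any mail store, queue or log that Stalwart writes outside `/persist` is held in RAM, counts against that 1G limit and is lost on reboot. No persistence declaration is visible in this file; confirm that the mail module or the roles imported by configuration.nix place the Stalwart data directory under `/persist`, and consider a comment above the root entry such as `# / is wiped on every boot; service state must be declared persistent`. The `pkgs` argument is unused here and can be dropped.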
39
nixos/machines/kaalut/koma.aliases.yaml
Normal file
39
nixos/machines/kaalut/koma.aliases.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
koma.aliases: ENC[AES256_GCM,data:a+oGvyMf2SPxCdMjdu61TEJCYTpOHnyizQi7cSDkhHF2q9YyuuMttHBn/YzOIkZxx9CQeRQhbK1CPmknUEv4oHpYP1TFCHlRhX08g4ZRKHUxMu5u1rK0rTRLiKcHmhQeHfAoVcfRXeURY879ltGYg7mYHdeLMKK0epYb5bM4tA==,iv:1Rgjwiv2XRePmE2UzYstABvQAIaSeOW87VsV29sJUFU=,tag:JcsLDZmsE2lPwxY56ujreg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
|
||||||
|
aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
|
||||||
|
Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
|
||||||
|
bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
|
||||||
|
MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
|
||||||
|
QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
|
||||||
|
c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
|
||||||
|
NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
|
||||||
|
io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
|
||||||
|
RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
|
||||||
|
K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
|
||||||
|
VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
|
||||||
|
N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:28Z"
|
||||||
|
mac: ENC[AES256_GCM,data:vK8UIeGZFUfVB3LpsvkFzYGgJSinvsWQDewKVqfAsC0yPHRBP+yCE3SXDeb01sl/ZGlw13o79AxRLBF0Z89QoljWtiWjWWgBnUBFAuURTtMmNBtpbfxgjevXJU9iZgIMAfd/DGuLE7HMLrqfzWOvuZNE9kSz//CkD9PQLorMfGI=,iv:E056ECSWlvSfe8VOQY1KAKyO1Tm3aRsYUCBy8KtLDxo=,tag:nVTmyUB3Pcvjpm1vECmZjw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/mailForwardSieve.yaml
Normal file
39
nixos/machines/kaalut/mailForwardSieve.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
mailForwardSieve: ENC[AES256_GCM,data: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,iv:B4PggssYfBbZA+mEJOiTo8GYWSZxbl9wJIHjUlv6c2A=,tag:isO6wVZR6UOuDLGCA/tddg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2
|
||||||
|
QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2
|
||||||
|
ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3
|
||||||
|
bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ
|
||||||
|
LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81
|
||||||
|
bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04
|
||||||
|
Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm
|
||||||
|
Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd
|
||||||
|
WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn
|
||||||
|
QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV
|
||||||
|
R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy
|
||||||
|
VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs
|
||||||
|
lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:34Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Num40NAUnNFictwt1Nlo5cOgnLBeih7oqXxpRIvHm10bpqK3VI4oxwrPwSOXXqMIh24zYNe7vgc/laxiqI8HCQkP8InBR5iryL1326efqLrVFUkgBvwkPu1GvgwIpvn0lLRMyF8bYFmWZHN2i3k1pVgS1xtQxGecGosPwyxwO2c=,iv:cupUxpzJhmpZB43t1kFTFrTx0PSfKk5wS1xMa0owz+w=,tag:K+GhidGy66LuL7aL/T3NzA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
39
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
File diff suppressed because one or more lines are too long
39
nixos/machines/kaalut/mathechor.aliases.yaml
Normal file
39
nixos/machines/kaalut/mathechor.aliases.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
mathechor.aliases: ENC[AES256_GCM,data:jq9oLiCQmAWVcdH13YRmTvCC23dSOAsszwQEVzi1Ij125XlDgVeR1lDXjeVsubTAAd9P8LJFjliz1mL6nA5tP7QTgkygBhLqAP22bAE+L1mDNejYXki2NdOuy8HJgWElCjxFZLGrI7FU+b8zILGsNPEDKa25o3PJbd6dlQeJ7Q2s3bPQ2K/y6FC2RFjCBuGJuNAGAtC5l6ymvjKBdh70At/IZXqtk13vyHVJbMwB,iv:FsQeDq3LMH+hxKcthdQZmyPkLe7XBwiLqfB0Yt+s7r0=,tag:rKjphs1Tss2+3b5bWDzfUw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
|
||||||
|
aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
|
||||||
|
Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
|
||||||
|
bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
|
||||||
|
MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
|
||||||
|
QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
|
||||||
|
c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
|
||||||
|
NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
|
||||||
|
io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
|
||||||
|
RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
|
||||||
|
K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
|
||||||
|
VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
|
||||||
|
N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:43Z"
|
||||||
|
mac: ENC[AES256_GCM,data:2tceG586ydMqiNPkPbT7ZM4+zoGslbif9TuB26Pz2ji/KsLvnOSwPsmmilNST32Nz5RYym1JGbU0uVQMzBM6uaQvYoR6vVwgC95lEnkY5nenhh3Xhy/OLtXmRdmrIXvvyxWK/2Gtspyy3HR2yFV0Gw0PY5ODPxpxtrypE2N9YmY=,iv:4d7M/LF0UVkEicXRNUDEDKUldehav60nTCS1Jh/RvwU=,tag:mLOwUSE5osUwZp/8cUqClw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
39
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
stalwartAdmin: ENC[AES256_GCM,data:lAd0XfikNLJxK5qMtrBkKdbhwZo=,iv:3H3E8JPGPg3af3doeTSD9cuq2+ZLBNK3g1cqiI1k5rw=,tag:Wa/Fsc00mxuFnzyKTQp7CQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr
|
||||||
|
MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt
|
||||||
|
U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv
|
||||||
|
L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt
|
||||||
|
C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO
|
||||||
|
bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov
|
||||||
|
RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR
|
||||||
|
MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR
|
||||||
|
Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz
|
||||||
|
d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H
|
||||||
|
VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi
|
||||||
|
dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs
|
||||||
|
JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-23T08:39:45Z"
|
||||||
|
mac: ENC[AES256_GCM,data:GGDnb19XQPXR3Apzn9oDFH03NjU9LR0HCHgtjLErJbmHZJl6wAmjST79cDpaDSWKtdT4KPrJLXCuRt1a/LbmqmTzegsfXsfmq881WwFJ1pyyrK9Z9kVxdNeXmb3GyGU7Mrg929O3V2xRhXgpTaOxNCWPWtZPITOE561sU8X0eb8=,iv:LNPIpNGWAP5VvFnLBAf8MPwMNfjwz1veazvlIw4r8JA=,tag:h4SAW6uIHpeRfYKLVSRPkA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
|
@ -76,6 +76,13 @@ in {
|
||||||
path = "/var/lib/backups/ithaqua";
|
path = "/var/lib/backups/ithaqua";
|
||||||
allowSubRepos = true;
|
allowSubRepos = true;
|
||||||
};
|
};
|
||||||
|
kaalut = {
|
||||||
|
authorizedKeysAppendOnly = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
|
||||||
|
];
|
||||||
|
path = "/var/lib/backups/kaalut";
|
||||||
|
allowSubRepos = true;
|
||||||
|
};
|
||||||
lobon = {
|
lobon = {
|
||||||
authorizedKeysAppendOnly = [
|
authorizedKeysAppendOnly = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
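Review bot: The repository added here is named `kaalut` (path `/var/lib/backups/kaalut`), but the borg job this commit adds in nixos/modules/mail.nix pushes to `borg@192.168.1.11:kaluut`, which looks like a typo. Because `allowSubRepos = true` is set, the misspelt name would probably not fail but end up as a differently named repository below this path, so the mismatch is easy to miss until a restore is needed; this should be confirmed on the backup host. If it is unintended, the client line should read `repo = "borg@192.168.1.11:kaalut";`. The enclosing attribute set starts before this hunk and the `lobon` entry continues after it.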
|
||||||
|
|
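--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -0,0 +1,303 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+* and use your personal admin account or create one using the fallback admin password.
+* Create users with mail boxes: Go to the admin interface and create them.
+* Stalwart mailserver docs can be found at https://stalw.art/docs
+*/
+{
+config,
+lib,
+pkgs,
+...
+}: let
+inherit
+(lib)
+mkIf
+mkEnableOption
+mkOption
+;
+inherit (lib.types) listOf str;
+cfg = config.services.mathebau-mail;
+in {
+options.services.mathebau-mail = {
+enable = mkEnableOption "mathebau mail service";
+domains = mkOption {
+type = listOf (lib.types.submodule {
+options = {
+domain = mkOption {
+type = str;
+};
+allowlistPass = mkOption {
+# Password for the HRZ API that gets a list of mailaddresses that we serve
+type = str;
+};
+virt_aliases = mkOption {
+type = str;
+default = "";
+};
+};
+});
+};
+};
+
+config = mkIf cfg.enable {
+environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
+
+services = {
+stalwart-mail = {
+enable = true;
+openFirewall = true;
+settings = {
+server = {
+lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+listener = {
+"smtp" = {
+bind = ["[::]:25"];
+protocol = "smtp";
+};
+"submissions" = {
+# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+bind = ["[::]:465"];
+protocol = "smtp";
+tls.implicit = true;
+};
+"imaptls" = {
+bind = ["[::]:993"];
+protocol = "imap";
+tls.implicit = true;
+};
+"management" = {
+bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+protocol = "http";
+};
+};
+};
+acme.letsencrypt = {
+directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+challenge = "http-01";
+contact = ["root@mathebau.de"];
+domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+default = true;
+};
+spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+auth = {
+# TODO check if HRZ conforms to these standards and we can validate them strictly
+dkim.verify = "relaxed";
+arc.verify = "relaxed";
+dmarc.verify = "relaxed";
+iprev.verify = "relaxed";
+spf.verify.ehlo = "relaxed";
+spf.verify.mail-from = "relaxed";
+};
+
+# Forward outgoing mail to HRZ or mail VMs.
+# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+queue.outbound = {
+next-hop = [
+{
+"if" = "rcpt_domain = 'lists.mathebau.de'";
+"then" = "'mailman'";
+}
+{
+"if" = "is_local_domain('', rcpt_domain)";
+"then" = "'local'";
+}
+{"else" = "'hrz'";}
+];
+tls = {
+mta-sts = "disable";
+dane = "disable";
+starttls = "optional"; # e.g. Lobon does not offer starttls
+};
+};
+remote."hrz" = {
+address = "mailout.hrz.tu-darmstadt.de";
+port = 25;
+protocol = "smtp";
+tls.implicit = false; # somehow this is needed here
+};
+remote."mailman" = {
+address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
+port = 25;
+protocol = "smtp";
+tls.implicit = false; # somehow this is needed here
+};
+
+session.rcpt = {
+# In order to accept mail that we only forward
+# without having to generate an account.
+# Invalid addresses are filtered by DFN beforehand.
+catch-all = true;
+relay = [
+{
+"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+"then" = true;
+}
+{"else" = false;}
+];
+};
+config.local-keys =
+[
+"store.*"
+"directory.*"
+"tracer.*"
+"server.*"
+"!server.blocked-ip.*"
+"authentication.fallback-admin.*"
+"cluster.node-id"
+"storage.data"
+"storage.blob"
+"storage.lookup"
+"storage.fts"
+"storage.directory"
+"lookup.default.hostname"
+"certificate.*"
+] # the default ones
+++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
+session.data.script = "'redirects'";
+
+authentication.fallback-admin = {
+user = "admin";
+secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+};
+tracer.stdout.level = "debug";
+};
+};
+};
+environment.persistence.${config.impermanence.name} = {
+directories = [
+"/var/lib/stalwart-mail"
+];
+files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+};
+
+# Update HRZ allowlist
+# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+# will stop working if no valid TUIDs are associated to our domain.
+systemd = {
+timers."mailAllowlist" = {
+wantedBy = ["timers.target"];
+timerConfig = {
+OnBootSec = "1h"; # Run every 5 minutes
+OnUnitActiveSec = "1h";
+RandomizedDelaySec = "10m"; # prevent overload on regular intervals
+Unit = "mailAllowlist.service";
+};
+};
+services = {
+"mailAllowlist" = {
+description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+script = let
+scriptTemplate = {
+domain,
+allowlistPass,
+...
+}: ''
+# Get the mail addresses' local-part
+# TODO: These features have been removed from stalwart-cli and needs to be replaced by undocumented API calls.
+# see https://github.com/stalwartlabs/mail-server/discussions/803
+# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+# Post local-parts to HRZ
+${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+# Cleanup
+rm /tmp/addresses
+'';
+in
+lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+serviceConfig = {
+Type = "oneshot";
+User = "stalwart-mail";
+NoNewPrivileges = true;
+# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+PrivateTmp = false; # allow access to sieve script
+ProtectHome = true;
+ReadOnlyPaths = "/";
+ReadWritePaths = "/tmp";
+InaccessiblePaths = "-/lost+found";
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+};
+};
+"stalwart-mail" = {
+restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
+serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+};
+"virt-aliases-generator" = {
+description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+script = let
+scriptTemplate = {
+domain,
+virt_aliases,
+...
+}:
+if virt_aliases != ""
+then "${virt_aliases} ${domain} "
+else "";
+in
+lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+serviceConfig = {
+Type = "oneshot";
+User = "stalwart-mail";
+NoNewPrivileges = true;
+# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+PrivateTmp = false;
+ProtectHome = true;
+ReadOnlyPaths = "/";
+ReadWritePaths = "/tmp";
+InaccessiblePaths = "-/lost+found";
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+};
+};
+};
+};
+# Backups
+services.borgbackup.jobs.mail = {
+paths = [
+"/var/lib/stalwart-mail/data"
+];
+encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+environment = {
+BORG_RSH = "ssh -i /run/secrets/backupKey";
+# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+# We don't want this in order to not need to persist borg cache and simplify new deployments.
+BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+};
+repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+startAt = "daily";
+user = "root";
+group = "root";
+};
+};
+}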
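Review bot: The trusted Sieve script is loaded from `/tmp/virt_aliases`, a fixed name in the shared, world-writable /tmp, which `stalwart-mail` and `virt-aliases-generator` only reach because `PrivateTmp` is switched off for both; the same file is then applied to every message through `session.data.script = "'redirects'"`. Whoever can create that path before the generator runs would control what the server treats as its own redirect rules, and `/tmp/addresses` in `mailAllowlist` has the same weakness for the list posted to the HRZ. I would keep both files in a directory that only the service user can write, assuming `/var/lib/stalwart-mail` is owned by `stalwart-mail`: `sieve.trusted.scripts.redirects.contents = "%{file:/var/lib/stalwart-mail/virt_aliases}%";`, the generator ending in `> /var/lib/stalwart-mail/virt_aliases`, and `ReadWritePaths = "/var/lib/stalwart-mail";` in the two helper units. With that in place the `PrivateTmp = false` overrides, including the `lib.mkForce false` on `stalwart-mail`, can be dropped again.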