First try to install Stalwart as a mail software

This commit is contained in:
Gonne 2024-07-10 22:56:46 +02:00
parent 7823d09292
commit 044326ad38
18 changed files with 960 additions and 30 deletions


@ -5,6 +5,7 @@ keys:
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
- &kaalut age1cwypena442n7kmlk6v7mazfskkswsaqu2y3cp5nuaq0he6hm9ugqvskhs3
creation_rules:
- path_regex: nixos/machines/nyarlathotep/.*
@ -25,6 +26,12 @@ creation_rules:
- *nerf
- *gonne
- *lobon
- path_regex: nixos/machines/kaalut/.*
key_groups:
- age:
- *nerf
- *gonne
- *kaalut
# this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines
- key_groups:
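Review bot: The machine key added at `- &kaalut age1cwypena442n7kmlk6v7mazfskkswsaqu2y3cp5nuaq0he6hm9ugqvskhs3` is not among the `sops.age` recipients of any new encrypted file in this commit — every `allowlistPass*`, `*.aliases`, `stalwartAdmin` and `backupKey` file lists only age1rasjnr2…, age1epz92k2… and age1dhzugel… — so unless one of those three is the kaalut host key under another anchor, sops-nix on kaalut cannot decrypt these secrets at activation. A plausible cause is that the files were encrypted before this rule existed or from a path the `nixos/machines/kaalut/.*` regex does not match (the secret files' paths are not shown on this page, only their `./…yaml` references from the machine's configuration.nix); running `sops updatekeys` on each file against this `.sops.yaml` would add the machine key and is worth checking before the first deploy. The `creation_rules` list continues outside the hunk.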


@ -53,6 +53,12 @@
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
overlays = [
(_: _: {
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
})
];
};
};
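Review bot: The overlay entry `alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default` hard-codes the platform although `system` is already in scope two lines above (`inherit system;`), so on any other host platform the overlay would silently provide a package for the wrong architecture; `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps it generic. The trailing comment on that line is long enough to deserve its own line above the attribute. The `_module.args.pkgs` definition is complete inside the hunk, but the attribute set enclosing it continues outside.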


@ -1,5 +1,25 @@
{
"nodes": {
"alias-to-sieve": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1732282930,
"narHash": "sha256-hC3qssnwZ9buK61th2x/C+DEQ2yUws+5zLA5Ql7Xtvs=",
"ref": "refs/heads/main",
"rev": "eef3728818c02aa6ba107825bdf45a88a544561e",
"revCount": 12,
"type": "git",
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
},
"original": {
"type": "git",
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
}
},
"blobs": {
"flake": false,
"locked": {
@ -21,11 +41,29 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -35,11 +73,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1729068498,
"narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "e337457502571b23e449bf42153d7faa10c0a562",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github"
},
"original": {
@ -71,15 +109,15 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1729665710,
"narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
"owner": "NixOS",
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
"owner": "NixOS",
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
@ -102,28 +140,56 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"lastModified": 1730504152,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}
},
"nixpkgs-stable": {
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
"lastModified": 1730504152,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728538411,
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -136,11 +202,11 @@
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1729104314,
"narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=",
"lastModified": 1732021966,
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
"type": "github"
},
"original": {
@ -151,27 +217,45 @@
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"alias-to-sieve": "alias-to-sieve",
"flake-parts": "flake-parts_2",
"impermanence": "impermanence",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_3",
"pre-commit-hooks": "pre-commit-hooks",
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1732242723,
"narHash": "sha256-NWI8csIK0ujFlFuEXKnoc+7hWoCiEtINK9r48LUUMeU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a229311fcb45b88a95fdfa5cecd8349c809a272a",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1729931925,
"narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=",
"lastModified": 1732186149,
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e",
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
"type": "github"
},
"original": {


@ -2,6 +2,9 @@
description = "Description for the project";
inputs = {
alias-to-sieve = {
url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixos-mailserver = {
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
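Review bot: The new `alias-to-sieve` input does not make its own `nixpkgs` or `flake-parts` follow the root inputs, and the lock file in this commit accordingly grows a second tree of each (`nixpkgs_2`, `nixpkgs_3`, `flake-parts_2`, `nixpkgs-lib_2`). Adding `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the `alias-to-sieve = { … };` block leaves one nixpkgs revision to audit and builds the converter against the same stdenv as the host it runs on. The `inputs` attribute set continues outside the hunk.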


@ -0,0 +1,39 @@
allowlistPassKoMa: ENC[AES256_GCM,data:wsb7LkqKlYBs7wFI3B8kN/8=,iv:NrYRh0dxtFE24z3w0oqTZIsObdNArK6XT5jUmtDZMDM=,tag:A9xsxsL1pdhFjVHbpYLSbw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:10Z"
mac: ENC[AES256_GCM,data:Li4aT/YxpbiH2Y3rlGzaJxRv84KElKYt0a8ggnmdzhNBHMRYuBGLrUZWCEFnLcJ3mwyNN3tVpRzNN+iHFpMu5FTdfnTyhXOQ7S46WJMKFSVRqKkRS876GN/UhDMdQnQ7NfcwADgkXwrv3BZKaDJuYNRKwJaYOU6DKGf59verguw=,iv:ETnAQF78r7UAYHh7BP5Hc09PV6KyCDRXQnplTThBt7w=,tag:9ZSSEqU8iMFSRFjITN5d7Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
allowlistPassMatheball: ENC[AES256_GCM,data:5bAT8zsYuvgc,iv:6ftGMZ36jfTawjxH2CFxefBmBVWJJ+26+HMpGU4tAJ8=,tag:qG6o6L9/zu15nsyTakFCiw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:13Z"
mac: ENC[AES256_GCM,data:VD+pb41S20hXLIn0IhVp3cuSB26D+DVXitrGG6/caVsK4Q1GLqh5kpsI3y9UKog3N0hl2qE1+uDWOkdQHrdVFUSBplxraP2dHCKjlU4lPz5nsprW8SA8TQrPrDEsX0aL+xKRDQMracmCskZcujaNsaqjPP3Uvw9e2vWekYdF3l0=,iv:qLUl8D1DDdPCWscELmjE75MfMwr1a7gAEFJka5lpGE8=,tag:W0//60tpXNQwPM1qV4VNrQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
allowlistPassMathebau: ENC[AES256_GCM,data:SPnAybYbTz3/,iv:dGf5kD5xqtQGuOgEwn51ZxIG4isUVPwjKM8Fkk4jzIU=,tag:MY+WnD6NCR0RjaHXPlYArQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:15Z"
mac: ENC[AES256_GCM,data:o9CWiR+010tZ8W+p+u0fy1wgE+ZgJYH4O4U7KLYjHQ7GPMOqViKVVw5DuWEHF/7uI8zhpMsMMRwUJmFas13uwdF0ckq/VMP1d0o31wOK8iJ0EudXMf9GQRH1KncOuQryDZ6CZKRKa/heNa5nn0pf5e0VfHq8S/h2YjBIl5zSbWY=,iv:5wd271XH9qrTbJgIPHu/33HQaU/tAMuf+ZGK5mnzv7M=,tag:42nXpz99MI+UnKC5QNWnhQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
allowlistPassMathechor: ENC[AES256_GCM,data:ll8NF4oldTUr,iv:WQYXNliuIEsZNRBvMC0OQmXER3sAUfcaLtdLQvaLLpY=,tag:Is2bj5c2PLUkztMvYdf+Ew==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:18Z"
mac: ENC[AES256_GCM,data:/KX/ck4aj/dtKl9LaFIfRBi6HbSJ4IEIPDTqlpwH0zfcm37yQPIUZEV4IS4cNqrQ7TZIkSFdE+f30PQbrF81yJ3vgtyvDRCm3IbUZM3SSsEeLvwTmpmU67bR0+bzXOFMYWbIJYZWM9Ucg/nzikRqKCvtSeSjvQOGd21cmwXPhEc=,iv:Os5YJWp3WBCfPPzG7pWAbLoXZPC3cGdYzRFy5OIJO2o=,tag:+f8bdCM8zMguOXhXDMupNQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
backupKey: ENC[AES256_GCM,data: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,iv:y2iDW/i4D46mE9f6MuTg91jPDi6L8YEpChIZPi0G9e0=,tag:2al2b0qk8WK6QfoVXNotxQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN
Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju
WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL
d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK
hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz
clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp
clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ
UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm
/0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu
Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0
a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT
Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc
00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:23Z"
mac: ENC[AES256_GCM,data:Ie0k2AifhYuEs5ht3J0OuLCAEw9HdNDK70BjI4PZntAWgr5iu/dqUGb5xFb8sctbpyyfM0FMI64ds0YZPXZP+HnA/HGJ+O5k3YPTthVv+mXYtw29O60r00IwI1dMiJBTyviYhVRzvQwQ1I1d1G2upoTL+oXFD3PckU9re+6dagA=,iv:hyKAy6HyggkKxXm/mGskpNPSMvi9UkMuz+WypyVU0KQ=,tag:EW73paprAOEUPX8AmuXVpA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,100 @@
{
imports = [
./hardware-configuration.nix
../../modules/mail.nix
../../roles
../../roles/vm.nix
../../modules/vmNetwork.nix
];
# System configuration here
services.mathebau-mail = {
enable = true;
domains = [
# lists.mathebau.de is forwarded to another VM and does not need to be listed here.
{
domain = "matheball.de";
allowlistPass = "/run/secrets/allowlistPassMatheball";
}
{
domain = "mathebau.de";
allowlistPass = "/run/secrets/allowlistPassMathebau";
virt_aliases = "/run/secrets/mathebau.aliases";
}
{
domain = "mathechor.de";
allowlistPass = "/run/secrets/allowlistPassMathechor";
virt_aliases = "/run/secrets/mathechor.aliases";
}
{
domain = "koma89.tu-darmstadt.de";
allowlistPass = "/run/secrets/allowlistPassKoMa";
virt_aliases = "/run/secrets/koma.aliases";
}
];
};
networking.hostName = "kaalut";
vmNetwork.ipv4 = "192.168.0.17";
system.stateVersion = "24.05";
sops.secrets = {
# Password for the HRZ API that gets a list of mailaddresses that we serve
allowlistPassMatheball = {
sopsFile = ./allowlistPassMatheball.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
allowlistPassMathebau = {
sopsFile = ./allowlistPassMathebau.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
allowlistPassMathechor = {
sopsFile = ./allowlistPassMathechor.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
allowlistPassKoMa = {
sopsFile = ./allowlistPassKoMa.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
# Virtual alias file
"mathebau.aliases" = {
sopsFile = ./mathebau.aliases.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0440";
};
"mathechor.aliases" = {
sopsFile = ./mathechor.aliases.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0440";
};
"koma.aliases" = {
sopsFile = ./koma.aliases.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0440";
};
# password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
stalwartAdmin = {
sopsFile = ./stalwartAdmin.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
backupKey = {
sopsFile = ./backupKey.yaml;
owner = "root";
group = "root";
mode = "0400";
};
};
}
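Review bot: The `sops.secrets` block repeats `owner = "stalwart-mail"; group = "stalwart-mail";` eight times and the only thing that varies between entries — `mode = "0400"` for the API passwords and the fallback admin password versus `mode = "0440"` for the alias files — is not explained, so the reader cannot tell whether group-readability of the alias files is intentional. A small local helper makes the distinction explicit and leaves one place to change the service user; I would also add a hedged comment on the alias entries such as `# group-readable: presumably read by the alias-to-sieve converter as a member of stalwart-mail — confirm`. The `backupKey` entry is root-owned and can stay as written.
```nix
sops.secrets = let
  # Secrets consumed by the stalwart-mail service user; only `mode` differs
  # between owner-only API passwords and group-readable alias files.
  stalwartSecret = mode: file: {
    sopsFile = file;
    owner = "stalwart-mail";
    group = "stalwart-mail";
    inherit mode;
  };
in {
  # Password for the HRZ API that gets a list of mailaddresses that we serve
  allowlistPassMatheball = stalwartSecret "0400" ./allowlistPassMatheball.yaml;
  allowlistPassMathebau = stalwartSecret "0400" ./allowlistPassMathebau.yaml;
  allowlistPassMathechor = stalwartSecret "0400" ./allowlistPassMathechor.yaml;
  allowlistPassKoMa = stalwartSecret "0400" ./allowlistPassKoMa.yaml;
  # Virtual alias files; group-readable — presumably read by the alias-to-sieve
  # converter as a member of stalwart-mail, confirm before relying on it
  "mathebau.aliases" = stalwartSecret "0440" ./mathebau.aliases.yaml;
  "mathechor.aliases" = stalwartSecret "0440" ./mathechor.aliases.yaml;
  "koma.aliases" = stalwartSecret "0440" ./koma.aliases.yaml;
  # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
  stalwartAdmin = stalwartSecret "0400" ./stalwartAdmin.yaml;
  # … unchanged: backupKey (root-owned, mode 0400) …
};
```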


@ -0,0 +1,30 @@
{
lib,
pkgs,
...
}: {
imports = [];
fileSystems."/" = {
device = "root";
fsType = "tmpfs";
options = ["size=1G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix"];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
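Review bot: The function header takes `pkgs` but nothing in the file uses it, and `imports = [];` is a no-op, so `{ lib, ... }: {` with the empty `imports` dropped states the file's real dependencies. The tmpfs root (`fsType = "tmpfs"`, `mode=755`) together with a `/persist` subvolume marked `neededForBoot = true` looks like the ephemeral-root pattern of the `impermanence` input in the lock file, but that is an inference; a header comment along the lines of `# "/" is ephemeral tmpfs; only /persist and /nix survive a reboot` would save the next reader from making it.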


@ -0,0 +1,39 @@
koma.aliases: ENC[AES256_GCM,data:a+oGvyMf2SPxCdMjdu61TEJCYTpOHnyizQi7cSDkhHF2q9YyuuMttHBn/YzOIkZxx9CQeRQhbK1CPmknUEv4oHpYP1TFCHlRhX08g4ZRKHUxMu5u1rK0rTRLiKcHmhQeHfAoVcfRXeURY879ltGYg7mYHdeLMKK0epYb5bM4tA==,iv:1Rgjwiv2XRePmE2UzYstABvQAIaSeOW87VsV29sJUFU=,tag:JcsLDZmsE2lPwxY56ujreg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:28Z"
mac: ENC[AES256_GCM,data:vK8UIeGZFUfVB3LpsvkFzYGgJSinvsWQDewKVqfAsC0yPHRBP+yCE3SXDeb01sl/ZGlw13o79AxRLBF0Z89QoljWtiWjWWgBnUBFAuURTtMmNBtpbfxgjevXJU9iZgIMAfd/DGuLE7HMLrqfzWOvuZNE9kSz//CkD9PQLorMfGI=,iv:E056ECSWlvSfe8VOQY1KAKyO1Tm3aRsYUCBy8KtLDxo=,tag:nVTmyUB3Pcvjpm1vECmZjw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
mailForwardSieve: ENC[AES256_GCM,data:EYnhE0qs9mA1v+iyOLUu27CR7F0JIHA7lZ3qbXynnfDPjcCRTKBVB5bwcvXx/QKia7Dt7ECysr8XlcYFXsP37MU10daKM6PLkGP46kfN67Lv/IFmot3choWwxZMFSO2l5qwQUp/g0b8IWpWmBSngGcOpdzSt2y55NdSTjXjZGFXcH4mHl6xtSRZUaJsAIySSFXdGyyigHb5G9i3PTiChR4rs48UtXKyzs8cRyntaRlquduvJUfb9rC1eRnwncz+4gWrnnhCZr5Z4b0LHQf4npfaM3zPTUI1/9b7tOy9I+WPD4oIEkhpw64EjGVTHzq1qW5z4HRgEpTSKR9f3TGpoWEtzIBVhwYMn9lZ2pAXfvcfHfti4PGN5eVIk3asXw0OEHUqDe7AW0aRqokXUv5ocI+HD6Dt9+Y8QRkgyN7zGlhVs+YTlMQViBtXjVFzsr1HY1baCkcuUyr0F3pAmOk+749NpqIIQGEgFq4TzsPykyKTWDOMkB4AFIV+mw4ly3UYC+3c2986MV5YdoGJWmicMivHZpvDUEMnpr8/Qg5h8lYJdxlw2aKq1jIJzp+SthSZH+p1RgheIKi2uo1LKS+ZloWknjzqJgzDTpi0UHIJDRKAM1tfFE0/JJW5WBcwal7d2t4J4EmBMfpTfM6+vCyL9VqXtm5rZVO5yByrdJkFW7fyoNyQi9i/iKXW4iZhNbgFysNH/yi2gQ50Nm5Z9+NZLu4K0j2nHOAD8YSDwpO/PWu1zLKXC0mnwuMNOc0RzuWRc2Tsj1koY7F1bsITAY7U94zLMoyaAG/SpDdEKqPS1bXU0z1HZThMIyP/BqJt5zntrLhiFIWmHN3Kr+6qXA/ngMjVI+nrQs8JvaOQcHeHvyUSAwHklV/XguKB57sAdXbVvDgoM/NZn6qIsArwO4d7j3g954rYmI5eIMzeMfh4zGEUDIBTm+CNliSn4f063RmGp0W5+xyFFlpEpJdKJUJ/nJYBy4v+lZ03zEHccCHhvs7jrit6uz+iRuXuBJMF/wdWBlIosDFUlarSanqXqOo+3c1TM9ok7mk6MQttTvaUkEkVnwU5ZcvlRfL2taxtZFfF/odvTuVI9CFDpJBBYToitl1dD/UomSCkCZJ3E7Uk4JNCRr/c9X/Fsym3X5Ir7v+vfn2EuZ814w306NwsRhj/Zs9ZZwIZM3ejZt8tq6W8mnPovBMTXJrsvwmlPXqqL9ZT10FEFC7vaY2L7+7K4oax1KbpxYdDgYi1a1UJ3atkQCpRUbg2LwtbmGgtJQ8b+D3gxLzDSuoMIKBJoA9g82cr5fln9UNPSs7NHGR8Q2+RBYlwIq7S7gK+bIUJ+WT3BbXZJUZvRr9LK5+IQn+S5/EM8UbdSFVQp+ojka3lT+H/jn+sN6ZY5giDgtnKU/k50CG9F/lEqExKjIR8gQshhNBoPtasdhcvbaxVqrB/2sMk8IuoELfG/gayPmEZgNLhM3DuWAbhAu+UgsX4vmRjhISMEw30bJBTnZl89JndRLWsgynySD4relphQWOLLj/ZWSkC0MclHOZmAHoCGmyoOycKjJTZ5Fdkug8kb6lk8x6dgI5+cPHgDVxc3k9Rm5k+fkO6p1CgP+Sa9pmfLdcfaIZpogPAqO15kV0/zXnSl/OGOMaanUKLy3TolQSz6dLYwLAqOVCH92+lD2xtDmiyG44v5L+5xw1h1jwpmTuR4zFdP+E0z4rZ5YhJB7j1ll0yB2UcjBm5WSeFtZy3ZHe9poAznW6/OkXRP08Dtuk0JNZh9iwO/bsirs8T2oUiuJfd8AC7zCJhIOUDSxbmJFG+1J6mrTUKheH7WAvDkCbNpv5jiA9WUb8Z+rJ3tr+FJkYX2MR8=,iv:B4PggssYfBbZA+mEJOiTo8GYWSZxbl9wJIHjUlv6c2A=,tag:isO6wVZR6UOuDLGCA/tddg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2
QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2
ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3
bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ
LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81
bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04
Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm
Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd
WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn
QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV
R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy
VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs
lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:34Z"
mac: ENC[AES256_GCM,data:Num40NAUnNFictwt1Nlo5cOgnLBeih7oqXxpRIvHm10bpqK3VI4oxwrPwSOXXqMIh24zYNe7vgc/laxiqI8HCQkP8InBR5iryL1326efqLrVFUkgBvwkPu1GvgwIpvn0lLRMyF8bYFmWZHN2i3k1pVgS1xtQxGecGosPwyxwO2c=,iv:cupUxpzJhmpZB43t1kFTFrTx0PSfKk5wS1xMa0owz+w=,tag:K+GhidGy66LuL7aL/T3NzA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

File diff suppressed because one or more lines are too long


@ -0,0 +1,39 @@
mathechor.aliases: ENC[AES256_GCM,data:jq9oLiCQmAWVcdH13YRmTvCC23dSOAsszwQEVzi1Ij125XlDgVeR1lDXjeVsubTAAd9P8LJFjliz1mL6nA5tP7QTgkygBhLqAP22bAE+L1mDNejYXki2NdOuy8HJgWElCjxFZLGrI7FU+b8zILGsNPEDKa25o3PJbd6dlQeJ7Q2s3bPQ2K/y6FC2RFjCBuGJuNAGAtC5l6ymvjKBdh70At/IZXqtk13vyHVJbMwB,iv:FsQeDq3LMH+hxKcthdQZmyPkLe7XBwiLqfB0Yt+s7r0=,tag:rKjphs1Tss2+3b5bWDzfUw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:43Z"
mac: ENC[AES256_GCM,data:2tceG586ydMqiNPkPbT7ZM4+zoGslbif9TuB26Pz2ji/KsLvnOSwPsmmilNST32Nz5RYym1JGbU0uVQMzBM6uaQvYoR6vVwgC95lEnkY5nenhh3Xhy/OLtXmRdmrIXvvyxWK/2Gtspyy3HR2yFV0Gw0PY5ODPxpxtrypE2N9YmY=,iv:4d7M/LF0UVkEicXRNUDEDKUldehav60nTCS1Jh/RvwU=,tag:mLOwUSE5osUwZp/8cUqClw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,39 @@
stalwartAdmin: ENC[AES256_GCM,data:lAd0XfikNLJxK5qMtrBkKdbhwZo=,iv:3H3E8JPGPg3af3doeTSD9cuq2+ZLBNK3g1cqiI1k5rw=,tag:Wa/Fsc00mxuFnzyKTQp7CQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr
MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt
U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv
L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt
C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO
bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov
RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR
MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR
Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz
d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H
VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi
dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs
JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-23T08:39:45Z"
mac: ENC[AES256_GCM,data:GGDnb19XQPXR3Apzn9oDFH03NjU9LR0HCHgtjLErJbmHZJl6wAmjST79cDpaDSWKtdT4KPrJLXCuRt1a/LbmqmTzegsfXsfmq881WwFJ1pyyrK9Z9kVxdNeXmb3GyGU7Mrg929O3V2xRhXgpTaOxNCWPWtZPITOE561sU8X0eb8=,iv:LNPIpNGWAP5VvFnLBAf8MPwMNfjwz1veazvlIw4r8JA=,tag:h4SAW6uIHpeRfYKLVSRPkA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -76,6 +76,13 @@ in {
path = "/var/lib/backups/ithaqua";
allowSubRepos = true;
};
kaalut = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
];
path = "/var/lib/backups/kaalut";
allowSubRepos = true;
};
lobon = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"

303
nixos/modules/mail.nix Normal file

@ -0,0 +1,303 @@
/*
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
* and use your personal admin account or create one using the fallback admin password.
* Create users with mail boxes: Go to the admin interface and create them.
* Stalwart mailserver docs can be found at https://stalw.art/docs
*/
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
;
inherit (lib.types) listOf str;
cfg = config.services.mathebau-mail;
in {
options.services.mathebau-mail = {
enable = mkEnableOption "mathebau mail service";
domains = mkOption {
type = listOf (lib.types.submodule {
options = {
domain = mkOption {
type = str;
};
allowlistPass = mkOption {
# Password for the HRZ API that gets a list of mailaddresses that we serve
type = str;
};
virt_aliases = mkOption {
type = str;
default = "";
};
};
});
};
};
config = mkIf cfg.enable {
environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
services = {
stalwart-mail = {
enable = true;
openFirewall = true;
settings = {
server = {
lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
listener = {
"smtp" = {
bind = ["[::]:25"];
protocol = "smtp";
};
"submissions" = {
# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
bind = ["[::]:465"];
protocol = "smtp";
tls.implicit = true;
};
"imaptls" = {
bind = ["[::]:993"];
protocol = "imap";
tls.implicit = true;
};
"management" = {
bind = ["[::]:80"]; # This must also bind publically for ACME to work.
protocol = "http";
};
};
};
acme.letsencrypt = {
directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
challenge = "http-01";
contact = ["root@mathebau.de"];
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
default = true;
};
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = {
# TODO check if HRZ conforms to these standards and we can validate them strictly
dkim.verify = "relaxed";
arc.verify = "relaxed";
dmarc.verify = "relaxed";
iprev.verify = "relaxed";
spf.verify.ehlo = "relaxed";
spf.verify.mail-from = "relaxed";
};
# Forward outgoing mail to HRZ or mail VMs.
# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
queue.outbound = {
next-hop = [
{
"if" = "rcpt_domain = 'lists.mathebau.de'";
"then" = "'mailman'";
}
{
"if" = "is_local_domain('', rcpt_domain)";
"then" = "'local'";
}
{"else" = "'hrz'";}
];
tls = {
mta-sts = "disable";
dane = "disable";
starttls = "optional"; # e.g. Lobon does not offer starttls
};
};
remote."hrz" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false; # somehow this is needed here
};
remote."mailman" = {
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
port = 25;
protocol = "smtp";
tls.implicit = false; # somehow this is needed here
};
session.rcpt = {
# In order to accept mail that we only forward
# without having to generate an account.
# Invalid addresses are filtered by DFN beforehand.
catch-all = true;
relay = [
{
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
"then" = true;
}
{"else" = false;}
];
};
config.local-keys =
[
"store.*"
"directory.*"
"tracer.*"
"server.*"
"!server.blocked-ip.*"
"authentication.fallback-admin.*"
"cluster.node-id"
"storage.data"
"storage.blob"
"storage.lookup"
"storage.fts"
"storage.directory"
"lookup.default.hostname"
"certificate.*"
] # the default ones
++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
session.data.script = "'redirects'";
authentication.fallback-admin = {
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
};
tracer.stdout.level = "debug";
};
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/stalwart-mail"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
};
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
# will stop working if no valid TUIDs are associated to our domain.
systemd = {
timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "1h"; # Run every 5 minutes
OnUnitActiveSec = "1h";
RandomizedDelaySec = "10m"; # prevent overload on regular intervals
Unit = "mailAllowlist.service";
};
};
services = {
"mailAllowlist" = {
description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
script = let
scriptTemplate = {
domain,
allowlistPass,
...
}: ''
# Get the mail addresses' local-part
# TODO: These features have been removed from stalwart-cli and needs to be replaced by undocumented API calls.
# see https://github.com/stalwartlabs/mail-server/discussions/803
# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
# ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
# Post local-parts to HRZ
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
in
lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
serviceConfig = {
Type = "oneshot";
User = "stalwart-mail";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = false; # allow access to sieve script
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
"stalwart-mail" = {
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
};
"virt-aliases-generator" = {
description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
script = let
scriptTemplate = {
domain,
virt_aliases,
...
}:
if virt_aliases != ""
then "${virt_aliases} ${domain} "
else "";
in
lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
serviceConfig = {
Type = "oneshot";
User = "stalwart-mail";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = false;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
};
};
# Backups
services.borgbackup.jobs.mail = {
paths = [
"/var/lib/stalwart-mail/data"
];
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
# “Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.”
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
group = "root";
};
};
}
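Review bot: The allowlist script hands the HRZ password to curl on its command line (`-F password=$(cat ${allowlistPass})`), where it is readable in the process list by other local users for the duration of the upload; curl can take a form value from a file instead, `-F "password=<${allowlistPass}"`, which keeps it out of argv (and the `allowlistPass` option comment calls it a password while the script treats it as a path to one, so the option description should say "path to a file containing the password"). All three units share data through fixed paths in the world-writable `/tmp` (`/tmp/addresses`, written with `>>`, and `/tmp/virt_aliases`, which stalwart loads as a trusted sieve script) with `PrivateTmp` turned off, so a file another local user creates there before the first run is appended to and posted, or becomes the redirect script; a directory owned by the service user (e.g. `serviceConfig.RuntimeDirectory = "stalwart-mail";` or a path under `/var/lib/stalwart-mail`) would avoid that and let `PrivateTmp` stay enabled. `wantedBy = ["stalwart-mail.service"]` pulls the generator in but does not order it, so unless ordering is declared elsewhere stalwart can read `%{file:/tmp/virt_aliases}%` before the file exists; `before = ["stalwart-mail.service"];` on virt-aliases-generator and `after = ["virt-aliases-generator.service"];` on mailAllowlist (which greps the same file) would fix that. The borg `repo` ends in `kaluut` while the backup-server hunk above registers the client under `kaalut` with `path = "/var/lib/backups/kaalut"`, which looks like a typo that will make the job fail or create a second repository. The fallback-admin argon2 hash is committed in this module, so anyone who can read the repository can attack it offline; loading it through the `%{file:…}%` macro already used for the sieve script, from a sops-managed file, would keep it out of the tree if stalwart accepts the macro for that key.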