From 2ba64b55c1a071d344cd5f14814e6ee57adc4eba Mon Sep 17 00:00:00 2001
From: Gonne
Date: Sun, 31 Mar 2024 16:26:11 +0200
Subject: [PATCH] Add pushing to hrz allowlist
---
 .sops.yaml | 7 ++++++
 nixos/machines/lobon/allowlistPass.yaml | 28 +++++++++++++++++++++
 nixos/modules/mailman.nix | 33 +++++++++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 nixos/machines/lobon/allowlistPass.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 6d555cf..10ec199 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+ - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
 creation_rules:
 - path_regex: nixos/machines/nyarlathotep/.*
@@ -18,6 +19,12 @@ creation_rules:
 - *nerf
 - *gonne
 - *bragi
+ - path_regex: nixos/machines/lobon/.*
+ key_groups:
+ - age:
+ - *nerf
+ - *gonne
+ - *lobon
 # this is the catchall clause if nothing above machtes. Encrypt to users but not
 # to machines
 - key_groups:
diff --git a/nixos/machines/lobon/allowlistPass.yaml b/nixos/machines/lobon/allowlistPass.yaml
new file mode 100644
index 0000000..f78af8d
--- /dev/null
+++ b/nixos/machines/lobon/allowlistPass.yaml
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:H2J/Lfv0PjvDRinfIZfVUz8=,iv:zgu/5x2kugq5PHLze9js9kQQWNrgq07VKUUNdEXcZoE=,tag:o/oVShrYl2nTFFjvsyGC3g==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByelVVT3hDcnczendsUUZl\nelArcW1yTHpnOE5KS0R5UEtEeTFoWFBWNVNjCkJIZTlZS1VZSXFUbmt5NTZwc1k2\nVmNMQTJPLzRxVXB6cGtiMXkvZXRyekUKLS0tIFZLdEdLUEZWM2pvMXpnbzFLZFov\nZkZGRVRnR2pqRy91SVYrbGt2UnZlckUKszynMc0Eci8N8E6CKCRVmry1IlvrikXo\nUEBsrCRQM44ABfkNPeci+8mtiM3cKanBkFSQWI8hymGF/Es2XK35Xg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRWo1NWZGMVI1RytXekJz\nais4cStCeVN3dGlMY2NvbmpTcmdNQ3ZjTWh3CitsaWEzUTR3T1dMZVNkQTBQc1B1\nWVU5bXlZUWNhMkNQN2Nuay9aUW1URzAKLS0tIHliOUFoVno5SHNRUWE4R0pGV0F4\nb3liS1ZpQmhoS0tTbE9UekNJNWNkSkEK82yDjqo089XMyi6mptGarErVjsRSZe0Q\nLSiNzNRyTjtII3FXx3xMvMajgH4xw9HZAKW9vGHlCJ9uDFT/O2UZFw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOTRpL1djYjVMaUZQVzZE\nckdIc1dxdW9Bckl0NFIycDNKL0RNeHRUZzNvCm5xTUVIQ3hnb2RPSEQxa3d3aWV3\ndnZhN1ovSVk3ODVMNFppdGptUVVoYnMKLS0tIDFiSEl6eTZFUkNwNnZoOEZWb1Nw\nZDRHWHJiNjRld2hZbm9mbUhYNzJjVUEKURXbmHjR20XyIoEZnTFc5X9s948tpLKF\ndo8Svj/GYRKmLiANUCUwTTbxDqZJwm0Xhw3FD7Q6MVYdU74fqLU4zA==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-03-31T14:19:18Z",
+ "mac": "ENC[AES256_GCM,data:VBJFT6avZoJeh3JuXVxPWBMSPX5/pQUWYENhqjl2zAKwWZpe6CcRyrn1FSA+rcC0HGO1ZCo7koNt1HPYjEqAD9lkg90mC9o/f7kve0y/Zr/Dbd0sia1hcHXFgGWJt/goK0NvioNwCZCz1JgQB8mWHWiW7xJXJ8hRSLAlStEM/Ig=,iv:2I+cRgvisIJU7s9HeFopKTD3/GwTvbc2v/1puMXIttU=,tag:YKnf6dUfutBvOJWroqyuag==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 7241703..e6eb8f5 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -63,5 +63,38 @@ in {
 security.acme.acceptTerms = true;
 networking.firewall.allowedTCPPorts = [25 80 443];
+
+ # Update HRZ allowlist
+ #
+ systemd.timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m"; # Run every 5 minutes
+ OnUnitActiveSec = "5m";
+ RandomizedDelaySec = "1m"; # Randomized delay
+ Unit = "mailAllowlist.service";
+ };
+ };
+ systemd.services."mailAllowlist" = {
+ description = "Post the mail addresses used by mailman to the HRZ allow list";
+ script = ''
+ # Parse addresses
+ awk '{print $1}' /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > addresses
+ # Post addresses to HRZ
+ curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@addresses -F meldungen=voll
+ # Cleanup
+ rm addresses
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "mailman";
+ };
+ };
+ sops.secrets.allowlistPass = {
+ sopsFile = ../machines/lobon/allowlistPass.yaml;
+ owner = "mailman";
+ group = "mailman";
+ mode = "0400";
+ };
 };
}
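Review bot: The HRZ password is expanded into curl's argument list by `-F password=$(cat /run/secrets/allowlistPass)` in the `mailAllowlist` script, so for the duration of the request it is readable from the process table (`/proc/<pid>/cmdline`), which undoes the `mode = "0400"` placed on the secret two lines later; curl can read the field from the file itself with `-F "password=</run/secrets/allowlistPass"` (the `<` form sends the file contents as a text field, so a trailing newline in the decrypted secret, if there is one, would now be part of the value — worth confirming against the stored secret). The `addresses` scratch file uses a relative path while the service sets no `WorkingDirectory`, so it is written wherever the process cwd happens to be, and `rm addresses` is skipped whenever curl fails because the script aborts on the first error; a `mktemp` file removed from an `EXIT` trap covers both. curl is also run without `--fail`, so an HTTP error from the allowlist endpoint (a rejected password, for instance) still leaves the oneshot unit reported as successful. As far as I can tell awk and curl are not on the default PATH of a NixOS service, so the unit probably also needs `path = [ pkgs.gawk pkgs.curl ];` if `pkgs` is a module argument — the module header is outside the hunk.
```nix
    script = ''
      # Build the address list in a private temp file: the unit has no
      # WorkingDirectory, and the trap removes the file even when curl fails.
      addresses=$(mktemp)
      trap 'rm -f "$addresses"' EXIT
      # Parse addresses
      awk '{print $1}' /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > "$addresses"
      # Post addresses to HRZ. curl reads the password from the secret file so it
      # never appears in the argument list; --fail turns an HTTP error into a
      # non-zero exit so the oneshot unit reports the failure.
      curl --fail --silent --show-error \
        https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php \
        -F emaildomain=lists.mathebau.de \
        -F "password=</run/secrets/allowlistPass" \
        -F "emailliste=@$addresses" \
        -F meldungen=voll
    '';
    # … unchanged: serviceConfig (Type, User) …
```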