Add pushing to hrz allowlist
This commit is contained in:
parent
41c99daad0
commit
2ba64b55c1
3 changed files with 68 additions and 0 deletions
|
@ -4,6 +4,7 @@ keys:
|
||||||
|
|
||||||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -18,6 +19,12 @@ creation_rules:
|
||||||
- *nerf
|
- *nerf
|
||||||
- *gonne
|
- *gonne
|
||||||
- *bragi
|
- *bragi
|
||||||
|
- path_regex: nixos/machines/lobon/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *lobon
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
28
nixos/machines/lobon/allowlistPass.yaml
Normal file
28
nixos/machines/lobon/allowlistPass.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:H2J/Lfv0PjvDRinfIZfVUz8=,iv:zgu/5x2kugq5PHLze9js9kQQWNrgq07VKUUNdEXcZoE=,tag:o/oVShrYl2nTFFjvsyGC3g==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"kms": null,
|
||||||
|
"gcp_kms": null,
|
||||||
|
"azure_kv": null,
|
||||||
|
"hc_vault": null,
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByelVVT3hDcnczendsUUZl\nelArcW1yTHpnOE5KS0R5UEtEeTFoWFBWNVNjCkJIZTlZS1VZSXFUbmt5NTZwc1k2\nVmNMQTJPLzRxVXB6cGtiMXkvZXRyekUKLS0tIFZLdEdLUEZWM2pvMXpnbzFLZFov\nZkZGRVRnR2pqRy91SVYrbGt2UnZlckUKszynMc0Eci8N8E6CKCRVmry1IlvrikXo\nUEBsrCRQM44ABfkNPeci+8mtiM3cKanBkFSQWI8hymGF/Es2XK35Xg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRWo1NWZGMVI1RytXekJz\nais4cStCeVN3dGlMY2NvbmpTcmdNQ3ZjTWh3CitsaWEzUTR3T1dMZVNkQTBQc1B1\nWVU5bXlZUWNhMkNQN2Nuay9aUW1URzAKLS0tIHliOUFoVno5SHNRUWE4R0pGV0F4\nb3liS1ZpQmhoS0tTbE9UekNJNWNkSkEK82yDjqo089XMyi6mptGarErVjsRSZe0Q\nLSiNzNRyTjtII3FXx3xMvMajgH4xw9HZAKW9vGHlCJ9uDFT/O2UZFw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOTRpL1djYjVMaUZQVzZE\nckdIc1dxdW9Bckl0NFIycDNKL0RNeHRUZzNvCm5xTUVIQ3hnb2RPSEQxa3d3aWV3\ndnZhN1ovSVk3ODVMNFppdGptUVVoYnMKLS0tIDFiSEl6eTZFUkNwNnZoOEZWb1Nw\nZDRHWHJiNjRld2hZbm9mbUhYNzJjVUEKURXbmHjR20XyIoEZnTFc5X9s948tpLKF\ndo8Svj/GYRKmLiANUCUwTTbxDqZJwm0Xhw3FD7Q6MVYdU74fqLU4zA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2024-03-31T14:19:18Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:VBJFT6avZoJeh3JuXVxPWBMSPX5/pQUWYENhqjl2zAKwWZpe6CcRyrn1FSA+rcC0HGO1ZCo7koNt1HPYjEqAD9lkg90mC9o/f7kve0y/Zr/Dbd0sia1hcHXFgGWJt/goK0NvioNwCZCz1JgQB8mWHWiW7xJXJ8hRSLAlStEM/Ig=,iv:2I+cRgvisIJU7s9HeFopKTD3/GwTvbc2v/1puMXIttU=,tag:YKnf6dUfutBvOJWroqyuag==,type:str]",
|
||||||
|
"pgp": null,
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.8.1"
|
||||||
|
}
|
||||||
|
}
|
|
@ -63,5 +63,38 @@ in {
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
networking.firewall.allowedTCPPorts = [25 80 443];
|
||||||
|
|
||||||
|
# Update HRZ allowlist
|
||||||
|
#
|
||||||
|
systemd.timers."mailAllowlist" = {
|
||||||
|
wantedBy = ["timers.target"];
|
||||||
|
timerConfig = {
|
||||||
|
OnBootSec = "5m"; # Run every 5 minutes
|
||||||
|
OnUnitActiveSec = "5m";
|
||||||
|
RandomizedDelaySec = "1m"; # Randomized delay
|
||||||
|
Unit = "mailAllowlist.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services."mailAllowlist" = {
|
||||||
|
description = "Post the mail addresses used by mailman to the HRZ allow list";
|
||||||
|
script = ''
|
||||||
|
# Parse addresses
|
||||||
|
awk '{print $1}' /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > addresses
|
||||||
|
# Post addresses to HRZ
|
||||||
|
curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@addresses -F meldungen=voll
|
||||||
|
# Cleanup
|
||||||
|
rm addresses
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "mailman";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
sops.secrets.allowlistPass = {
|
||||||
|
sopsFile = ../machines/lobon/allowlistPass.yaml;
|
||||||
|
owner = "mailman";
|
||||||
|
group = "mailman";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue