From 5c1a2451b1f12744a509fffbb0a3be2aa69fa346 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Sun, 31 Mar 2024 16:26:11 +0200
Subject: [PATCH] Add pushing to hrz allowlist
---
 .sops.yaml | 7 ++++
 nixos/machines/lobon/allowlistPass.yaml | 39 ++++++++++++++++++++++
 nixos/modules/mailman.nix | 44 +++++++++++++++++++++++--
 3 files changed, 87 insertions(+), 3 deletions(-)
 create mode 100644 nixos/machines/lobon/allowlistPass.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 6f01614..bc5cfc6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+ - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
 creation_rules:
 - path_regex: nixos/machines/nyarlathotep/.*
@@ -18,6 +19,12 @@ creation_rules:
 - *nerf
 - *gonne
 - *bragi
+ - path_regex: nixos/machines/lobon/.*
+ key_groups:
+ - age:
+ - *nerf
+ - *gonne
+ - *lobon
 # this is the catchall clause if nothing above machtes. Encrypt to users but not
 # to machines
 - key_groups:
diff --git a/nixos/machines/lobon/allowlistPass.yaml b/nixos/machines/lobon/allowlistPass.yaml
new file mode 100644
index 0000000..c8d4d98
--- /dev/null
+++ b/nixos/machines/lobon/allowlistPass.yaml
@@ -0,0 +1,39 @@
+allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
+ NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
+ Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
+ Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
+ ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
+ QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
+ SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
+ NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
+ G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
+ TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
+ VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
+ Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
+ uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-31T14:34:54Z"
+ mac: 
ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 7241703..7d233fd 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -2,6 +2,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
 inherit
@@ -36,7 +37,7 @@ in {
 proxy_interfaces = "130.83.2.184";
 smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
 };
- relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
+ relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
 };
 mailman = {
 enable = true;
@@ -44,10 +45,12 @@ in {
 hyperkitty.enable = true;
 webHosts = [cfg.hostName];
 serve.enable = true; #
+ # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
+ settings.mta.verp_confirmations = "no";
 };
 nginx.virtualHosts.${cfg.hostName} = {
- enableACME = true;
- forceSSL = false;
+ enableACME = true; # Get certificates (primarily for postfix)
+ forceSSL = false; # Don't use HTTPS behind the proxy
 };
 };
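Review bot: `forceSSL = false; # Don't use HTTPS behind the proxy` states the intent but nothing in this vhost restricts plain HTTP to that proxy: `serve.enable = true` with `webHosts = [cfg.hostName]` serves the Mailman web UI (HyperKitty is enabled two lines above, and its login forms with it), and the firewall further down in this file opens ports 80 and 443, so if the host is reachable directly, passwords and session cookies would travel unencrypted. If the proxy is meant to be the only client, say so in the comment and enforce it — bind the vhost to the proxy-facing address or allow-list the proxy in `extraConfig`; otherwise `forceSSL = true` costs nothing, since `enableACME = true` already obtains the certificate. The `nginx.virtualHosts` attribute set closes inside the hunk, but the enclosing `services` block starts before it.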
@@ -63,5 +66,40 @@ in {
 security.acme.acceptTerms = true;
 networking.firewall.allowedTCPPorts = [25 80 443];
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd.timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m"; # Run every 5 minutes
+ OnUnitActiveSec = "5m";
+ RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ systemd.services."mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
+ script = ''
+ # Get the mail addresses' local-part
+ cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "mailman";
+ PrivateTmp = true;
+ };
+ };
+ sops.secrets.allowlistPass = {
+ sopsFile = ../machines/lobon/allowlistPass.yaml;
+ owner = "mailman";
+ group = "mailman";
+ mode = "0400";
+ };
 };
 }
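Review bot: The curl call in the service script passes the secret as `-F password=$(cat /run/secrets/allowlistPass)`, which puts the HRZ allowlist password into curl's argv — readable by every local user via `ps` or `/proc/<pid>/cmdline` while the upload runs — and, being unquoted, subjects it to shell word splitting; the `mode = "0400"` on the secret file protects the file but not this copy. Let curl read the field from the file instead: `-F "password=</run/secrets/allowlistPass"` (curl's `<` prefix sends the file contents as the field value, unlike `@`, which uploads it as a file); note that `$(cat …)` strips a trailing newline while `<file` does not, so confirm how sops-nix writes this secret before switching. Separately, curl exits 0 on an HTTP error response, so a rejected update never fails the unit and the timer keeps silently retrying — adding `--fail-with-body` (or `--fail`) before the URL makes a rejected upload visible in `systemctl status`. The timer, service and secret definitions are complete within this hunk, but the enclosing module attribute set starts before it.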