Add pushing to hrz allowlist
This commit is contained in:
parent
8906e6c766
commit
67083126be
3 changed files with 87 additions and 3 deletions
|
@ -4,6 +4,7 @@ keys:
|
||||||
|
|
||||||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -18,6 +19,12 @@ creation_rules:
|
||||||
- *nerf
|
- *nerf
|
||||||
- *gonne
|
- *gonne
|
||||||
- *bragi
|
- *bragi
|
||||||
|
- path_regex: nixos/machines/lobon/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *lobon
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
39
nixos/machines/lobon/allowlistPass.yaml
Normal file
39
nixos/machines/lobon/allowlistPass.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
|
||||||
|
NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
|
||||||
|
Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
|
||||||
|
Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
|
||||||
|
ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
|
||||||
|
QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
|
||||||
|
SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
|
||||||
|
NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
|
||||||
|
G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
|
||||||
|
TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
|
||||||
|
VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
|
||||||
|
Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
|
||||||
|
uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-03-31T14:34:54Z"
|
||||||
|
mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -2,6 +2,7 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit
|
inherit
|
||||||
|
@ -36,7 +37,7 @@ in {
|
||||||
proxy_interfaces = "130.83.2.184";
|
proxy_interfaces = "130.83.2.184";
|
||||||
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
||||||
};
|
};
|
||||||
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
|
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
|
||||||
};
|
};
|
||||||
mailman = {
|
mailman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -44,10 +45,12 @@ in {
|
||||||
hyperkitty.enable = true;
|
hyperkitty.enable = true;
|
||||||
webHosts = [cfg.hostName];
|
webHosts = [cfg.hostName];
|
||||||
serve.enable = true; #
|
serve.enable = true; #
|
||||||
|
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
||||||
|
settings.mta.verp_confirmations = "no";
|
||||||
};
|
};
|
||||||
nginx.virtualHosts.${cfg.hostName} = {
|
nginx.virtualHosts.${cfg.hostName} = {
|
||||||
enableACME = true;
|
enableACME = true; # Get certificates (primarily for postfix)
|
||||||
forceSSL = false;
|
forceSSL = false; # Don't use HTTPS behind the proxy
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -63,5 +66,40 @@ in {
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
networking.firewall.allowedTCPPorts = [25 80 443];
|
||||||
|
|
||||||
|
# Update HRZ allowlist
|
||||||
|
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||||
|
# will stop working if no valid TUIDs are associated to our domain.
|
||||||
|
systemd.timers."mailAllowlist" = {
|
||||||
|
wantedBy = ["timers.target"];
|
||||||
|
timerConfig = {
|
||||||
|
OnBootSec = "5m"; # Run every 5 minutes
|
||||||
|
OnUnitActiveSec = "5m";
|
||||||
|
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
|
||||||
|
Unit = "mailAllowlist.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services."mailAllowlist" = {
|
||||||
|
description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
|
||||||
|
script = ''
|
||||||
|
# Get the mail addresses' local-part
|
||||||
|
cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
|
||||||
|
# Post local-parts to HRZ
|
||||||
|
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
|
||||||
|
# Cleanup
|
||||||
|
rm /tmp/addresses
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "mailman";
|
||||||
|
PrivateTmp = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
sops.secrets.allowlistPass = {
|
||||||
|
sopsFile = ../machines/lobon/allowlistPass.yaml;
|
||||||
|
owner = "mailman";
|
||||||
|
group = "mailman";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue