Add pushing to hrz allowlist

.sops.yaml

@@ -4,6 +4,7 @@ keys:
 
   - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
   - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+  - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
 
 creation_rules:
   - path_regex: nixos/machines/nyarlathotep/.*
@@ -18,6 +19,12 @@ creation_rules:
         - *nerf
         - *gonne
         - *bragi
+  - path_regex: nixos/machines/lobon/.*
+    key_groups:
+      - age:
+        - *nerf
+        - *gonne
+        - *lobon
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:

nixos/machines/lobon/allowlistPass.yaml

@@ -0,0 +1,39 @@
+allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
+            NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
+            Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
+            Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
+            ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
+            QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
+            SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
+            NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
+            G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
+            TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
+            VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
+            Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
+            uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-31T14:34:54Z"
+    mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/modules/mailman.nix

@@ -2,6 +2,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: let
   inherit
@@ -36,7 +37,7 @@ in {
           proxy_interfaces = "130.83.2.184";
           smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
         };
-        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
+        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
       };
       mailman = {
         enable = true;
@@ -44,10 +45,12 @@ in {
         hyperkitty.enable = true;
         webHosts = [cfg.hostName];
         serve.enable = true; #
+        # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
+        settings.mta.verp_confirmations = "no";
       };
       nginx.virtualHosts.${cfg.hostName} = {
-        enableACME = true;
-        forceSSL = false;
+        enableACME = true; # Get certificates (primarily for postfix)
+        forceSSL = false; # Don't use HTTPS behind the proxy
       };
     };
 
@@ -63,5 +66,40 @@ in {
     security.acme.acceptTerms = true;
 
     networking.firewall.allowedTCPPorts = [25 80 443];
+
+    # Update HRZ allowlist
+    # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+    # will stop working if no valid TUIDs are associated to our domain.
+    systemd.timers."mailAllowlist" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5m"; # Run every 5 minutes
+        OnUnitActiveSec = "5m";
+        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+        Unit = "mailAllowlist.service";
+      };
+    };
+    systemd.services."mailAllowlist" = {
+      description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
+      script = ''
+        # Get the mail addresses' local-part
+        cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
+        # Post local-parts to HRZ
+        ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
+        # Cleanup
+        rm /tmp/addresses
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "mailman";
+        PrivateTmp = true;
+      };
+    };
+    sops.secrets.allowlistPass = {
+      sopsFile = ../machines/lobon/allowlistPass.yaml;
+      owner = "mailman";
+      group = "mailman";
+      mode = "0400";
+    };
   };
 }