Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests Projects 1 Wiki Activity

Add pushing to hrz allowlist

Browse source
This commit is contained in:
Gonne 2024-03-31 16:26:11 +02:00
parent 41c99daad0
commit 9bd6258cfe
3 changed files with 68 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -4,6 +4,7 @@ keys:
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
creation_rules: creation_rules:
- path_regex: nixos/machines/nyarlathotep/.* - path_regex: nixos/machines/nyarlathotep/.*
@ -18,6 +19,12 @@ creation_rules:
- *nerf - *nerf
- *gonne - *gonne
- *bragi - *bragi
- path_regex: nixos/machines/lobon/.*
key_groups:
- age:
- *nerf
- *gonne
- *lobon
# this is the catchall clause if nothing above machtes. Encrypt to users but not # this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines # to machines
- key_groups: - key_groups:

28
nixos/machines/lobon/allowlistPass.yaml Normal file
View file

@ -0,0 +1,28 @@
{
"data": "ENC[AES256_GCM,data:H2J/Lfv0PjvDRinfIZfVUz8=,iv:zgu/5x2kugq5PHLze9js9kQQWNrgq07VKUUNdEXcZoE=,tag:o/oVShrYl2nTFFjvsyGC3g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByelVVT3hDcnczendsUUZl\nelArcW1yTHpnOE5KS0R5UEtEeTFoWFBWNVNjCkJIZTlZS1VZSXFUbmt5NTZwc1k2\nVmNMQTJPLzRxVXB6cGtiMXkvZXRyekUKLS0tIFZLdEdLUEZWM2pvMXpnbzFLZFov\nZkZGRVRnR2pqRy91SVYrbGt2UnZlckUKszynMc0Eci8N8E6CKCRVmry1IlvrikXo\nUEBsrCRQM44ABfkNPeci+8mtiM3cKanBkFSQWI8hymGF/Es2XK35Xg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRWo1NWZGMVI1RytXekJz\nais4cStCeVN3dGlMY2NvbmpTcmdNQ3ZjTWh3CitsaWEzUTR3T1dMZVNkQTBQc1B1\nWVU5bXlZUWNhMkNQN2Nuay9aUW1URzAKLS0tIHliOUFoVno5SHNRUWE4R0pGV0F4\nb3liS1ZpQmhoS0tTbE9UekNJNWNkSkEK82yDjqo089XMyi6mptGarErVjsRSZe0Q\nLSiNzNRyTjtII3FXx3xMvMajgH4xw9HZAKW9vGHlCJ9uDFT/O2UZFw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOTRpL1djYjVMaUZQVzZE\nckdIc1dxdW9Bckl0NFIycDNKL0RNeHRUZzNvCm5xTUVIQ3hnb2RPSEQxa3d3aWV3\ndnZhN1ovSVk3ODVMNFppdGptUVVoYnMKLS0tIDFiSEl6eTZFUkNwNnZoOEZWb1Nw\nZDRHWHJiNjRld2hZbm9mbUhYNzJjVUEKURXbmHjR20XyIoEZnTFc5X9s948tpLKF\ndo8Svj/GYRKmLiANUCUwTTbxDqZJwm0Xhw3FD7Q6MVYdU74fqLU4zA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-03-31T14:19:18Z",
"mac": "ENC[AES256_GCM,data:VBJFT6avZoJeh3JuXVxPWBMSPX5/pQUWYENhqjl2zAKwWZpe6CcRyrn1FSA+rcC0HGO1ZCo7koNt1HPYjEqAD9lkg90mC9o/f7kve0y/Zr/Dbd0sia1hcHXFgGWJt/goK0NvioNwCZCz1JgQB8mWHWiW7xJXJ8hRSLAlStEM/Ig=,iv:2I+cRgvisIJU7s9HeFopKTD3/GwTvbc2v/1puMXIttU=,tag:YKnf6dUfutBvOJWroqyuag==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}

33
nixos/modules/mailman.nix
View file

@ -63,5 +63,38 @@ in {
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443]; networking.firewall.allowedTCPPorts = [25 80 443];
# Update HRZ allowlist
#
systemd.timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m"; # Run every 5 minutes
OnUnitActiveSec = "5m";
RandomizedDelaySec = "1m"; # Randomized delay
Unit = "mailAllowlist.service";
};
};
systemd.services."mailAllowlist" = {
description = "Post the mail addresses used by mailman to the HRZ allow list";
script = ''
# Parse addresses
awk '{print $1}' /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > addresses
# Post addresses to HRZ
curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@addresses -F meldungen=voll
# Cleanup
rm addresses
'';
serviceConfig = {
Type = "oneshot";
User = "mailman";
};
};
sops.secrets.allowlistPass = {
sopsFile = "../machines/lobon/allowlistPass.yaml";
owner = "mailman";
group = "mailman";
mode = "0400";
};
}; };
} }