Address first round of review

README.md

@@ -202,7 +202,8 @@ network configuration. And service configuration that are too closely interwoven
 mailserver configuration depends heavily on network settings). It also
 contains the root configuration for that machine called `configuration.nix`. This file usually only includes other modules.
 These `configuration.nix` files are almost usual nix configurations. The only difference is that they take as an extra argument
-the flake inputs. This allows them to load modules from these flakes. 
+the flake inputs. This allows them to load modules from these flakes. For example, nyarlathotep loads the simple-nixos-mailserver
+module that way.
 
 #### roles
 `nixos/roles` contains configuration that is potentially shared by some machines. It is expected that `nixos/roles/default.nix`

flake.lock

@@ -20,6 +20,22 @@
         "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
@@ -70,6 +86,27 @@
         "type": "github"
       }
     },
+    "nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": [],
+        "nixpkgs": [],
+        "nixpkgs-24_05": "nixpkgs-24_05"
+      },
+      "locked": {
+        "lastModified": 1722877200,
+        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
+        "ref": "refs/heads/master",
+        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
+        "revCount": 593,
+        "type": "git",
+        "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1732014248,
@@ -86,6 +123,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-24_05": {
+      "locked": {
+        "lastModified": 1717144377,
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1730504152,
@@ -168,6 +220,7 @@
         "alias-to-sieve": "alias-to-sieve",
         "flake-parts": "flake-parts_2",
         "impermanence": "impermanence",
+        "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs_3",
         "pre-commit-hooks": "pre-commit-hooks",
         "sops-nix": "sops-nix"

flake.nix

@@ -6,6 +6,13 @@
       url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";
     };
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixos-mailserver = {
+      url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
+      inputs = {
+        flake-compat.follows = "";
+        nixpkgs.follows = "";
+      };
+    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";

nixos/machines/kaalut/allowlistPass.yaml

@@ -1,7 +1,7 @@
 allowlistPass:
     matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str]
-    mathebau: ENC[AES256_GCM,data:ZlIv0MrCVtsyF3t9Gr/zcg==,iv:ZdBlnx4/zQZjT75ssB0osfDlWVerUe6yvwbMxlXpHZs=,tag:ytlNq7zP2WtPafcSQFZ6RQ==,type:str]
-    mathechor: ENC[AES256_GCM,data:d5KyoD/P8/j+poJSGF1nDA==,iv:ayKtvj4EEqUtMLi/7njbxuUql1A58WNi729svHtZju4=,tag:JqWoxxMN5mVN+gaQTmBv1Q==,type:str]
+    mathebau: ENC[AES256_GCM,data:D8Ri3fI=,iv:usZ6UktgqOGqtWrJjeZsYhHo/01IzT0aw9Nxgmfe35o=,tag:2tQfIcDd9rPFW/7779HSNw==,type:str]
+    mathechor: ENC[AES256_GCM,data:3EILes4=,iv:e3Tjlk+BBi2GyPLvhUeshbL3IqKPKlqSjT6+CrgnjYQ=,tag:R5cpo1+2vxI+HfdOvu2WRw==,type:str]
     koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str]
 sops:
     kms: []
@@ -45,8 +45,8 @@ sops:
             bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
             HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-05T13:49:19Z"
-    mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str]
+    lastmodified: "2024-12-14T15:53:00Z"
+    mac: ENC[AES256_GCM,data:q+Ad2f5ALcBK4/krvmOGXVfNS05vv138Qo4CqNO2hxzryUEzBe5PGYPcx2yExEOEopsv8NGcugNoGQ4nCgaMc7q+t1Feja6dWI85INUt+sE39ws7QAh9IFa2O06AX1WEsUEpnwl3xLWxyCHgKDoaaTfcUENEcPTSVnMwDr/HiwY=,iv:Z+hh06JAm6yfVkclRFfaPZhg0Gjbz0kFdPlYpvMWr+s=,tag:0QUt2WBubt1kKU0pRykfWQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.2

nixos/modules/mail.nix

@@ -152,7 +152,7 @@ in {
             catch-all = true;
             relay = [
               {
-                "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
+                "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
                 "then" = true;
               }
               {"else" = false;}