lobon (Mailman-VM) #30

Open
Gonne wants to merge 4 commits from Gonne/nixConfig:lobon into main
Owner

Mailman in its own VM. The mailing lists now end in @lists.mathebau.de.

Still outstanding before going live:

- [x] Corresponding forwarding from Eihort
- [x] Switch the reverse proxy in Cthulhu
- [x] Set up backups of the mailing lists
- [x] Set up HRZ allowlisting

Based on #26.

Gonne added 2 commits 2024-02-06 14:50:02 +00:00
Gonne reviewed 2024-02-06 14:53:22 +00:00
@ -0,0 +53,4 @@
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
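Review bot: persisting /var/lib/acme at +55 is the right call under impermanence, since it keeps the ACME account and the issued TLS private keys across reboots instead of re-requesting certificates on every boot; what should be checked is that the persisted directory keeps its restrictive ownership and mode, because it contains private keys. Whether it also belongs in the backups is a separate decision (the thread below settles on regenerating certificates instead).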
Author
Owner

TODO: Backups?

Author
Owner

Done for mailman data. The certificates can be regenerated on hardware failure.

Gonne marked this conversation as resolved
Gonne force-pushed lobon from 1bd62a3d9f to 1b8909b6b4 2024-03-29 07:28:04 +00:00 Compare
Gonne force-pushed lobon from 1b8909b6b4 to 41c99daad0 2024-03-30 06:54:49 +00:00 Compare
Gonne added 1 commit 2024-03-31 14:26:45 +00:00
Gonne force-pushed lobon from 9bd6258cfe to 2ba64b55c1 2024-03-31 14:28:50 +00:00 Compare
Gonne force-pushed lobon from 2ba64b55c1 to 7b835efd46 2024-03-31 14:35:25 +00:00 Compare
Gonne force-pushed lobon from 7b835efd46 to 8f7ab3e36b 2024-03-31 15:12:09 +00:00 Compare
Gonne force-pushed lobon from 8f7ab3e36b to a89dab0dbd 2024-03-31 15:40:58 +00:00 Compare
Gonne force-pushed lobon from a89dab0dbd to 2673d101fb 2024-03-31 15:56:26 +00:00 Compare
Gonne force-pushed lobon from 2673d101fb to 5250a0fc93 2024-03-31 18:29:08 +00:00 Compare
Gonne changed title from WIP: lobon (Mailman-VM) to lobon (Mailman-VM) 2024-03-31 21:24:23 +00:00
Author
Owner

Seems to work now.

Gonne force-pushed lobon from 5250a0fc93 to 6009971ff5 2024-04-01 07:31:23 +00:00 Compare
Gonne force-pushed lobon from 6009971ff5 to 3a1e670c28 2024-04-01 13:41:54 +00:00 Compare
Gonne force-pushed lobon from 3a1e670c28 to eaf90b9a4a 2024-04-01 14:29:16 +00:00 Compare
Gonne force-pushed lobon from eaf90b9a4a to 4d965ba394 2024-04-01 14:31:35 +00:00 Compare
Gonne requested review from Server-Minions 2024-04-02 16:24:39 +00:00
Gonne added the
Kind/Feature
Priority
Medium
labels 2024-04-02 16:48:15 +00:00
Gonne force-pushed lobon from 4d965ba394 to dcc055891f 2024-04-02 18:24:31 +00:00 Compare
Author
Owner

> Gonne force-pushed lobon from 4d965ba394 to dcc055891f

I decided to include all of mailman's persistent state in the backups to include archives.

Gonne force-pushed lobon from dcc055891f to 354488c38d 2024-04-03 13:45:19 +00:00 Compare
Gonne force-pushed lobon from 354488c38d to 45a20b7f52 2024-04-03 14:00:00 +00:00 Compare
nerf reviewed 2024-04-04 14:01:42 +00:00
@ -0,0 +1,39 @@
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
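Review bot: allowlistPass at +1 is committed only as a sops ENC[AES256_GCM,...] envelope, so no plaintext reaches the repository; what remains to verify is that the file's recipient keys include the lobon host so it decrypts on the target, and that the decrypted secret is owned by the user that actually consumes it (mailman, per the discussion) rather than being left root-only.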
Owner

See comment on the other sops file.

nerf marked this conversation as resolved
@ -0,0 +1,39 @@
backupKey: ENC[AES256_GCM,data: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,iv:ghvgkC6qFO/0tvsc7igCoZy7am8eNsd21WYCSAKiZDs=,tag:MFnk/Nnw+cloN+x7sd4LLg==,type:str]
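Review bot: backupKey at +1 and allowlistPass in the other sops file are read by different system users (root and mailman, per the discussion below), so keeping them in separate files, as this change does, is the safer grouping; if they were merged into one YAML, each secret would need its owner and mode set individually so that the mailman user could not read the backup repository key, and every secret in a file shares that file's recipient keys.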
Owner

Hmm, I hadn't thought about the following:

Which secrets get different sops files and which go into the same file?
Can we put both of these secrets into the same YAML? Is this desirable?

Author
Owner

I think splitting per desired system user is useful (might even be necessary). Apart from that it feels more about conventions which I don't know.

Currently the secrets are used by `root` and `mailman` but giving the backup service `root`-access in itself feels like a mistake.

Owner

Refactoring the backup process sounds like something that we should do uniformly across all VMs. So I think we should do that in a dedicated pull request. I will open an issue for that. Finding a solution for this is probably out of scope here.

nerf marked this conversation as resolved
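As an added example (not configuration from the nixConfig repository), one way to express the "split per system user" idea discussed above with the sops-nix module: the backup key stays in its own file readable only by root, while the allowlist password lives in the VM's default sops file and is handed to the mailman user. The file paths, the unit name and the use of sops-nix itself are assumptions.

```nix
# Added example, not the repository's own configuration. Assumes sops-nix.
{ config, ... }:
{
  # Default file for this host; a per-secret sopsFile overrides it below.
  sops.defaultSopsFile = ./secrets/lobon.yaml;      # constructed path

  # Backup credential: separate file, root-only. Nothing running as mailman
  # can read the repository key even if the list service is compromised.
  sops.secrets.backupKey = {
    sopsFile = ./secrets/lobon-backup.yaml;         # constructed path
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # HRZ allowlist password: decrypted to /run/secrets/allowlistPass with
  # mailman as owner, so the updater can read it without running as root.
  sops.secrets.allowlistPass = {
    owner = "mailman";
    group = "mailman";
    mode = "0400";
  };

  # Consumers reference the decrypted path, never the value, so the secret
  # never lands in the world-readable Nix store. Unit name is hypothetical.
  systemd.services.hrz-allowlist-update.serviceConfig.LoadCredential =
    "allowlistPass:${config.sops.secrets.allowlistPass.path}";
}
```

Per-secret owner and mode decide who can read a secret at runtime, but file grouping still matters for decryption: every secret in one file shares that file's recipient keys.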
@ -0,0 +93,4 @@
serviceConfig = {
Type = "oneshot";
User = "mailman";
PrivateTmp = true;
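Review bot: the oneshot unit at +93 runs as mailman with PrivateTmp but no further confinement; for a non-interactive updater, NoNewPrivileges=true, ProtectSystem=strict with a ReadWritePaths= entry for mailman's state directory, ProtectHome=true and PrivateDevices=true are the usual additions from the Sandboxing section of systemd.exec(5), and systemd-analyze security on the unit shows what is still open. ExecPaths=/NoExecPaths= can reasonably wait, as the thread concludes, until the interpreter and helper paths the updater needs are known.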
Owner

Can we set `NoNewPrivileges = true;`? Or does it break the service?

And one could read the Sandboxing part of `systemd.exec(5)`.

Author
Owner

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.

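As an added example (not the PR's own commit f334e00d01), a sandboxed oneshot unit in NixOS syntax that runs as the mailman user, showing the systemd.exec(5) options a practitioner would typically enable for an updater like this one. The service name, the ReadWritePaths entry and the ExecStart placeholder are assumptions.

```nix
# Added example, not the repository's own unit. Assumes the updater only
# needs to write below /var/lib/mailman and to talk to the network.
{ pkgs, ... }:
{
  systemd.services.mailman-allowlist-update = {   # hypothetical unit name
    description = "Update HRZ allowlist for Mailman (example)";
    startAt = "daily";
    serviceConfig = {
      Type = "oneshot";
      User = "mailman";
      Group = "mailman";
      PrivateTmp = true;
      NoNewPrivileges = true;        # no setuid/setcap escalation from here
      ProtectSystem = "strict";      # whole tree read-only except the list below
      ReadWritePaths = [ "/var/lib/mailman" ];
      ProtectHome = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      CapabilityBoundingSet = "";    # oneshot as mailman needs no capabilities
      # ExecPaths=/NoExecPaths= left out, as in the thread, until the
      # interpreter and helper paths the updater needs are known.
      ExecStart = "${pkgs.coreutils}/bin/true";   # placeholder for the updater
    };
  };
}
```

After a rebuild, `systemd-analyze security mailman-allowlist-update.service` reports which exposure items remain so the list can be tightened step by step.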
nerf reviewed 2024-04-04 14:42:26 +00:00
@ -0,0 +113,4 @@
};
repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
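Review bot: the borg job at +116 runs as root even though it only needs read access to mailman's persisted state, and the hard-coded repo at +114 is already marked TODO against issue 33; both belong to the backup-process refactoring the thread defers, but until then the root-level job is the one place where the backup key and full filesystem access meet, so keep that unit's sandboxing in mind as well.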
Owner

This is probably a bigger refactoring pull request and outside the scope of this one. We could think about making it easier to configure that backups are made by a user that can basically read everything but not write.

nerf marked this conversation as resolved
Gonne added 1 commit 2024-04-04 15:13:54 +00:00
Gonne force-pushed lobon from 6b0a230d7e to f2b83cf5d8 2024-04-04 15:17:42 +00:00 Compare
Gonne force-pushed lobon from f2b83cf5d8 to 4b684bc1e6 2024-04-04 15:35:39 +00:00 Compare
Gonne force-pushed lobon from 4b684bc1e6 to f334e00d01 2024-04-04 15:45:59 +00:00 Compare
Gonne force-pushed lobon from f334e00d01 to 146a904259 2024-04-26 16:21:11 +00:00 Compare
Gonne force-pushed lobon from 146a904259 to d03291bb5d 2024-04-26 17:02:09 +00:00 Compare
Reference: Fachschaft/nixConfig#30