lobon (Mailman-VM) #30

Merged
Gonne merged 5 commits from Gonne/nixConfig:lobon into main 2024-10-12 14:10:02 +00:00
Showing only changes of commit 101638c413

@ -29,8 +29,6 @@ in {
postfix = { postfix = {
enable = true; enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"]; relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
config = { config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
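Review bot: removing sslCert and sslKey leaves Postfix with no server certificate, so the SMTP listener on port 25 can no longer offer STARTTLS to eihort, which the discussion says "possibly" uses it. If plaintext relay is the intended end state, say so in a comment on the postfix block, and check that eihort's transport to this host is not set to require TLS; a relay that demands encryption will defer mail to a server that does not offer STARTTLS rather than fall back to plaintext.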
@ -48,25 +46,17 @@ in {
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise. # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no"; settings.mta.verp_confirmations = "no";
}; };
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
forceSSL = false; # Don't use HTTPS behind the proxy
};
}; };
environment.persistence.${config.impermanence.name} = { environment.persistence.${config.impermanence.name} = {
directories = [ directories = [
Gonne marked this conversation as resolved

I'm not sure where I stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non-nginx use, should we config them separately and not in the nginx block?

Also how does the web interface work, are we proxied by cthulhu? If yes, who handles TLS certs?


“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme

I don't want to do DNS validation so this is the way. The `services.mailman.serve.enable = true` enables nginx anyway.

Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).

On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.

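As an added illustration of the alternative raised in the review (declaring the certificate under `security.acme.certs` directly rather than through `nginx.virtualHosts.<name>.enableACME`), here is a standalone NixOS module. This is example configuration written for this page, not code from the lobon repository or from the PR author; the host name and site owner are constructed placeholders standing in for `cfg.hostName` and `cfg.siteOwner`, and it assumes that nothing else on the machine binds port 80, so lego's own HTTP-01 listener can answer the challenge without a web server or DNS-01 credentials.

```nix
# Added example, not from the lobon config: standalone ACME certificate for Postfix.
# Assumptions (constructed, not from the PR): the host name and site owner below are
# placeholders; nothing else on the machine listens on port 80, so lego's built-in
# HTTP-01 listener (listenHTTP) can answer the challenge itself.
{ config, ... }:
let
  hostName = "lists.example.org";       # placeholder for cfg.hostName
  siteOwner = "postmaster@example.org"; # placeholder for cfg.siteOwner
  # Read-only output of the acme module: where full.pem / key.pem end up.
  certDir = config.security.acme.certs.${hostName}.directory;
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = siteOwner;
    certs.${hostName} = {
      # Standalone HTTP-01 validation: lego binds :80 only while a challenge
      # runs, so no nginx virtual host and no DNS-01 provider are involved.
      listenHTTP = ":80";
      # Postfix loads its key at startup; reload it so renewals take effect.
      reloadServices = [ "postfix.service" ];
    };
  };

  services.postfix = {
    enable = true;
    # Same files the PR referenced from the nginx-managed certificate.
    sslCert = "${certDir}/full.pem";
    sslKey = "${certDir}/key.pem";
  };

  # 25 for SMTP, 80 only for the ACME challenge listener.
  networking.firewall.allowedTCPPorts = [ 25 80 ];
}
```

Postfix reads the key as root at startup, so the default ownership of the certificate directory is sufficient; only if another daemon needed the key would you set `group` on the cert. On lobon this variant does not apply as written: `services.mailman.serve.enable` keeps nginx on port 80, so `listenHTTP` would clash with it, and the standalone route would instead use `webroot` with nginx serving `/.well-known/acme-challenge/`, which is exactly what `enableACME` on the virtual host wires up for you. That is why the nginx-block approach in the PR is the shorter path on this VM, and why the real decision here is whether the VM needs TLS at all.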
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/mailman" "/var/lib/mailman"
"/var/lib/mailman-web" "/var/lib/mailman-web"
]; ];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
Gonne marked this conversation as resolved

TODO: Backups?


Done for mailman data. The certificates can be regenerated on hardware failure.

}; };
security.acme.defaults.email = cfg.siteOwner; networking.firewall.allowedTCPPorts = [25 80];
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
# Update HRZ allowlist # Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
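Review bot: with the ACME block, the nginx virtual host and port 443 gone, `allowedTCPPorts = [25 80]` still opens SMTP and plain HTTP to every source, while the discussion above states this VM should only talk to cthulhu and eihort, and the dropped `forceSSL = false` line means the web interface stays HTTP-only. Since the traffic is now unencrypted on both ports, consider enforcing that boundary in the config rather than by convention, for example by scoping the ports to the internal interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or by restricting source addresses in `networking.firewall.extraCommands`, and leave a comment next to the firewall line stating that plaintext is acceptable only because the proxies sit on the same trusted segment. The removal of the `/var/lib/acme` persistence entry (with its "Persist TLS keys and account" comment) is consistent with dropping ACME and needs no further change.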