lobon (Mailman-VM) #30
|
@ -4,6 +4,7 @@ keys:
|
||||||
|
|
||||||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -18,6 +19,12 @@ creation_rules:
|
||||||
- *nerf
|
- *nerf
|
||||||
- *gonne
|
- *gonne
|
||||||
- *bragi
|
- *bragi
|
||||||
|
- path_regex: nixos/machines/lobon/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *lobon
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
39
nixos/machines/lobon/allowlistPass.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
|
||||||
nerf marked this conversation as resolved
Outdated
|
|||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
|
||||||
|
NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
|
||||||
|
Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
|
||||||
|
Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
|
||||||
|
ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
|
||||||
|
QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
|
||||||
|
SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
|
||||||
|
NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
|
||||||
|
G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
|
||||||
|
TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
|
||||||
|
VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
|
||||||
|
Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
|
||||||
|
uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-03-31T14:34:54Z"
|
||||||
|
mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -2,6 +2,7 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit
|
inherit
|
||||||
|
@ -36,7 +37,7 @@ in {
|
||||||
proxy_interfaces = "130.83.2.184";
|
proxy_interfaces = "130.83.2.184";
|
||||||
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
m( m(
|
|||||||
};
|
};
|
||||||
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
|
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
|
||||||
};
|
};
|
||||||
mailman = {
|
mailman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -44,10 +45,12 @@ in {
|
||||||
hyperkitty.enable = true;
|
hyperkitty.enable = true;
|
||||||
webHosts = [cfg.hostName];
|
webHosts = [cfg.hostName];
|
||||||
serve.enable = true; #
|
serve.enable = true; #
|
||||||
|
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
||||||
|
settings.mta.verp_confirmations = "no";
|
||||||
};
|
};
|
||||||
nginx.virtualHosts.${cfg.hostName} = {
|
nginx.virtualHosts.${cfg.hostName} = {
|
||||||
enableACME = true;
|
enableACME = true; # Get certificates (primarily for postfix)
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one). Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs? I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block?
Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?
Gonne
commented
“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme I don't want to do DNS validation so this is the way. The Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS). On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff. “Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme
I don't want to do DNS validation so this is the way. The `services.mailman.serve.enable = true` enables nginx anyway.
Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).
On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.
|
|||||||
forceSSL = false;
|
forceSSL = false; # Don't use HTTPS behind the proxy
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
Gonne marked this conversation as resolved
Outdated
Gonne
commented
TODO: Backups? TODO: Backups?
Gonne
commented
Done for mailman data. The certificates can be regenerated on hardware failure. Done for mailman data. The certificates can be regenerated on hardware failure.
|
|||||||
|
@ -63,5 +66,40 @@ in {
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
networking.firewall.allowedTCPPorts = [25 80 443];
|
||||||
|
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
See above comment about who handles tls, we might not need 443 and 80 See above comment about who handles tls, we might not need 443 and 80
|
|||||||
|
# Update HRZ allowlist
|
||||||
|
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||||
|
# will stop working if no valid TUIDs are associated to our domain.
|
||||||
|
systemd.timers."mailAllowlist" = {
|
||||||
|
wantedBy = ["timers.target"];
|
||||||
|
timerConfig = {
|
||||||
|
OnBootSec = "5m"; # Run every 5 minutes
|
||||||
|
OnUnitActiveSec = "5m";
|
||||||
|
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
|
||||||
|
Unit = "mailAllowlist.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services."mailAllowlist" = {
|
||||||
|
description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
|
||||||
|
script = ''
|
||||||
|
# Get the mail addresses' local-part
|
||||||
|
cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
|
||||||
|
# Post local-parts to HRZ
|
||||||
|
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
|
||||||
|
# Cleanup
|
||||||
|
rm /tmp/addresses
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill. I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill.
Gonne
commented
I think it's overkill and I don't want to do it. I think it's overkill and I don't want to do it.
|
|||||||
|
Type = "oneshot";
|
||||||
|
User = "mailman";
|
||||||
|
PrivateTmp = true;
|
||||||
|
};
|
||||||
nerf
commented
can we set And one could read the Sandboxing part of can we set `NoNewPrivileges = true;`? or does it break the service?
And one could read the Sandboxing part of `systemd.exec(5)`
Gonne
commented
Yes, I added a bunch of them in Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.
|
|||||||
|
};
|
||||||
|
sops.secrets.allowlistPass = {
|
||||||
|
sopsFile = ../machines/lobon/allowlistPass.yaml;
|
||||||
|
owner = "mailman";
|
||||||
|
group = "mailman";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
See comment on the other sops file.