lobon (Mailman-VM) #30

Merged
Gonne merged 5 commits from Gonne/nixConfig:lobon into main 2024-10-12 14:10:02 +00:00
3 changed files with 87 additions and 3 deletions
Showing only changes of commit 67083126be - Show all commits

View file

@ -4,6 +4,7 @@ keys:
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
creation_rules: creation_rules:
- path_regex: nixos/machines/nyarlathotep/.* - path_regex: nixos/machines/nyarlathotep/.*
@ -18,6 +19,12 @@ creation_rules:
- *nerf - *nerf
- *gonne - *gonne
- *bragi - *bragi
- path_regex: nixos/machines/lobon/.*
key_groups:
- age:
- *nerf
- *gonne
- *lobon
# this is the catchall clause if nothing above machtes. Encrypt to users but not # this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines # to machines
- key_groups: - key_groups:

View file

@ -0,0 +1,39 @@
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
nerf marked this conversation as resolved Outdated
Outdated
Review

See comment on the other sops file.

See comment on the other sops file.
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-31T14:34:54Z"
mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -2,6 +2,7 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit inherit
@ -36,7 +37,7 @@ in {
proxy_interfaces = "130.83.2.184"; proxy_interfaces = "130.83.2.184";
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8 smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
Gonne marked this conversation as resolved Outdated
Outdated
Review

m(

m(
}; };
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
}; };
mailman = { mailman = {
enable = true; enable = true;
@ -44,10 +45,12 @@ in {
hyperkitty.enable = true; hyperkitty.enable = true;
webHosts = [cfg.hostName]; webHosts = [cfg.hostName];
serve.enable = true; # serve.enable = true; #
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no";
}; };
nginx.virtualHosts.${cfg.hostName} = { nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; enableACME = true; # Get certificates (primarily for postfix)
Gonne marked this conversation as resolved Outdated
Outdated
Review

I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block?

Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?

I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one). If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block? Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?
Outdated
Review

“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme

I don't want to do DNS validation so this is the way. The services.mailman.serve.enable = true enables nginx anyway.

Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).

On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.

“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme I don't want to do DNS validation so this is the way. The `services.mailman.serve.enable = true` enables nginx anyway. Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS). On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.
forceSSL = false; forceSSL = false; # Don't use HTTPS behind the proxy
}; };
}; };
Gonne marked this conversation as resolved Outdated
Outdated
Review

TODO: Backups?

TODO: Backups?
Outdated
Review

Done for mailman data. The certificates can be regenerated on hardware failure.

Done for mailman data. The certificates can be regenerated on hardware failure.
@ -63,5 +66,40 @@ in {
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443]; networking.firewall.allowedTCPPorts = [25 80 443];
Gonne marked this conversation as resolved Outdated
Outdated
Review

See above comment about who handles tls, we might not need 443 and 80

See above comment about who handles tls, we might not need 443 and 80
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
# will stop working if no valid TUIDs are associated to our domain.
systemd.timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m"; # Run every 5 minutes
OnUnitActiveSec = "5m";
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
Unit = "mailAllowlist.service";
};
};
systemd.services."mailAllowlist" = {
description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
script = ''
# Get the mail addresses' local-part
cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
# Post local-parts to HRZ
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
serviceConfig = {
Gonne marked this conversation as resolved Outdated
Outdated
Review

I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill.

I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill.
Outdated
Review

I think it's overkill and I don't want to do it.

I think it's overkill and I don't want to do it.
Type = "oneshot";
User = "mailman";
PrivateTmp = true;
};
Outdated
Review

can we set NoNewPrivileges = true;? or does it break the service?

And one could read the Sandboxing part of systemd.exec(5)

can we set `NoNewPrivileges = true;`? or does it break the service? And one could read the Sandboxing part of `systemd.exec(5)`
Outdated
Review

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out ExecPaths= and NoExecPaths= because the correct values are unclear to me.

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.
};
sops.secrets.allowlistPass = {
sopsFile = ../machines/lobon/allowlistPass.yaml;
owner = "mailman";
group = "mailman";
mode = "0400";
};
}; };
} }