lobon (Mailman-VM) #30
21
nixos/machines/lobon/configuration.nix
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
../../modules/mailman.nix
|
||||||
|
../../roles
|
||||||
|
../../roles/vm.nix
|
||||||
|
../../modules/vmNetwork.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# System configuration here
|
||||||
|
|
||||||
|
services.mathebau-mailman = {
|
||||||
|
enable = true;
|
||||||
|
hostName = "lists.mathebau.de";
|
||||||
|
siteOwner = "root@mathebau.de";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "lobon";
|
||||||
|
vmNetwork.ipv4 = "192.168.0.22";
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
}
|
30
nixos/machines/lobon/hardware-configuration.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "root";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["size=1G" "mode=755"];
|
||||||
|
};
|
||||||
|
fileSystems."/persist" = {
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["subvol=persist"];
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-label/boot";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
fileSystems."/nix" = {
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["subvol=nix"];
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
}
|
67
nixos/modules/mailman.nix
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
# Adapted and simplified from https://nixos.wiki/wiki/Mailman
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
inherit
|
||||||
|
(lib)
|
||||||
|
mkIf
|
||||||
|
mkEnableOption
|
||||||
|
mkOption
|
||||||
|
;
|
||||||
|
inherit (lib.types) nonEmptyStr;
|
||||||
|
cfg = config.services.mathebau-mailman;
|
||||||
|
in {
|
||||||
|
options.services.mathebau-mailman = {
|
||||||
|
enable = mkEnableOption "mathebau mailman service";
|
||||||
|
hostName = mkOption {
|
||||||
|
type = nonEmptyStr;
|
||||||
|
};
|
||||||
Gonne marked this conversation as resolved
Outdated
|
|||||||
|
siteOwner = mkOption {
|
||||||
|
type = nonEmptyStr;
|
||||||
|
};
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
same as above? same as above?
|
|||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services = {
|
||||||
|
postfix = {
|
||||||
|
enable = true;
|
||||||
|
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
||||||
|
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
|
||||||
|
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
|
||||||
|
config = {
|
||||||
|
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
|
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
|
proxy_interfaces = "130.83.2.184";
|
||||||
|
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
||||||
|
};
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
m( m(
|
|||||||
|
relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
|
||||||
|
};
|
||||||
|
mailman = {
|
||||||
|
enable = true;
|
||||||
|
inherit (cfg) siteOwner;
|
||||||
|
hyperkitty.enable = true;
|
||||||
|
webHosts = [cfg.hostName];
|
||||||
|
serve.enable = true; #
|
||||||
|
};
|
||||||
|
nginx.virtualHosts.${cfg.hostName} = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
Gonne marked this conversation as resolved
Outdated
nerf
commented
I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one). Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs? I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block?
Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?
Gonne
commented
“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme I don't want to do DNS validation so this is the way. The Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS). On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff. “Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme
I don't want to do DNS validation so this is the way. The `services.mailman.serve.enable = true` enables nginx anyway.
Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).
On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.
|
|||||||
|
|
||||||
|
environment.persistence.${config.impermanence.name} = {
|
||||||
|
directories = [
|
||||||
|
"/var/lib/acme" # Persist TLS keys and account
|
||||||
Gonne marked this conversation as resolved
Outdated
Gonne
commented
TODO: Backups? TODO: Backups?
Gonne
commented
Done for mailman data. The certificates can be regenerated on hardware failure. Done for mailman data. The certificates can be regenerated on hardware failure.
|
|||||||
|
"/var/lib/mailman"
|
||||||
|
"/var/lib/mailman-web"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme.defaults.email = cfg.siteOwner;
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
nerf
commented
we could move this to the general vm role, right? Every vm makes backups this way, (or am i missing something?) we could move this to the general vm role, right? Every vm makes backups this way, (or am i missing something?)
Gonne
commented
Maybe. This is in scope for the backup refactoring. Maybe. This is in scope for the backup refactoring.
|
|||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [25 80 443];
|
||||||
|
};
|
||||||
|
}
|
are these allowed to be empty?
Probably not. No idea how to achieve that.
there is
lib.types.nonEmptyStr