@@ -56,0 +56,4 @@
+
+      overlays = [
+        (_: _: {
+          alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine

@@ -0,0 +41,4 @@
+  sops.secrets = {
+    # Password for the HRZ API that gets a list of mailaddresses that we serve
+    allowlistPassMatheball = {
+      sopsFile = ./allowlistPassMatheball.yaml;

@@ -0,0 +1,301 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.

@@ -0,0 +1,301 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+*   Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.

@@ -0,0 +2,4 @@
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+*   Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+*   Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.

@@ -0,0 +5,4 @@
+*   Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+*   and use your personal admin account or create one using the fallback admin password.
+* Create users with mail boxes: Go to the admin interface and create them.

@@ -0,0 +31,4 @@
+      type = listOf (lib.types.submodule {
+        options = {
+          domain = mkOption {
+            type = str;

@@ -0,0 +47,4 @@
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts

@@ -0,0 +62,4 @@
+                protocol = "smtp";
+              };
+              "submissions" = {
+                # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618

@@ -0,0 +73,4 @@
+                tls.implicit = true;
+              };
+              "management" = {
+                bind = ["[::]:80"]; # This must also bind publically for ACME to work.

@@ -0,0 +87,4 @@
+          };
+          spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+          auth = {
+            # TODO check if HRZ conforms to these standards and we can validate them strictly

@@ -0,0 +110,4 @@
+              }
+              {"else" = "'hrz'";}
+            ];
+            tls = {

@@ -0,0 +120,4 @@
+            address = "mailout.hrz.tu-darmstadt.de";
+            port = 25;
+            protocol = "smtp";
+            tls.implicit = false; # somehow this is needed here

@@ -0,0 +132,4 @@
+          session.rcpt = {
+            # In order to accept mail that we only forward
+            # without having to generate an account.
+            # Invalid addresses are filtered by DFN beforehand.

@@ -0,0 +142,4 @@
+              {"else" = false;}
+            ];
+          };
+          config.local-keys =

@@ -0,0 +165,4 @@
+
+          authentication.fallback-admin = {
+            user = "admin";
+            secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext

@@ -0,0 +167,4 @@
+            user = "admin";
+            secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+          };
+          tracer.stdout.level = "debug";

@@ -0,0 +202,4 @@
+            }: ''
+              echo "process ${domain}"
+              # Get the mail addresses' local-part
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses

@@ -0,0 +205,4 @@
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+              # Post local-parts to HRZ
+              ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll

@@ -1,19 +1,25 @@
 {

@@ -37,3 +61,2 @@
       "locked": {
-        "lastModified": 1727649413,
-        "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
+        "lastModified": 1737831083,

@@ -38,2 +62,2 @@
-        "lastModified": 1727649413,
-        "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",

@@ -10,2 +5,2 @@
-        nixpkgs.follows = "";
-      };
+    alias-to-sieve = {
+      url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";

@@ -0,0 +1,52 @@
+allowlistPass:

@@ -0,0 +6,4 @@
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy.
+*   Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+*   and use your personal admin account or create one using the fallback admin password.

@@ -0,0 +34,4 @@
+      description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
+    };
+    stalwartAdminHash = mkOption {
+      type = str;

@@ -0,0 +98,4 @@
+            domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+            default = true;
+          };
+          spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding

@@ -0,0 +100,4 @@
+          };
+          spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+          auth = {
+            # TODO check if HRZ conforms to these standards and we can validate them strictly

@@ -0,0 +126,4 @@
+            tls = {
+              # we only talk to HRZ and our own VMs anyway
+              mta-sts = "disable";
+              dane = "disable";

@@ -0,0 +127,4 @@
+              # we only talk to HRZ and our own VMs anyway
+              mta-sts = "disable";
+              dane = "disable";
+              starttls = "optional"; # e.g. Lobon does not offer starttls

@@ -0,0 +150,4 @@
+            catch-all = true;
+            relay = [
+              {
+                "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP

@@ -0,0 +157,4 @@
+            ];
+          };
+
+          # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module

@@ -0,0 +185,4 @@
+
+          authentication.fallback-admin = {
+            user = "admin";
+            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH

@@ -0,0 +188,4 @@
+            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+            secret = cfg.stalwartAdminHash;
+          };
+          store = {

@@ -0,0 +226,4 @@
+            }: ''
+              echo "process ${domain}"
+              # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses

@@ -0,0 +228,4 @@
+              # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              # This line searches for available redirects and adds them to the submission file.
+              ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.

@@ -0,0 +239,4 @@
+          serviceConfig = {
+            Type = "oneshot";
+            User = "stalwart-mail";
+            NoNewPrivileges = true;

@@ -0,0 +260,4 @@
+            RestrictSUIDSGID = true;
+          };
+        };
+        "stalwart-mail" = {

@@ -0,0 +271,4 @@
+          serviceConfig = {
+            Type = "oneshot";
+            User = "stalwart-mail";
+            NoNewPrivileges = true;

@@ -0,0 +307,4 @@
+        # We don't want this in order to not need to persist borg cache and simplify new deployments.
+        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+      };
+      repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33