nixos/machines/kaalut/allowlistPass.yaml

@@ -1,4 +1,8 @@
-allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str]
+allowlistPass:
+    matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str]
+    mathebau: ENC[AES256_GCM,data:D8Ri3fI=,iv:usZ6UktgqOGqtWrJjeZsYhHo/01IzT0aw9Nxgmfe35o=,tag:2tQfIcDd9rPFW/7779HSNw==,type:str]
+    mathechor: ENC[AES256_GCM,data:3EILes4=,iv:e3Tjlk+BBi2GyPLvhUeshbL3IqKPKlqSjT6+CrgnjYQ=,tag:R5cpo1+2vxI+HfdOvu2WRw==,type:str]
+    koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -41,8 +45,8 @@ sops:
             bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
             HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str]
+    lastmodified: "2024-12-14T15:53:00Z"
+    mac: ENC[AES256_GCM,data:q+Ad2f5ALcBK4/krvmOGXVfNS05vv138Qo4CqNO2hxzryUEzBe5PGYPcx2yExEOEopsv8NGcugNoGQ4nCgaMc7q+t1Feja6dWI85INUt+sE39ws7QAh9IFa2O06AX1WEsUEpnwl3xLWxyCHgKDoaaTfcUENEcPTSVnMwDr/HiwY=,iv:Z+hh06JAm6yfVkclRFfaPZhg0Gjbz0kFdPlYpvMWr+s=,tag:0QUt2WBubt1kKU0pRykfWQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2

nixos/machines/kaalut/allowlistPassMatheball.yaml

@@ -1,48 +0,0 @@
-allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy
-            T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT
-            cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX
-            N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP
-            htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN
-            QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ
-            c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5
-            NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C
-            UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6
-            empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ
-            SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr
-            TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q
-            31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4
-            MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH
-            QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2
-            QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP
-            WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

nixos/machines/kaalut/allowlistPassMathebau.yaml

@@ -1,48 +0,0 @@
-allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI
-            L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq
-            WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4
-            M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged
-            m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C
-            cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p
-            NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F
-            ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+
-            XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt
-            YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG
-            Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE
-            VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg
-            uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4
-            YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU
-            NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2
-            VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS
-            6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

nixos/machines/kaalut/allowlistPassMathechor.yaml

@@ -1,48 +0,0 @@
-allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz
-            UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ
-            elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4
-            emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0
-            EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK
-            eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2
-            Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB
-            bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT
-            3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK
-            SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90
-            bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv
-            M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8
-            J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI
-            VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2
-            Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC
-            dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk
-            uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

nixos/machines/kaalut/configuration.nix

@@ -1,4 +1,4 @@
-{
+{config, ...}: {
   imports = [
     ./hardware-configuration.nix
     ../../modules/mail.nix
@@ -10,26 +10,29 @@
   # System configuration here
   services.mathebau-mail = {
     enable = true;
+    stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
+    # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+    stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
     domains = [
       # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
       {
         domain = "matheball.de";
-        allowlistPass = "/run/secrets/allowlistPassMatheball";
+        allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
       }
       {
         domain = "mathebau.de";
-        allowlistPass = "/run/secrets/allowlistPassMathebau";
-        virt_aliases = "/run/secrets/mathebau.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
+        virt_aliases = config.sops.secrets."mathebau.aliases".path;
       }
       {
         domain = "mathechor.de";
-        allowlistPass = "/run/secrets/allowlistPassMathechor";
-        virt_aliases = "/run/secrets/mathechor.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
+        virt_aliases = config.sops.secrets."mathechor.aliases".path;
       }
       {
         domain = "koma89.tu-darmstadt.de";
-        allowlistPass = "/run/secrets/allowlistPassKoMa";
-        virt_aliases = "/run/secrets/koma.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/koma".path;
+        virt_aliases = config.sops.secrets."koma.aliases".path;
       }
     ];
   };
@@ -38,32 +41,19 @@
   vmNetwork.ipv4 = "192.168.0.17";
   system.stateVersion = "24.05";
 
-  sops.secrets = {
+  sops.secrets = let
+    allowlistSops = {
+      sopsFile = ./allowlistPass.yaml;
+      owner = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0400";
+    };
+  in {
     # Password for the HRZ API that gets a list of mailaddresses that we serve
-    allowlistPassMatheball = {
-      sopsFile = ./allowlistPassMatheball.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathebau = {
-      sopsFile = ./allowlistPassMathebau.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathechor = {
-      sopsFile = ./allowlistPassMathechor.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassKoMa = {
-      sopsFile = ./allowlistPassKoMa.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
+    "allowlistPass/matheball" = allowlistSops;
+    "allowlistPass/mathebau" = allowlistSops;
+    "allowlistPass/mathechor" = allowlistSops;
+    "allowlistPass/koma" = allowlistSops;
     # Virtual alias file
     "mathebau.aliases" = {
       sopsFile = ./mathebau.aliases.yaml;

nixos/modules/mail.nix

@@ -1,7 +1,9 @@
 /*
 * Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
 *   Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
-* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+*   If you only want to deploy configuration changes and no software updates, consider building on the target VM.
+*   It has stalwart in its nix store and does not need to rebuild it.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy.
 *   Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
 * Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
 *   and use your personal admin account or create one using the fallback admin password.
@@ -22,24 +24,34 @@
     mkEnableOption
     mkOption
     ;
-  inherit (lib.types) listOf str;
+  inherit (lib.types) listOf strMatching str path;
   cfg = config.services.mathebau-mail;
 in {
   options.services.mathebau-mail = {
     enable = mkEnableOption "mathebau mail service";
+    stalwartAdmin = mkOption {
+      type = path;
+      description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
+    };
+    stalwartAdminHash = mkOption {
+      type = str;
+      description = "String containing the hashed fallback admin password";
+    };
     domains = mkOption {
       type = listOf (lib.types.submodule {
         options = {
           domain = mkOption {
-            type = str;
+            description = "Domain name that we serve. We also push its addresses to HRZ.";
+            type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
           };
           allowlistPass = mkOption {
-            # Password for the HRZ API that gets a list of mailaddresses that we serve
-            type = str;
+            description = "Password file for the HRZ API that gets a list of mailaddresses that we serve";
+            type = path;
           };
           virt_aliases = mkOption {
-            type = str;
-            default = "";
+            description = "File path to a virtual alias file applicable for this domain";
+            type = path;
+            default = "/dev/null"; # there might not be an alias file and reading an empty one works with our implementation
           };
         };
       });
@@ -47,8 +59,6 @@ in {
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
-
     services = {
       stalwart-mail = {
         enable = true;
@@ -57,12 +67,13 @@ in {
           server = {
             lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
             listener = {
+              # Do not enable JMAP until https://github.com/stalwartlabs/mail-server/issues/618 is resolved!
+              # Luckily, this bug does not apply to IMAP.
               "smtp" = {
                 bind = ["[::]:25"];
                 protocol = "smtp";
               };
               "submissions" = {
-                # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
                 bind = ["[::]:465"];
                 protocol = "smtp";
                 tls.implicit = true;
@@ -73,7 +84,11 @@ in {
                 tls.implicit = true;
               };
               "management" = {
-                bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+                # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/
+                # for TLS certificate challenge validation
+                # whereas the rest of the management interface is not available publically.
+                # It can be reached via SSH and portforwarding.
+                bind = ["[::]:80"];
                 protocol = "http";
               };
             };
@@ -111,6 +126,7 @@ in {
               {"else" = "'hrz'";}
             ];
             tls = {
+              # we only talk to HRZ and our own VMs anyway
               mta-sts = "disable";
               dane = "disable";
               starttls = "optional"; # e.g. Lobon does not offer starttls
@@ -120,13 +136,13 @@ in {
             address = "mailout.hrz.tu-darmstadt.de";
             port = 25;
             protocol = "smtp";
-            tls.implicit = false; # somehow this is needed here
+            tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
           };
           remote."mailman" = {
             address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
             port = 25;
             protocol = "smtp";
-            tls.implicit = false; # somehow this is needed here
+            tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
           };
 
           session.rcpt = {
@@ -142,6 +158,12 @@ in {
               {"else" = false;}
             ];
           };
+
+          # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
+          # and from a database that can be configured from web management interface or via Rest API.
+          # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
+          # because only TOML-based keys may use macros to load files from disk.
+          # We want this to be able to load our sieve-script for mail forwarding.
           config.local-keys =
             [
               "store.*"
@@ -165,9 +187,9 @@ in {
 
           authentication.fallback-admin = {
             user = "admin";
-            secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+            # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+            secret = cfg.stalwartAdminHash;
           };
-          tracer.stdout.level = "debug";
         };
       };
     };
@@ -201,12 +223,13 @@ in {
               ...
             }: ''
               echo "process ${domain}"
-              # Get the mail addresses' local-part
-              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(</run/secrets/stalwartAdmin)" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              # This line searches for available redirects and adds them to the submission file.
               ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
-              # Post local-parts to HRZ
+              # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload
               ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
-              # Cleanup
+              # Cleanup submission file
               rm /tmp/addresses
             '';
           in
@@ -241,17 +264,7 @@ in {
         };
         "virt-aliases-generator" = {
           description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
-          script = let
-            scriptTemplate = {
-              domain,
-              virt_aliases,
-              ...
-            }:
-              if virt_aliases != ""
-              then "${virt_aliases} ${domain} "
-              else "";
-          in
-            lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+          script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
           wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
           serviceConfig = {
             Type = "oneshot";

nixos/modules/mailman.nix

@@ -35,7 +35,7 @@ in {
           proxy_interfaces = "130.83.2.184";
           smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
         };
-        relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
+        relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
       };
       mailman = {
         enable = true;
@@ -64,9 +64,9 @@ in {
     systemd.timers."mailAllowlist" = {
       wantedBy = ["timers.target"];
       timerConfig = {
-        OnBootSec = "5m"; # Run every 5 minutes
-        OnUnitActiveSec = "5m";
-        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+        OnBootSec = "1h"; # Run every hour
+        OnUnitActiveSec = "1h";
+        RandomizedDelaySec = "10m"; # prevent overload on regular intervals
         Unit = "mailAllowlist.service";
       };
     };