Mail machine #47

Merged
Gonne merged 9 commits from Gonne/nixConfig:nyarlathotep into main 2025-02-27 15:59:49 +00:00


@ -24,18 +24,18 @@
mkEnableOption mkEnableOption
mkOption mkOption
; ;
inherit (lib.types) listOf strMatching str path; inherit (lib.types) listOf strMatching nonEmptyStr path;
cfg = config.services.mathebau-mail; cfg = config.services.mathebau-mail;
in { in {
options.services.mathebau-mail = { options.services.mathebau-mail = {
enable = mkEnableOption "mathebau mail service"; enable = mkEnableOption "mathebau mail service";
stalwartAdmin = mkOption { stalwartAdmin = mkOption {
type = path; type = path;
description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth"; description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth. Update together with the stalwartAdminHash and the pass store.";

did you think about a more specialized type, non empty string? string matching regex? something like this?

did you think about a more specialized type, non empty string? string matching regex? something like this?
}; };
stalwartAdminHash = mkOption { stalwartAdminHash = mkOption {
type = str; type = nonEmptyStr;

nonempty?

nonempty?
description = "String containing the hashed fallback admin password"; description = "String containing the hashed fallback admin password. Update together with the stalwartAdmin setting and the pass store.";
}; };
domains = mkOption { domains = mkOption {
type = listOf (lib.types.submodule { type = listOf (lib.types.submodule {
@ -98,6 +98,7 @@ in {
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
default = true; default = true;
}; };
# Reevaluate after DKIM and DMARC deployment

maybe make a note here, so we find this again after we have DKIM and DMARC

maybe make a note here, so we find this again after we have DKIM and DMARC
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
auth = { auth = {
https://www.hrz.tu-darmstadt.de/hrz_aktuelles/news_details_177024.en.jsp Maybe parts of this are now?

I would like to evaluate this in production based on logs.

I would like to evaluate this in production based on logs.

Fine by me, that should be an easy fix

Fine by me, that should be an easy fix
# TODO check if HRZ conforms to these standards and we can validate them strictly # TODO check if HRZ conforms to these standards and we can validate them strictly
@ -162,6 +163,7 @@ in {
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
# because only TOML-based keys may use macros to load files from disk. # because only TOML-based keys may use macros to load files from disk.
# We want this to be able to load our sieve-script for mail forwarding. # We want this to be able to load our sieve-script for mail forwarding.
# See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
config.local-keys = config.local-keys =
[ [

comment is outdated

comment is outdated
"store.*" "store.*"
@ -226,6 +228,7 @@ in {
}: '' }: ''
echo "process ${domain}" echo "process ${domain}"

can we have a comment for this regex?

can we have a comment for this regex?
# This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission. # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
# The regex searches for alphanumerics combined with some special characters as local paths and the right domain.

and this one? is it the same?

and this one? is it the same?
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
# This line searches for available redirects and adds them to the submission file. # This line searches for available redirects and adds them to the submission file.
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
@ -260,6 +263,7 @@ in {
RestrictSUIDSGID = true; RestrictSUIDSGID = true;

Can we make a comment that this is only an extension of the existing service?

Can we make a comment that this is only an extension of the existing service?
}; };
}; };
# This service is defined by the nixpkgs stalwart module and we only modify it.
"stalwart-mail" = { "stalwart-mail" = {
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
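Review bot: The new comment in the address-collection hunk (`# The regex searches for alphanumerics combined with some special characters as local paths and the right domain.`) says "local paths" where the e-mail term is "local parts", which the existing trailing comment on the virt_aliases line in the same hunk already uses; `# The regex matches local parts made of alphanumerics plus a set of special characters, followed by @ and the expected domain.` would be consistent. The same comment is also the natural place to record that `${domain}` is interpolated into the grep pattern unescaped, so a dot in the domain matches any character rather than a literal dot; that appears harmless for the domains listed in this file, but stating it keeps the limitation visible next to the existing "doesn't catch all RFC conform local parts" caveat. The new `# Reevaluate after DKIM and DMARC deployment` line in the earlier hunk would likewise be easier to act on if it said what to reevaluate, e.g. `# Reevaluate after DKIM and DMARC deployment: re-enable moving to spam once forwarding no longer conflicts with it.` The shell string starting at the `}: ''` line continues outside the hunk.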