Mail machine #47
15 changed files with 867 additions and 34 deletions
|
@ -5,6 +5,7 @@ keys:
|
|||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||
- &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
|
||||
creation_rules:
|
||||
- path_regex: nixos/machines/nyarlathotep/.*
|
||||
|
@ -25,6 +26,12 @@ creation_rules:
|
|||
- *nerf
|
||||
- *gonne
|
||||
- *lobon
|
||||
- path_regex: nixos/machines/kaalut/.*
|
||||
key_groups:
|
||||
- age:
|
||||
- *nerf
|
||||
- *gonne
|
||||
- *kaalut
|
||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||
# to machines
|
||||
- key_groups:
|
||||
|
|
|
@ -53,6 +53,12 @@
|
|||
_module.args.pkgs = import inputs.nixpkgs {
|
||||
inherit system;
|
||||
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
||||
|
||||
overlays = [
|
||||
(_: _: {
|
||||
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine
|
||||
Gonne marked this conversation as resolved
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
|
144
flake.lock
144
flake.lock
|
@ -1,5 +1,25 @@
|
|||
{
|
||||
"nodes": {
|
||||
"alias-to-sieve": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1733169152,
|
||||
"narHash": "sha256-HUJuoOjNdweJ/ZjYrwJ13omhLZrztp+0RTZsFIwRojc=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "963c13f80d80dcff748e57061b18b542ba76a463",
|
||||
"revCount": 19,
|
||||
"type": "git",
|
||||
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||
}
|
||||
},
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -21,11 +41,29 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1727826117,
|
||||
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
||||
"lastModified": 1730504689,
|
||||
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
||||
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": "nixpkgs-lib_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730504689,
|
||||
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -35,11 +73,11 @@
|
|||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1727649413,
|
||||
"narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
|
||||
"lastModified": 1731242966,
|
||||
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "d0b38e550039a72aff896ee65b0918e975e6d48e",
|
||||
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -71,15 +109,15 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1728492678,
|
||||
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
|
||||
"owner": "NixOS",
|
||||
"lastModified": 1732014248,
|
||||
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
|
||||
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
|
@ -102,28 +140,56 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1727825735,
|
||||
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
||||
"lastModified": 1730504152,
|
||||
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"nixpkgs-lib_2": {
|
||||
"locked": {
|
||||
"lastModified": 1728156290,
|
||||
"narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
|
||||
"lastModified": 1730504152,
|
||||
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1728538411,
|
||||
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "17ae88b569bb15590549ff478bab6494dde4a907",
|
||||
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-24.05",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1733015953,
|
||||
"narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -136,11 +202,11 @@
|
|||
"nixpkgs-stable": []
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1728727368,
|
||||
"narHash": "sha256-7FMyNISP7K6XDSIt1NJxkXZnEdV3HZUXvFoBaJ/qdOg=",
|
||||
"lastModified": 1732021966,
|
||||
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "eb74e0be24a11a1531b5b8659535580554d30b28",
|
||||
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -151,27 +217,45 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"alias-to-sieve": "alias-to-sieve",
|
||||
"flake-parts": "flake-parts_2",
|
||||
"impermanence": "impermanence",
|
||||
"nixos-mailserver": "nixos-mailserver",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"pre-commit-hooks": "pre-commit-hooks",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1732328983,
|
||||
"narHash": "sha256-RHt12f/slrzDpSL7SSkydh8wUE4Nr4r23HlpWywed9E=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "ed8aa5b64f7d36d9338eb1d0a3bb60cf52069a72",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1728345710,
|
||||
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
|
||||
"lastModified": 1733128155,
|
||||
"narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
|
||||
"rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
description = "Description for the project";
|
||||
|
||||
inputs = {
|
||||
alias-to-sieve = {
|
||||
url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";
|
||||
};
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
nixos-mailserver = {
|
||||
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
|
||||
|
|
52
nixos/machines/kaalut/allowlistPass.yaml
Normal file
52
nixos/machines/kaalut/allowlistPass.yaml
Normal file
|
@ -0,0 +1,52 @@
|
|||
allowlistPass:
|
||||
matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str]
|
||||
mathebau: ENC[AES256_GCM,data:D8Ri3fI=,iv:usZ6UktgqOGqtWrJjeZsYhHo/01IzT0aw9Nxgmfe35o=,tag:2tQfIcDd9rPFW/7779HSNw==,type:str]
|
||||
mathechor: ENC[AES256_GCM,data:3EILes4=,iv:e3Tjlk+BBi2GyPLvhUeshbL3IqKPKlqSjT6+CrgnjYQ=,tag:R5cpo1+2vxI+HfdOvu2WRw==,type:str]
|
||||
koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ
|
||||
VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6
|
||||
cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0
|
||||
cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa
|
||||
zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy
|
||||
NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE
|
||||
bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv
|
||||
Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T
|
||||
ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC
|
||||
bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ
|
||||
ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t
|
||||
TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo
|
||||
NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv
|
||||
aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X
|
||||
MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt
|
||||
bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
|
||||
HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-12-14T15:53:00Z"
|
||||
mac: ENC[AES256_GCM,data:q+Ad2f5ALcBK4/krvmOGXVfNS05vv138Qo4CqNO2hxzryUEzBe5PGYPcx2yExEOEopsv8NGcugNoGQ4nCgaMc7q+t1Feja6dWI85INUt+sE39ws7QAh9IFa2O06AX1WEsUEpnwl3xLWxyCHgKDoaaTfcUENEcPTSVnMwDr/HiwY=,iv:Z+hh06JAm6yfVkclRFfaPZhg0Gjbz0kFdPlYpvMWr+s=,tag:0QUt2WBubt1kKU0pRykfWQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
48
nixos/machines/kaalut/backupKey.yaml
Normal file
48
nixos/machines/kaalut/backupKey.yaml
Normal file
|
@ -0,0 +1,48 @@
|
|||
backupKey: ENC[AES256_GCM,data:4ZN6V9ihkUEyz1pih87Xi2OPvfRdx+TY9nvw3CHG0vUeWavxLD8MuzEVL2xlI3A8X1F+KgQ40noaVL5qcq+SENGSdhHJaxzxc/oGN++k5C3b0FuyspI15XqIPjXWu/ApRpPktSrr57dbiQfAUtcg8E1R0Wn3uJxdFnVj9iQjnMzy0qezZbp+8UpEuFUqi4ZsQddltf12HxAGyHcedddUhEdE7bCZcj5/zSiEvXpyp1Ta9naVWnD6KkkVcB3zou7vCjwFKHf+qKUFPC70OCUomXF6scjb47iGexLNQIwaRe3+BmD4X0WFB2EM7DedenKh7SvRdYh25yYR2SzfSb71Aj5JwVi9TuuyhJvlXsDcwERPkq2R7VgbvVqYVVfjbtDlERp11xZzuEX85Pmvfh8rEkVCNfW2pqm5F+rmvFQ4KpwwMvnVEKXvasOECiGq16sp2Zk/e5cOIX+IlqgcY/GW6hBKs8CROxi0w4qCstfyFB0KxS0dGlarvhDJ2i5Rkx9RRP91yU/8QzqNRY0ixJpB,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn
|
||||
Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x
|
||||
NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ
|
||||
ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l
|
||||
RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD
|
||||
OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS
|
||||
WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz
|
||||
eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l
|
||||
bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv
|
||||
bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl
|
||||
YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN
|
||||
OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q
|
||||
C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs
|
||||
K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK
|
||||
cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY
|
||||
RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ
|
||||
efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-23T09:05:51Z"
|
||||
mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
90
nixos/machines/kaalut/configuration.nix
Normal file
90
nixos/machines/kaalut/configuration.nix
Normal file
|
@ -0,0 +1,90 @@
|
|||
{config, ...}: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/mail.nix
|
||||
../../roles
|
||||
../../roles/vm.nix
|
||||
../../modules/vmNetwork.nix
|
||||
];
|
||||
|
||||
# System configuration here
|
||||
services.mathebau-mail = {
|
||||
enable = true;
|
||||
stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
|
||||
# see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
|
||||
stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
|
||||
domains = [
|
||||
# lists.mathebau.de is forwarded to another VM and does not need to be listed here.
|
||||
{
|
||||
domain = "matheball.de";
|
||||
allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
|
||||
}
|
||||
{
|
||||
domain = "mathebau.de";
|
||||
allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
|
||||
virt_aliases = config.sops.secrets."mathebau.aliases".path;
|
||||
}
|
||||
{
|
||||
domain = "mathechor.de";
|
||||
allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
|
||||
virt_aliases = config.sops.secrets."mathechor.aliases".path;
|
||||
}
|
||||
{
|
||||
domain = "koma89.tu-darmstadt.de";
|
||||
allowlistPass = config.sops.secrets."allowlistPass/koma".path;
|
||||
virt_aliases = config.sops.secrets."koma.aliases".path;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.hostName = "kaalut";
|
||||
vmNetwork.ipv4 = "192.168.0.17";
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
sops.secrets = let
|
||||
allowlistSops = {
|
||||
sopsFile = ./allowlistPass.yaml;
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
mode = "0400";
|
||||
};
|
||||
in {
|
||||
# Password for the HRZ API that gets a list of mailaddresses that we serve
|
||||
"allowlistPass/matheball" = allowlistSops;
|
||||
"allowlistPass/mathebau" = allowlistSops;
|
||||
"allowlistPass/mathechor" = allowlistSops;
|
||||
"allowlistPass/koma" = allowlistSops;
|
||||
# Virtual alias file
|
||||
"mathebau.aliases" = {
|
||||
sopsFile = ./mathebau.aliases.yaml;
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
mode = "0440";
|
||||
};
|
||||
"mathechor.aliases" = {
|
||||
sopsFile = ./mathechor.aliases.yaml;
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
mode = "0440";
|
||||
};
|
||||
"koma.aliases" = {
|
||||
sopsFile = ./koma.aliases.yaml;
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
mode = "0440";
|
||||
};
|
||||
# password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header
|
||||
stalwartAdmin = {
|
||||
sopsFile = ./stalwartAdmin.yaml;
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
mode = "0400";
|
||||
};
|
||||
backupKey = {
|
||||
sopsFile = ./backupKey.yaml;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
}
|
30
nixos/machines/kaalut/hardware-configuration.nix
Normal file
30
nixos/machines/kaalut/hardware-configuration.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = [];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "root";
|
||||
fsType = "tmpfs";
|
||||
options = ["size=1G" "mode=755"];
|
||||
};
|
||||
fileSystems."/persist" = {
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "btrfs";
|
||||
options = ["subvol=persist"];
|
||||
neededForBoot = true;
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-label/boot";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/nix" = {
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "btrfs";
|
||||
options = ["subvol=nix"];
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
48
nixos/machines/kaalut/koma.aliases.yaml
Normal file
48
nixos/machines/kaalut/koma.aliases.yaml
Normal file
|
@ -0,0 +1,48 @@
|
|||
koma.aliases: ENC[AES256_GCM,data:YXHv59u9hHbkXH9s8CbDmP1adthMLiU3ijCIg/yBfXvwtzWUY45un3D/iP8aIEB31PkfVtmTYcbsrJRU5brPgtev28U9DsTc1UrLdUW7YyAgo8xN0nyte6Qxdv9OfUVmwTg4tY9Tv7WmjgpXuIx2sRglfn42X3S4tVAmqzYNrg==,iv:3PM0wfq4lFG1bV607cGkZ6QgznRk8iLMQ55M/BMMJAg=,tag:npKbdQ4esykcjMcYEVHR5Q==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5
|
||||
SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w
|
||||
dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n
|
||||
SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo
|
||||
DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu
|
||||
RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u
|
||||
aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu
|
||||
MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy
|
||||
3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx
|
||||
SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW
|
||||
WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD
|
||||
V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF
|
||||
GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5
|
||||
c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1
|
||||
eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL
|
||||
OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx
|
||||
t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-23T09:05:51Z"
|
||||
mac: ENC[AES256_GCM,data:L29+n5e38RVgVT71y96EbrboHZigbCUvv1gZ+uTWEchOmB8+pgamKhF/m3mpI1iauKtkNlkcS7NbtsEhbLumEHAibJ1H2EZdbWKB53m0RZMCWdZKV+49DenLjROljWMC+mXs0zIir+ts3mhD3ORhQZVBgs/svfkgIyPkcl0wHaE=,iv:ipUpydj18/fgFgwoD0NDjmwLXM+vfkC85I3uvmG9GLE=,tag:sA1UVTquN7cbWAMh9vF5cg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
48
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
48
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
File diff suppressed because one or more lines are too long
48
nixos/machines/kaalut/mathechor.aliases.yaml
Normal file
48
nixos/machines/kaalut/mathechor.aliases.yaml
Normal file
|
@ -0,0 +1,48 @@
|
|||
mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy
|
||||
WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh
|
||||
SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn
|
||||
b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp
|
||||
iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu
|
||||
SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE
|
||||
dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4
|
||||
YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6
|
||||
WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v
|
||||
SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx
|
||||
Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX
|
||||
dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy
|
||||
cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW
|
||||
NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5
|
||||
RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU
|
||||
Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro
|
||||
b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-23T09:05:51Z"
|
||||
mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
48
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
48
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
|
@ -0,0 +1,48 @@
|
|||
stalwartAdmin: ENC[AES256_GCM,data:4vpvxtFa2KiF3ojl+cw3ic/MI7UM9JQCQn76bidYvbW31zgF,iv:DtLAi68oQRf3U69uFK0Cz4qHMkxM6NnB3lVYft/DtqQ=,tag:HYm2mdpTuXNHdQIv2Rkwig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o
|
||||
Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh
|
||||
YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF
|
||||
MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N
|
||||
SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2
|
||||
SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv
|
||||
ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO
|
||||
eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS
|
||||
FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB
|
||||
MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK
|
||||
NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN
|
||||
d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+
|
||||
jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2
|
||||
ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy
|
||||
VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC
|
||||
UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a
|
||||
5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-23T11:43:23Z"
|
||||
mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
|
@ -76,6 +76,13 @@ in {
|
|||
path = "/var/lib/backups/ithaqua";
|
||||
allowSubRepos = true;
|
||||
};
|
||||
kaalut = {
|
||||
authorizedKeysAppendOnly = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
|
||||
];
|
||||
path = "/var/lib/backups/kaalut";
|
||||
allowSubRepos = true;
|
||||
};
|
||||
lobon = {
|
||||
authorizedKeysAppendOnly = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
|
||||
|
|
314
nixos/modules/mail.nix
Normal file
314
nixos/modules/mail.nix
Normal file
|
@ -0,0 +1,314 @@
|
|||
/*
|
||||
* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
|
||||
Gonne marked this conversation as resolved
Gonne
commented
ufff ufff
|
||||
* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
|
||||
Gonne marked this conversation as resolved
Gonne
commented
double uff double uff
|
||||
* If you only want to deploy configuration changes and no software updates, consider building on the target VM.
|
||||
* It has stalwart in its nix store and does not need to rebuild it.
|
||||
* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy.
|
||||
* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
|
||||
* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
|
||||
Gonne marked this conversation as resolved
Gonne
commented
if the mailboxes are data on the machine, maybe the aliases should be too. This would also spare us to rebuild stalwart to update an alias if the mailboxes are data on the machine, maybe the aliases should be too. This would also spare us to rebuild stalwart to update an alias
Gonne
commented
If only aliases are changed rebuilds on the VM itself are fast and lean. If only aliases are changed rebuilds on the VM itself are fast and lean.
|
||||
* and use your personal admin account or create one using the fallback admin password.
|
||||
* Create users with mail boxes: Go to the admin interface and create them.
|
||||
* Stalwart mailserver docs can be found at https://stalw.art/docs
|
||||
* DNS-Records: Collect the right DNS entries from the management interface and copy them to the DNS hoster. Caution:
|
||||
* Not all entries are applicable since we relay via HRZ.
|
||||
*/
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit
|
||||
(lib)
|
||||
mkIf
|
||||
mkEnableOption
|
||||
mkOption
|
||||
;
|
||||
inherit (lib.types) listOf strMatching str path;
|
||||
cfg = config.services.mathebau-mail;
|
||||
in {
|
||||
options.services.mathebau-mail = {
|
||||
enable = mkEnableOption "mathebau mail service";
|
||||
stalwartAdmin = mkOption {
|
||||
type = path;
|
||||
description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
|
||||
};
|
||||
stalwartAdminHash = mkOption {
|
||||
type = str;
|
||||
description = "String containing the hashed fallback admin password";
|
||||
};
|
||||
domains = mkOption {
|
||||
type = listOf (lib.types.submodule {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
description = "Domain name that we serve. We also push its addresses to HRZ.";
|
||||
type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
|
||||
};
|
||||
allowlistPass = mkOption {
|
||||
description = "Password file for the HRZ API that gets a list of mailaddresses that we serve";
|
||||
type = path;
|
||||
};
|
||||
virt_aliases = mkOption {
|
||||
description = "File path to a virtual alias file applicable for this domain";
|
||||
type = path;
|
||||
default = "/dev/null"; # there might not be an alias file and reading an empty one works with our implementation
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services = {
|
||||
stalwart-mail = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
Gonne marked this conversation as resolved
Gonne
commented
??? ???
|
||||
settings = {
|
||||
server = {
|
||||
lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
|
||||
listener = {
|
||||
# Do not enable JMAP until https://github.com/stalwartlabs/mail-server/issues/618 is resolved!
|
||||
# Luckily, this bug does not apply to IMAP.
|
||||
"smtp" = {
|
||||
bind = ["[::]:25"];
|
||||
protocol = "smtp";
|
||||
};
|
||||
"submissions" = {
|
||||
Gonne marked this conversation as resolved
Gonne
commented
maybe a comment what cthulhu should forward to us, and on which connections it handles tls maybe a comment what cthulhu should forward to us, and on which connections it handles tls
|
||||
bind = ["[::]:465"];
|
||||
protocol = "smtp";
|
||||
tls.implicit = true;
|
||||
};
|
||||
"imaptls" = {
|
||||
bind = ["[::]:993"];
|
||||
protocol = "imap";
|
||||
tls.implicit = true;
|
||||
};
|
||||
"management" = {
|
||||
# Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/
|
||||
# for TLS certificate challenge validation
|
||||
# whereas the rest of the management interface is not available publically.
|
||||
# It can be reached via SSH and portforwarding.
|
||||
bind = ["[::]:80"];
|
||||
protocol = "http";
|
||||
};
|
||||
};
|
||||
};
|
||||
acme.letsencrypt = {
|
||||
directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
|
||||
challenge = "http-01";
|
||||
contact = ["root@mathebau.de"];
|
||||
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
|
||||
default = true;
|
||||
};
|
||||
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
|
||||
auth = {
|
||||
# TODO check if HRZ conforms to these standards and we can validate them strictly
|
||||
dkim.verify = "relaxed";
|
||||
arc.verify = "relaxed";
|
||||
dmarc.verify = "relaxed";
|
||||
iprev.verify = "relaxed";
|
||||
spf.verify.ehlo = "relaxed";
|
||||
spf.verify.mail-from = "relaxed";
|
||||
};
|
||||
|
||||
Gonne marked this conversation as resolved
Gonne
commented
this is fine because we only talk to vms and hrz which are "trusted" entities this is fine because we only talk to vms and hrz which are "trusted" entities
|
||||
# Forward outgoing mail to HRZ or mail VMs.
|
||||
# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
|
||||
queue.outbound = {
|
||||
next-hop = [
|
||||
{
|
||||
"if" = "rcpt_domain = 'lists.mathebau.de'";
|
||||
"then" = "'mailman'";
|
||||
}
|
||||
{
|
||||
"if" = "is_local_domain('', rcpt_domain)";
|
||||
Gonne marked this conversation as resolved
Gonne
commented
I HATE starttls can we burn down the hrz already? I HATE starttls can we burn down the hrz already?
|
||||
"then" = "'local'";
|
||||
}
|
||||
{"else" = "'hrz'";}
|
||||
];
|
||||
tls = {
|
||||
# we only talk to HRZ and our own VMs anyway
|
||||
mta-sts = "disable";
|
||||
dane = "disable";
|
||||
starttls = "optional"; # e.g. Lobon does not offer starttls
|
||||
};
|
||||
};
|
||||
remote."hrz" = {
|
||||
Gonne marked this conversation as resolved
Gonne
commented
I love how we kind of abuse being in a shielded environment I love how we kind of abuse being in a shielded environment
|
||||
address = "mailout.hrz.tu-darmstadt.de";
|
||||
port = 25;
|
||||
protocol = "smtp";
|
||||
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
|
||||
};
|
||||
remote."mailman" = {
|
||||
address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
|
||||
port = 25;
|
||||
protocol = "smtp";
|
||||
tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
|
||||
};
|
||||
|
||||
session.rcpt = {
|
||||
# In order to accept mail that we only forward
|
||||
# without having to generate an account.
|
||||
# Invalid addresses are filtered by DFN beforehand.
|
||||
catch-all = true;
|
||||
relay = [
|
||||
{
|
||||
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
|
||||
"then" = true;
|
||||
}
|
||||
{"else" = false;}
|
||||
];
|
||||
};
|
||||
|
||||
# Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
|
||||
# and from a database that can be configured from web management interface or via Rest API.
|
||||
# We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
|
||||
# because only TOML-based keys may use macros to load files from disk.
|
||||
# We want this to be able to load our sieve-script for mail forwarding.
|
||||
config.local-keys =
|
||||
[
|
||||
Gonne marked this conversation as resolved
Gonne
commented
comment is outdated comment is outdated
|
||||
"store.*"
|
||||
"directory.*"
|
||||
Gonne marked this conversation as resolved
Gonne
commented
in production? in production?
|
||||
"tracer.*"
|
||||
"server.*"
|
||||
"!server.blocked-ip.*"
|
||||
"authentication.fallback-admin.*"
|
||||
"cluster.node-id"
|
||||
"storage.data"
|
||||
"storage.blob"
|
||||
"storage.lookup"
|
||||
"storage.fts"
|
||||
"storage.directory"
|
||||
"lookup.default.hostname"
|
||||
"certificate.*"
|
||||
] # the default ones
|
||||
++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
|
||||
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
|
||||
session.data.script = "'redirects'";
|
||||
|
||||
authentication.fallback-admin = {
|
||||
user = "admin";
|
||||
# see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
|
||||
secret = cfg.stalwartAdminHash;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
environment.persistence.${config.impermanence.name} = {
|
||||
directories = [
|
||||
"/var/lib/stalwart-mail"
|
||||
];
|
||||
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
||||
};
|
||||
|
||||
# Update HRZ allowlist
|
||||
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||
# will stop working if no valid TUIDs are associated to our domain.
|
||||
Gonne marked this conversation as resolved
Gonne
commented
This line needs explanation. A LOT OF IT This line needs explanation. A LOT OF IT
|
||||
systemd = {
|
||||
timers."mailAllowlist" = {
|
||||
wantedBy = ["timers.target"];
|
||||
Gonne marked this conversation as resolved
Gonne
commented
A linkt to hrz docu, so we can look at it if something breaks A linkt to hrz docu, so we can look at it if something breaks
|
||||
timerConfig = {
|
||||
OnBootSec = "1h"; # Run every hour
|
||||
OnUnitActiveSec = "1h";
|
||||
RandomizedDelaySec = "10m"; # prevent overload on regular intervals
|
||||
Unit = "mailAllowlist.service";
|
||||
};
|
||||
};
|
||||
services = {
|
||||
"mailAllowlist" = {
|
||||
description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
|
||||
script = let
|
||||
scriptTemplate = {
|
||||
domain,
|
||||
allowlistPass,
|
||||
...
|
||||
}: ''
|
||||
echo "process ${domain}"
|
||||
# This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
|
||||
${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
|
||||
# This line searches for available redirects and adds them to the submission file.
|
||||
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
|
||||
# Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload
|
||||
${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
|
||||
# Cleanup submission file
|
||||
rm /tmp/addresses
|
||||
'';
|
||||
in
|
||||
lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "stalwart-mail";
|
||||
NoNewPrivileges = true;
|
||||
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
|
||||
PrivateTmp = false; # allow access to sieve script
|
||||
ProtectHome = true;
|
||||
ReadOnlyPaths = "/";
|
||||
ReadWritePaths = "/tmp";
|
||||
InaccessiblePaths = "-/lost+found";
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
"stalwart-mail" = {
|
||||
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
|
||||
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
|
||||
};
|
||||
"virt-aliases-generator" = {
|
||||
description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
|
||||
script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
|
||||
wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "stalwart-mail";
|
||||
NoNewPrivileges = true;
|
||||
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
|
||||
PrivateTmp = false;
|
||||
ProtectHome = true;
|
||||
ReadOnlyPaths = "/";
|
||||
ReadWritePaths = "/tmp";
|
||||
InaccessiblePaths = "-/lost+found";
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# Backups
|
||||
services.borgbackup.jobs.mail = {
|
||||
paths = [
|
||||
"/var/lib/stalwart-mail/data"
|
||||
];
|
||||
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
|
||||
environment = {
|
||||
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
||||
# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
|
||||
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
|
||||
# We don't want this in order to not need to persist borg cache and simplify new deployments.
|
||||
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
||||
};
|
||||
repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
|
||||
startAt = "daily";
|
||||
user = "root";
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -35,7 +35,7 @@ in {
|
|||
proxy_interfaces = "130.83.2.184";
|
||||
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
|
||||
};
|
||||
relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
|
||||
relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
|
||||
};
|
||||
mailman = {
|
||||
enable = true;
|
||||
|
@ -64,9 +64,9 @@ in {
|
|||
systemd.timers."mailAllowlist" = {
|
||||
wantedBy = ["timers.target"];
|
||||
timerConfig = {
|
||||
OnBootSec = "5m"; # Run every 5 minutes
|
||||
OnUnitActiveSec = "5m";
|
||||
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
|
||||
OnBootSec = "1h"; # Run every hour
|
||||
OnUnitActiveSec = "1h";
|
||||
RandomizedDelaySec = "10m"; # prevent overload on regular intervals
|
||||
Unit = "mailAllowlist.service";
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue
The package selection should depend on system, and is there a reason we overlay like this and not
just use
flake-inputs.alias-to-sieve...
in the system config?The
flake-inputs
parameter is not available as a module parameter whilepkgs
is supplied by the nix module system.