Address first round of review

2024-12-14 17:31:31 +01:00 · 2024-12-14 17:31:31 +01:00 · 1160081e82
commit 1160081e82
parent d2ab4d8eea
11 changed files with 84 additions and 282 deletions
--- a/nixos/machines/kaalut/allowlistPassKoMa.yaml
+++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml
@ -1,4 +1,8 @@
-allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str]
+allowlistPass:
+    matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str]
+    mathebau: ENC[AES256_GCM,data:ZlIv0MrCVtsyF3t9Gr/zcg==,iv:ZdBlnx4/zQZjT75ssB0osfDlWVerUe6yvwbMxlXpHZs=,tag:ytlNq7zP2WtPafcSQFZ6RQ==,type:str]
+    mathechor: ENC[AES256_GCM,data:d5KyoD/P8/j+poJSGF1nDA==,iv:ayKtvj4EEqUtMLi/7njbxuUql1A58WNi729svHtZju4=,tag:JqWoxxMN5mVN+gaQTmBv1Q==,type:str]
+    koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -41,8 +45,8 @@ sops:
            bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
            HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str]
+    lastmodified: "2025-01-05T13:49:19Z"
+    mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2
--- a/nixos/machines/kaalut/allowlistPassMatheball.yaml
+++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml
@ -1,48 +0,0 @@
-allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy
-            T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT
-            cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX
-            N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP
-            htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN
-            QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ
-            c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5
-            NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C
-            UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6
-            empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ
-            SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr
-            TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q
-            31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4
-            MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH
-            QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2
-            QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP
-            WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1
--- a/nixos/machines/kaalut/allowlistPassMathebau.yaml
+++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml
@ -1,48 +0,0 @@
-allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI
-            L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq
-            WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4
-            M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged
-            m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C
-            cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p
-            NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F
-            ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+
-            XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt
-            YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG
-            Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE
-            VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg
-            uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4
-            YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU
-            NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2
-            VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS
-            6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1
--- a/nixos/machines/kaalut/allowlistPassMathechor.yaml
+++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml
@ -1,48 +0,0 @@
-allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz
-            UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ
-            elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4
-            emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0
-            EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK
-            eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2
-            Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB
-            bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT
-            3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK
-            SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90
-            bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv
-            M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8
-            J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI
-            VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2
-            Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC
-            dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk
-            uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-23T09:05:51Z"
-    mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1
--- a/nixos/machines/kaalut/configuration.nix
+++ b/nixos/machines/kaalut/configuration.nix
@ -1,4 +1,4 @@
-{
+{config, ...}: {
  imports = [
    ./hardware-configuration.nix
    ../../modules/mail.nix
@ -10,26 +10,29 @@
  # System configuration here
  services.mathebau-mail = {
    enable = true;
+    stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
+    # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+    stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
    domains = [
      # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
      {
        domain = "matheball.de";
-        allowlistPass = "/run/secrets/allowlistPassMatheball";
+        allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
      }
      {
        domain = "mathebau.de";
-        allowlistPass = "/run/secrets/allowlistPassMathebau";
-        virt_aliases = "/run/secrets/mathebau.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
+        virt_aliases = config.sops.secrets."mathebau.aliases".path;
      }
      {
        domain = "mathechor.de";
-        allowlistPass = "/run/secrets/allowlistPassMathechor";
-        virt_aliases = "/run/secrets/mathechor.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
+        virt_aliases = config.sops.secrets."mathechor.aliases".path;
      }
      {
        domain = "koma89.tu-darmstadt.de";
-        allowlistPass = "/run/secrets/allowlistPassKoMa";
-        virt_aliases = "/run/secrets/koma.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/koma".path;
+        virt_aliases = config.sops.secrets."koma.aliases".path;
      }
    ];
  };
@ -38,32 +41,19 @@
  vmNetwork.ipv4 = "192.168.0.17";
  system.stateVersion = "24.05";

-  sops.secrets = {
+  sops.secrets = let
+    allowlistSops = {
+      sopsFile = ./allowlistPass.yaml;
+      owner = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0400";
+    };
+  in {
    # Password for the HRZ API that gets a list of mailaddresses that we serve
-    allowlistPassMatheball = {
-      sopsFile = ./allowlistPassMatheball.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathebau = {
-      sopsFile = ./allowlistPassMathebau.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathechor = {
-      sopsFile = ./allowlistPassMathechor.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassKoMa = {
-      sopsFile = ./allowlistPassKoMa.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
+    "allowlistPass/matheball" = allowlistSops;
+    "allowlistPass/mathebau" = allowlistSops;
+    "allowlistPass/mathechor" = allowlistSops;
+    "allowlistPass/koma" = allowlistSops;
    # Virtual alias file
    "mathebau.aliases" = {
      sopsFile = ./mathebau.aliases.yaml;
--- a/nixos/machines/kaalut/mathebau.aliases.yaml
+++ b/nixos/machines/kaalut/mathebau.aliases.yaml