Gonne/nixConfig
1
0
Fork 0
forked from Fachschaft/nixConfig
Code Pull requests Activity

First try to install Stalwart as a mail software

Browse source
This commit is contained in:
Gonne 2024-07-10 22:56:46 +02:00
parent 55ba2c9122
commit 3d0fd046d0
5 changed files with 274 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -5,6 +5,7 @@ keys:
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
- &kaalut age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
creation_rules: creation_rules:
- path_regex: nixos/machines/nyarlathotep/.* - path_regex: nixos/machines/nyarlathotep/.*
@ -25,6 +26,12 @@ creation_rules:
- *nerf - *nerf
- *gonne - *gonne
- *lobon - *lobon
- path_regex: nixos/machines/kaalut/.*
key_groups:
- age:
- *nerf
- *gonne
- *kaalut
# this is the catchall clause if nothing above machtes. Encrypt to users but not # this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines # to machines
- key_groups: - key_groups:

48
flake.lock
View file

@ -21,11 +21,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1719877454, "lastModified": 1722555600,
"narHash": "sha256-g5N1yyOSsPNiOlFfkuI/wcUjmtah+nxdImJqrSATjOU=", "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "4e3583423212f9303aa1a6337f8dffb415920e4f", "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -56,11 +56,11 @@
"nixpkgs-24_05": "nixpkgs-24_05" "nixpkgs-24_05": "nixpkgs-24_05"
}, },
"locked": { "locked": {
"lastModified": 1718697807, "lastModified": 1722877200,
"narHash": "sha256-Enla61WFisytTYbWygPynEbu8vozjeGc6Obkj2GRj7o=", "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "290a995de5c3d3f08468fa548f0d55ab2efc7b6b", "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"revCount": 591, "revCount": 593,
"type": "git", "type": "git",
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"
}, },
@ -71,11 +71,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719848872, "lastModified": 1723637854,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -102,28 +102,28 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1719876945, "lastModified": 1722555339,
"narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1719663039, "lastModified": 1721524707,
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=", "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119", "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -136,11 +136,11 @@
"nixpkgs-stable": [] "nixpkgs-stable": []
}, },
"locked": { "locked": {
"lastModified": 1719259945, "lastModified": 1723803910,
"narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=", "narHash": "sha256-yezvUuFiEnCFbGuwj/bQcqg7RykIEqudOy/RBrId0pc=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07", "rev": "bfef0ada09e2c8ac55bbcd0831bd0c9d42e651ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -167,11 +167,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1719873517, "lastModified": 1723501126,
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "a11224af8d824935f363928074b4717ca2e280db", "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"type": "github" "type": "github"
}, },
"original": { "original": {

39
nixos/machines/kaalut/configuration.nix Normal file
View file

@ -0,0 +1,39 @@
{
imports = [
./hardware-configuration.nix
../../modules/mail.nix
../../roles
../../roles/vm.nix
../../modules/vmNetwork.nix
];
# System configuration here
services.mathebau-mail = {
enable = true;
fqdn = "fb04184.mathematik.tu-darmstadt.de";
domain = "koma89.tu-darmstadt.de";
siteOwner = "root@mathebau.de";
};
networking.hostName = "kaalut";
vmNetwork.ipv4 = "192.168.0.17";
system.stateVersion = "24.05";
sops.secrets = {
/*
allowlistPass = {
sopsFile = ./allowlistPass.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
backupKey = {
sopsFile = ./backupKey.yaml;
owner = "stalwart-mail";
group = "stalwart-mail";
mode = "0400";
};
*/
};
}

30
nixos/machines/kaalut/hardware-configuration.nix Normal file
View file

@ -0,0 +1,30 @@
{
lib,
pkgs,
...
}: {
imports = [];
fileSystems."/" = {
device = "root";
fsType = "tmpfs";
options = ["size=1G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix"];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

174
nixos/modules/mail.nix Normal file
View file

@ -0,0 +1,174 @@
{
config,
lib,
# pkgs,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
;
inherit (lib.types) str;
cfg = config.services.mathebau-mail;
in {
options.services.mathebau-mail = {
enable = mkEnableOption "mathebau mail service";
fqdn = mkOption {
type = str;
};
domain = mkOption {
type = str;
};
siteOwner = mkOption {
type = str;
};
};
config = mkIf cfg.enable {
services = {
stalwart-mail = {
enable = true;
openFirewall = true;
settings = {
# TODO TLS
server = {
hostname = cfg.fqdn;
listener = {
"smtp" = {
bind = ["[::]:25"];
protocol = "smtp";
tls.implicit = false;
};
"submissions" = {
bind = ["[::]:465"];
protocol = "smtp";
tls.implicit = true;
};
"imaptls" = {
bind = ["[::]:993"];
protocol = "imap";
tls.implicit = true;
};
"management" = {
bind = ["127.0.0.1:8080"];
protocol = "http";
};
};
tls = {
certificate = cfg.fqdn;
enable = true;
implicit = false;
};
};
#TODO session.rcpt.relay = [ { if = "!is_empty(authenticated_as)", then = true }, { else = false } ];
queue.outbound = {
# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
next-hop = "'relay'";
tls.mta-sts = "disable";
tls.dane = "disable";
};
remote."relay" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false;
tls.allow-invalid-certs = false;
};
/*
sieve.trusted.scripts = {
redirects = ''
require ["envelope", "include"]; include :global "track-replies"; if envelope :is "to" "gonne@koma89.tu-darmstadt.de" { redirect "gonne@mathebau.de"; }
'';
};
session.data.script = "'redirects'";
*/
authentication.fallback-admin = {
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
};
};
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/stalwart-mail"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
};
security.acme.defaults.email = cfg.siteOwner;
security.acme.acceptTerms = true;
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
# will stop working if no valid TUIDs are associated to our domain.
/*
systemd.timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m"; # Run every 5 minutes
OnUnitActiveSec = "5m";
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
Unit = "mailAllowlist.service";
};
};
systemd.services."mailAllowlist" = {
description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
script = ''
# Get the mail addresses' local-part
#TODO
# Post local-parts to HRZ
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.domain} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
serviceConfig = {
Type = "oneshot";
User = "stalwart-mail";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
*/
# Backups
/*
services.borgbackup.jobs.mail = {
paths = [
"/var/lib/stalwart-mail"
];
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
# “Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.”
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
group = "root";
};
*/
};
}