Address first round of review

2024-12-14 17:31:31 +01:00 · 2024-12-14 17:31:31 +01:00 · 43016d852d
commit 43016d852d
parent aa13fb974f
10 changed files with 83 additions and 280 deletions
--- a/nixos/machines/kaalut/configuration.nix
+++ b/nixos/machines/kaalut/configuration.nix
@ -1,4 +1,4 @@
-{
+{config, ...}: {
  imports = [
    ./hardware-configuration.nix
    ../../modules/mail.nix
@ -10,26 +10,29 @@
  # System configuration here
  services.mathebau-mail = {
    enable = true;
+    stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
+    # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+    stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
    domains = [
      # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
      {
        domain = "matheball.de";
-        allowlistPass = "/run/secrets/allowlistPassMatheball";
+        allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
      }
      {
        domain = "mathebau.de";
-        allowlistPass = "/run/secrets/allowlistPassMathebau";
-        virt_aliases = "/run/secrets/mathebau.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
+        virt_aliases = config.sops.secrets."mathebau.aliases".path;
      }
      {
        domain = "mathechor.de";
-        allowlistPass = "/run/secrets/allowlistPassMathechor";
-        virt_aliases = "/run/secrets/mathechor.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
+        virt_aliases = config.sops.secrets."mathechor.aliases".path;
      }
      {
        domain = "koma89.tu-darmstadt.de";
-        allowlistPass = "/run/secrets/allowlistPassKoMa";
-        virt_aliases = "/run/secrets/koma.aliases";
+        allowlistPass = config.sops.secrets."allowlistPass/koma".path;
+        virt_aliases = config.sops.secrets."koma.aliases".path;
      }
    ];
  };
@ -38,32 +41,19 @@
  vmNetwork.ipv4 = "192.168.0.17";
  system.stateVersion = "24.05";

-  sops.secrets = {
+  sops.secrets = let
+    allowlistSops = {
+      sopsFile = ./allowlistPass.yaml;
+      owner = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0400";
+    };
+  in {
    # Password for the HRZ API that gets a list of mailaddresses that we serve
-    allowlistPassMatheball = {
-      sopsFile = ./allowlistPassMatheball.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathebau = {
-      sopsFile = ./allowlistPassMathebau.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassMathechor = {
-      sopsFile = ./allowlistPassMathechor.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
-    allowlistPassKoMa = {
-      sopsFile = ./allowlistPassKoMa.yaml;
-      owner = "stalwart-mail";
-      group = "stalwart-mail";
-      mode = "0400";
-    };
+    "allowlistPass/matheball" = allowlistSops;
+    "allowlistPass/mathebau" = allowlistSops;
+    "allowlistPass/mathechor" = allowlistSops;
+    "allowlistPass/koma" = allowlistSops;
    # Virtual alias file
    "mathebau.aliases" = {
      sopsFile = ./mathebau.aliases.yaml;