forked from Fachschaft/nixConfig
First try to install Stalwart as a mail software
This commit is contained in:
parent
7823d09292
commit
5cba7d362b
17 changed files with 887 additions and 30 deletions
|
@ -5,6 +5,7 @@ keys:
|
||||||
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
|
- &kaalut age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -25,6 +26,12 @@ creation_rules:
|
||||||
- *nerf
|
- *nerf
|
||||||
- *gonne
|
- *gonne
|
||||||
- *lobon
|
- *lobon
|
||||||
|
- path_regex: nixos/machines/kaalut/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *kaalut
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
|
@ -53,6 +53,12 @@
|
||||||
_module.args.pkgs = import inputs.nixpkgs {
|
_module.args.pkgs = import inputs.nixpkgs {
|
||||||
inherit system;
|
inherit system;
|
||||||
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
||||||
|
|
||||||
|
overlays = [
|
||||||
|
(_: _: {
|
||||||
|
alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default;
|
||||||
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
144
flake.lock
144
flake.lock
|
@ -1,5 +1,25 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"alias-to-sieve": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-parts": "flake-parts",
|
||||||
|
"nixpkgs": "nixpkgs",
|
||||||
|
"rust-overlay": "rust-overlay"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1731580934,
|
||||||
|
"narHash": "sha256-b1TZ91IFOEPPXfuhVG0nb4GGyX+g0SQujuqS9RJaC5Q=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "b3f09cd22fb0f73ee8d91bf19f51f5144280e3cb",
|
||||||
|
"revCount": 11,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve"
|
||||||
|
}
|
||||||
|
},
|
||||||
"blobs": {
|
"blobs": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -21,11 +41,29 @@
|
||||||
"nixpkgs-lib": "nixpkgs-lib"
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727826117,
|
"lastModified": 1730504689,
|
||||||
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-parts_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-lib": "nixpkgs-lib_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730504689,
|
||||||
|
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "flake-parts",
|
||||||
|
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -35,11 +73,11 @@
|
||||||
},
|
},
|
||||||
"impermanence": {
|
"impermanence": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729068498,
|
"lastModified": 1731242966,
|
||||||
"narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
|
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "impermanence",
|
"repo": "impermanence",
|
||||||
"rev": "e337457502571b23e449bf42153d7faa10c0a562",
|
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -71,15 +109,15 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729665710,
|
"lastModified": 1730200266,
|
||||||
"narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
|
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
|
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "nixos",
|
||||||
"ref": "nixos-unstable",
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
|
@ -102,28 +140,56 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727825735,
|
"lastModified": 1730504152,
|
||||||
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-lib_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729357638,
|
"lastModified": 1730504152,
|
||||||
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
|
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1728538411,
|
||||||
|
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
|
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-24.05",
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1732014248,
|
||||||
|
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -136,11 +202,11 @@
|
||||||
"nixpkgs-stable": []
|
"nixpkgs-stable": []
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729104314,
|
"lastModified": 1732021966,
|
||||||
"narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=",
|
"narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
|
"rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -151,27 +217,45 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-parts": "flake-parts",
|
"alias-to-sieve": "alias-to-sieve",
|
||||||
|
"flake-parts": "flake-parts_2",
|
||||||
"impermanence": "impermanence",
|
"impermanence": "impermanence",
|
||||||
"nixos-mailserver": "nixos-mailserver",
|
"nixos-mailserver": "nixos-mailserver",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs_3",
|
||||||
"pre-commit-hooks": "pre-commit-hooks",
|
"pre-commit-hooks": "pre-commit-hooks",
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"rust-overlay": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730601085,
|
||||||
|
"narHash": "sha256-Sgax33jGuvVHTjl1P78IwzlhAGyOxtx5Q26inKja8S4=",
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"rev": "8d1b40f8dfd7539aaa3de56e207e22b3cc451825",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "oxalica",
|
||||||
|
"repo": "rust-overlay",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
]
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729931925,
|
"lastModified": 1732186149,
|
||||||
"narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=",
|
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e",
|
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
description = "Description for the project";
|
description = "Description for the project";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
|
alias-to-sieve = {
|
||||||
|
url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve";
|
||||||
|
};
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
nixos-mailserver = {
|
nixos-mailserver = {
|
||||||
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
|
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git";
|
||||||
|
|
39
nixos/machines/kaalut/allowlistPassKoMa.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassKoMa.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassKoMa: ENC[AES256_GCM,data:vvXurWHumzWQAvcFlkzJqQ==,iv:8zizeoGXY6zBGYsajuDJdvw8YNL81vXaghvBNOPTwYk=,tag:Fwwh56wLSeIPswSUEKWFZA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T08:05:54Z"
|
||||||
|
mac: ENC[AES256_GCM,data:L/bMe8fpKnUfWyjIANJF7yLkoEGcsjvnFoGpRbGeKV9Xv9NgVfZk+h58BXeq9cMvrcWxeJC1SmiVy31XRkqjaOYqYdW2R2yRqSBKeHX6fjh1iSjdHVctl1Jk7mBNhObD8PqOQ9mMdschTg5s87n3bOgFhrkarktbbmf7fOKQ5Z4=,iv:fClCggabDbSXO5h9p+B10H2J7ouKJnBkHEKWyj1Jnwk=,tag:5MthaOqhUFROdrpJOV3BxQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
39
nixos/machines/kaalut/allowlistPassMatheball.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMatheball.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMatheball: ENC[AES256_GCM,data:KYrnJRTKt/h5,iv:TSCWpvrBqVvpRBxL1efzIJkdhd3V98EzG3PBoMJjfK0=,tag:L6yR49TuTlvFwtwhQ6WByg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T19:57:12Z"
|
||||||
|
mac: ENC[AES256_GCM,data:NjzqVHpG/KRQNB0slb6rJ7+zJhV9JSsUjfjHk9DhyvgtgP9NUsMTdKKUkJmi0mCwQYk0fDXSDyptCvXk1x6AkgAUcZCdD7nxYH87QTF4hcdiwYohxTEqhuJzEBbIek4z96B1BUd2kQc9pH3OvvHJNXMOO/88uhj2WzOEdeBz+Qw=,iv:iT2aa66hJr3c4HiYsFbzURM8bZegnuAaF9yYMNCd5io=,tag:9ZIB2sofrxB/FxM0Yam7Kg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
39
nixos/machines/kaalut/allowlistPassMathebau.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMathebau.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMathebau: ENC[AES256_GCM,data:/82Jz2LOREgt,iv:K04xQd4djPzfg1D2RTVUw0wQLpG3+GEAFwlaC+qx4NY=,tag:GpZmS53bX8egsUEbPlVouw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T19:57:22Z"
|
||||||
|
mac: ENC[AES256_GCM,data:1rcc3zGN+emSqaRw0Yng6w/yHgcGW7k6DFrwouLi0ejZO/yo1fl4kYO/MCk7Ujlgls+KVwn9+sdQxCjfNjIGIIurtcGu2b8BGAZzSz3n8U/EEOqn6lD1xn598xC24hfv17/fbBgzw812FVupHE5ZVxDm92foCN0o64G1iX+3jqw=,iv:/iR3iqQVpQU35h8C1QOtRFFfVtGkKGxtl6JqixTR4VI=,tag:DVPVtcIiCiwkJvJDUkHBSg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
39
nixos/machines/kaalut/allowlistPassMathechor.yaml
Normal file
39
nixos/machines/kaalut/allowlistPassMathechor.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
allowlistPassMathechor: ENC[AES256_GCM,data:XEcJzY7R4obq,iv:45yRZwODIcUosD4bESmBxs0nOZHE6YQj5ptwoNyKLe8=,tag:h7SxNVhU9EpiFNv8b7N8yA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv
|
||||||
|
dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo
|
||||||
|
TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy
|
||||||
|
MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK
|
||||||
|
wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm
|
||||||
|
THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds
|
||||||
|
M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG
|
||||||
|
WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr
|
||||||
|
hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4
|
||||||
|
My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG
|
||||||
|
VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5
|
||||||
|
VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui
|
||||||
|
uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T19:57:30Z"
|
||||||
|
mac: ENC[AES256_GCM,data:8/g54eitQhBZscPNQrS2uQH/aMEyxAlghM6wbMm8ynL8XO5of9HG3wk+1/zI3r9EpH8OwC2ZDvMPmgSsM9OZK8Q4v4s3qcsAzXU6yvhfLLeLtQ0F+hxnN2Iq0wa5OhvZkRk+7Q+xZYZSjoseJG240+trO0ltaCCF7ZBodFJ0BK8=,iv:827qo3WHh6zmk9hHrY9yt791cLegw4RHfnFUdR4h9Gg=,tag:VDKXQ8VB4FK3PI9AyxDgaw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
39
nixos/machines/kaalut/backupKey.yaml
Normal file
39
nixos/machines/kaalut/backupKey.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
backupKey: ENC[AES256_GCM,data:DSbjTD/60Y9wUQRXGUIwRdLgIHNAVqUs+6v1WRIs3tbMh0efOiNQ82GpKFtwmgtyfmLl9HCVZPYgw6ZiLrMj3T3tIl69Q3PZ6OKAPhrecOz9xwPaZzV6UIt2MO/xyUZy0hm+JYor3fnWqKLMv0amRLRlfTtpc6Ol7ocPGtOh/m/VDEFmouQJAlSbnAnL+eijaaEBZMCVkquWxERiYGyqXlnXFO1qDjc5LR3IJwIbNZIZ5j22FsLIp2ot79Tw+so+rqJC5Yd5Q7+BTFPkN8R+BHC8aLnMUhTBe7PQB730XmslOKZ6lixxF7CeXXblfF6RGTNl0gwp4LwkZ3PWx7M/OhgAW1YcdZdBHhSpSNJegXCSXyRcHdFGxesYGohcZJbOFl2rqyA9NiPOGSpfUfoeXHb06h23hVnm4o1xCWXB58521F92AuVystM8+pHrFll1Opin2KuaiQGx3D/3Rj0XDkMgiY8aP6OCRCkgWBARGqNgQOyg6kFwfrlwTNZezSWfyJCbZLggNPntmttC8Kzl,iv:ap0DBhc41rGhwGZkZM54QfFGGCJiGu+WcaTwT2JKjsY=,tag:8xvJHjVT8cKxg2IA0iNqEA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN
|
||||||
|
Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju
|
||||||
|
WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL
|
||||||
|
d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK
|
||||||
|
hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz
|
||||||
|
clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp
|
||||||
|
clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ
|
||||||
|
UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm
|
||||||
|
/0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu
|
||||||
|
Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0
|
||||||
|
a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT
|
||||||
|
Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc
|
||||||
|
00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T20:10:40Z"
|
||||||
|
mac: ENC[AES256_GCM,data:SkhsUgq/d/FBUhIu3qfmIYKcRM6NuyR/e0KGz+0e70Du7hqVFXehoqUiWk869alJCjvIOU3zjq7rA3pFvGakV7nRfCQvYI5QkWHFctbCDtopLWcq67uUdj/VZpaW9UVt3e41hWIodxbDhFaxYAoqEfAUK5rhESMCx4Idd/fpYL8=,iv:DcaeyKkRhv02UbCCvr3XUcI0h0F2ZNA/TBrcyPIBi/c=,tag:CAqsBq055TmgPbSiPRVtAQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
81
nixos/machines/kaalut/configuration.nix
Normal file
81
nixos/machines/kaalut/configuration.nix
Normal file
|
@ -0,0 +1,81 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
../../modules/mail.nix
|
||||||
|
../../roles
|
||||||
|
../../roles/vm.nix
|
||||||
|
../../modules/vmNetwork.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# System configuration here
|
||||||
|
services.mathebau-mail = {
|
||||||
|
enable = true;
|
||||||
|
domains = [
|
||||||
|
{
|
||||||
|
domain = "koma89.tu-darmstadt.de";
|
||||||
|
allowlistPass = "/run/secrets/allowlistPassKoMa";
|
||||||
|
virt_aliases = "/run/secrets/koma.aliases";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
domain = "mathebau.de";
|
||||||
|
allowlistPass = "/run/secrets/allowlistPassMathebau";
|
||||||
|
virt_aliases = "/run/secrets/mathebau.aliases";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "kaalut";
|
||||||
|
vmNetwork.ipv4 = "192.168.0.17";
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
allowlistPassMatheball = {
|
||||||
|
sopsFile = ./allowlistPassMatheball.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
allowlistPassMathebau = {
|
||||||
|
sopsFile = ./allowlistPassMathebau.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
allowlistPassMathechor = {
|
||||||
|
sopsFile = ./allowlistPassMathechor.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
allowlistPassKoMa = {
|
||||||
|
sopsFile = ./allowlistPassKoMa.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
stalwartAdmin = {
|
||||||
|
sopsFile = ./stalwartAdmin.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
backupKey = {
|
||||||
|
sopsFile = ./backupKey.yaml;
|
||||||
|
owner = "root";
|
||||||
|
group = "root";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
"koma.aliases" = {
|
||||||
|
sopsFile = ./koma.aliases.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0440";
|
||||||
|
};
|
||||||
|
"mathebau.aliases" = {
|
||||||
|
sopsFile = ./mathebau.aliases.yaml;
|
||||||
|
owner = "stalwart-mail";
|
||||||
|
group = "stalwart-mail";
|
||||||
|
mode = "0440";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
30
nixos/machines/kaalut/hardware-configuration.nix
Normal file
30
nixos/machines/kaalut/hardware-configuration.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "root";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["size=1G" "mode=755"];
|
||||||
|
};
|
||||||
|
fileSystems."/persist" = {
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["subvol=persist"];
|
||||||
|
neededForBoot = true;
|
||||||
|
};
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-label/boot";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
fileSystems."/nix" = {
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["subvol=nix"];
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
}
|
39
nixos/machines/kaalut/koma.aliases.yaml
Normal file
39
nixos/machines/kaalut/koma.aliases.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
koma.aliases: ENC[AES256_GCM,data:GfbmoJpX1sQ/Fumey+pGxPKDnTd8cFFiGWQhU5PiAdcoFsO7CdK/alzOlzxut+gDeEpSuyV4fjYJ3+YGswrmbEOSpbylVj7hLakOnrUP+AMq7m8Ku+nQvM5wkT5OmMie6fPyDo6DRXTP84DKvlEtU612e+p6tZwJhbL1luFOxw==,iv:WbD+gAb8Yj2n7HPbbYzC4IrWpKf53COUuyy45iBf9cU=,tag:fdvWGoBnqnLDZUXrTi5PKQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
|
||||||
|
aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
|
||||||
|
Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
|
||||||
|
bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
|
||||||
|
MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
|
||||||
|
QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
|
||||||
|
c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
|
||||||
|
NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
|
||||||
|
io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
|
||||||
|
RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
|
||||||
|
K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
|
||||||
|
VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
|
||||||
|
N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-20T16:58:33Z"
|
||||||
|
mac: ENC[AES256_GCM,data:7jlEw0bcNpgqcY+6FByr721UGN6/svyQaXJluCBgD33kYiyZeAclMTEGbH0Hvpg2jgjojNoGLk05boKstfOCvT1T0ifhuIFiU3uiund09qahEv7o0ZPCmEepPF9O/Mdkz9TNB3y2BMEwPXKpWDXwFGAEL59uuTpIhzGDuVhfFd4=,iv:PknetrIaupjTsBfPPdrpthxE05UDFg5Iesz4mS134Oo=,tag:1CFIG7PEEIKb7nlgFUmgTQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/mailForwardSieve.yaml
Normal file
39
nixos/machines/kaalut/mailForwardSieve.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
mailForwardSieve: ENC[AES256_GCM,data:MuESY5OhKunADHNzgqTxHJXCBteGgRFM0j3Mohf2J+VALaxtbHw2koaIx6+yx+EiXI+sQc+kPuQsqSb3mSyiZUucm0fYwIfB43U0fZcFYSxnuLrCrYp1Z1Ur9fmIRMIC5+ZWrj6t6Pfuclmyn0azlx4WzHm2rqZiYojauKtlmrEAMC4zFYeleSPjOXcEGRZ7W/3+DukA4Z7KfAVz9qXQMV18BKZ4w8V2u/hQgAxDzRdkWJZi6jksq3WQcn/DmkE/98Iv60VNi4LkZVMztWnUiSdi8/NTuaNjga8WfzVoLDR5LvK4yVnJTnuWRPWCjgD05NcEZ4Ev/x6k18H5XbsNgCbIZ0AhE0dg1z+hdow0uDRIYVIfRk69pY69E2RIO38DUW3fAnLaUisunLl0jcllWVK0wJvcPO2RslJDD57UF4RJY6dCl0TMr4ap9nuqIlcbXPtQUoj+vfSyf+Z8buiBxYRxpqUbxIGunWyLiwhNOIV8PhxHI1NUTMp3mMBltv9qXZbCd7ddWNOVgn/b5hQFZ865g05wpspIAkaqRmzMCo9SRJVBcxLRlFXbvJgq5A+63LIlUs6B5b4iHPp2zFAGc5uCOZ9F7m5lrM3179zsg8sgjFHTI2tG53YkE5D2fN+TEEx21PY/1tjK5tusYTB0mcOQ+rZAWOeqUBAOCxZ8hLn/N0tbTIbk+ZgMrihldWUxt99QxZk+FwCng9h59BMRa1gC/5+DabxmwembiOu3lU8kbhQGonRAQEvPP5BPSqOq4zhzwJuVwR3l+aKtstUjBtlwEkpqyyoDSgHbBZWxq5LvHeGYIEhYrd1mZtH/Nsv7Bm3iuQjegGwTEJxIKcUZCJrBmxs3IJbXZxzfMQ0zOukyCAans1/NOQX/RycUjav8Re7OWFComgcg0kR17sb5zbbFogo12vidpclkHgEGRoHmftB9wBYRmuW++6By3X2rntX3LCVUeN423iWAh2gj6QhE+k9G5o5IugU2YXbykTapo1LjedTQOCQQrSDbUSb6FDQiDjyCaX6LPjJx1Q8e+cqQWBp1d/2/bLwC6H2gERKZthWMWqBm2PILAKoN4GKLdKZgU1uQ1ND/7UYarzFDSqoX7NWGTLyGl3dbNScUkz9NEcb/BhvRwjlih3tgfXpzbSIfA3PqGeLdTf2oJYOvh62P8WNe6WCgQ+h2bIJqpFNRgEQEY2pzJdO/QsnNiXQf4HF0pF27UIvHUtUM3foAxFrD2O4ozDQkqF+1i4feVq5/BZbqRe1gYITpWfIPECvpKv4YJWSy4Liocw076Lbzdy54bGZf2C6MD2ZyuU07fomqy1hwp3QwJyPxpwrCKzfvsR0dVx9Kx/L8x4X5R3XXWVZrQ2RdIW+63cVZpRwYKc1Tf6f5oci363OmjH5pnEttQcmFs3oaYkmvJ6oib2OIweUPHFYvvNONZZYb5vZryLpXhKuWrWQSflO3Dr+7MNmlb8keIXlJmHZYrIxfKziaSkRq+yNZbKEUf/NHXYz5DZ56fH3CYUx0irM5eZ4EAvFQrbVgI5rTU5H6WUHZx5fBS0FoFcGNgzeVbdAfWimLwO5xkDj06h/KJTf7PFTrSgI96j/fo6iAVjGAKl5JmVTTSplHdqMEuGJyXXmkYil284dCD93AX4HV1CyTXPY+2p0vTdDhs7VGKi6azdm+UN06X8D1jjjwuF9fhnj7XhuJ3479ra2c7VNb+kIoK4TgrDrqd7LSi6J3WjG5ttVyCB5W/W4ATWkM2z+3sRDjHS1At4qbSbwJQHDR9v8T09B6KZC0Ct5Y0ejHoif8zBIfRm61HYoTL1xZlxobgXjtbWPlCZw5lVwRquRoI59OU5T8muI=,iv:8jbgemrc1+q0OoMc0WivjVLwL2dY78fQmwD0oUZZ8B4=,tag:7YkjrPYPccm/bsjdRVnhYQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2
|
||||||
|
QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2
|
||||||
|
ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3
|
||||||
|
bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ
|
||||||
|
LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81
|
||||||
|
bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04
|
||||||
|
Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm
|
||||||
|
Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd
|
||||||
|
WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn
|
||||||
|
QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV
|
||||||
|
R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy
|
||||||
|
VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs
|
||||||
|
lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-02T18:06:42Z"
|
||||||
|
mac: ENC[AES256_GCM,data:lRrj0QHKJEPsvnF0A009ch7hDXT1kjq60VPoXU44vmcUcA34vb0Eg7YcBprxCkCrmk6nkBo+4dx24mh+KhtqE4IP2JusIUyY8nhnIYawftfZwWSE3MtEe3EhQc+/1dlg6QOBHX+EyxVpPeOPEgNk5cFWYRHVKTYgQTsfAbWM4Q4=,iv:sUVb+7e1/kNKI4adubfLjYQ9CtNlKnMtGcLesoEyRXQ=,tag:Idg/iKz8dX2jHp1C3sHDIA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
39
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
39
nixos/machines/kaalut/mathebau.aliases.yaml
Normal file
File diff suppressed because one or more lines are too long
39
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
39
nixos/machines/kaalut/stalwartAdmin.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
stalwartAdmin: ENC[AES256_GCM,data:bivVihZRD+ie1Vo1htEFiZ77u6A=,iv:sJ97O7oT9btgML8YzM4Puy8h+9VajVHSlzWObhrUEWU=,tag:+jZIn18tixkNTprQlz6WiQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr
|
||||||
|
MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt
|
||||||
|
U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv
|
||||||
|
L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt
|
||||||
|
C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO
|
||||||
|
bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov
|
||||||
|
RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR
|
||||||
|
MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR
|
||||||
|
Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz
|
||||||
|
d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H
|
||||||
|
VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi
|
||||||
|
dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs
|
||||||
|
JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-09T08:06:21Z"
|
||||||
|
mac: ENC[AES256_GCM,data:2ab0OS7muwU0RrxKIvLJMt9RYaFZ79ABbMzYvO9A01yhuSGQAdkq5h1KfhfSXslTCQTvIIz2meT1wD1JZOOgYo6oA6qxtp2Sfp0XFQtEHL6Rb4vS1iPDt0jHvllTtnA8vj4R6lk2991utiGRNAnmbiAEFCXNZwKHVLAf6SnyjNc=,iv:Eb9nH23WoIeDw+0oViOfRJhb/+sKH17Jc3dL7njrxLQ=,tag:5YnJLBo0qvFr6CmomTAmKQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
|
@ -76,6 +76,13 @@ in {
|
||||||
path = "/var/lib/backups/ithaqua";
|
path = "/var/lib/backups/ithaqua";
|
||||||
allowSubRepos = true;
|
allowSubRepos = true;
|
||||||
};
|
};
|
||||||
|
kaalut = {
|
||||||
|
authorizedKeysAppendOnly = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
|
||||||
|
];
|
||||||
|
path = "/var/lib/backups/kaalut";
|
||||||
|
allowSubRepos = true;
|
||||||
|
};
|
||||||
lobon = {
|
lobon = {
|
||||||
authorizedKeysAppendOnly = [
|
authorizedKeysAppendOnly = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
|
||||||
|
|
288
nixos/modules/mail.nix
Normal file
288
nixos/modules/mail.nix
Normal file
|
@ -0,0 +1,288 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
inherit
|
||||||
|
(lib)
|
||||||
|
mkIf
|
||||||
|
mkEnableOption
|
||||||
|
mkOption
|
||||||
|
;
|
||||||
|
inherit (lib.types) listOf str;
|
||||||
|
cfg = config.services.mathebau-mail;
|
||||||
|
in {
|
||||||
|
options.services.mathebau-mail = {
|
||||||
|
enable = mkEnableOption "mathebau mail service";
|
||||||
|
domains = mkOption {
|
||||||
|
type = listOf (lib.types.submodule {
|
||||||
|
options = {
|
||||||
|
domain = mkOption {
|
||||||
|
type = str;
|
||||||
|
};
|
||||||
|
allowlistPass = mkOption {
|
||||||
|
type = str;
|
||||||
|
};
|
||||||
|
virt_aliases = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = "";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
environment.systemPackages = [pkgs.alias-to-sieve];
|
||||||
|
|
||||||
|
services = {
|
||||||
|
stalwart-mail = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
|
||||||
|
listener = {
|
||||||
|
"smtp" = {
|
||||||
|
bind = ["[::]:25"];
|
||||||
|
protocol = "smtp";
|
||||||
|
};
|
||||||
|
"submissions" = {
|
||||||
|
# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
|
||||||
|
bind = ["[::]:465"];
|
||||||
|
protocol = "smtp";
|
||||||
|
tls.implicit = true;
|
||||||
|
};
|
||||||
|
"imaptls" = {
|
||||||
|
bind = ["[::]:993"];
|
||||||
|
protocol = "imap";
|
||||||
|
tls.implicit = true;
|
||||||
|
};
|
||||||
|
"management" = {
|
||||||
|
bind = ["[::]:80"]; # This must also bind publically for ACME to work.
|
||||||
|
protocol = "http";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
acme.letsencrypt = {
|
||||||
|
directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
|
||||||
|
challenge = "http-01";
|
||||||
|
contact = ["root@mathebau.de"];
|
||||||
|
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
|
||||||
|
auth = {
|
||||||
|
# TODO check if HRZ conforms to these standards and we can validate them strictly
|
||||||
|
dkim.verify = "relaxed";
|
||||||
|
arc.verify = "relaxed";
|
||||||
|
dmarc.verify = "relaxed";
|
||||||
|
iprev.verify = "relaxed";
|
||||||
|
spf.verify.ehlo = "relaxed";
|
||||||
|
spf.verify.mail-from = "relaxed";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Forward outgoing mail to HRZ or mail VMs.
|
||||||
|
# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
|
||||||
|
queue.outbound = {
|
||||||
|
next-hop = [
|
||||||
|
{
|
||||||
|
"if" = "rcpt_domain = 'lists.mathebau.de'";
|
||||||
|
"then" = "'mailman'";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
"if" = "is_local_domain('', rcpt_domain)";
|
||||||
|
"then" = "'local'";
|
||||||
|
}
|
||||||
|
{"else" = "'hrz'";}
|
||||||
|
];
|
||||||
|
tls = {
|
||||||
|
mta-sts = "disable";
|
||||||
|
dane = "disable";
|
||||||
|
starttls = "optional"; # e.g. Lobon does not offer starttls
|
||||||
|
};
|
||||||
|
};
|
||||||
|
remote."hrz" = {
|
||||||
|
address = "mailout.hrz.tu-darmstadt.de";
|
||||||
|
port = 25;
|
||||||
|
protocol = "smtp";
|
||||||
|
tls.implicit = false; # somehow this is needed here
|
||||||
|
};
|
||||||
|
remote."mailman" = {
|
||||||
|
address = "lobon.mathebau.de"; # must be created in DNS as a MX record
|
||||||
|
port = 25;
|
||||||
|
protocol = "smtp";
|
||||||
|
tls.implicit = false; # somehow this is needed here
|
||||||
|
};
|
||||||
|
|
||||||
|
# In order to accept mail that we only forward
|
||||||
|
# without having to generate an account.
|
||||||
|
# Invalid addresses are filtered by DFN beforehand.
|
||||||
|
session.rcpt = {
|
||||||
|
catch-all = true;
|
||||||
|
relay = [
|
||||||
|
{
|
||||||
|
"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
|
||||||
|
"then" = true;
|
||||||
|
}
|
||||||
|
{"else" = false;}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
config.local-keys =
|
||||||
|
[
|
||||||
|
"store.*"
|
||||||
|
"directory.*"
|
||||||
|
"tracer.*"
|
||||||
|
"server.*"
|
||||||
|
"!server.blocked-ip.*"
|
||||||
|
"authentication.fallback-admin.*"
|
||||||
|
"cluster.node-id"
|
||||||
|
"storage.data"
|
||||||
|
"storage.blob"
|
||||||
|
"storage.lookup"
|
||||||
|
"storage.fts"
|
||||||
|
"storage.directory"
|
||||||
|
"lookup.default.hostname"
|
||||||
|
"certificate.*"
|
||||||
|
] # the default ones
|
||||||
|
++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
|
||||||
|
sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%";
|
||||||
|
session.data.script = "'redirects'";
|
||||||
|
|
||||||
|
authentication.fallback-admin = {
|
||||||
|
user = "admin";
|
||||||
|
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
environment.persistence.${config.impermanence.name} = {
|
||||||
|
directories = [
|
||||||
|
"/var/lib/stalwart-mail"
|
||||||
|
];
|
||||||
|
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
||||||
|
};
|
||||||
|
|
||||||
|
# Update HRZ allowlist
|
||||||
|
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
||||||
|
# will stop working if no valid TUIDs are associated to our domain.
|
||||||
|
systemd = {
|
||||||
|
timers."mailAllowlist" = {
|
||||||
|
wantedBy = ["timers.target"];
|
||||||
|
timerConfig = {
|
||||||
|
OnBootSec = "5m"; # Run every 5 minutes
|
||||||
|
OnUnitActiveSec = "5m";
|
||||||
|
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
|
||||||
|
Unit = "mailAllowlist.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services = {
|
||||||
|
"mailAllowlist" = {
|
||||||
|
description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
|
||||||
|
script = let
|
||||||
|
scriptTemplate = {
|
||||||
|
domain,
|
||||||
|
allowlistPass,
|
||||||
|
...
|
||||||
|
}: ''
|
||||||
|
# Get the mail addresses' local-part
|
||||||
|
${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee /tmp/addresses
|
||||||
|
${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
|
||||||
|
${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
|
||||||
|
${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases | tee -a /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
|
||||||
|
# Post local-parts to HRZ
|
||||||
|
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
|
||||||
|
# Cleanup
|
||||||
|
rm /tmp/addresses
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "stalwart-mail";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
|
||||||
|
PrivateTmp = false; # allow access to sieve script
|
||||||
|
ProtectHome = true;
|
||||||
|
ReadOnlyPaths = "/";
|
||||||
|
ReadWritePaths = "/tmp";
|
||||||
|
InaccessiblePaths = "-/lost+found";
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"stalwart-mail" = {
|
||||||
|
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets;
|
||||||
|
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
|
||||||
|
};
|
||||||
|
"virt-aliases-generator" = {
|
||||||
|
description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
|
||||||
|
script = let
|
||||||
|
scriptTemplate = {
|
||||||
|
domain,
|
||||||
|
virt_aliases,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
if virt_aliases != ""
|
||||||
|
then "${virt_aliases} ${domain} "
|
||||||
|
else "";
|
||||||
|
in
|
||||||
|
lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
|
||||||
|
wantedBy = ["stalwart-mail.service"];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "stalwart-mail";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
|
||||||
|
PrivateTmp = false;
|
||||||
|
ProtectHome = true;
|
||||||
|
ReadOnlyPaths = "/";
|
||||||
|
ReadWritePaths = "/tmp";
|
||||||
|
InaccessiblePaths = "-/lost+found";
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# Backups
|
||||||
|
services.borgbackup.jobs.mail = {
|
||||||
|
paths = [
|
||||||
|
"/var/lib/stalwart-mail/data"
|
||||||
|
];
|
||||||
|
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
|
||||||
|
environment = {
|
||||||
|
BORG_RSH = "ssh -i /run/secrets/backupKey";
|
||||||
|
# “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
|
||||||
|
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
|
||||||
|
# We don't want this in order to not need to persist borg cache and simplify new deployments.
|
||||||
|
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
|
||||||
|
};
|
||||||
|
repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
|
||||||
|
startAt = "daily";
|
||||||
|
user = "root";
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue