From c3e5470e06d81b8a0dd201bf6e0ad1a8aa4d859f Mon Sep 17 00:00:00 2001 From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH] First try to install Stalwart as a mail software --- .sops.yaml | 7 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 39 +++ .../kaalut/allowlistPassMatheball.yaml | 39 +++ .../kaalut/allowlistPassMathebau.yaml | 39 +++ .../kaalut/allowlistPassMathechor.yaml | 39 +++ nixos/machines/kaalut/backupKey.yaml | 39 +++ nixos/machines/kaalut/configuration.nix | 74 ++++++ .../kaalut/hardware-configuration.nix | 30 +++ nixos/machines/kaalut/mailForwardSieve.yaml | 39 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 39 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 233 ++++++++++++++++++ 12 files changed, 624 insertions(+) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/mailForwardSieve.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..e112b48 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..05ff499 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml @@ -0,0 +1,39 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:vvXurWHumzWQAvcFlkzJqQ==,iv:8zizeoGXY6zBGYsajuDJdvw8YNL81vXaghvBNOPTwYk=,tag:Fwwh56wLSeIPswSUEKWFZA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:05:54Z" + mac: ENC[AES256_GCM,data:L/bMe8fpKnUfWyjIANJF7yLkoEGcsjvnFoGpRbGeKV9Xv9NgVfZk+h58BXeq9cMvrcWxeJC1SmiVy31XRkqjaOYqYdW2R2yRqSBKeHX6fjh1iSjdHVctl1Jk7mBNhObD8PqOQ9mMdschTg5s87n3bOgFhrkarktbbmf7fOKQ5Z4=,iv:fClCggabDbSXO5h9p+B10H2J7ouKJnBkHEKWyj1Jnwk=,tag:5MthaOqhUFROdrpJOV3BxQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..35bf6ed --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml @@ -0,0 +1,39 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:KYrnJRTKt/h5,iv:TSCWpvrBqVvpRBxL1efzIJkdhd3V98EzG3PBoMJjfK0=,tag:L6yR49TuTlvFwtwhQ6WByg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:12Z" + mac: ENC[AES256_GCM,data:NjzqVHpG/KRQNB0slb6rJ7+zJhV9JSsUjfjHk9DhyvgtgP9NUsMTdKKUkJmi0mCwQYk0fDXSDyptCvXk1x6AkgAUcZCdD7nxYH87QTF4hcdiwYohxTEqhuJzEBbIek4z96B1BUd2kQc9pH3OvvHJNXMOO/88uhj2WzOEdeBz+Qw=,iv:iT2aa66hJr3c4HiYsFbzURM8bZegnuAaF9yYMNCd5io=,tag:9ZIB2sofrxB/FxM0Yam7Kg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..64908cd --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml @@ -0,0 +1,39 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:/82Jz2LOREgt,iv:K04xQd4djPzfg1D2RTVUw0wQLpG3+GEAFwlaC+qx4NY=,tag:GpZmS53bX8egsUEbPlVouw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:22Z" + mac: ENC[AES256_GCM,data:1rcc3zGN+emSqaRw0Yng6w/yHgcGW7k6DFrwouLi0ejZO/yo1fl4kYO/MCk7Ujlgls+KVwn9+sdQxCjfNjIGIIurtcGu2b8BGAZzSz3n8U/EEOqn6lD1xn598xC24hfv17/fbBgzw812FVupHE5ZVxDm92foCN0o64G1iX+3jqw=,iv:/iR3iqQVpQU35h8C1QOtRFFfVtGkKGxtl6JqixTR4VI=,tag:DVPVtcIiCiwkJvJDUkHBSg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..974694c --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml @@ -0,0 +1,39 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:XEcJzY7R4obq,iv:45yRZwODIcUosD4bESmBxs0nOZHE6YQj5ptwoNyKLe8=,tag:h7SxNVhU9EpiFNv8b7N8yA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:30Z" + mac: ENC[AES256_GCM,data:8/g54eitQhBZscPNQrS2uQH/aMEyxAlghM6wbMm8ynL8XO5of9HG3wk+1/zI3r9EpH8OwC2ZDvMPmgSsM9OZK8Q4v4s3qcsAzXU6yvhfLLeLtQ0F+hxnN2Iq0wa5OhvZkRk+7Q+xZYZSjoseJG240+trO0ltaCCF7ZBodFJ0BK8=,iv:827qo3WHh6zmk9hHrY9yt791cLegw4RHfnFUdR4h9Gg=,tag:VDKXQ8VB4FK3PI9AyxDgaw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3dd60c6 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml @@ -0,0 +1,39 @@ +backupKey: ENC[AES256_GCM,data:DSbjTD/60Y9wUQRXGUIwRdLgIHNAVqUs+6v1WRIs3tbMh0efOiNQ82GpKFtwmgtyfmLl9HCVZPYgw6ZiLrMj3T3tIl69Q3PZ6OKAPhrecOz9xwPaZzV6UIt2MO/xyUZy0hm+JYor3fnWqKLMv0amRLRlfTtpc6Ol7ocPGtOh/m/VDEFmouQJAlSbnAnL+eijaaEBZMCVkquWxERiYGyqXlnXFO1qDjc5LR3IJwIbNZIZ5j22FsLIp2ot79Tw+so+rqJC5Yd5Q7+BTFPkN8R+BHC8aLnMUhTBe7PQB730XmslOKZ6lixxF7CeXXblfF6RGTNl0gwp4LwkZ3PWx7M/OhgAW1YcdZdBHhSpSNJegXCSXyRcHdFGxesYGohcZJbOFl2rqyA9NiPOGSpfUfoeXHb06h23hVnm4o1xCWXB58521F92AuVystM8+pHrFll1Opin2KuaiQGx3D/3Rj0XDkMgiY8aP6OCRCkgWBARGqNgQOyg6kFwfrlwTNZezSWfyJCbZLggNPntmttC8Kzl,iv:ap0DBhc41rGhwGZkZM54QfFGGCJiGu+WcaTwT2JKjsY=,tag:8xvJHjVT8cKxg2IA0iNqEA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN + Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju + WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL + d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK + hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz + clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp + clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ + UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm + /0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu + Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0 + a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT + Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc + 00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T20:10:40Z" + mac: ENC[AES256_GCM,data:SkhsUgq/d/FBUhIu3qfmIYKcRM6NuyR/e0KGz+0e70Du7hqVFXehoqUiWk869alJCjvIOU3zjq7rA3pFvGakV7nRfCQvYI5QkWHFctbCDtopLWcq67uUdj/VZpaW9UVt3e41hWIodxbDhFaxYAoqEfAUK5rhESMCx4Idd/fpYL8=,iv:DcaeyKkRhv02UbCCvr3XUcI0h0F2ZNA/TBrcyPIBi/c=,tag:CAqsBq055TmgPbSiPRVtAQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..1bbac6f --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix @@ -0,0 +1,74 @@ +{ + imports = [ + ./hardware-configuration.nix + ../../modules/mail.nix + ../../roles + ../../roles/vm.nix + ../../modules/vmNetwork.nix + ]; + + # System configuration here + + services.mathebau-mail = { + enable = true; + domains = [ + { + domain = "koma89.tu-darmstadt.de"; + allowlistPass = "/run/secrets/allowlistPassKoMa"; + } + { + domain = "mathebau.de"; + allowlistPass = "/run/secrets/allowlistPassKoMa"; + } + ]; + }; + + networking.hostName = "kaalut"; + vmNetwork.ipv4 = "192.168.0.17"; + system.stateVersion = "24.05"; + + sops.secrets = { + allowlistPassMatheball = { + sopsFile = ./allowlistPassMatheball.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassMathebau = { + sopsFile = ./allowlistPassMathebau.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassMathechor = { + sopsFile = ./allowlistPassMathechor.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassKoMa = { + sopsFile = ./allowlistPassKoMa.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + stalwartAdmin = { + sopsFile = ./stalwartAdmin.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + backupKey = { + sopsFile = ./backupKey.yaml; + owner = "root"; + group = "root"; + mode = "0400"; + }; + mailForwardSieve = { + sopsFile = ./mailForwardSieve.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0440"; + }; + }; +} diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix new file mode 100644 index 0000000..ce7112d --- /dev/null +++ b/nixos/machines/kaalut/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ + lib, + pkgs, + ... +}: { + imports = []; + + fileSystems."/" = { + device = "root"; + fsType = "tmpfs"; + options = ["size=1G" "mode=755"]; + }; + fileSystems."/persist" = { + device = "/dev/disk/by-label/nixos"; + fsType = "btrfs"; + options = ["subvol=persist"]; + neededForBoot = true; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + fileSystems."/nix" = { + device = "/dev/disk/by-label/nixos"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nixos/machines/kaalut/mailForwardSieve.yaml b/nixos/machines/kaalut/mailForwardSieve.yaml new file mode 100644 index 0000000..e2915b9 --- /dev/null +++ b/nixos/machines/kaalut/mailForwardSieve.yaml @@ -0,0 +1,39 @@ +mailForwardSieve: ENC[AES256_GCM,data:OtsgvN93/WjvT3SiNt1NchwuTx8erHp4Fbmx7pdbVZ1vA094fWzQVZkWo+LFBZYz/Ny3WV9SAE0nAy/RPkY6X0/7HeTq6if423DpdCwSASqzqrNmLBkybo+I0hEDG8D03EbpVBAEQ665xmQlSsVGpTIdsYs9urplTTzfdAY4YF1hUpBDcR1Zb1zrtKWEz0fhTS4J0j7WPdcXEFhuq/IE26rWU3XG3kaO2nKZ0Pjun5cfCeuE32icQ3FqfUhwzXgqi0r2FftSPGUvZ+rzOsDJ4go95ukCUh2mHvdWxZy3nGcZOqq4x2g/6cRIIpTNlnOy3/G2vWm+QYOT3EEkOkbdSGIV5CZZsH3XO0OgI6oQyuZbTCvcbIuT6CgGjo1280xAHWuNvoKqYT+1K3hvUsHQ9kMSIo8wH7loGkkY9DHK2hFAY4+TvtWtxGBdGJDeOQ+KE4TQsfiMcr22FutKF9SdKw3x3GKo1Udr7YIcOJDFWwtAYpFw3nLw/ETHib9LNcR87ypEC5vGfPWdIySC02JbXYFeo1DTaqaTk/2nlwPtdOhqVA1uNohZWPoUHJr9aZkNUuz5LBdY5pWUPodE2cYyeYpgjB3KuILKjVUptX7PyvEdOPuIG0j+BY2hIOD/xynQ25LZXL7I9LWOzfaQ8XIDL8Q6qg5egugHlGVbLEzg5MUPcFpEsX/GV5BdlMMLfLM1aymXGsXWZimBj3AUBJqBV1as/hlxasBUnwsIt4n+jAr22ZBASULIQ6zdcdYSTa22CK6+HE1hUg1H51mjdchUlH+AWCIfX8oDXnJhCvz/yMp/YCls+8wT50XpKI/5jD1pR844SfVXmb8YFyczgge7Xjsw0VwlRmxyFZeihZAROrAOK8DFYDz+AhI2LJzmU+cbfuY08wIiW121YPBiN4zk63k1KW9p4qVIA+tLaMq3m66Tg4ZrMJG6akwzYMWHgOK28zmtIVB+BDHJ6QyW1P5qIKoZ4KTVlL4GhXY7032c+SaTA0XoZonWs6V+yRbuZgNAF4PgMB7OuE9iNHZc987Tr8O8sKfL0Yqwb/2+v7hJ1YA3pRci+lBwIc5fvX/a1303ugU8i0sByeXwp3vprAzGb0FeTDCxJcAumHRoAH8EuyvAFvIZgSB2ZpmDO8Q20qNG0lzmdX5ZpC3uH2SZcmCXuuQr/Xz1DoqXNoWvPfdRBkJ1M1Z5dhZ290yjChSPwsPfoBUZG6ppF0QNdosb5TdxO1BTq8GmR7ZYqawLyX8XDB3RFlT8sMJaiX1GbfKNqhccQfzx4S5+1lc4yy7p5ngQjrLy/o/TzAbJh6Se9zV6mU6BukmagoLKt5hQ7MXZi79CJU/2zqwXGvnyNCIYHdbX1mIqSGHk9u99heFSySH6IuInVcS3rHSk7+Ooze54gr6jaRfX0aE1wrRq1Hi0t6IBu6PTl7wjj/ZwtshcSOh6QCzQEFvrI5KmsxUBU5hglt2Y10Kd3hp6qc2i4bebGkdf/Lp+zrS1NzqeC55eKIRZ,iv:K2HuwQWa8b2i3ohlBTuqTgoldIgvdmVq9P/2i+p3b1Y=,tag:LPzWm92AZLgNbj/78a4gHg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-26T13:26:51Z" + mac: ENC[AES256_GCM,data:05xTO7gwUegQpoYOpmbp4ANWdBmwfM2bbdIwmrwfoMioHRMm/cV9V9TYdpkiIYjh0jtFAqNUWGtrDidhU6qeaUpAJPk2CWGcyg+Acvs/6WEvIi7DHACNu7dg2hGEe4fdJ8Huxhs5Lin9z/THo2cACTRwvDnz9aeogfOiLczAVOg=,iv:2BaaZYe5u179FIbLXSPk/keS+hI9dH536XaAGJ4thg4=,tag:i85Xds3fS+mFcZ96LYrkyA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..a237fcd --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml @@ -0,0 +1,39 @@ +stalwartAdmin: ENC[AES256_GCM,data:bivVihZRD+ie1Vo1htEFiZ77u6A=,iv:sJ97O7oT9btgML8YzM4Puy8h+9VajVHSlzWObhrUEWU=,tag:+jZIn18tixkNTprQlz6WiQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr + MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt + U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv + L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt + C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO + bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov + RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR + MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR + Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz + d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H + VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi + dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs + JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:06:21Z" + mac: ENC[AES256_GCM,data:2ab0OS7muwU0RrxKIvLJMt9RYaFZ79ABbMzYvO9A01yhuSGQAdkq5h1KfhfSXslTCQTvIIz2meT1wD1JZOOgYo6oA6qxtp2Sfp0XFQtEHL6Rb4vS1iPDt0jHvllTtnA8vj4R6lk2991utiGRNAnmbiAEFCXNZwKHVLAf6SnyjNc=,iv:Eb9nH23WoIeDw+0oViOfRJhb/+sKH17Jc3dL7njrxLQ=,tag:5YnJLBo0qvFr6CmomTAmKQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..62b0b3d --- /dev/null +++ b/nixos/modules/mail.nix @@ -0,0 +1,233 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit + (lib) + mkIf + mkEnableOption + mkOption + ; + inherit (lib.types) listOf str; + cfg = config.services.mathebau-mail; +in { + options.services.mathebau-mail = { + enable = mkEnableOption "mathebau mail service"; + domains = mkOption { + type = listOf (lib.types.submodule { + options = { + domain = mkOption { + type = str; + }; + allowlistPass = mkOption { + type = str; + }; + }; + }); + }; + }; + + config = mkIf cfg.enable { + services = { + stalwart-mail = { + enable = true; + openFirewall = true; + settings = { + server = { + lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO. + listener = { + "smtp" = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + "submissions" = { + # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618 + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + "imaptls" = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + "management" = { + bind = ["[::]:80"]; # This must also bind publically for ACME to work. + protocol = "http"; + }; + }; + }; + acme.letsencrypt = { + directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated + challenge = "http-01"; + contact = ["root@mathebau.de"]; + domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; + default = true; + }; + spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding + auth = { + # TODO check if HRZ conforms to these standards and we can validate them strictly + dkim.verify = "relaxed"; + arc.verify = "relaxed"; + dmarc.verify = "relaxed"; + iprev.verify = "relaxed"; + spf.verify.ehlo = "relaxed"; + spf.verify.mail-from = "relaxed"; + }; + + # Forward outgoing mail to HRZ or mail VMs. + # see https://stalw.art/docs/smtp/outbound/routing/ relay host example + queue.outbound = { + next-hop = [ + { + "if" = "rcpt_domain = 'lists.mathebau.de'"; + "then" = "'mailman'"; + } + { + "if" = "is_local_domain('', rcpt_domain)"; + "then" = "'local'"; + } + {"else" = "'hrz'";} + ]; + tls.mta-sts = "disable"; + tls.dane = "disable"; + }; + remote."hrz" = { + address = "mailout.hrz.tu-darmstadt.de"; + port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + remote."mailman" = { + address = "lobon.mathebau.de"; # must be created in DNS as a MX record + port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + + # In order to accept mail that we only forward + # without having to generate an account. + # Invalid addresses are filtered by DFN beforehand. + session.rcpt = { + catch-all = true; + relay = [ + { + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'"; + "then" = true; + } + {"else" = false;} + ]; + }; + config.local-keys = + [ + "store.*" + "directory.*" + "tracer.*" + "server.*" + "!server.blocked-ip.*" + "authentication.fallback-admin.*" + "cluster.node-id" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "lookup.default.hostname" + "certificate.*" + ] # the default ones + ++ ["sieve.trusted.scripts.*"]; #for marcos to be able to include our redirection script + sieve.trusted.scripts.redirects.contents = "%{file:/run/secrets/mailForwardSieve}%"; + session.data.script = "'redirects'"; + + authentication.fallback-admin = { + user = "admin"; + secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; + }; + }; + }; + }; + environment.persistence.${config.impermanence.name} = { + directories = [ + "/var/lib/stalwart-mail" + ]; + files = ["/root/.ssh/known_hosts"]; # for the backup server bragi + }; + + # Update HRZ allowlist + # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ + # will stop working if no valid TUIDs are associated to our domain. + systemd.timers."mailAllowlist" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "5m"; # Run every 5 minutes + OnUnitActiveSec = "5m"; + RandomizedDelaySec = "2m"; # prevent overload on regular intervals + Unit = "mailAllowlist.service"; + }; + }; + # ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_`{|}~]+@koma89.tu-darmstadt.de" /run/secrets/mailForwardSieve >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. + systemd.services."mailAllowlist" = { + description = "Allowlist update: Post the mail addresses to the HRZ allowllist"; + script = let + scriptTemplate = { + domain, + allowlistPass, + }: '' + # Get the mail addresses' local-part + ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee /tmp/addresses + ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses + ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses + ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /run/secrets/mailForwardSieve | tee -a /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. + # Post local-parts to HRZ + ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll + # Cleanup + rm /tmp/addresses + ''; + in + lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); + serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = true; + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + # Backups + services.borgbackup.jobs.mail = { + paths = [ + "/var/lib/stalwart-mail/data" + ]; + encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction. + environment = { + BORG_RSH = "ssh -i /run/secrets/backupKey"; + # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.” + # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html + # We don't want this in order to not need to persist borg cache and simplify new deployments. + BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + }; + repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 + startAt = "daily"; + user = "root"; + group = "root"; + }; + }; +}