Compare commits

...

5 commits

Author SHA1 Message Date
27a70518bc Restrict HRZ allowlist update service privileges 2024-07-01 21:34:27 +02:00
0b39fc78fc Mailman backups 2024-07-01 21:34:27 +02:00
c01078bde5 Add pushing to hrz allowlist 2024-07-01 21:34:27 +02:00
49af9f7d1e Setze Mailman-Maschine auf 2024-07-01 21:34:27 +02:00
367cbeed0a nix flake update
Especially contains https://github.com/NixOS/nixpkgs/pull/323753
2024-07-01 21:32:35 +02:00
8 changed files with 311 additions and 15 deletions

View file

@ -4,6 +4,7 @@ keys:
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
creation_rules: creation_rules:
- path_regex: nixos/machines/nyarlathotep/.* - path_regex: nixos/machines/nyarlathotep/.*
@ -18,6 +19,12 @@ creation_rules:
- *nerf - *nerf
- *gonne - *gonne
- *bragi - *bragi
- path_regex: nixos/machines/lobon/.*
key_groups:
- age:
- *nerf
- *gonne
- *lobon
# this is the catchall clause if nothing above machtes. Encrypt to users but not # this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines # to machines
- key_groups: - key_groups:

View file

@ -21,11 +21,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1717285511, "lastModified": 1719745305,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", "narHash": "sha256-xwgjVUpqSviudEkpQnioeez1Uo2wzrsMaJKJClh+Bls=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", "rev": "c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -71,11 +71,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719075281, "lastModified": 1719690277,
"narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=", "narHash": "sha256-0xSej1g7eP2kaUF+JQp8jdyNmpmCJKRpO12mKl/36Kc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af", "rev": "2741b4b489b55df32afac57bc4bfd220e8bf617e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -114,11 +114,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1719099622, "lastModified": 1719663039,
"narHash": "sha256-YzJECAxFt+U5LPYf/pCwW/e1iUd2PF21WITHY9B/BAs=", "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e8e3b89adbd0be63192f6e645e0a54080004924", "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -136,11 +136,11 @@
"nixpkgs-stable": [] "nixpkgs-stable": []
}, },
"locked": { "locked": {
"lastModified": 1718879355, "lastModified": 1719259945,
"narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=", "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a", "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -167,11 +167,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1719111739, "lastModified": 1719716556,
"narHash": "sha256-kr2QzRrplzlCP87ddayCZQS+dhGW98kw2zy7+jUXtF4=", "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5e2e9421e9ed2b918be0a441c4535cfa45e04811", "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -0,0 +1,39 @@
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-31T14:34:54Z"
mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,39 @@
backupKey: ENC[AES256_GCM,data:/PErHUVZDTyqK+GKI2inDoEBQpSmezeBTgXWnrthc8IPtUFn4Ur2CkDo+MqfiAlSn9vT2ksHmyS5qmoGANG01e1Cm50qpt/BdoC2hh15jOVuc0uUBNOq7f5YBVeYtbemwjPcmbF7dgUeRlEAvxhqtX3/ntzxSB1inew/SsEgPrU4Yl0FF+CHhqgbeB/NJOhQY29/3hBGwMksfTUDymUmX6pUgIN1M26crIKFCn5IyqAXl10F+zL4PThZPnhmks7Y8BsGUbKkiE6ghdaUjEjBjGOGgbaGAjolG+nJ17xyM1Pc2speT4E/3VgAC34dpaByveGcf2SfsXir0KavcI86mUkjzaNF9u7GjGO0Szn742/aqbdUoOkJl41unb0Enf2/D4Up3fy6LrUqVqrHIM4Dea9WLQd0poD0FWSN12IKh+ylkouMkmhwLXUXFzIHOePS92/MsPM+9fLhH4cU64qxr9UzmfYRnNBpAHrjlxdkK9WZ1Oj4mdtu6R20vYkYcMIQgU38FvSN6uWGvPxJj+Ij,iv:ghvgkC6qFO/0tvsc7igCoZy7am8eNsd21WYCSAKiZDs=,tag:MFnk/Nnw+cloN+x7sd4LLg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNVExTHQrY2h1M3RZOEdU
Wm5kdDBHZ1NmZGpQU0VOYWtjOTdBVURQZkJnCmZzWTEvSWxvMFk4NlFOVnBDbm9q
Tncva0VyMGVDL29ZZ0YxeGE3RFBUS3cKLS0tIDluK05NMUNNM3pEUmlCNE9BV3lT
L0dPYTBwbjJzUmJnYktiM2JBME5LM3cKvPwth4DxQgFYhvr9vJLfeaiNc+UfAo4c
RdXPLkwtq3vksrU1IR54tHcUJ0yZiZ1HxxGp3PCPaXXJiUykllnJPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdFV0OVA5VTBuOVhsL3lp
MFpDN2RHVDExck5vcWpDNDNPM2k3S1FqQUFFCjNreXdSbDFXOHJ4b21mNGlZb0xQ
YUh0WVNGN2o1aFVaaGpxbmk4aUQ4ZTAKLS0tIHhtci84Zk1zZlBOOHk4a3VKUlM1
MXNZbWdpVEJiTTlIRERLYzBlNWxBMlUK4Z8JLlN5FOegfdg5njhHjbCwAm/f+kJS
buOHGWzWirW0ZibOP+fikzJwdIzIsX8v8tGaV89nQwf0hrxK0748Hg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZa2pUZlZsVmhPU242d0Nj
bi9BSlJBU1Q1cFU4ZjA4NnlJNmdwaVFBc2xNCjJlSG5UaDFnSzFHZ01RVVNjOHY5
L1JVUit6SThvbGRIU0loNmtZanllNXcKLS0tIFhMR1pxRmlGQWFEQURiRFJoMWJZ
dlExV2xTVWR6bWI3VCtSdU81SmtqYncKLFQczlIj89vzlfgE33w6ktotYFdxaWr9
YyewbY8qZmOUGQ4xKlZmhojeMh/FEH8dGNEf1AxnKbuQdnW6lqGR/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-31T16:01:00Z"
mac: ENC[AES256_GCM,data:AawTzIXyX+3FyFpw8pXFeVJJtXN7ZpTFnUqhedC2vcbbNUzMMt1X0SaxtNNJ5chZI/tYHn59FT6zznl1eO4Xn29Zc2Up4dkT1BE4yqkEG0hiCFXrXMz/PaHfROzBhIWCVyF4fYj6MZKg1iBBxhWRqhJlQ1q4UVkoaITRUKpFJgs=,iv:3lTPOQ8VjmP3WNGbFK2yLU4Ks1KviNS/l7TH4SnvSUs=,tag:KUbAU6+76/Uxj2Wn9EnqnA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,36 @@
{
imports = [
./hardware-configuration.nix
../../modules/mailman.nix
../../roles
../../roles/vm.nix
../../modules/vmNetwork.nix
];
# System configuration here
services.mathebau-mailman = {
enable = true;
hostName = "lists.mathebau.de";
siteOwner = "root@mathebau.de";
};
networking.hostName = "lobon";
vmNetwork.ipv4 = "192.168.0.22";
system.stateVersion = "23.11";
sops.secrets = {
allowlistPass = {
sopsFile = ./allowlistPass.yaml;
owner = "mailman";
group = "mailman";
mode = "0400";
};
backupKey = {
sopsFile = ./backupKey.yaml;
owner = "root";
group = "root";
mode = "0400";
};
};
}

View file

@ -0,0 +1,30 @@
{
lib,
pkgs,
...
}: {
imports = [];
fileSystems."/" = {
device = "root";
fsType = "tmpfs";
options = ["size=1G" "mode=755"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix"];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View file

@ -83,6 +83,13 @@ in {
path = "/var/lib/backups/ithaqua"; path = "/var/lib/backups/ithaqua";
allowSubRepos = true; allowSubRepos = true;
}; };
lobon = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
];
path = "/var/lib/backups/lobon";
allowSubRepos = true;
};
sanctamariamaterdei = { sanctamariamaterdei = {
authorizedKeysAppendOnly = [ authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9Le5OI4ympQ0mQKYHmxgxGF598rzpD5VVpWK1mGfd8 Sanctamariamaterdei Backupsystem" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9Le5OI4ympQ0mQKYHmxgxGF598rzpD5VVpWK1mGfd8 Sanctamariamaterdei Backupsystem"

138
nixos/modules/mailman.nix Normal file
View file

@ -0,0 +1,138 @@
# Adapted and simplified from https://nixos.wiki/wiki/Mailman
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
;
inherit (lib.types) str;
cfg = config.services.mathebau-mailman;
in {
options.services.mathebau-mailman = {
enable = mkEnableOption "mathebau mailman service";
hostName = mkOption {
type = str;
};
siteOwner = mkOption {
type = str;
};
};
config = mkIf cfg.enable {
services = {
postfix = {
enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
proxy_interfaces = "130.83.2.184";
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
};
relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
};
mailman = {
enable = true;
inherit (cfg) siteOwner;
hyperkitty.enable = true;
webHosts = [cfg.hostName];
serve.enable = true; #
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
settings.mta.verp_confirmations = "no";
};
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
forceSSL = false; # Don't use HTTPS behind the proxy
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
"/var/lib/mailman"
"/var/lib/mailman-web"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
};
security.acme.defaults.email = cfg.siteOwner;
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
# will stop working if no valid TUIDs are associated to our domain.
systemd.timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m"; # Run every 5 minutes
OnUnitActiveSec = "5m";
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
Unit = "mailAllowlist.service";
};
};
systemd.services."mailAllowlist" = {
description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
script = ''
# Get the mail addresses' local-part
cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
# Post local-parts to HRZ
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
serviceConfig = {
Type = "oneshot";
User = "mailman";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
# Backups
services.borgbackup.jobs.mailman = {
paths = [
"/var/lib/mailman/data"
"/var/lib/mailman-web"
];
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
# “Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.”
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
group = "root";
};
};
}