Mailman backups

.sops.yaml

@@ -1,9 +1,10 @@
 keys:
   - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-  - &gonne age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
+  - &gonne age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
 
   - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
   - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+  - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
 
 creation_rules:
   - path_regex: nixos/machines/nyarlathotep/.*
@@ -18,6 +19,12 @@ creation_rules:
         - *nerf
         - *gonne
         - *bragi
+  - path_regex: nixos/machines/lobon/.*
+    key_groups:
+      - age:
+        - *nerf
+        - *gonne
+        - *lobon
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:

nixos/machines/bragi/backupKey.yaml

@@ -0,0 +1,39 @@
+backupKey: ENC[AES256_GCM,data:PBdeV6uQ/Jg9xk7HXylyDKCBdny/XRflF752arUZAnUvmVv4yiSwOY9ua3tH1BDpddiql1aNJqmfatZOB3JKB2mHnyeSt7L0B81zuIFpxJOdsnGACviH6sUfsC5ogkGRhLKynf5Ghz/6xanthyK6euIpAAu05wDWcseg4y8k5rdFhL7rasmOMi0oVLN54Psmyf9vahfX6BNGBHQA1qJyeaI5iDLI+6gh7dtOXjTd4pHX8T9PEYpGnOBMHvaaVA2r7z27iUJSKqzzSB9B/rm01tI6LTG/yfQU+TKlWFU2iIodCG7eJ2qe+exvxOlEj9At/UI/Kd+dNSHcffLDUxVcstthOOP0TUdHkPCTC8BEJtAAexUBqSv+LTOPfJeAbIw3QhEpfeyZOpw2FY1qstQ/G0+1sDF8762uJu9v1amx4+4e8NEiSa/dtdnQAKFiEswk+5nqRSKQJOH3w0tHr9NRhhS775lUtUX4DW0xN42QeABM0xg56qJPxPNif3K2ovPX3BTSSZnQ0EZzuxployu1MyJxpcBT+6qa8l/h,iv:ZdivBorDtIyBOs7XSg/DHjReG+T6/exeS8ziA7ms7FM=,tag:gcIXgpyd2UeQV3APqCCxMg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2dRc3NPeUwwaHdCL25V
+            RHNaWU9xRUw5dDlaOG5hczVlNm5UR01QUEVNClJsVFRBWU85Z0JuV1l3MDdvd1F2
+            RS9CcXhuNEJWdEE1cktXYjF3RW9wUDQKLS0tIHk3MURmWlJNanVZaHlUR3R2UEZG
+            K2JxOHpNY2hsTysrWjNLajFKQkxuNHcKaFMvnDt9a3HsnbP1Q/i4ifRIXFcXYn8z
+            YyOho0hSmWZNhTbltmuVKjvCNgt9ONVRW93uRDDoju8Odps0qwwvuA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMM1NCbHdFZDJvYjJjcmZ6
+            bUFjSG5OUEdydS9pTkNHRjFKb3gvWll0Q0RVCk56ZnhDa0NGeUNhVVdDZENieDFW
+            Q0xSNXhYQXZSVnI3WlRzUjhxOXRyM2sKLS0tIGhnVWJaRG4vSGpUcnQ5SFVFT3VQ
+            YUFzTlNLSE9CbW9oYTFsY0tpTE4vZTQKjurd87tDH8z58pAGJyVXRAu8Q2+k7e4G
+            zOGZhm5DpSmFv2O2fqXgBg8nT5wrPKQDFvcDh1P+a0753tUTbUttIA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWmlwS0E5TytFdEpxN09U
+            Y3k0SDhnM2h5Rnh1bXQ2czA5bWt1Mkk3aUFFCmtwT2ZmN0IweGdOYURWNDVHcWtH
+            R3lRaFRkcWYzb2g4NWNFQU5WOXZZaGMKLS0tIHpWNnNvVUNucE5MQ1cxQWl6Qm1x
+            NUZDVnJORXF1NGlyNUkzOGl2REFHdmsK18k9UfOmtFSep6mZcSp6di7SjvrBXgGp
+            oWtLehp1UFEHCgaU5YxlYhtkrrOhb8ykFb1on+kmzrloaHqyvks7Aw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-21T16:38:08Z"
+    mac: ENC[AES256_GCM,data:kEVWd988Ia6T8v3w0slQhM0lh78VhnP8qJNa6IZg0NF2B0JQbFRnQNbUfvG9Rf4mkAR/O9PD+r6HR+b3LCwzb/Ok/eD4/M3+oPaEx/JnoHrzF/1N29VEAvBHjQgw6DL05toqu5G03UDcDUFGc111AeRsexhONQRHJx3zqWyWGy4=,iv:T5Pkhl3vhSAIoKkC3r3VQn3tC4t04WxvAZDQ4PMvD84=,tag:h0/aB91SFr5q0Or5daxWUQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/machines/bragi/configuration.nix

@@ -0,0 +1,15 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../roles
+    ../../roles/hardware.nix
+    ./network.nix
+    ../../modules/borgbackup.nix
+  ];
+
+  services.mathebau-borgbackup.enable = true;
+
+  # System configuration here
+  networking.hostName = "bragi";
+  system.stateVersion = "23.11";
+}

nixos/machines/bragi/hardware-configuration.nix

@@ -0,0 +1,32 @@
+{lib, ...}: {
+  fileSystems."/" = {
+    device = "root";
+    fsType = "tmpfs";
+    options = ["size=2G" "mode=755"];
+  };
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = ["subvol=persist"];
+    neededForBoot = true;
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = ["subvol=nix"];
+  };
+  fileSystems."/var/lib/backups" = {
+    device = "/dev/disk/by-label/backups";
+    fsType = "btrfs";
+  };
+
+  swapDevices = [{device = "/dev/disk/by-label/swap";}];
+
+  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5000c5003891662c";
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/machines/bragi/network.nix

@@ -0,0 +1,15 @@
+# We sohuld put that config somewhere in roles and give it a parameter or something,
+# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
+# depend on the same thing
+{
+  networking = {
+    interfaces.enp0s25.ipv4.addresses = [
+      {
+        address = "192.168.1.11";
+        prefixLength = 24;
+      }
+    ];
+    defaultGateway = "192.168.1.137";
+    nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
+  };
+}

nixos/machines/lobon/allowlistPass.yaml

@@ -0,0 +1,39 @@
+allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
+            NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
+            Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
+            Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
+            ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
+            QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
+            SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
+            NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
+            G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
+            TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
+            VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
+            Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
+            uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-31T14:34:54Z"
+    mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/machines/lobon/backupKey.yaml

@@ -0,0 +1,39 @@
+backupKey: ENC[AES256_GCM,data:/PErHUVZDTyqK+GKI2inDoEBQpSmezeBTgXWnrthc8IPtUFn4Ur2CkDo+MqfiAlSn9vT2ksHmyS5qmoGANG01e1Cm50qpt/BdoC2hh15jOVuc0uUBNOq7f5YBVeYtbemwjPcmbF7dgUeRlEAvxhqtX3/ntzxSB1inew/SsEgPrU4Yl0FF+CHhqgbeB/NJOhQY29/3hBGwMksfTUDymUmX6pUgIN1M26crIKFCn5IyqAXl10F+zL4PThZPnhmks7Y8BsGUbKkiE6ghdaUjEjBjGOGgbaGAjolG+nJ17xyM1Pc2speT4E/3VgAC34dpaByveGcf2SfsXir0KavcI86mUkjzaNF9u7GjGO0Szn742/aqbdUoOkJl41unb0Enf2/D4Up3fy6LrUqVqrHIM4Dea9WLQd0poD0FWSN12IKh+ylkouMkmhwLXUXFzIHOePS92/MsPM+9fLhH4cU64qxr9UzmfYRnNBpAHrjlxdkK9WZ1Oj4mdtu6R20vYkYcMIQgU38FvSN6uWGvPxJj+Ij,iv:ghvgkC6qFO/0tvsc7igCoZy7am8eNsd21WYCSAKiZDs=,tag:MFnk/Nnw+cloN+x7sd4LLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNVExTHQrY2h1M3RZOEdU
+            Wm5kdDBHZ1NmZGpQU0VOYWtjOTdBVURQZkJnCmZzWTEvSWxvMFk4NlFOVnBDbm9q
+            Tncva0VyMGVDL29ZZ0YxeGE3RFBUS3cKLS0tIDluK05NMUNNM3pEUmlCNE9BV3lT
+            L0dPYTBwbjJzUmJnYktiM2JBME5LM3cKvPwth4DxQgFYhvr9vJLfeaiNc+UfAo4c
+            RdXPLkwtq3vksrU1IR54tHcUJ0yZiZ1HxxGp3PCPaXXJiUykllnJPw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdFV0OVA5VTBuOVhsL3lp
+            MFpDN2RHVDExck5vcWpDNDNPM2k3S1FqQUFFCjNreXdSbDFXOHJ4b21mNGlZb0xQ
+            YUh0WVNGN2o1aFVaaGpxbmk4aUQ4ZTAKLS0tIHhtci84Zk1zZlBOOHk4a3VKUlM1
+            MXNZbWdpVEJiTTlIRERLYzBlNWxBMlUK4Z8JLlN5FOegfdg5njhHjbCwAm/f+kJS
+            buOHGWzWirW0ZibOP+fikzJwdIzIsX8v8tGaV89nQwf0hrxK0748Hg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZa2pUZlZsVmhPU242d0Nj
+            bi9BSlJBU1Q1cFU4ZjA4NnlJNmdwaVFBc2xNCjJlSG5UaDFnSzFHZ01RVVNjOHY5
+            L1JVUit6SThvbGRIU0loNmtZanllNXcKLS0tIFhMR1pxRmlGQWFEQURiRFJoMWJZ
+            dlExV2xTVWR6bWI3VCtSdU81SmtqYncKLFQczlIj89vzlfgE33w6ktotYFdxaWr9
+            YyewbY8qZmOUGQ4xKlZmhojeMh/FEH8dGNEf1AxnKbuQdnW6lqGR/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-31T16:01:00Z"
+    mac: ENC[AES256_GCM,data:AawTzIXyX+3FyFpw8pXFeVJJtXN7ZpTFnUqhedC2vcbbNUzMMt1X0SaxtNNJ5chZI/tYHn59FT6zznl1eO4Xn29Zc2Up4dkT1BE4yqkEG0hiCFXrXMz/PaHfROzBhIWCVyF4fYj6MZKg1iBBxhWRqhJlQ1q4UVkoaITRUKpFJgs=,iv:3lTPOQ8VjmP3WNGbFK2yLU4Ks1KviNS/l7TH4SnvSUs=,tag:KUbAU6+76/Uxj2Wn9EnqnA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/machines/lobon/configuration.nix

@@ -0,0 +1,20 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules/mailman.nix
+    ../../roles
+    ../../roles/vm.nix
+    ./network.nix
+  ];
+
+  # System configuration here
+
+  services.mathebau-mailman = {
+    enable = true;
+    hostName = "lists.mathebau.de";
+    siteOwner = "root@mathebau.de";
+  };
+
+  networking.hostName = "lobon";
+  system.stateVersion = "23.11";
+}

nixos/machines/lobon/hardware-configuration.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [];
+
+  fileSystems."/" = {
+    device = "root";
+    fsType = "tmpfs";
+    options = ["size=512M" "mode=755"];
+  };
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = ["subvol=persist"];
+    neededForBoot = true;
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "btrfs";
+    options = ["subvol=nix"];
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/machines/lobon/network.nix

@@ -0,0 +1,16 @@
+# We sohuld put that config somewhere in roles and give it a parameter or something,
+# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
+# depend on the same thing
+{
+  imports = [];
+  networking = {
+    interfaces.enX0.ipv4.addresses = [
+      {
+        address = "192.168.0.22";
+        prefixLength = 16;
+      }
+    ];
+    defaultGateway = "192.168.0.149";
+    nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
+  };
+}

nixos/modules/borgbackup.nix

@@ -0,0 +1,178 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit
+    (lib)
+    mkIf
+    mkEnableOption
+    ;
+  cfg = config.services.mathebau-borgbackup;
+in {
+  imports = [];
+
+  options.services.mathebau-borgbackup = {
+    enable = mkEnableOption "mathebau borgbackup service";
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup = {
+      # repos are made available at ssh://borg@hostname and served according to the presented ssh-key
+
+      # If you think about adding keys of nix machines:
+      # Congratulations, you are the first person to make backups from a nixos machine.
+      # Your won the task of automatizing this endeavor, so in future we don't need to hand copy any
+      # ssh keys anymore.
+      repos = {
+        aphoom-zhah = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8pI6uinXezAMH4vG2yEbu/yOYU5vXcsZN74tYgV+Wj Aphoom-Zhah Backup"
+          ];
+          path = "/var/lib/backups/aphoom-zhah";
+          # subrepos are allowed because each vm creates at least one repo below this filepath and yibb-tstll even more
+          allowSubRepos = true;
+        };
+        azathoth = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBEwllQ77ktoirXX6dJ6ET8TfK4lzq0aaq+X4rrX2Vk Azathoth Backup"
+          ];
+          path = "/var/lib/backups/azathoth";
+          allowSubRepos = true;
+        };
+        cthulhu = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSJl1MvabUADTdOCgufsBzn1tIIpxMq4iDcYZsaW1lV Cthulhu Backup"
+          ];
+          path = "/var/lib/backups/cthulhu";
+          allowSubRepos = true;
+        };
+        dagon = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
+          ];
+          path = "/var/lib/backups/dagon";
+          allowSubRepos = true;
+        };
+        eihort = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
+          ];
+          path = "/var/lib/backups/eihort";
+          allowSubRepos = true;
+        };
+        fsaccount = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+Y7fQTYdIWHehrKdk92CaJ0AisEux4OrS4nIyMstU4 FS Account Backup"
+          ];
+          path = "/var/lib/backups/fsaccount";
+          allowSubRepos = true;
+        };
+        hastur = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem"
+          ];
+          path = "/var/lib/backups/hastur";
+          allowSubRepos = true;
+        };
+        ithaqua = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJmBf8cz3FTDdeuxWbp1MO2yPT5rvH8ZIGUzfogjpXi Ithaqua Backup"
+          ];
+          path = "/var/lib/backups/ithaqua";
+          allowSubRepos = true;
+        };
+        lobon = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
+          ];
+          path = "/var/lib/backups/lobon";
+          allowSubRepos = true;
+        };
+        sanctamariamaterdei = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9Le5OI4ympQ0mQKYHmxgxGF598rzpD5VVpWK1mGfd8 Sanctamariamaterdei Backupsystem"
+          ];
+          path = "/var/lib/backups/sanctamariamaterdei";
+          allowSubRepos = true;
+        };
+        tsathoggua = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKS9/1lFOhv+3sNuGcysM3TYh2xRrjMeAZX3K7CBx0QW Tsathoggua Backup"
+          ];
+          path = "/var/lib/backups/tsathoggua";
+          allowSubRepos = true;
+        };
+        uvhash = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB8DjIqgFgmYhQnTLpbqL0r7xBPb8TPy6SO5RhQ31OGj Uvhash Backup"
+          ];
+          path = "/var/lib/backups/uvhash";
+          allowSubRepos = true;
+        };
+        yibb-tstll = {
+          authorizedKeysAppendOnly = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlnGOV58Ks9lu+WTI4F7QAHtDrJq2jY8ZocITZG8K0+ Yibb-Tstll Backup"
+          ];
+          path = "/var/lib/backups/yibb-tstll";
+          allowSubRepos = true;
+        };
+      };
+      # Configure backup of files on the department's fs account:
+      # This job first copies the files to the local account 'fsaccount' in tmpfs
+      # and then takes a regular backup of the mirrored folder.
+
+      # See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
+      # which does not work due to missing permissions.
+      jobs.fsaccount = {
+        preHook = ''
+          mkdir -p /home/fsaccount/sicherung # Create if it does not exist
+          ${pkgs.rsync}/bin/rsync -e 'ssh -i /run/secrets/backupKey' -r fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
+        '';
+        paths = "/home/fsaccount/sicherung";
+        encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+        environment = {
+          BORG_RSH = "ssh -i /run/secrets/backupKey";
+          # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+          # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+          # We don't want this in order to not need to persist borg cache and simplify new deployments.
+          BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+        };
+        repo = "borg@localhost:fsaccount";
+        startAt = "daily";
+        user = "fsaccount";
+        group = "users";
+        readWritePaths = ["/home/fsaccount"];
+      };
+    };
+    # Extra user for FS account backup
+    users.users = {
+      fsaccount = {
+        description = "FS Account backup";
+        isSystemUser = true;
+        home = "/home/fsaccount";
+        createHome = true;
+        group = "users";
+      };
+    };
+    environment.persistence.${config.impermanence.name} = {
+      users.fsaccount.files = [
+        {
+          file = ".ssh/known_hosts";
+          parentDirectory = {
+            mode = "u=rwx,g=,o=";
+            user = "fsaccount";
+            group = "users";
+          };
+        }
+      ];
+    };
+    sops.secrets.backupKey = {
+      sopsFile = ../machines/bragi/backupKey.yaml;
+      owner = config.users.users.fsaccount.name;
+      inherit (config.users.users.fsaccount) group;
+      mode = "0400";
+    };
+  };
+}

nixos/modules/mailman.nix

@@ -0,0 +1,129 @@
+# Adapted and simplified from https://nixos.wiki/wiki/Mailman
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit
+    (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    ;
+  inherit (lib.types) str;
+  cfg = config.services.mathebau-mailman;
+in {
+  options.services.mathebau-mailman = {
+    enable = mkEnableOption "mathebau mailman service";
+    hostName = mkOption {
+      type = str;
+    };
+    siteOwner = mkOption {
+      type = str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      postfix = {
+        enable = true;
+        relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+        sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
+        sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
+        config = {
+          transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+          local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+          proxy_interfaces = "130.83.2.184";
+          smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
+        };
+        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
+      };
+      mailman = {
+        enable = true;
+        inherit (cfg) siteOwner;
+        hyperkitty.enable = true;
+        webHosts = [cfg.hostName];
+        serve.enable = true; #
+        # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
+        settings.mta.verp_confirmations = "no";
+      };
+      nginx.virtualHosts.${cfg.hostName} = {
+        enableACME = true; # Get certificates (primarily for postfix)
+        forceSSL = false; # Don't use HTTPS behind the proxy
+      };
+    };
+
+    environment.persistence.${config.impermanence.name} = {
+      directories = [
+        "/var/lib/acme" # Persist TLS keys and account
+        "/var/lib/mailman"
+        "/var/lib/mailman-web"
+      ];
+      files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+    };
+
+    security.acme.defaults.email = cfg.siteOwner;
+    security.acme.acceptTerms = true;
+
+    networking.firewall.allowedTCPPorts = [25 80 443];
+
+    # Update HRZ allowlist
+    # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+    # will stop working if no valid TUIDs are associated to our domain.
+    systemd.timers."mailAllowlist" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5m"; # Run every 5 minutes
+        OnUnitActiveSec = "5m";
+        RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+        Unit = "mailAllowlist.service";
+      };
+    };
+    systemd.services."mailAllowlist" = {
+      description = "Allowlist update: Post the mail addresses used by mailman to the HRZ allowllist";
+      script = ''
+        # Get the mail addresses' local-part
+        cut -d '@' -f 1 /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > /tmp/addresses
+        # Post local-parts to HRZ
+        ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
+        # Cleanup
+        rm /tmp/addresses
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "mailman";
+        PrivateTmp = true;
+      };
+    };
+    sops.secrets.allowlistPass = {
+      sopsFile = ../machines/lobon/allowlistPass.yaml;
+      owner = "mailman";
+      group = "mailman";
+      mode = "0400";
+    };
+
+    # Backups
+    services.borgbackup.jobs.mailman = {
+      paths = "/var/lib/mailman/data/mailman.db";
+      encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+      environment = {
+        BORG_RSH = "ssh -i /run/secrets/backupKey";
+        # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+        # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+        # We don't want this in order to not need to persist borg cache and simplify new deployments.
+        BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+      };
+      repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+      startAt = "daily";
+      user = "root";
+      group = "root";
+    };
+    sops.secrets.backupKey = {
+      sopsFile = ../machines/lobon/backupKey.yaml;
+      owner = "root";
+      group = "root";
+      mode = "0400";
+    };
+  };
+}