Fachschaft/nixConfig
7
2
Fork 2
Code Issues 12 Pull requests 2 Projects Wiki Activity

lobon (Mailman-VM) #30

Merged
Gonne merged 5 commits from Gonne/nixConfig:lobon into main 2024-10-12 14:10:02 +00:00
Conversation 8 Commits 5 Files changed 7 +286
Gonne commented 2024-02-06 14:50:01 +00:00
Owner
Copy link

Mailman in einer eigenen VM. Die Mailinglisten enden jetzt auf @lists.mathebau.de.

Ausstehend zum Live-Betrieb sind noch:

  • Entsprechende Weiterleitung von Eihort
  • Reverse-Proxy in Cthulhu umstellen
  • Backups der Mailinglisten einrichten
  • HRZ Allowlisting einrichten

Basiert auf https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/26.

Mailman in einer eigenen VM. Die Mailinglisten enden jetzt auf @lists.mathebau.de. Ausstehend zum Live-Betrieb sind noch: - [x] Entsprechende Weiterleitung von Eihort - [x] Reverse-Proxy in Cthulhu umstellen - [x] Backups der Mailinglisten einrichten - [x] HRZ Allowlisting einrichten Basiert auf https://gitea.mathebau.de/Fachschaft/nixConfig/pulls/26.
Gonne reviewed 2024-02-06 14:53:22 +00:00
nixos/modules/mailman.nix Outdated
@ -0,0 +53,4 @@
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/acme" # Persist TLS keys and account
Gonne commented 2024-02-06 14:53:22 +00:00
Author
Owner
Copy link

TODO: Backups?

TODO: Backups?
Gonne commented 2024-04-02 16:49:08 +00:00
Author
Owner
Copy link

Done for mailman data. The certificates can be regenerated on hardware failure.

Done for mailman data. The certificates can be regenerated on hardware failure.
Gonne marked this conversation as resolved
Gonne changed title from WIP: lobon (Mailman-VM) to lobon (Mailman-VM) 2024-03-31 21:24:23 +00:00
Gonne commented 2024-03-31 21:24:47 +00:00
Author
Owner
Copy link

Seems to work now.

Seems to work now.
Gonne commented 2024-04-02 18:25:46 +00:00
Author
Owner
Copy link

Gonne force-pushed lobon from 4d965ba394 to dcc055891f

I decided to include all of mailman's persistent state in the backups to include archives.

> Gonne force-pushed lobon from 4d965ba394 to dcc055891f I decided to include all of mailman's persistent state in the backups to include archives.
nerf reviewed 2024-04-04 14:01:42 +00:00
nixos/machines/lobon/allowlistPass.yaml Outdated
@ -0,0 +1,39 @@
allowlistPass: ENC[AES256_GCM,data:bb9jXSvWeDnZqqiY/IarwA==,iv:qeFAYvXYdh2uEleg8kpCd77u4PTbwM8ydEkbMhyPz1I=,tag:1/eysyZb2mJ0mYHXIrpihw==,type:str]
nerf commented 2024-04-03 14:06:29 +00:00
Owner
Copy link

See comment on the other sops file.

See comment on the other sops file.
nerf marked this conversation as resolved
nixos/machines/lobon/backupKey.yaml Outdated
@ -0,0 +1,39 @@
backupKey: ENC[AES256_GCM,data:/PErHUVZDTyqK+GKI2inDoEBQpSmezeBTgXWnrthc8IPtUFn4Ur2CkDo+MqfiAlSn9vT2ksHmyS5qmoGANG01e1Cm50qpt/BdoC2hh15jOVuc0uUBNOq7f5YBVeYtbemwjPcmbF7dgUeRlEAvxhqtX3/ntzxSB1inew/SsEgPrU4Yl0FF+CHhqgbeB/NJOhQY29/3hBGwMksfTUDymUmX6pUgIN1M26crIKFCn5IyqAXl10F+zL4PThZPnhmks7Y8BsGUbKkiE6ghdaUjEjBjGOGgbaGAjolG+nJ17xyM1Pc2speT4E/3VgAC34dpaByveGcf2SfsXir0KavcI86mUkjzaNF9u7GjGO0Szn742/aqbdUoOkJl41unb0Enf2/D4Up3fy6LrUqVqrHIM4Dea9WLQd0poD0FWSN12IKh+ylkouMkmhwLXUXFzIHOePS92/MsPM+9fLhH4cU64qxr9UzmfYRnNBpAHrjlxdkK9WZ1Oj4mdtu6R20vYkYcMIQgU38FvSN6uWGvPxJj+Ij,iv:ghvgkC6qFO/0tvsc7igCoZy7am8eNsd21WYCSAKiZDs=,tag:MFnk/Nnw+cloN+x7sd4LLg==,type:str]
nerf commented 2024-04-03 14:05:59 +00:00
Owner
Copy link

Hmm, I didn't have thought about the following:

Which secrets get different sops files and which go into the same file?
can we put both of this secrets into the same yaml, is this desirable?

Hmm, I didn't have thought about the following: Which secrets get different sops files and which go into the same file? can we put both of this secrets into the same yaml, is this desirable?
Gonne commented 2024-04-04 14:22:20 +00:00
Author
Owner
Copy link

I think splitting per desired system user is useful (might even be necessary). Apart from that it feels more about conventions which I don't know.

Currently the secrets are used by root and mailman but giving the backup service root-access in itself feels like a mistake.

I think splitting per desired system user is useful (might even be necessary). Apart from that it feels more about conventions which I don't know. Currently the secrets are used by `root` and `mailman` but giving the backup service `root`-access in itself feels like a mistake.
nerf commented 2024-04-04 14:44:36 +00:00
Owner
Copy link

refactoring the backup process sounds like something, that we should do uniform across all VM. So I think we should do that
in a dedicated pull request. I will open an issue for that. Finding a solution for this is probably out of scope here.

refactoring the backup process sounds like something, that we should do uniform across all VM. So I think we should do that in a dedicated pull request. I will open an issue for that. Finding a solution for this is probably out of scope here.
nerf marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +93,4 @@
serviceConfig = {
Type = "oneshot";
User = "mailman";
PrivateTmp = true;
nerf commented 2024-04-04 14:01:17 +00:00
Owner
Copy link

can we set NoNewPrivileges = true;? or does it break the service?

And one could read the Sandboxing part of systemd.exec(5)

can we set `NoNewPrivileges = true;`? or does it break the service? And one could read the Sandboxing part of `systemd.exec(5)`
Gonne commented 2024-04-04 15:19:15 +00:00
Author
Owner
Copy link

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out ExecPaths= and NoExecPaths= because the correct values are unclear to me.

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.
nerf reviewed 2024-04-04 14:42:26 +00:00
nixos/modules/mailman.nix Outdated
@ -0,0 +113,4 @@
};
repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
nerf commented 2024-04-04 14:42:26 +00:00
Owner
Copy link

This is probably a bigger refactoring pull request and outside the scope of this one.
We could think making it easier configurable that backups are made by a user that can
basically read everything but not write.

This is probably a bigger refactoring pull request and outside the scope of this one. We could think making it easier configurable that backups are made by a user that can basically read everything but not write.
👍 1
nerf marked this conversation as resolved
nerf requested changes 2024-08-18 16:40:54 +00:00
Dismissed
nerf left a comment
Owner
Copy link

It is more like, please answer my questions (and depending what the answers is, change some minor stuff), and
not really, request changes, but I only have limited options

It is more like, please answer my questions (and depending what the answers is, change some minor stuff), and not really, request changes, but I only have limited options
nixos/modules/mailman.nix Outdated
@ -0,0 +17,4 @@
options.services.mathebau-mailman = {
enable = mkEnableOption "mathebau mailman service";
hostName = mkOption {
type = str;
nerf commented 2024-08-18 16:27:05 +00:00
Owner
Copy link

are these allowed to be empty?

are these allowed to be empty?
Gonne commented 2024-08-18 20:05:59 +00:00
Author
Owner
Copy link

Probably not. No idea how to achieve that.

Probably not. No idea how to achieve that.
nerf commented 2024-08-18 20:54:31 +00:00
Owner
Copy link

there is lib.types.nonEmptyStr

there is `lib.types.nonEmptyStr`
Gonne marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +20,4 @@
type = str;
};
siteOwner = mkOption {
type = str;
nerf commented 2024-08-18 16:27:15 +00:00
Owner
Copy link

same as above?

same as above?
Gonne marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +35,4 @@
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
proxy_interfaces = "130.83.2.184";
smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
nerf commented 2024-08-18 16:28:44 +00:00
Owner
Copy link

m(

m(
Gonne marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +49,4 @@
settings.mta.verp_confirmations = "no";
};
nginx.virtualHosts.${cfg.hostName} = {
enableACME = true; # Get certificates (primarily for postfix)
nerf commented 2024-08-18 16:31:58 +00:00
Owner
Copy link

I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one).
If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block?

Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?

I'm not sure how to stand on this, and it is a purely idiomatic question (not a technical one). If we want the certs mainly for non nginx use, should we config them separately and not in the nginx block? Also how does the webinterface work, are we proxied by cthulhu? If yes who handles tls certs?
Gonne commented 2024-08-19 15:18:47 +00:00
Author
Owner
Copy link

“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme

I don't want to do DNS validation so this is the way. The services.mailman.serve.enable = true enables nginx anyway.

Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS).

On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.

“Automatic cert validation and configuration for Apache and Nginx virtual hosts is included in NixOS, however if you would like to generate a wildcard cert or you are not using a web server you will have to configure DNS based validation.” – https://nixos.org/manual/nixos/stable/index.html#module-security-acme I don't want to do DNS validation so this is the way. The `services.mailman.serve.enable = true` enables nginx anyway. Web requests get proxied through cthulhu and reach this VM via http. Mail gets proxied via eihort and also probably reaches this VM in plaintext (possibly with STARTTLS). On the other hand this VM is not supposed to be communicating with anything besides cthulhu and eihort so we might as well try to disable all TLS stuff.
Gonne marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +60,4 @@
"/var/lib/mailman"
"/var/lib/mailman-web"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
nerf commented 2024-08-18 16:35:34 +00:00
Owner
Copy link

we could move this to the general vm role, right? Every vm makes backups this way, (or am i missing something?)

we could move this to the general vm role, right? Every vm makes backups this way, (or am i missing something?)
Gonne commented 2024-08-18 20:09:46 +00:00
Author
Owner
Copy link

Maybe. This is in scope for the backup refactoring.

Maybe. This is in scope for the backup refactoring.
nixos/modules/mailman.nix Outdated
@ -0,0 +66,4 @@
security.acme.defaults.email = cfg.siteOwner;
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [25 80 443];
nerf commented 2024-08-18 16:36:19 +00:00
Owner
Copy link

See above comment about who handles tls, we might not need 443 and 80

See above comment about who handles tls, we might not need 443 and 80
Gonne marked this conversation as resolved
nixos/modules/mailman.nix Outdated
@ -0,0 +89,4 @@
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.hostName} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
nerf commented 2024-08-18 16:37:30 +00:00
Owner
Copy link

I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill.

I love and hate this so much,maybe we should/could make this script its own package? maybe idiomatically correct but overkill.
Gonne commented 2024-08-18 20:10:44 +00:00
Author
Owner
Copy link

I think it's overkill and I don't want to do it.

I think it's overkill and I don't want to do it.
Gonne marked this conversation as resolved
Gonne commented 2024-10-12 11:57:41 +00:00
Author
Owner
Copy link

I disabled all TLS on this machine.

I disabled all TLS on this machine.
Gonne requested review from nerf 2024-10-12 11:57:46 +00:00
nerf approved these changes 2024-10-12 14:09:25 +00:00
nerf left a comment
Owner
Copy link

There was also a change to postfix, to change encryption to may

There was also a change to postfix, to change encryption to may
Gonne merged commit e7154785dd into main 2024-10-12 14:10:02 +00:00
Gonne deleted branch lobon 2024-10-12 14:10:03 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
nerf
Labels
Clear labels   
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

No labels
Kind/Breaking
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Fachschaft/nixConfig!30
No description provided.