From f6e600c20d6a97ebeda23fa2bb5621646222b2b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 2 Jan 2021 20:53:17 +0100
Subject: sif: import config
---
hosts/sif/mail/default.nix | 66 +++++++++++++++++++++++++++++++++++++++++++++
hosts/sif/mail/secrets.yaml | 33 +++++++++++++++++++++++
2 files changed, 99 insertions(+)
create mode 100644 hosts/sif/mail/default.nix
create mode 100644 hosts/sif/mail/secrets.yaml
(limited to 'hosts/sif/mail')
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..2addba9d
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+ services.postfix = {
+ enable = true;
+ enableSmtp = true;
+ enableSubmission = false;
+ setSendmail = true;
+ networksStyle = "host";
+ hostname = "sif.midgard.yggdrasil";
+ destination = [];
+ relayHost = "uucp:ymir";
+ recipientDelimiter = "+";
+ masterConfig = {
+ uucp = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+ };
+ };
+ transport = ''
+ odin.asgard.yggdrasil uucp:odin
+ '';
+ config = {
+ always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+ default_transport = "uucp:ymir";
+
+ inet_interfaces = "loopback-only";
+
+ authorized_submit_users = ["!uucp" "static:anyone"];
+ message_size_limit = "0";
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+ sender_bcc_maps = ''texthash:${pkgs.writeText "sender_bcc" ''
+ uni2work@ifi.lmu.de uni2work@ifi.lmu.de
+ @ifi.lmu.de gregor.kleen@ifi.lmu.de
+ ''}'';
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ useDane = true;
+ };
+
+ sops.secrets.postfix-sasl-passwd = {
+ key = "sasl-passwd";
+ path = "/var/db/postfix/sasl_passwd";
+ owner = "postfix";
+ sopsFile = ./secrets.yaml;
+ };
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..00422f82
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
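Review bot: In `services.postfix.config` of default.nix, the SASL PLAIN password for the three SMTP relays named in `sender_dependent_default_transport_maps` can be sent over a TLS session whose certificate was never verified. `useDane = true` presumably selects Postfix's `dane` level, which drops to opportunistic `may` for destinations that publish no TLSA records, and `smtp_sasl_tls_security_options = "noanonymous"` then allows PLAIN on any encrypted session. Pinning the relays in `smtp_tls_policy_maps` at `secure` makes a certificate mismatch defer the mail instead of handing over the credential. The keys below assume the policy lookup uses the next-hop exactly as written in the transport map, and `secure` needs a CA bundle configured for the SMTP client, which this hunk does not show; check both with `postmap -q` and a test delivery before relying on it.

```nix
      smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
      # Require a verified certificate wherever the SASL password is sent.
      smtp_tls_policy_maps = ''texthash:${pkgs.writeText "tls_policy" ''
        smtp.ifi.lmu.de secure
        smtpin1.ifi.lmu.de:587 secure
        postout.lrz.de secure
      ''}'';
      # … unchanged: smtp_cname_overrides_servername and the remaining smtp_* settings …
```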
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:RDZHUgQJHH7IzJD5j+LOuQb4OuPopUEa6CwDRoD/FqoHFW/YKarF3Hxxu4HKA5GDf3SRrFOcPBXmf+0f1CucUQwJQh4nY4fmDVqrH0UXRowuAkIhYpt0sLXlzrOzSeZz788A9xK4AGPzEOx1va7GOqJIaPJ+pyyzazQsSgCJaFkUMriCfKbZ0zhRCr0pk2RPLOLKGuo2mDFf5c3EZYAn7vEzhZj+B3XbNWotV/JXTX7JPK6GPcsX2RMKEYBdmxZzrMCTTFU23W1DbiDJ01mxJh3ckIX+KTmaWNoVg4Tong1vBe2wxKchXajmykwFLJFR1Kj5wv4uAxy2qNvKtQIF/LJosG6LXcdk5QDQBXUINqswupBdV8lt08mk53JHLJPXcV8RpEHT3NUL,iv:2u203xTmUEfWIJDB2ZkOKzhYQrV4TGT7rfOd0md+VOw=,tag:RJ/iLbbq8B8dMmXGWjok/g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ lastmodified: '2021-01-02T19:29:40Z'
+ mac: ENC[AES256_GCM,data:g8wNpsFXiGoENSteWa1w1UkF8LQwnwtoeEHskKhGqAlCFtA1cVdyFSItm8/h1/eqJl/NWXRGU25XpZysCAkJi+uCq4bNGjV+gjqeIT8Dv5teQbVwthoFqkE/s3jew35+f29/xxb5Cro6EihlTrs5Lt3wExv2+NUdim1aeNgR+4Q=,iv:bj/igDT7GPiCjj4BwE7ihM8wR8CbJeXu/s550rc+QEw=,tag:KKt6tWlqxu5C/L/ZYbQL3g==,type:str]
+ pgp:
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+ 4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+ 0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+ Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+ =7rOv
+ -----END PGP MESSAGE-----
+ fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+ 8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+ 0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+ ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+ =E/qh
+ -----END PGP MESSAGE-----
+ fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+ unencrypted_suffix: _unencrypted
+ version: 3.6.1
-- cgit v1.2.3