summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
authormakefu <makefu@tsp>2015-08-14 14:00:18 +0000
committermakefu <makefu@tsp>2015-08-14 14:00:18 +0000
commitd35de37b0d2b9d5d567a530726aa01f2ec686bf3 (patch)
tree8bcccdb27a1c0087668cd9d63bb294e71f4cb79a /krebs/3modules
parentc36ea0e029772649e33a727a9be15986cbb1fed2 (diff)
parentb8b2575d8313cfd0696a121cee1b8738faff6638 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix10
-rw-r--r--krebs/3modules/exim-retiolum.nix182
-rw-r--r--krebs/3modules/exim-smarthost.nix219
3 files changed, 320 insertions, 91 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index d77d00c05..a0d4f0157 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -7,6 +7,7 @@ let
out = {
imports = [
./exim-retiolum.nix
+ ./exim-smarthost.nix
./github-hosts-sync.nix
./git.nix
./nginx.nix
@@ -309,9 +310,11 @@ let
users = addNames {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
+ mail = "lass@mors.retiolum";
};
uriel = {
pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
+ mail = "uriel@mors.retiolum";
};
};
};
@@ -455,6 +458,13 @@ let
cd = {
cores = 2;
dc = "tv"; #dc = "cac";
+ extraZones = {
+ "de.krebsco" = ''
+ mx23 IN A ${elemAt nets.internet.addrs4 0}
+ cd IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN MX 5 mx23
+ '';
+ };
nets = rec {
internet = {
addrs4 = ["162.219.7.216"];
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 71c091917..e1315d8c8 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -8,11 +8,7 @@ let
out = {
options.krebs.exim-retiolum = api;
config =
- # This configuration makes only sense for retiolum-enabled hosts.
- # TODO modular configuration
- mkIf cfg.enable (
- #assert config.krebs.retiolum.enable;
- imp);
+ mkIf cfg.enable imp;
};
api = {
@@ -20,121 +16,125 @@ let
};
imp = {
- services.exim = {
- enable = true;
- config = ''
- primary_hostname = ${retiolumHostname}
- domainlist local_domains = @ : localhost
- domainlist relay_to_domains = *.retiolum
- hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
+ services.exim =
+ # This configuration makes only sense for retiolum-enabled hosts.
+ # TODO modular configuration
+ assert config.krebs.retiolum.enable;
+ {
+ enable = true;
+ config = ''
+ primary_hostname = ${retiolumHostname}
+ domainlist local_domains = @ : localhost
+ domainlist relay_to_domains = *.retiolum
+ hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
- acl_smtp_rcpt = acl_check_rcpt
- acl_smtp_data = acl_check_data
+ acl_smtp_rcpt = acl_check_rcpt
+ acl_smtp_data = acl_check_data
- host_lookup = *
- rfc1413_hosts = *
- rfc1413_query_timeout = 5s
+ host_lookup = *
+ rfc1413_hosts = *
+ rfc1413_query_timeout = 5s
- log_file_path = syslog
- syslog_timestamp = false
- syslog_duplication = false
+ log_file_path = syslog
+ syslog_timestamp = false
+ syslog_duplication = false
- begin acl
+ begin acl
- acl_check_rcpt:
- accept hosts = :
- control = dkim_disable_verify
+ acl_check_rcpt:
+ accept hosts = :
+ control = dkim_disable_verify
- deny message = Restricted characters in address
- domains = +local_domains
- local_parts = ^[.] : ^.*[@%!/|]
+ deny message = Restricted characters in address
+ domains = +local_domains
+ local_parts = ^[.] : ^.*[@%!/|]
- deny message = Restricted characters in address
- domains = !+local_domains
- local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+ deny message = Restricted characters in address
+ domains = !+local_domains
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
- accept local_parts = postmaster
- domains = +local_domains
+ accept local_parts = postmaster
+ domains = +local_domains
- #accept
- # hosts = *.retiolum
- # domains = *.retiolum
- # control = dkim_disable_verify
+ #accept
+ # hosts = *.retiolum
+ # domains = *.retiolum
+ # control = dkim_disable_verify
- #require verify = sender
+ #require verify = sender
- accept hosts = +relay_from_hosts
- control = submission
- control = dkim_disable_verify
+ accept hosts = +relay_from_hosts
+ control = submission
+ control = dkim_disable_verify
- accept authenticated = *
- control = submission
- control = dkim_disable_verify
+ accept authenticated = *
+ control = submission
+ control = dkim_disable_verify
- require message = relay not permitted
- domains = +local_domains : +relay_to_domains
+ require message = relay not permitted
+ domains = +local_domains : +relay_to_domains
- require verify = recipient
+ require verify = recipient
- accept
+ accept
- acl_check_data:
- accept
+ acl_check_data:
+ accept
- begin routers
+ begin routers
- retiolum:
- driver = manualroute
- domains = ! ${retiolumHostname} : *.retiolum
- transport = remote_smtp
- route_list = ^.* $0 byname
- no_more
+ retiolum:
+ driver = manualroute
+ domains = ! ${retiolumHostname} : *.retiolum
+ transport = remote_smtp
+ route_list = ^.* $0 byname
+ no_more
- nonlocal:
- debug_print = "R: nonlocal for $local_part@$domain"
- driver = redirect
- domains = ! +local_domains
- allow_fail
- data = :fail: Mailing to remote domains not supported
- no_more
+ nonlocal:
+ debug_print = "R: nonlocal for $local_part@$domain"
+ driver = redirect
+ domains = ! +local_domains
+ allow_fail
+ data = :fail: Mailing to remote domains not supported
+ no_more
- local_user:
- # debug_print = "R: local_user for $local_part@$domain"
- driver = accept
- check_local_user
- # local_part_suffix = +* : -*
- # local_part_suffix_optional
- transport = home_maildir
- cannot_route_message = Unknown user
+ local_user:
+ # debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ check_local_user
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+ transport = home_maildir
+ cannot_route_message = Unknown user
- begin transports
+ begin transports
- remote_smtp:
- driver = smtp
+ remote_smtp:
+ driver = smtp
- home_maildir:
- driver = appendfile
- maildir_format
- directory = $home/Maildir
- directory_mode = 0700
- delivery_date_add
- envelope_to_add
- return_path_add
- # group = mail
- # mode = 0660
+ home_maildir:
+ driver = appendfile
+ maildir_format
+ directory = $home/Maildir
+ directory_mode = 0700
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+ # group = mail
+ # mode = 0660
- begin retry
- *.retiolum * F,42d,1m
- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+ begin retry
+ *.retiolum * F,42d,1m
+ * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
- begin rewrite
+ begin rewrite
- begin authenticators
- '';
- };
+ begin authenticators
+ '';
+ };
};
# TODO get the hostname from somewhere else.
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
new file mode 100644
index 000000000..a564430ea
--- /dev/null
+++ b/krebs/3modules/exim-smarthost.nix
@@ -0,0 +1,219 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+ cfg = config.krebs.exim-smarthost;
+
+ out = {
+ options.krebs.exim-smarthost = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "krebs.exim-smarthost";
+
+ internet-aliases = mkOption {
+ type = types.listOf (types.submodule ({
+ options = {
+ from = mkOption {
+ type = types.str; # TODO e-mail address
+ };
+ to = mkOption {
+ type = types.str; # TODO e-mail address / TODO listOf
+ };
+ };
+ }));
+ };
+
+ relay_from_hosts = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+
+ primary_hostname = mkOption {
+ type = types.str;
+ default = "${config.networking.hostName}.retiolum";
+ };
+
+ sender_domains = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+
+ system-aliases = mkOption {
+ type = types.listOf (types.submodule ({
+ options = {
+ from = mkOption {
+ type = types.str; # TODO e-mail address
+ };
+ to = mkOption {
+ type = types.str; # TODO e-mail address / TODO listOf
+ };
+ };
+ }));
+ };
+ };
+
+ imp = {
+ services.exim = {
+ enable = true;
+ config = ''
+ primary_hostname = ${cfg.primary_hostname}
+
+ # HOST_REDIR contains the real destinations for "local_domains".
+ #HOST_REDIR = /etc/exim4/host_redirect
+
+
+ # Domains not listed in local_domains need to be deliverable remotely.
+ # XXX We abuse local_domains to mean "domains, we're the gateway for".
+ domainlist local_domains = @ : localhost
+ domainlist relay_to_domains =
+ hostlist relay_from_hosts = <;${concatStringsSep ";" (
+ [
+ "127.0.0.1"
+ "::1"
+ ]
+ ++
+ cfg.relay_from_hosts
+ )}
+
+ acl_smtp_rcpt = acl_check_rcpt
+ acl_smtp_data = acl_check_data
+
+ never_users = root
+
+ host_lookup = *
+
+ rfc1413_hosts = *
+ rfc1413_query_timeout = 5s
+
+ log_selector = -queue_run +address_rewrite +all_parents +queue_time
+ log_file_path = syslog
+ syslog_timestamp = false
+ syslog_duplication = false
+
+ begin acl
+
+ acl_check_rcpt:
+ accept hosts = :
+ control = dkim_disable_verify
+
+ deny message = Restricted characters in address
+ domains = +local_domains
+ local_parts = ^[.] : ^.*[@%!/|]
+
+ deny message = Restricted characters in address
+ domains = !+local_domains
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+ accept local_parts = postmaster
+ domains = +local_domains
+
+ accept hosts = +relay_from_hosts
+ control = submission
+ control = dkim_disable_verify
+
+ accept authenticated = *
+ control = submission
+ control = dkim_disable_verify
+
+ accept message = relay not permitted 2
+ recipients = lsearch;${lsearch.internet-aliases}
+
+ require message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+ require
+ message = unknown user
+ verify = recipient/callout
+
+ accept
+
+
+ acl_check_data:
+ warn
+ sender_domains = ${concatStringsSep ":" cfg.sender_domains}
+ set acl_m_special_dom = $sender_address_domain
+
+ accept
+
+
+ begin routers
+
+ # feature RETIOLUM_MAIL
+ retiolum:
+ debug_print = "R: retiolum for $local_part@$domain"
+ driver = manualroute
+ domains = ! ${cfg.primary_hostname} : *.retiolum
+ transport = retiolum_smtp
+ route_list = ^.* $0 byname
+ no_more
+
+ internet_aliases:
+ debug_print = "R: internet_aliases for $local_part@$domain"
+ driver = redirect
+ data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
+
+ dnslookup:
+ debug_print = "R: dnslookup for $local_part@$domain"
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = remote_smtp
+ ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+ no_more
+
+ system_aliases:
+ debug_print = "R: system_aliases for $local_part@$domain"
+ driver = redirect
+ data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
+
+ local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ check_local_user
+ transport = home_maildir
+ cannot_route_message = Unknown user
+
+ begin transports
+
+ retiolum_smtp:
+ driver = smtp
+ retry_include_ip_address = false
+
+ remote_smtp:
+ driver = smtp
+ helo_data = ''${if eq{$acl_m_special_dom}{} \
+ {$primary_hostname} \
+ {$acl_m_special_dom} }
+
+ home_maildir:
+ driver = appendfile
+ maildir_format
+ maildir_use_size_file
+ directory = $home/Mail
+ directory_mode = 0700
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+ begin retry
+ *.retiolum * F,42d,1m
+ * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+ begin rewrite
+ begin authenticators
+ '';
+ };
+ };
+
+
+ lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) {
+ inherit (cfg) internet-aliases;
+ inherit (cfg) system-aliases;
+ };
+
+ to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}");
+
+in
+out