Unfinished znuny deployment, mainly mail io missing

voc · Oct 30, 2024 · c40e56d · c40e56d
1 parent 7d70013
commit c40e56d
Show file tree

Hide file tree

Showing 6 changed files with 388 additions and 8 deletions.
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
@@ -5,6 +5,7 @@ keys:
   - &admin_keepass age13yl99pyktjyssdm487pa5ucm4rxcrdrt4lq8qk2vkvdwyfhcvahqs4e6cw
   - &host_tel age1glkmsh6pex9g5v95vwx78a8xksmnkvsu7ccnhxzu09yvnfnjudls3lfkru
   - &host_mail age1zcj3dt7uc3gc3kyt6l7m86qjzm9vlgq7kcsm9wh9gank6rqff4gqwrtzpa
+  - &host_tickets age1d3xrfzn6uht3ls7sg68emz33wxxwytmjjd7y4rv3zt9e366dealqkex4j8
 
 creation_rules:
   - path_regex: hosts/tel/.*
@@ -25,3 +26,12 @@ creation_rules:
       - *admin_hexchen
       - *admin_jayjay
       - *host_mail
+  - path_regex: hosts/tickets/.*
+    key_groups:
+    - pgp:
+#     - *admin_n0emis
+      age:
+      - *admin_keepass
+      - *admin_hexchen
+      - *admin_jayjay
+      - *host_tickets
diff --git a/nixos/hosts.nix b/nixos/hosts.nix
@@ -4,7 +4,7 @@
   netbox = { ... }: {};
   sso = { ... }: {};
   tel = { ... }: {};
-  rt = { ... }: {};
+  tickets = { ... }: {};
   loudness-player = { ... }: {
   };
 }
diff --git a/nixos/hosts/mail/mail.nix b/nixos/hosts/mail/mail.nix
@@ -24,6 +24,8 @@ in {
       "c3voc.de"
     ];
 
+    debug = true;
+
     # Use Let's Encrypt certificates. Note that this needs to set up a stripped
     # down nginx and opens port 80.
     certificateScheme = "acme-nginx";
@@ -39,17 +41,17 @@ in {
       "muenchen" = "[email protected]";
       "studios" = "[email protected]";
       "voc" = "[email protected]";
-    } // lib.genAttrs [ # rt related addresses
-      "rt"
-      "rt-comment"
-      "rt-test"
-    ] (addr: "${addr}@rt.c3voc.de");
+    };
 
     # whitelist SPF checks from mng (for now)
     policydSPFExtraConfig = ''
       HELO_Whitelist = mng.c3voc.de
       skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,185.106.84.49,2001:67c:20a0:e::179
     '';
+
+    loginAccounts."[email protected]" = {
+      hashedPassword = "$2b$05$KSWvSJXyURjzQjXfSIzPTeDTZ0lXjj2.z.t6QT8lL32q4UBwZQAQ6";
+    };
   };
 
   sops.secrets.aliases = {};
@@ -66,8 +68,6 @@ in {
     networks = [ 
       "127.0.0.1/32"
       "[::1]/128"
-      "185.106.84.19/32"         # rt.c3voc.de uses mail.c3cov.de as mail relay
-      "[2001:67c:20a0:e::19]/128"  # also rt.c3voc.de
     ];
   };
 

diff --git a/nixos/hosts/tickets/default.nix b/nixos/hosts/tickets/default.nix
@@ -0,0 +1,62 @@
+{ config, lib, modulesPath, pkgs, ... }:
+
+with lib;
+
+let
+in
+{
+  imports = [
+    "${modulesPath}/virtualisation/proxmox-image.nix"
+
+    ./znuny.nix
+  ];
+  config = {
+    system.stateVersion = "23.11"; # do not touch
+
+    sops.secrets."znuny_mail_password".owner = "znuny";
+
+    networking.useDHCP = false;
+    networking.interfaces.eth0.ipv4.addresses = [{
+      address = "185.106.84.19";
+      prefixLength = 26;
+    }];
+    networking.interfaces.eth0.ipv6.addresses = [{
+      address = "2001:67c:20a0:e::19";
+      prefixLength = 64;
+    }];
+    networking.defaultGateway = "185.106.84.1";
+    networking.defaultGateway6 = "2001:67c:20a0:e::1";
+    networking.nameservers = [
+      "9.9.9.9"
+      "1.1.1.1"
+    ];
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = "[email protected]";
+
+    services.znuny.enable = true;
+    services.znuny.prefork = 4;
+    services.znuny.extraConfig = ''
+      $Self->{FQDN} = '${config.networking.fqdn}';
+
+      $Self->{AdminEmail} = '[email protected]';
+
+      $Self->{Organization} = 'c3voc';
+
+      $Self->{'SendmailModule'} = 'Kernel::System::Email::SMTPTLS';
+      $Self->{'SendmailModule::Host'} = 'mail.c3voc.de';
+      $Self->{'SendmailModule::Port'} = '565';
+      $Self->{'SendmailModule::AuthUser'} = 'znuny';
+      use File::Slurper 'read_text';
+      $Self->{'SendmailModule::AuthPassword'} = read_text('${config.sops.secrets."znuny_mail_password".path}');
+    '';
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."tickets.c3voc.de" = {
+      forceSSL = true;
+      enableACME = true;
+    } // config.services.znuny.nginxVirtualHostConfig;
+  };
+}
diff --git a/nixos/hosts/tickets/secrets.yaml b/nixos/hosts/tickets/secrets.yaml
@@ -0,0 +1,48 @@
+znuny_mail_password: ENC[AES256_GCM,data:QdOmah7eqq8L155k1Hn7vmeYouXMZJPD9ruYkaH4yVw=,iv:thuDkijzvN61wCsNl/h4DJWf+jPj37B3Nth3no2J/yw=,tag:MWAiD/MWjkkooy51MCFmrQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age13yl99pyktjyssdm487pa5ucm4rxcrdrt4lq8qk2vkvdwyfhcvahqs4e6cw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOGR0VkVFR3UzVTljaFhW
+            c25ZZW5QaUdWVFY4QWtiUlpPRlY1NEMzdEFnCjJpY2NGbXFYODV4bUN5SDBwUno3
+            UVlVQThxOXJrZm5YMndrWWJiOXJURDQKLS0tIDJnM2RxL1dLUG84ekF3ZWgxSFNq
+            ZXRCZzl1dloxR3RqeWNYSm9uNEQ3TzQK8Id5mNLRRHp79Lm0Fd3GywYouRPmkHg1
+            mbphdLN4WnKYE3YhUFc5vZwXSLFHQ9yMFddB23W6XpXVf6lvqDPr/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wvtkhug4q7fcs7wz03kpn77ruqkkwp2xqq30npv4287wtf3w8ukq370vre
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Mzk3bHh1dmxsSU9DMDF3
+            ZjJsWlI3SVlZbk1IdU9KZ1BSN2NDVE5LSm1RCjFQZE5pZ0xUamg0SVNCMlRCTFV1
+            WVZTUldIMkZmaTRtSC9QRFBOVTAzUVkKLS0tIDlMVFpicDdMdmtBUVlqckdCVitK
+            Z00zdGRXcG5paEgrQmtWbWFvN1U1SHMKTMm8uobpBugaL6V2AjrEcTGHUoDRk10E
+            mV3YA83H7BvmUgZgGf5wfldJSyexh69FPQni9LJPY/KOoqNPmCUD6Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yyxdtt7lpcm9hr0y76g559yq4uqz8e8hjc2fzqtwnhctsj99fp6sf3ksl6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMVVSOGRFcXpvcHZLbktP
+            KzVsT29WelhybmI1dnBBTk52eTVNVEd1alFJCmU2LzFrUUNzc3E0MS9KZ3FFM1V6
+            ajJpd1NjYkFLWFcrc1dtVWFSWmhJVkkKLS0tIDBSQUJMYmt2Nnkwb24rUzE3ckg4
+            VnlsaGFYUGM1ZDUzVFcrRnpQUmkra28Kyp19yfsvXyhnAypoPGf9QRMTtqfaNvJ9
+            ECmx3PRgnYA49pIAZjQRd47h1AQZkNf8VIEIETjgQraBxlDk1c2/DQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d3xrfzn6uht3ls7sg68emz33wxxwytmjjd7y4rv3zt9e366dealqkex4j8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWlRVaW01a2hYVUlVV09R
+            QXBjWHlYeGNuOTVCUXZHeGhyVGRQQkYxQm40CjVMMEsvcmgrL1BrZVNpZEpJamFH
+            M0dtQ01VSS91U2tvK3ozQ1dTTU42c3MKLS0tIGQyN2o5NkJDa0Z5aG9nNUp4NEZx
+            US9NUEZYSjNKMi9VdkU2ckpWdm9oNVkK6Vospcd2YXmq33rY4bCIC1I9TRq49lSJ
+            Vsdl5vVf5kWoUtLQywy2AgvzSUS8l4O3bKiFo7cCBYhTKwVEqA7BFw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-28T19:07:15Z"
+    mac: ENC[AES256_GCM,data:VDsnXCmlX0TgW1kYmkR9nHw2kyQe+MeHCWDxYKKnDqUbYu7p4FfczdgY9Xp+nJLij4OYQhED7nz633ZLYNRnSMFZTOMTC50qlWdIJNqchfZbjSgb6fpQ88SCy5wesHIL7hhnYV20+4n6w6XPLmtmkUZQd23TEykaz3V09Spi5u8=,iv:2Dk4ex2grWoJpGYJhK1drv/749Z4o2vbjdFgcsR5sb0=,tag:PNoxZpW8Z62HPWl0CcsbyQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1