Merge remote-tracking branch 'cd/master'

Zhosts/eulerwalk

@@ -0,0 +1,11 @@
+Subnet = 10.243.176.249
+Subnet = 42:7429:4e08:14cf:fb5d:9c17:76e5:ddcb
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAv0GyX62KaykRkN9f6ZgtAOPk1rr+ZFG6Il24crrkIJgx0He+VVjr
+XgXE7EaVwNjNm/7nIhGGWbCzravDIrRzQXzY+IQIzXwSPKv0WZkqFHZj122SIt9L
+QKtkGnECA136uH3AqbXoxhsz2FnuDunZ6gKAi6XIlq5Qr2Nyv0qKKaM0zTZZ4pI5
+PqsNfV6r2gc3jo/tOuxVgG86dMAEHLMdwjdBE6/49daGXyhsGG7Gh93c8UlyFKyt
+r6LC+4Oc1MCMtCbxsmE/iZWJtpUHAcQDzTcAynP916xg1PBLhczfWFCPR0LXOQGe
+MYSv34G0gZqPmkNJryi1MEFZ61zo/SiO9wIDAQAB
+-----END RSA PUBLIC KEY-----

Zhosts/tmpd

@@ -0,0 +1,11 @@
+Subnet = 10.243.235.99
+Subnet = 42:cd60:2f4b:3382:b9ba:74d7:5a13:ceb7
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwSNjd1jYjsx+8JDRUV9QXhyMOrAIOMtKUGo/+Ufr+jHIY7h2BlQS
+6Jy7xjZv6zmHhEenhWs+P4qUCASXJPtZ7URgelA4NgkfVMsbgUQDM6VDZr0JwYXq
+csmp/9vxWRRbaNifG9x5+N50tMh9E5rMmDCV9ySWr3DAvDQckKAjfMtys2EWajW2
+sM02mXtMPAy5QgKNRvSbIVDnRjJyZpCkc5xNhv2rl7k+6RZltcec4IarIlnu5nv5
+f1cTAlPaWwGuyyXZeyFbzD0IAGJeWzCkt8+F8kOobRXJQbgDqYWLdH5BXagxBX4g
+VpDZTwdWU6oGph8m4kCg4vJCW1/XYOU1aQIDAQAB
+-----END RSA PUBLIC KEY-----

krebs/3modules/default.nix

@@ -7,6 +7,7 @@ let
   out = {
     imports = [
       ./exim-retiolum.nix
+      ./exim-smarthost.nix
       ./github-hosts-sync.nix
       ./git.nix
       ./nginx.nix
@@ -309,9 +310,11 @@ let
     users = addNames {
       lass = {
         pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
+        mail = "lass@mors.retiolum";
       };
       uriel = {
         pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
+        mail = "uriel@mors.retiolum";
       };
     };
   };
@@ -455,6 +458,13 @@ let
       cd = {
         cores = 2;
         dc = "tv"; #dc = "cac";
+        extraZones = {
+          "de.krebsco" = ''
+            mx23          IN A ${elemAt nets.internet.addrs4 0}
+            cd            IN A ${elemAt nets.internet.addrs4 0}
+            krebsco.de.   IN MX 5 mx23
+          '';
+        };
         nets = rec {
           internet = {
             addrs4 = ["162.219.7.216"];

krebs/3modules/exim-retiolum.nix

@@ -8,11 +8,7 @@ let
   out = {
     options.krebs.exim-retiolum = api;
     config =
-      # This configuration makes only sense for retiolum-enabled hosts.
-      # TODO modular configuration
-      mkIf cfg.enable (
-        #assert config.krebs.retiolum.enable;
-        imp);
+      mkIf cfg.enable imp;
   };
 
   api = {
@@ -20,121 +16,125 @@ let
   };
 
   imp = {
-    services.exim = {
-      enable = true;
-      config = ''
-        primary_hostname = ${retiolumHostname}
-        domainlist local_domains    = @ : localhost
-        domainlist relay_to_domains = *.retiolum
-        hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+    services.exim =
+      # This configuration makes only sense for retiolum-enabled hosts.
+      # TODO modular configuration
+      assert config.krebs.retiolum.enable;
+      {
+        enable = true;
+        config = ''
+          primary_hostname = ${retiolumHostname}
+          domainlist local_domains    = @ : localhost
+          domainlist relay_to_domains = *.retiolum
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
 
-        acl_smtp_rcpt = acl_check_rcpt
-        acl_smtp_data = acl_check_data
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
 
-        host_lookup = *
-        rfc1413_hosts = *
-        rfc1413_query_timeout = 5s
+          host_lookup = *
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
 
-        log_file_path = syslog
-        syslog_timestamp = false
-        syslog_duplication = false
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
 
-        begin acl
+          begin acl
 
-        acl_check_rcpt:
-          accept  hosts = :
-                  control = dkim_disable_verify
+          acl_check_rcpt:
+            accept  hosts = :
+                    control = dkim_disable_verify
 
-          deny    message       = Restricted characters in address
-                  domains       = +local_domains
-                  local_parts   = ^[.] : ^.*[@%!/|]
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
 
-          deny    message       = Restricted characters in address
-                  domains       = !+local_domains
-                  local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
 
-          accept  local_parts   = postmaster
-                  domains       = +local_domains
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
 
-          #accept
-          #  hosts = *.retiolum
-          #  domains = *.retiolum
-          #  control = dkim_disable_verify
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
 
-          #require verify        = sender
+            #require verify        = sender
 
-          accept  hosts         = +relay_from_hosts
-                  control       = submission
-                  control       = dkim_disable_verify
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    control       = dkim_disable_verify
 
-          accept  authenticated = *
-                  control       = submission
-                  control       = dkim_disable_verify
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
 
-          require message = relay not permitted
-                  domains = +local_domains : +relay_to_domains
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
 
-          require verify = recipient
+            require verify = recipient
 
-          accept
+            accept
 
 
-        acl_check_data:
-          accept
+          acl_check_data:
+            accept
 
 
-        begin routers
+          begin routers
 
-        retiolum:
-          driver = manualroute
-          domains = ! ${retiolumHostname} : *.retiolum
-          transport = remote_smtp
-          route_list = ^.* $0 byname
-          no_more
+          retiolum:
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = remote_smtp
+            route_list = ^.* $0 byname
+            no_more
 
-        nonlocal:
-          debug_print = "R: nonlocal for $local_part@$domain"
-          driver = redirect
-          domains = ! +local_domains
-          allow_fail
-          data = :fail: Mailing to remote domains not supported
-          no_more
+          nonlocal:
+            debug_print = "R: nonlocal for $local_part@$domain"
+            driver = redirect
+            domains = ! +local_domains
+            allow_fail
+            data = :fail: Mailing to remote domains not supported
+            no_more
 
-        local_user:
-          # debug_print = "R: local_user for $local_part@$domain"
-          driver = accept
-          check_local_user
-        # local_part_suffix = +* : -*
-        # local_part_suffix_optional
-          transport = home_maildir
-          cannot_route_message = Unknown user
+          local_user:
+            # debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
 
 
-        begin transports
+          begin transports
 
-        remote_smtp:
-          driver = smtp
+          remote_smtp:
+            driver = smtp
 
-        home_maildir:
-          driver = appendfile
-          maildir_format
-          directory = $home/Maildir
-          directory_mode = 0700
-          delivery_date_add
-          envelope_to_add
-          return_path_add
-        # group = mail
-        # mode = 0660
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            directory = $home/Maildir
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+          # group = mail
+          # mode = 0660
 
-        begin retry
-        *.retiolum             *           F,42d,1m
-        *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+          begin retry
+          *.retiolum             *           F,42d,1m
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
 
-        begin rewrite
+          begin rewrite
 
-        begin authenticators
-      '';
-    };
+          begin authenticators
+        '';
+      };
   };
 
   # TODO get the hostname from somewhere else.

krebs/3modules/exim-smarthost.nix

@@ -0,0 +1,219 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.krebs.exim-smarthost;
+
+  out = {
+    options.krebs.exim-smarthost = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "krebs.exim-smarthost";
+
+    internet-aliases = mkOption {
+      type = types.listOf (types.submodule ({
+        options = {
+          from = mkOption {
+            type = types.str; # TODO e-mail address
+          };
+          to = mkOption {
+            type = types.str; # TODO e-mail address / TODO listOf
+          };
+        };
+      }));
+    };
+
+    relay_from_hosts = mkOption {
+      type = with types; listOf str;
+      default = [];
+    };
+
+    primary_hostname = mkOption {
+      type = types.str;
+      default = "${config.networking.hostName}.retiolum";
+    };
+
+    sender_domains = mkOption {
+      type = with types; listOf str;
+      default = [];
+    };
+
+    system-aliases = mkOption {
+      type = types.listOf (types.submodule ({
+        options = {
+          from = mkOption {
+            type = types.str; # TODO e-mail address
+          };
+          to = mkOption {
+            type = types.str; # TODO e-mail address / TODO listOf
+          };
+        };
+      }));
+    };
+  };
+
+  imp = {
+    services.exim = {
+      enable = true;
+      config = ''
+        primary_hostname = ${cfg.primary_hostname}
+
+        # HOST_REDIR contains the real destinations for "local_domains".
+        #HOST_REDIR = /etc/exim4/host_redirect
+
+
+        # Domains not listed in local_domains need to be deliverable remotely.
+        # XXX We abuse local_domains to mean "domains, we're the gateway for".
+        domainlist local_domains = @ : localhost
+        domainlist relay_to_domains =
+        hostlist relay_from_hosts = <;${concatStringsSep ";" (
+          [
+            "127.0.0.1"
+            "::1"
+          ]
+          ++
+          cfg.relay_from_hosts
+        )}
+
+        acl_smtp_rcpt = acl_check_rcpt
+        acl_smtp_data = acl_check_data
+
+        never_users = root
+
+        host_lookup = *
+
+        rfc1413_hosts = *
+        rfc1413_query_timeout = 5s
+
+        log_selector = -queue_run +address_rewrite +all_parents +queue_time
+        log_file_path = syslog
+        syslog_timestamp = false
+        syslog_duplication = false
+
+        begin acl
+
+        acl_check_rcpt:
+          accept  hosts = :
+                  control = dkim_disable_verify
+
+          deny    message       = Restricted characters in address
+                  domains       = +local_domains
+                  local_parts   = ^[.] : ^.*[@%!/|]
+
+          deny    message       = Restricted characters in address
+                  domains       = !+local_domains
+                  local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+          accept  local_parts   = postmaster
+                  domains       = +local_domains
+
+          accept  hosts         = +relay_from_hosts
+                  control       = submission
+                  control       = dkim_disable_verify
+
+          accept  authenticated = *
+                  control       = submission
+                  control       = dkim_disable_verify
+
+          accept message = relay not permitted 2
+                  recipients = lsearch;${lsearch.internet-aliases}
+
+          require message = relay not permitted
+                  domains = +local_domains : +relay_to_domains
+
+          require
+            message = unknown user
+            verify = recipient/callout
+
+          accept
+
+
+        acl_check_data:
+          warn
+            sender_domains = ${concatStringsSep ":" cfg.sender_domains}
+            set acl_m_special_dom = $sender_address_domain
+
+          accept
+
+
+        begin routers
+
+        # feature RETIOLUM_MAIL
+        retiolum:
+          debug_print = "R: retiolum for $local_part@$domain"
+          driver = manualroute
+          domains = ! ${cfg.primary_hostname} : *.retiolum
+          transport = retiolum_smtp
+          route_list = ^.* $0 byname
+          no_more
+
+        internet_aliases:
+          debug_print = "R: internet_aliases for $local_part@$domain"
+          driver = redirect
+          data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
+
+        dnslookup:
+          debug_print = "R: dnslookup for $local_part@$domain"
+          driver = dnslookup
+          domains = ! +local_domains
+          transport = remote_smtp
+          ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+          no_more
+
+        system_aliases:
+          debug_print = "R: system_aliases for $local_part@$domain"
+          driver = redirect
+          data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
+
+        local_user:
+          debug_print = "R: local_user for $local_part@$domain"
+          driver = accept
+          check_local_user
+          transport = home_maildir
+          cannot_route_message = Unknown user
+
+        begin transports
+
+        retiolum_smtp:
+          driver = smtp
+          retry_include_ip_address = false
+
+        remote_smtp:
+          driver = smtp
+          helo_data = ''${if eq{$acl_m_special_dom}{}  \
+                               {$primary_hostname}   \
+                               {$acl_m_special_dom} }
+
+        home_maildir:
+          driver = appendfile
+          maildir_format
+          maildir_use_size_file
+          directory = $home/Mail
+          directory_mode = 0700
+          delivery_date_add
+          envelope_to_add
+          return_path_add
+
+        begin retry
+        *.retiolum             *           F,42d,1m
+        *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+        begin rewrite
+        begin authenticators
+      '';
+    };
+  };
+
+
+  lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) {
+    inherit (cfg) internet-aliases;
+    inherit (cfg) system-aliases;
+  };
+
+  to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}");
+
+in
+out

lass/1systems/mors.nix

@@ -20,6 +20,7 @@
     ../2configs/new-repos.nix
     #../../2configs/tv/synaptics.nix
     ../2configs/retiolum.nix
+    ../2configs/wordpress.nix
   ];
 
   krebs.build = {
@@ -29,7 +30,7 @@
     deps = {
       nixpkgs = {
         url = https://github.com/Lassulus/nixpkgs;
-        rev = "1879a011925c561f0a7fd4043da0768bbff41d0b";
+        rev = "961fd7b7a0f88dde7dac2f7a4c05ee4e1a25381d";
       };
       secrets = {
         url = "/home/lass/secrets/${config.krebs.build.host.name}";

lass/1systems/uriel.nix

@@ -3,15 +3,15 @@
 with builtins;
 {
   imports = [
-    ../../2configs/lass/desktop-base.nix
-    ../../2configs/lass/browsers.nix
-    ../../2configs/lass/games.nix
-    ../../2configs/lass/pass.nix
-    ../../2configs/lass/urxvt.nix
-    ../../2configs/lass/bird.nix
-    ../../2configs/lass/new-repos.nix
-    ../../2configs/lass/chromium-patched.nix
-    ../../2configs/lass/retiolum.nix
+    ../2configs/desktop-base.nix
+    ../2configs/browsers.nix
+    ../2configs/games.nix
+    ../2configs/pass.nix
+    ../2configs/urxvt.nix
+    ../2configs/bird.nix
+    ../2configs/new-repos.nix
+    ../2configs/chromium-patched.nix
+    ../2configs/retiolum.nix
     {
       users.extraUsers = {
         root = {

lass/2configs/downloading.nix

@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../3modules/iptables.nix
+    ../3modules/folderPerms.nix
+  ];
+
+  users.extraUsers = {
+    download = {
+      name = "download";
+      home = "/var/download";
+      createHome = true;
+      extraGroups = [
+        "download"
+      ];
+    };
+
+    transmission = {
+      extraGroups = [
+        "download"
+      ];
+    };
+  };
+
+  users.extraGroups = {
+    download = {
+      members = [
+        "download"
+        "transmission"
+      ];
+    };
+  };
+
+  services.transmission = {
+    enable = true;
+    settings = {
+      download-dir = "/var/download/finished";
+      incomplete-dir = "/var/download/incoming";
+      incomplete-dir-enabled = true;
+
+      rpc-authentication-required = true;
+      rpc-whitelist-enabled = false;
+      rpc-username = "download";
+      #add rpc-password in secrets
+      rpc-password = "test123";
+    };
+  };
+
+  lass.iptables = {
+    enable = true;
+    tables.filter.INPUT.rules = [
+      { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+    ];
+  };
+
+  lass.folderPerms = {
+    enable = true;
+    permissions = [
+      {
+        path = "/var/download";
+        permission = "775";
+        owner = "transmission:download";
+      }
+    ];
+  };
+}

lass/2configs/fastpoke-pages.nix

@@ -20,8 +20,8 @@ let
       #  10.243.206.102 ${domain}
       #'';
       users.extraUsers = {
-        "${domain}" = {
-          name = "${domain}";
+        ${domain} = {
+          name = domain;
           home = "/var/lib/http/${domain}";
           createHome = true;
         };
@@ -90,9 +90,9 @@ in {
     };
   };
 
-  services.postgresql = {
-    enable = true;
-  };
+  #services.postgresql = {
+  #  enable = true;
+  #};
 
   #config.services.vsftpd = {
   #  enable = true;

lass/2configs/wordpress.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+{
+  containers.wordpress = {
+    privateNetwork = true;
+    hostAddress = "192.168.101.1";
+    localAddress = "192.168.101.2";
+
+    config = {
+      imports = [
+        ../3modules/iptables.nix
+      ];
+
+      lass.iptables = {
+        enable = true;
+        tables = {
+          filter.INPUT.policy = "DROP";
+          filter.FORWARD.policy = "DROP";
+          filter.INPUT.rules = [
+            { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+            { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+            { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+            { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+            { predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
+          ];
+        };
+      };
+
+      environment.systemPackages = with pkgs; [
+        iptables
+      ];
+
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql;
+      };
+
+      services.httpd = {
+        enable = true;
+        adminAddr = "root@apanowicz.de";
+        extraModules = [
+          { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
+        ];
+        virtualHosts = [
+          {
+            hostName = "wordpress";
+            serverAliases = [ "wordpress" "www.wordpress" ];
+
+            extraSubservices = [
+              {
+                serviceName = "wordpress";
+              }
+            ];
+          }
+        ];
+      };
+    };
+  };
+}

lass/3modules/folderPerms.nix

@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+#TODO: implement recursive mode maybe?
+# enable different mods for files and folders
+
+let
+  inherit (pkgs)
+    writeScript
+  ;
+
+  inherit (lib)
+    concatMapStringsSep
+    concatStringsSep
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+  ;
+
+  cfg = config.lass.folderPerms;
+
+  out = {
+    options.lass.folderPerms = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "folder permissions";
+    permissions = mkOption {
+      type = with types; listOf (submodule ({
+        options = {
+          path = mkOption {
+            type = str;
+          };
+          permission = mkOption {
+            type = nullOr str;
+            example = "755";
+            description = ''
+              basically anything that chmod takes as permission
+            '';
+            default = null;
+          };
+          owner = mkOption {
+            type = nullOr str;
+            example = "root:root";
+            description = ''
+              basically anything that chown takes as owner
+            '';
+            default = null;
+          };
+        };
+      }));
+    };
+  };
+
+  imp = {
+    systemd.services.lass-folderPerms = {
+      description = "lass-folderPerms";
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        coreutils
+      ];
+
+      restartIfChanged = true;
+
+      serviceConfig = {
+        type = "simple";
+        RemainAfterExit = true;
+        Restart = "always";
+        ExecStart = "@${startScript}";
+      };
+    };
+  };
+
+  startScript = writeScript "lass-folderPerms" ''
+    ${concatMapStringsSep "\n" writeCommand cfg.permissions}
+  '';
+
+  writeCommand = fperm:
+    concatStringsSep "\n" [
+      (buildPermission fperm)
+      (buildOwner fperm)
+    ];
+
+  buildPermission = perm:
+    #TODO: create folder maybe
+    #TODO: check if permission is valid
+    if (perm.permission == null) then
+      ""
+    else
+      "chmod ${perm.permission} ${perm.path}"
+  ;
+
+  buildOwner = perm:
+    #TODO: create folder maybe
+    #TODO: check if owner/group valid
+    if (perm.owner == null) then
+      ""
+    else
+      "chown ${perm.owner} ${perm.path}"
+  ;
+
+in out

tv/1systems/cd.nix

@@ -30,7 +30,6 @@ in
     ../2configs/CAC-CentOS-7-64bit.nix
     ../2configs/base.nix
     ../2configs/consul-server.nix
-    ../2configs/exim-smarthost.nix
     ../2configs/git.nix
     {
       imports = [ ../2configs/charybdis.nix ];
@@ -45,6 +44,59 @@ in
         hosts = [ "jabber.viljetic.de" ];
       };
     }
+    {
+      krebs.exim-smarthost = {
+        enable = true;
+        primary_hostname = "${config.networking.hostName}.retiolum";
+        sender_domains = [
+          "shackspace.de"
+          "viljetic.de"
+        ];
+        relay_from_hosts = [
+          "10.243.13.37"
+        ];
+        internet-aliases = with config.krebs.users; [
+          { from = "tomislav@viljetic.de"; to = tv.mail; }
+
+          # (mindestens) lisp-stammtisch und elli haben die:
+          { from = "tv@viljetic.de"; to = tv.mail; }
+
+          { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
+
+          { from = "mirko@viljetic.de"; to = mv.mail; }
+
+          # TODO killme (wo wird die benutzt?)
+          { from = "tv@cd.retiolum"; to = tv.mail; }
+
+          # TODO lists@smtp.retiolum [consul]
+          { from = "postmaster@krebsco.de"; to = tv.mail; }
+
+          { from = "spam@krebsco.de";
+            to = pkgs.lib.concatStringsSep "," [
+              tv.mail
+              "lass@mors.retiolum"
+              makefu.mail
+            ];
+          }
+        ];
+        system-aliases = [
+          { from = "mailer-daemon"; to = "postmaster"; }
+          { from = "postmaster"; to = "root"; }
+          { from = "nobody"; to = "root"; }
+          { from = "hostmaster"; to = "root"; }
+          { from = "usenet"; to = "root"; }
+          { from = "news"; to = "root"; }
+          { from = "webmaster"; to = "root"; }
+          { from = "www"; to = "root"; }
+          { from = "ftp"; to = "root"; }
+          { from = "abuse"; to = "root"; }
+          { from = "noc"; to = "root"; }
+          { from = "security"; to = "root"; }
+          { from = "root"; to = "tv"; }
+          { from = "mirko"; to = "mv"; }
+        ];
+      };
+    }
     {
       krebs.github-hosts-sync.enable = true;
       tv.iptables.input-internet-accept-new-tcp =

tv/1systems/nomic.nix

@@ -38,7 +38,7 @@ with lib;
       };
     }
     {
-      krebs.exim-retiolum = true;
+      krebs.exim-retiolum.enable = true;
     }
     {
       krebs.nginx = {

tv/1systems/wu.nix

@@ -165,7 +165,7 @@ in
       };
     }
     {
-      krebs.exim-retiolum = true;
+      krebs.exim-retiolum.enable = true;
     }
     {
       krebs.nginx = {

tv/2configs/exim-smarthost.nix

@@ -1,475 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  inherit (builtins) toFile;
-  inherit (pkgs.lib.attrsets) mapAttrs;
-  inherit (pkgs.lib.strings) concatMapStringsSep;
-in
-
-{
-  services.exim =
-    let
-      retiolumHostname = "${config.networking.hostName}.retiolum";
-
-      internet-aliases = with config.krebs.users; [
-        { from = "tomislav@viljetic.de"; to = tv.mail; }
-
-        # (mindestens) lisp-stammtisch und elli haben die:
-        { from = "tv@viljetic.de"; to = tv.mail; }
-
-        { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
-
-        { from = "mirko@viljetic.de"; to = mv.mail; }
-
-        # TODO killme (wo wird die benutzt?)
-        { from = "tv@cd.retiolum"; to = tv.mail; }
-
-        # TODO lists@smtp.retiolum [consul]
-        { from = "postmaster@krebsco.de"; to = tv.mail; }
-      ];
-
-      system-aliases = [
-        { from = "mailer-daemon"; to = "postmaster"; }
-        { from = "postmaster"; to = "root"; }
-        { from = "nobody"; to = "root"; }
-        { from = "hostmaster"; to = "root"; }
-        { from = "usenet"; to = "root"; }
-        { from = "news"; to = "root"; }
-        { from = "webmaster"; to = "root"; }
-        { from = "www"; to = "root"; }
-        { from = "ftp"; to = "root"; }
-        { from = "abuse"; to = "root"; }
-        { from = "noc"; to = "root"; }
-        { from = "security"; to = "root"; }
-        { from = "root"; to = "tv"; }
-        { from = "mirko"; to = "mv"; }
-      ];
-
-      to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}");
-      lsearch =
-        mapAttrs (name: set: toFile name (to-lsearch set)) {
-          inherit internet-aliases;
-          inherit system-aliases;
-        };
-    in
-    {
-      enable = true;
-      config =
-        ''
-          primary_hostname = ${retiolumHostname}
-
-          # HOST_REDIR contains the real destinations for "local_domains".
-          #HOST_REDIR = /etc/exim4/host_redirect
-
-
-          # Domains not listed in local_domains need to be deliverable remotely.
-          # XXX We abuse local_domains to mean "domains, we're the gateway for".
-          domainlist local_domains    = @ : localhost
-          #: viljetic.de : SHACK_REDIR_HOSTNAME
-          domainlist relay_to_domains =
-          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37
-
-          acl_smtp_rcpt = acl_check_rcpt
-          acl_smtp_data = acl_check_data
-
-          # av_scanner = clamd:/tmp/clamd
-          # spamd_address = 127.0.0.1 783
-
-          # tls_advertise_hosts = *
-          # tls_certificate = /etc/ssl/exim.crt
-          # tls_privatekey = /etc/ssl/exim.pem
-          # (debian) tls_verify_certificates (to check client certs)
-
-          # daemon_smtp_ports = 25 : 465 : 587
-          # tls_on_connect_ports = 465
-
-          # qualify_domain defaults to primary_hostname
-          # qualify_recipient defaults to qualify_domain
-
-          # allow_domain_literals
-
-          never_users = root
-
-          host_lookup = *
-
-          # ident callbacks for all incoming SMTP calls
-          rfc1413_hosts = *
-          rfc1413_query_timeout = 5s
-
-          # sender_unqualified_hosts =
-          # recipient_unqualified_hosts =
-
-          # percent_hack_domains =
-
-          # arch & debian
-          #ignore_bounce_errors_after = 2d
-          #timeout_frozen_after = 7d
-          # debian
-          #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
-          #freeze_tell = postmaster
-          #trusted_users = uucp
-          # arch
-          #split_spool_directory = true
-
-          log_selector = -queue_run +address_rewrite +all_parents +queue_time
-          log_file_path = syslog
-          syslog_timestamp = false
-          syslog_duplication = false
-
-          begin acl
-
-          acl_check_rcpt:
-            # Accept if the source is local SMTP (i.e. not over TCP/IP).
-            # We do this by testing for an empty sending host field.
-            accept  hosts = :
-                    # arch & debian:
-                    control = dkim_disable_verify
-
-            deny    message       = Restricted characters in address
-                    domains       = +local_domains
-                    local_parts   = ^[.] : ^.*[@%!/|]
-
-            deny    message       = Restricted characters in address
-                    domains       = !+local_domains
-                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
-            accept  local_parts   = postmaster
-                    domains       = +local_domains
-
-            ## feature RETIOLUM_MAIL
-            #accept
-            #  hosts = *.retiolum
-            #  domains = *.retiolum
-            #  control = dkim_disable_verify
-
-            #require verify        = sender
-
-            accept  hosts         = +relay_from_hosts
-                    control       = submission
-                    # debian: control = submission/sender_retain
-                    # arch & debian:
-                    control       = dkim_disable_verify
-
-            accept  authenticated = *
-                    control       = submission
-                    control       = dkim_disable_verify
-
-            accept message = relay not permitted 2
-                    recipients = lsearch;${lsearch.internet-aliases}
-
-            require message = relay not permitted
-                    domains = +local_domains : +relay_to_domains
-
-            require
-              message = unknown user
-              verify = recipient/callout
-
-            # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-            #         dnslists      = black.list.example
-            #
-            # warn    dnslists      = black.list.example
-            #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
-            #         log_message   = found in $dnslist_domain
-
-            # Client SMTP Authorization (csa) checks on the sending host.
-            # Such checks do DNS lookups for special SRV records.
-            # require verify = csa
-
-            accept
-
-
-          acl_check_data:
-            # see av_scanner
-            #deny    malware    = *
-            #        message    = This message contains a virus ($malware_name).
-
-            # Add headers to a message if it is judged to be spam. Before enabling this,
-            # you must install SpamAssassin. You may also need to set the spamd_address
-            # option above.
-            #
-            # warn    spam       = nobody
-            #         add_header = X-Spam_score: $spam_score\n\
-            #                      X-Spam_score_int: $spam_score_int\n\
-            #                      X-Spam_bar: $spam_bar\n\
-            #                      X-Spam_report: $spam_report
-
-            # feature HELO_REWRITE
-            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
-            warn
-              sender_domains = viljetic.de : shackspace.de
-              set acl_m_special_dom = $sender_address_domain
-
-            accept
-
-
-          begin routers
-
-          # feature RETIOLUM_MAIL
-          retiolum:
-            debug_print = "R: retiolum for $local_part@$domain"
-            driver = manualroute
-            domains = ! ${retiolumHostname} : *.retiolum
-            transport = retiolum_smtp
-            route_list = ^.* $0 byname
-            no_more
-
-          internet_aliases:
-            debug_print = "R: internet_aliases for $local_part@$domain"
-            driver = redirect
-            data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
-
-          dnslookup:
-            debug_print = "R: dnslookup for $local_part@$domain"
-            driver = dnslookup
-            domains = ! +local_domains
-            transport = remote_smtp
-            ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
-            # if ipv6-enabled then instead use:
-            # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-
-            # (debian) same_domain_copy_routing = yes
-            # (debian) ignore private rfc1918 and APIPA addresses
-            # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
-            #                   172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
-            #                   255.255.255.255
-
-            # Fail and bounce if the router does not find the domain in the DNS.
-            # I.e. no more routers are tried.
-            # There are a few cases where a dnslookup router will decline to accept an
-            # address; if such a router is expected to handle "all remaining non-local
-            # domains", then it is important to set no_more.
-            no_more
-
-          # XXX this is only used because these "well known aliases" goto tv@cd.retiolum
-          # TODO bounce everything, there is no @cd.retiolum
-          system_aliases:
-            debug_print = "R: system_aliases for $local_part@$domain"
-            driver = redirect
-            data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
-
-          # TODO this is only b/c mv here... send mv's mails somewhere else...
-          local_user:
-            debug_print = "R: local_user for $local_part@$domain"
-            driver = accept
-            check_local_user
-          # local_part_suffix = +* : -*
-          # local_part_suffix_optional
-            transport = home_maildir
-            cannot_route_message = Unknown user
-
-          begin transports
-
-          retiolum_smtp:
-            driver = smtp
-            retry_include_ip_address = false
-            # serialize_hosts = TODO-all-slow-hosts
-
-          remote_smtp:
-            driver = smtp
-            # debian has also stuff for tls, headers_rewrite and more here
-
-            # feature HELO_REWRITE
-            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
-            helo_data = ''${if eq{$acl_m_special_dom}{}  \
-                                 {$primary_hostname}   \
-                                 {$acl_m_special_dom} }
-
-          home_maildir:
-            driver = appendfile
-            maildir_format
-            maildir_use_size_file
-            directory = $home/Mail
-            directory_mode = 0700
-            delivery_date_add
-            envelope_to_add
-            return_path_add
-
-          begin retry
-          *.retiolum             *           F,42d,1m
-          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
-
-          begin rewrite
-          begin authenticators
-        '';
-
-
-          # group = mail
-          # mode = 0660
-
-
-          #address_pipe:
-          #  driver = pipe
-          #  return_output
-          #
-          #address_file:
-          #  driver = appendfile
-          #  delivery_date_add
-          #  envelope_to_add
-          #  return_path_add
-          #
-          #address_reply:
-          #  driver = autoreply
-
-
-          #maildrop_pipe:
-          #  debug_print = "T: maildrop_pipe for $local_part@$domain"
-          #  driver = pipe
-          #  path = "/bin:/usr/bin:/usr/local/bin"
-          #  command = "/usr/bin/maildrop"
-          #  return_path_add
-          #  delivery_date_add
-          #  envelope_to_add
-
-
-
-
-
-          ##begin retry
-          # Address or Domain    Error       Retries
-
-          # Our host_redirect destinations might be offline a lot.
-          # TODO define fallback destinations(?)
-          #lsearch;${lsearch.internet-aliases} * F,42d,1m
-
-
-          ## begin rewrite
-
-          # just in case (shackspace.de should already do this)
-          #tv@shackspace.de  tv@SHACK_REDIR_HOSTNAME  T
-
-
-          ## begin authenticators
-          #PLAIN:
-          #  driver                  = plaintext
-          #  server_set_id           = $auth2
-          #  server_prompts          = :
-          #  server_condition        = Authentication is not yet configured
-          #  server_advertise_condition = ''${if def:tls_in_cipher }
-
-          #LOGIN:
-          #  driver                  = plaintext
-          #  server_set_id           = $auth1
-          #  server_prompts          = <| Username: | Password:
-          #  server_condition        = Authentication is not yet configured
-          #  server_advertise_condition = ''${if def:tls_in_cipher }
-
-
-
-      };
-
-}
-
-#        config = ''
-#          primary_hostname = ${retiolumHostname}
-#          domainlist local_domains    = @ : localhost
-#          domainlist relay_to_domains = *.retiolum
-#          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
-#
-#          acl_smtp_rcpt = acl_check_rcpt
-#          acl_smtp_data = acl_check_data
-#
-#          host_lookup = *
-#          rfc1413_hosts = *
-#          rfc1413_query_timeout = 5s
-#
-#          log_file_path = syslog
-#          syslog_timestamp = false
-#          syslog_duplication = false
-#
-#          begin acl
-#
-#          acl_check_rcpt:
-#            accept  hosts = :
-#                    control = dkim_disable_verify
-#
-#            deny    message       = Restricted characters in address
-#                    domains       = +local_domains
-#                    local_parts   = ^[.] : ^.*[@%!/|]
-#
-#            deny    message       = Restricted characters in address
-#                    domains       = !+local_domains
-#                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-#
-#            accept  local_parts   = postmaster
-#                    domains       = +local_domains
-#
-#            #accept
-#            #  hosts = *.retiolum
-#            #  domains = *.retiolum
-#            #  control = dkim_disable_verify
-#
-#            #require verify        = sender
-#
-#            accept  hosts         = +relay_from_hosts
-#                    control       = submission
-#                    control       = dkim_disable_verify
-#
-#            accept  authenticated = *
-#                    control       = submission
-#                    control       = dkim_disable_verify
-#
-#            require message = relay not permitted
-#                    domains = +local_domains : +relay_to_domains
-#
-#            require verify = recipient
-#
-#            accept
-#
-#
-#          acl_check_data:
-#            accept
-#
-#
-#          begin routers
-#
-#          retiolum:
-#            driver = manualroute
-#            domains = ! ${retiolumHostname} : *.retiolum
-#            transport = remote_smtp
-#            route_list = ^.* $0 byname
-#            no_more
-#
-#          nonlocal:
-#            debug_print = "R: nonlocal for $local_part@$domain"
-#            driver = redirect
-#            domains = ! +local_domains
-#            allow_fail
-#            data = :fail: Mailing to remote domains not supported
-#            no_more
-#
-#          local_user:
-#            # debug_print = "R: local_user for $local_part@$domain"
-#            driver = accept
-#            check_local_user
-#          # local_part_suffix = +* : -*
-#          # local_part_suffix_optional
-#            transport = home_maildir
-#            cannot_route_message = Unknown user
-#
-#
-#          begin transports
-#
-#          remote_smtp:
-#            driver = smtp
-#
-#          home_maildir:
-#            driver = appendfile
-#            maildir_format
-#            directory = $home/Maildir
-#            directory_mode = 0700
-#            delivery_date_add
-#            envelope_to_add
-#            return_path_add
-#          # group = mail
-#          # mode = 0660
-#
-#          begin retry
-#          *.retiolum             *           F,42d,1m
-#          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
-#
-#          begin rewrite
-#
-#          begin authenticators
-#        '';
-#      };
-#}