Add simple-nixos-mailserver to umbriel

Author: jfly

flake.lock

@@ -31,6 +31,7 @@
       url = "github:numtide/srvos";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs = {

flake.nix

@@ -26,6 +26,7 @@
             value
             inputs.disko.nixosModules.disko
             inputs.first-time-contribution-tagger.nixosModule
+            inputs.simple-nixos-mailserver.nixosModule
             inputs.sops-nix.nixosModules.sops
           ];
           extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];
@@ -49,8 +50,14 @@
     };
 
   perSystem =
-    { pkgs, inputs', ... }:
+    { inputs', ... }:
+    # Use the latest packages from `nixpkgs-unstable` for dev tools.
+    let
+      pkgs = inputs'.nixpkgs-unstable.legacyPackages;
+    in
     {
+      packages.encrypt-email-address = pkgs.callPackage ./packages/encrypt-email-address { };
+
       devShells.non-critical-infra = pkgs.mkShellNoCC {
         packages = [
           inputs'.colmena.packages.colmena

non-critical-infra/flake-module.nix

@@ -8,6 +8,7 @@
     ../../modules/common.nix
     ../../modules/mjolnir.nix
     ../../modules/prometheus/node-exporter.nix
+    ./mailserver
   ];
 
   # Bootloader.

non-critical-infra/hosts/umbriel.nixos.org/default.nix

@@ -0,0 +1,14 @@
+# NixOS mailserver
+
+This module will [eventually][issue 485] provide mail services for `nixos.org`.
+
+## Mailing lists
+
+To create a new mailing list, or change membership of a mailing list, see the
+instructions at the top of [`mailing-lists.nix`](./mailing-lists.nix).
+
+## Sending mail
+
+This module does not yet provide SMTP login.
+
+[issue 485]: https://github.com/NixOS/infra/issues/485

non-critical-infra/hosts/umbriel.nixos.org/mailserver/README.md

@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+  imports = [ ./mailing-lists.nix ];
+
+  mailserver = {
+    enable = true;
+    certificateScheme = "acme-nginx";
+
+    # Until we have login accounts, there's no reason to run either of these.
+    enablePop3 = false;
+    enableImap = false;
+
+    fqdn = config.networking.fqdn;
+
+    # TODO: create an `MX` record for `playground.nixos.org` (value `umbriel.nixos.org`): <https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html#set-a-mx-record>.
+    # TODO: create an `SPF` record for `playground.nixos.org`: <https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html#set-a-mx-record>.
+    # TODO: create `DKIM` TXT record: <https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html#set-dkim-signature>.
+    #       (can't do this until after SNM is deployed)
+    # TODO: set a `DMARC` record: <https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html#set-a-dmarc-record>.
+    #       (and then make it strict (`v=DMARC1; p=reject; adkim=s; aspf=s;`) once things are working)
+    # TODO: change to `nixos.org` when ready
+    domains = [ "playground.nixos.org" ];
+  };
+}

non-critical-infra/hosts/umbriel.nixos.org/mailserver/default.nix

@@ -0,0 +1,39 @@
+# This module provides the mailing list definitions for `@nixos.org`.
+#
+# Simply change the `lists` attribute set below to create new mailing lists or
+# edit membership of existing lists.
+#
+# If you wish to hide your email address, you can encrypt it with SOPS. Just
+# run `nix run .#encrypt-email-address` in the `non-critical-infra/` folder and
+# follow the instructions.
+
+{ config, lib, ... }:
+
+let
+  # Mailing lists go here.
+  # TODO: replace with the real `nixos.org` mailing lists.
+  lists = {
+    "[email protected]" = [
+      "[email protected]"
+      config.sops.placeholder.jfly-email
+      "[email protected]"
+    ];
+  };
+in
+
+{
+  # Encrypted email addresses go here.
+  sops.secrets.jfly-email = {
+    format = "binary";
+    sopsFile = ../../../secrets/jfly-email.umbriel;
+  };
+
+  sops.templates."postfix-virtual-mailing-lists".content = lib.concatStringsSep "\n" (
+    lib.mapAttrsToList (name: members: "${name} ${lib.concatStringsSep ", " members}") lists
+  );
+
+  services.postfix.mapFiles.virtual-mailing-lists =
+    config.sops.templates."postfix-virtual-mailing-lists".path;
+
+  services.postfix.config.virtual_alias_maps = [ "hash:/etc/postfix/virtual-mailing-lists" ];
+}

non-critical-infra/hosts/umbriel.nixos.org/mailserver/mailing-lists.nix

@@ -0,0 +1,24 @@
+{
+  lib,
+  python3,
+  ruff,
+  sops,
+}:
+
+python3.pkgs.buildPythonApplication {
+  name = "encrypt-email-address";
+  src = ./.;
+
+  format = "other";
+
+  nativeBuildInputs = [ ruff ];
+
+  propagatedBuildInputs = [ python3.pkgs.click ];
+
+  installPhase = ''
+    ruff check ./encrypt-email-address.py
+    mkdir -p $out/bin
+    mv ./encrypt-email-address.py $out/bin/encrypt-email-address
+    wrapProgram $out/bin/encrypt-email-address --prefix PATH : ${lib.makeBinPath [ sops ]}
+  '';
+}

non-critical-infra/packages/encrypt-email-address/default.nix

@@ -0,0 +1,100 @@
+#!/usr/bin/env python
+
+import re
+import click
+import subprocess
+from pathlib import Path
+from textwrap import dedent
+from textwrap import indent
+
+
+@click.command(
+    help=dedent("""\
+        Encrypt an email address (or email addresses) for inclusion in a mailing list.
+
+        See `non-critical-infra/hosts/umbriel.nixos.org/mailserver/mailing-lists.nix` for
+        documentation about how to use this.
+    """)
+)
+@click.argument("id")
+@click.argument("email")
+@click.option("--force/--no-force", "-f/ ", default=False)
+def main(id: str, email: str, force: bool):
+    # Feel free to make the regex less restrictive if you need to.
+    id_re = re.compile("[A-Za-z0-9-]+")
+    if not id_re.fullmatch(id):
+        raise click.ClickException(
+            f"Given ID: {id!r} is invalid. Must match regex: {id_re.pattern}"
+        )
+
+    # Make sure we aren't being given a text file that happens to have a newline at the end.
+    if "\n" in email:
+        raise click.ClickException(
+            "Email address must not not contain a newline character"
+        )
+
+    if Path.cwd().name != "non-critical-infra":
+        raise click.ClickException(
+            "You must run this command inside the `non-critical-infra/` folder."
+        )
+
+    secret_path = Path(f"secrets/{id}-email.umbriel")
+
+    if secret_path.exists():
+        if not force:
+            raise click.ClickException(
+                f"Refusing to clobber existing {secret_path}. Use `--force` to override."
+            )
+        else:
+            click.secho(f"Clobbering existing {secret_path}", fg="yellow")
+
+    cp = subprocess.run(
+        ["sops", "--encrypt", "--filename-override", secret_path, "/dev/stdin"],
+        text=True,
+        check=True,
+        stdout=subprocess.PIPE,
+        input=email,
+    )
+
+    secret_path.write_text(cp.stdout)
+
+    click.secho(f"Successfully generated {secret_path}", fg="green")
+
+    mailing_list_nix = Path("hosts/umbriel.nixos.org/mailserver/mailing-lists.nix")
+    assert mailing_list_nix.exists()
+
+    secret_id = f"{id}-email"
+
+    click.secho()
+    click.secho("Now add yourself to ", nl=False)
+    click.secho(mailing_list_nix, fg="blue", nl=False)
+    click.secho(". ")
+
+    click.secho()
+    click.secho("Search for '", nl=False)
+    click.secho("# Encrypted email addresses go here.", fg="blue", nl=False)
+    click.secho("' and add this:")
+    click.secho()
+    click.secho(
+        indent(
+            dedent(f"""\
+              sops.secrets.{secret_id} = {{
+                format = "binary";
+                sopsFile = {secret_path.relative_to(mailing_list_nix.parent, walk_up=True)};
+              }};
+            """),
+            prefix="  ",
+        ),
+        fg="blue",
+    )
+
+    click.secho()
+    click.secho("Lastly, add `", nl=False)
+    click.secho(f"config.sops.placeholder.{secret_id}", fg="blue", nl=False)
+    click.secho("` to the relevant mailing list under '", nl=False)
+    click.secho("# Mailing lists go here.", fg="blue", nl=False)
+    click.secho("'.")
+
+
+if __name__ == "__main__":
+    main()