NNCP: Difference between revisions

imported>Ehmry
Quick first version
 
Klinger (talk | contribs)
m Category:CLI added
 
(8 intermediate revisions by 3 users not shown)
Line 16: Line 16:
$ nncp-cfgnew -nocomments > /etc/secrets/nncp.hjson
$ nncp-cfgnew -nocomments > /etc/secrets/nncp.hjson
</syntaxhighlight>
</syntaxhighlight>
This file generated file be stripped down to include only the <code>self</code> and <code>neigh</code> sections:
This generated file should be stripped down to include only the <code>self</code> and <code>neigh</code> sections:


<pre>
<pre>
Line 59: Line 59:
     secrets = [ "/etc/secrets/nncp.hjson" ];
     secrets = [ "/etc/secrets/nncp.hjson" ];
     neigh = {
     neigh = {
       alice = {
       carol = {
         # information that Alice has given us about her "self".
         # information that Carol has given us about her "self".
         id = "D6BOO…YTYWQ";
         id = "D6BOO…YTYWQ";
         exchpub = "V4WJ6…4VA3Q";
         exchpub = "V4WJ6…4VA3Q";
         signpub = "NZLTN…HCGOA";
         signpub = "NZLTN…HCGOA";
         noisepub = "UNL2J…7FRDA";
         noisepub = "UNL2J…7FRDA";
         # We can connect directly to Alice over network.
         # We can connect directly to Carol over network.
         addr = {
         addr = {
           lan = "[fe80::1234%igb0]:5400";
           lan = "[fe80::1234%igb0]:5400";
           internet = "alice.com:3389";
           internet = "carol.example.com:3389";
           proxied = "|ssh remote.host nncp-daemon -ucspi";
           proxied = "|ssh remote.host nncp-daemon -ucspi";
         };
         };
Line 78: Line 78:
         signpub = "E6XSC…5VYRA";
         signpub = "E6XSC…5VYRA";
         noisepub = "TAKXG…Z6MZQ";
         noisepub = "TAKXG…Z6MZQ";
         # We cannoct connect to Bob but be can relay packets to him thru Alice.
         # We cannot connect to Bob but we can relay packets to him thru Carol.
         via = [ "alice" ];
         via = [ "carol" ];
       };
       };
     };
     };
Line 88: Line 88:
== Callers and Daemons ==
== Callers and Daemons ==


Automatically starting the <code>nncp-caller</code> and <code>nncp-daemon</code> programs is not yet available from a NixOS module.
The NNCP caller and daemon can be enabled for NixOS using the options <code>services.nncp.caller</code> and <code>services.nncp.daemon</code>.
 
<syntaxhighlight lang="nix">
{
  services.nncp = let
    attrs = {
      enable = true;
      extraArgs = [ "-autotoss" ];
    };
  in {
    caller = attrs;
    daemon = attrs;
  };
}
</syntaxhighlight>
 
== Copying Nix store paths ==
 
NNCP can be use to transport the closures of Nix store paths between machines.
 
NNCP config:
<syntaxhighlight lang="nix">
{
  programs.nncp.settings.neigh.${NODE}.exec.nix-store-import = "nix-store --import";
}
</syntaxhighlight>
 
Export command:
<syntaxhighlight lang="console">
$ nix-store --export ./result | nncp-exec "$NODE" nix-store-import
</syntaxhighlight>
 
== Email ==
 
NNCP is an ideal transport for secure email.
 
=== Receiving email ===
 
<syntaxhighlight lang="nix">
# NixOS module for Alice that allows reception of mail from Bob and Carol as well as mail relayed thru her mailserver.
{
  config,
  lib,
  pkgs,
  ...
}:
 
{
  programs.nncp.settings.neigh =
    let
      mailer.exec.sendmail = [
        "/run/wrappers/bin/sendmail" # Pipe mail into the system sendmail.
        "alice"                      # Redirect messages to the "alice" user.
      ];
    in
    {
      bob = mailer;
      carol = mailer;
      mailserver = mailer; # This is Alice's mailserver, described later.
    };
 
  # Use opensmtpd for the system sendmail command.
  services.opensmtpd = {
    enable = true;
    setSendmail = true;
    serverConfiguration = ''
      listen on lo
 
      # Deliver mail into Alice's home directory.
      action "inbox" maildir "%{user.directory}/mail"
 
      match for local action "inbox"
    '';
  };
 
}
</syntaxhighlight>
 
=== Sending mail ===
 
To send mail alice configures her client to relay mail to her mailserver by using nncp-exec as if it were <code>sendmail</code>.
 
<code>
nncp-exec -noprogress mailserver sendmail -f alice@example.org -t
</code>
 
=== Relaying email ===
 
To send mail to domains via STMP a relay is required that implements the  [[wikipedia:Sender Policy Framework|SPF]] standard. Configuring SPF and other DNS based standards is not described here.
 
<syntaxhighlight lang="nix">
# NixOS module for Alice's STMP relay server.
{ config, lib, ... }:
 
let
  domain = "example.org";
  fqdn = "example.org";
  certCfg = config.security.acme.certs.${fqdn};
  certDir = certCfg.directory;
  smtpdCertDir = "/var/lib/smtp";
in
{
  # Allow incoming SMTP connections.
  networking.firewall.allowedTCPPorts = [
    25
    465
  ];
 
  # Receive mail from Alice's NNCP node and pipe it into sendmail unaltered.
  programs.nncp.settings.neigh.alice.exec.sendmail = [
    "/run/wrappers/bin/sendmail"
  ];
 
  # Get a certificate for SMTP from ACME.
  security.acme = {
    acceptTerms = true;
    certs.${fqdn} = {
      email = "admin@${domain}";
      reloadServices = [ "opensmtpd.service" ];
      postRun = ''
        mkdir -p ${smtpdCertDir}
        cp ${certDir}/cert.pem ${smtpdCertDir}/cert
        cp ${certDir}/key.pem ${smtpdCertDir}/key
        chown 0:0 ${smtpdCertDir}/*
      '';
    };
  };
 
  # Wrap nncp-exec so that the unpriviledged
  # smtpd can produce outgoing NNCP packets.
  security.wrappers.nncp-exec = {
    setuid = true;
    owner = "root";
    group = "uucp";
    source = "${config.programs.nncp.package}/bin/nncp-exec";
  }; 
 
  # Configure an smtpd.
  services.opensmtpd = {
    enable = true;
    setSendmail = true; # Create the sendmail command for incoming NNCP mails.
    serverConfiguration = ''
      # Use the ACME certificate.
      pki ${fqdn} cert "${smtpdCertDir}/cert"
      pki ${fqdn} key "${smtpdCertDir}/key"
 
      # Configure SMTP listeners.
      # Authentication is by domain only, there are no logins here.
      listen on lo
      listen on eth0 smtps pki ${fqdn} # Classical SMTP.
      listen on eth0 tls pki ${fqdn}  # Listen with TLS.
      listen on tun0 mask-src          # Listen on a tunnel interface but
                                      # omit the details from headers.
 
      # Configure a NNCP Mail Delivery Agent (MDA) for local users.
      action "nncp" mda "/run/wrappers/bin/nncp-exec -quiet %{dest.user:strip} sendmail"
 
      # Configure SMTP relaying to external domains.
      action "relay" relay tls helo ${domain}
 
      # Rules for mail received at this smtpd.
      match from any for domain "${domain}" action "nncp"
      match from local for any action "relay"
    '';
  };
}
</syntaxhighlight>
 
[[Category:Networking]]
[[Category:Server]]
[[Category:CLI]]
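Review bot: The `security.wrappers.nncp-exec` block in the "Relaying email" module installs nncp-exec setuid root, which grants more than the comment's stated goal (letting the unprivileged smtpd produce outgoing NNCP packets) requires: every account able to execute the wrapper runs nncp-exec as uid 0, and the `action "nncp" mda` line feeds it a recipient name taken from inbound mail via `%{dest.user:strip}`. Since the wrapper already sets `group = "uucp"` and the NixOS nncp module presumably makes the configuration, secrets and spool accessible to that group, `setuid = false; setgid = true;` should suffice, with the wrapper's `permissions` narrowed so that only the accounts that hand mail to NNCP may invoke it — confirm against the actual ownership of the secrets and spool on the target system. Separately, the listener comments are misleading: `smtps` on `eth0` is implicit TLS on port 465, not "Classical SMTP", while the STARTTLS-capable port-25 listener is the `tls` line, so `listen on eth0 smtps pki ${fqdn} # Implicit TLS (port 465).` and `listen on eth0 tls pki ${fqdn}  # SMTP with STARTTLS (port 25).` would match the two ports opened in `allowedTCPPorts`.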