NNCP: Difference between revisions

← Older edit

VisualWikitext

@@ Line 16: / Line 16: @@
 $ nncp-cfgnew -nocomments > /etc/secrets/nncp.hjson
 </syntaxhighlight>
-This file generated file be stripped down to include only the <code>self</code> and <code>neigh</code> sections:
+This generated file should be stripped down to include only the <code>self</code> and <code>neigh</code> sections:
 <pre>
@@ Line 59: / Line 59: @@
      secrets = [ "/etc/secrets/nncp.hjson" ];
      neigh = {
-       alice = {
+       carol = {
-         # information that Alice has given us about her "self".
+         # information that Carol has given us about her "self".
          id = "D6BOO…YTYWQ";
          exchpub = "V4WJ6…4VA3Q";
          signpub = "NZLTN…HCGOA";
          noisepub = "UNL2J…7FRDA";
-         # We can connect directly to Alice over network.
+         # We can connect directly to Carol over network.
          addr = {
            lan = "[fe80::1234%igb0]:5400";
-           internet = "alice.com:3389";
+           internet = "carol.example.com:3389";
            proxied = "|ssh remote.host nncp-daemon -ucspi";
          };
@@ Line 78: / Line 78: @@
          signpub = "E6XSC…5VYRA";
          noisepub = "TAKXG…Z6MZQ";
-         # We cannoct connect to Bob but be can relay packets to him thru Alice.
+         # We cannot connect to Bob but we can relay packets to him thru Carol.
-         via = [ "alice" ];
+         via = [ "carol" ];
        };
      };
@@ Line 88: / Line 88: @@
 == Callers and Daemons ==
-Automatically starting the <code>nncp-caller</code> and <code>nncp-daemon</code> programs is not yet available from a NixOS module.
+The NNCP caller and daemon can be enabled for NixOS using the options <code>services.nncp.caller</code> and <code>services.nncp.daemon</code>.
-== Remote command execution ==
+<syntaxhighlight lang="nix">
+{
+  services.nncp = let
+    attrs = {
+      enable = true;
+      extraArgs = [ "-autotoss" ];
+    };
+  in {
+    caller = attrs;
+    daemon = attrs;
+  };
+}
+</syntaxhighlight>
+== Copying Nix store paths ==
-=== Store path importing ===
+NNCP can be use to transport the closures of Nix store paths between machines.
 NNCP config:
@@ Line 105: / Line 119: @@
 $ nix-store --export ./result | nncp-exec "$NODE" nix-store-import
 </syntaxhighlight>
+== Email ==
+NNCP is an ideal transport for secure email.
+=== Receiving email ===
+<syntaxhighlight lang="nix">
+# NixOS module for Alice that allows reception of mail from Bob and Carol as well as mail relayed thru her mailserver.
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  programs.nncp.settings.neigh =
+    let
+      mailer.exec.sendmail = [
+        "/run/wrappers/bin/sendmail" # Pipe mail into the system sendmail.
+        "alice"                      # Redirect messages to the "alice" user.
+      ];
+    in
+    {
+      bob = mailer;
+      carol = mailer;
+      mailserver = mailer; # This is Alice's mailserver, described later.
+    };
+  # Use opensmtpd for the system sendmail command.
+  services.opensmtpd = {
+    enable = true;
+    setSendmail = true;
+    serverConfiguration = ''
+      listen on lo
+      # Deliver mail into Alice's home directory.
+      action "inbox" maildir "%{user.directory}/mail"
+      match for local action "inbox"
+    '';
+  };
+}
+</syntaxhighlight>
+=== Sending mail ===
+To send mail alice configures her client to relay mail to her mailserver by using nncp-exec as if it were <code>sendmail</code>.
+<code>
+nncp-exec -noprogress mailserver sendmail -f alice@example.org -t
+</code>
+=== Relaying email ===
+To send mail to domains via STMP a relay is required that implements the  [[wikipedia:Sender Policy Framework|SPF]] standard. Configuring SPF and other DNS based standards is not described here.
+<syntaxhighlight lang="nix">
+# NixOS module for Alice's STMP relay server.
+{ config, lib, ... }:
+let
+  domain = "example.org";
+  fqdn = "example.org";
+  certCfg = config.security.acme.certs.${fqdn};
+  certDir = certCfg.directory;
+  smtpdCertDir = "/var/lib/smtp";
+in
+{
+  # Allow incoming SMTP connections.
+  networking.firewall.allowedTCPPorts = [
+  ];
+  # Receive mail from Alice's NNCP node and pipe it into sendmail unaltered.
+  programs.nncp.settings.neigh.alice.exec.sendmail = [
+    "/run/wrappers/bin/sendmail"
+  ];
+  # Get a certificate for SMTP from ACME.
+  security.acme = {
+    acceptTerms = true;
+    certs.${fqdn} = {
+      email = "admin@${domain}";
+      reloadServices = [ "opensmtpd.service" ];
+      postRun = ''
+        mkdir -p ${smtpdCertDir}
+        cp ${certDir}/cert.pem ${smtpdCertDir}/cert
+        cp ${certDir}/key.pem ${smtpdCertDir}/key
+        chown 0:0 ${smtpdCertDir}/*
+      '';
+    };
+  };
+  # Wrap nncp-exec so that the unpriviledged
+  # smtpd can produce outgoing NNCP packets.
+  security.wrappers.nncp-exec = {
+    setuid = true;
+    owner = "root";
+    group = "uucp";
+    source = "${config.programs.nncp.package}/bin/nncp-exec";
+  };
+  # Configure an smtpd.
+  services.opensmtpd = {
+    enable = true;
+    setSendmail = true; # Create the sendmail command for incoming NNCP mails.
+    serverConfiguration = ''
+      # Use the ACME certificate.
+      pki ${fqdn} cert "${smtpdCertDir}/cert"
+      pki ${fqdn} key "${smtpdCertDir}/key"
+      # Configure SMTP listeners.
+      # Authentication is by domain only, there are no logins here.
+      listen on lo
+      listen on eth0 smtps pki ${fqdn} # Classical SMTP.
+      listen on eth0 tls pki ${fqdn}   # Listen with TLS.
+      listen on tun0 mask-src          # Listen on a tunnel interface but
+                                       # omit the details from headers.
+      # Configure a NNCP Mail Delivery Agent (MDA) for local users.
+      action "nncp" mda "/run/wrappers/bin/nncp-exec -quiet %{dest.user:strip} sendmail"
+      # Configure SMTP relaying to external domains.
+      action "relay" relay tls helo ${domain}
+      # Rules for mail received at this smtpd.
+      match from any for domain "${domain}" action "nncp"
+      match from local for any action "relay"
+    '';
+  };
+}
+</syntaxhighlight>
+[[Category:Networking]]
+[[Category:Server]]
+[[Category:CLI]]