NNCP: Difference between revisions
m Fix typo, update status of caller and daemon services. |
m Category:CLI added |
Line 59: | Line 59: | ||
secrets = [ "/etc/secrets/nncp.hjson" ]; | secrets = [ "/etc/secrets/nncp.hjson" ]; | ||
neigh = { | neigh = { | ||
carol = { | |||
# information that | # information that Carol has given us about her "self". | ||
id = "D6BOO…YTYWQ"; | id = "D6BOO…YTYWQ"; | ||
exchpub = "V4WJ6…4VA3Q"; | exchpub = "V4WJ6…4VA3Q"; | ||
signpub = "NZLTN…HCGOA"; | signpub = "NZLTN…HCGOA"; | ||
noisepub = "UNL2J…7FRDA"; | noisepub = "UNL2J…7FRDA"; | ||
# We can connect directly to | # We can connect directly to Carol over network. | ||
addr = { | addr = { | ||
lan = "[fe80::1234%igb0]:5400"; | lan = "[fe80::1234%igb0]:5400"; | ||
internet = " | internet = "carol.example.com:3389"; | ||
proxied = "|ssh remote.host nncp-daemon -ucspi"; | proxied = "|ssh remote.host nncp-daemon -ucspi"; | ||
}; | }; | ||
Line 78: | Line 78: | ||
signpub = "E6XSC…5VYRA"; | signpub = "E6XSC…5VYRA"; | ||
noisepub = "TAKXG…Z6MZQ"; | noisepub = "TAKXG…Z6MZQ"; | ||
# We | # We cannot connect to Bob but we can relay packets to him thru Carol. | ||
via = [ " | via = [ "carol" ]; | ||
}; | }; | ||
}; | }; | ||
Line 104: | Line 104: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== | == Copying Nix store paths == | ||
NNCP can be use to transport the closures of Nix store paths between machines. | |||
NNCP config: | NNCP config: | ||
Line 119: | Line 119: | ||
$ nix-store --export ./result | nncp-exec "$NODE" nix-store-import | $ nix-store --export ./result | nncp-exec "$NODE" nix-store-import | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Email == | |||
NNCP is an ideal transport for secure email. | |||
=== Receiving email === | |||
<syntaxhighlight lang="nix"> | |||
# NixOS module for Alice that allows reception of mail from Bob and Carol as well as mail relayed thru her mailserver. | |||
{ | |||
config, | |||
lib, | |||
pkgs, | |||
... | |||
}: | |||
{ | |||
programs.nncp.settings.neigh = | |||
let | |||
mailer.exec.sendmail = [ | |||
"/run/wrappers/bin/sendmail" # Pipe mail into the system sendmail. | |||
"alice" # Redirect messages to the "alice" user. | |||
]; | |||
in | |||
{ | |||
bob = mailer; | |||
carol = mailer; | |||
mailserver = mailer; # This is Alice's mailserver, described later. | |||
}; | |||
# Use opensmtpd for the system sendmail command. | |||
services.opensmtpd = { | |||
enable = true; | |||
setSendmail = true; | |||
serverConfiguration = '' | |||
listen on lo | |||
# Deliver mail into Alice's home directory. | |||
action "inbox" maildir "%{user.directory}/mail" | |||
match for local action "inbox" | |||
''; | |||
}; | |||
} | |||
</syntaxhighlight> | |||
=== Sending mail === | |||
To send mail alice configures her client to relay mail to her mailserver by using nncp-exec as if it were <code>sendmail</code>. | |||
<code> | |||
nncp-exec -noprogress mailserver sendmail -f alice@example.org -t | |||
</code> | |||
=== Relaying email === | |||
To send mail to domains via STMP a relay is required that implements the [[wikipedia:Sender Policy Framework|SPF]] standard. Configuring SPF and other DNS based standards is not described here. | |||
<syntaxhighlight lang="nix"> | |||
# NixOS module for Alice's STMP relay server. | |||
{ config, lib, ... }: | |||
let | |||
domain = "example.org"; | |||
fqdn = "example.org"; | |||
certCfg = config.security.acme.certs.${fqdn}; | |||
certDir = certCfg.directory; | |||
smtpdCertDir = "/var/lib/smtp"; | |||
in | |||
{ | |||
# Allow incoming SMTP connections. | |||
networking.firewall.allowedTCPPorts = [ | |||
25 | |||
465 | |||
]; | |||
# Receive mail from Alice's NNCP node and pipe it into sendmail unaltered. | |||
programs.nncp.settings.neigh.alice.exec.sendmail = [ | |||
"/run/wrappers/bin/sendmail" | |||
]; | |||
# Get a certificate for SMTP from ACME. | |||
security.acme = { | |||
acceptTerms = true; | |||
certs.${fqdn} = { | |||
email = "admin@${domain}"; | |||
reloadServices = [ "opensmtpd.service" ]; | |||
postRun = '' | |||
mkdir -p ${smtpdCertDir} | |||
cp ${certDir}/cert.pem ${smtpdCertDir}/cert | |||
cp ${certDir}/key.pem ${smtpdCertDir}/key | |||
chown 0:0 ${smtpdCertDir}/* | |||
''; | |||
}; | |||
}; | |||
# Wrap nncp-exec so that the unpriviledged | |||
# smtpd can produce outgoing NNCP packets. | |||
security.wrappers.nncp-exec = { | |||
setuid = true; | |||
owner = "root"; | |||
group = "uucp"; | |||
source = "${config.programs.nncp.package}/bin/nncp-exec"; | |||
}; | |||
# Configure an smtpd. | |||
services.opensmtpd = { | |||
enable = true; | |||
setSendmail = true; # Create the sendmail command for incoming NNCP mails. | |||
serverConfiguration = '' | |||
# Use the ACME certificate. | |||
pki ${fqdn} cert "${smtpdCertDir}/cert" | |||
pki ${fqdn} key "${smtpdCertDir}/key" | |||
# Configure SMTP listeners. | |||
# Authentication is by domain only, there are no logins here. | |||
listen on lo | |||
listen on eth0 smtps pki ${fqdn} # Classical SMTP. | |||
listen on eth0 tls pki ${fqdn} # Listen with TLS. | |||
listen on tun0 mask-src # Listen on a tunnel interface but | |||
# omit the details from headers. | |||
# Configure a NNCP Mail Delivery Agent (MDA) for local users. | |||
action "nncp" mda "/run/wrappers/bin/nncp-exec -quiet %{dest.user:strip} sendmail" | |||
# Configure SMTP relaying to external domains. | |||
action "relay" relay tls helo ${domain} | |||
# Rules for mail received at this smtpd. | |||
match from any for domain "${domain}" action "nncp" | |||
match from local for any action "relay" | |||
''; | |||
}; | |||
} | |||
</syntaxhighlight> | |||
[[Category:Networking]] | |||
[[Category:Server]] | |||
[[Category:CLI]] |
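Review bot: The `security.wrappers.nncp-exec` block (`setuid = true; owner = "root";`) makes nncp-exec run as root for every local user, because no `permissions` restriction is set, while the only consumer shown is the smtpd MDA line `action "nncp" mda "/run/wrappers/bin/nncp-exec -quiet %{dest.user:strip} sendmail"`. Prefer owning the wrapper by the account that owns the NNCP spool and secrets instead of root, or at least drop world-execute with `permissions = "u+rx,g+x";` and put the account the MDA runs as (the recipient user, unless the action sets `user`) into `group = "uucp"`. Note also that the node name handed to this privileged binary is the recipient local part accepted by `match from any`, so a comment stating which neighbour names it can resolve to (only `alice` is declared) would help the next maintainer. The comment `# Classical SMTP.` on `listen on eth0 smtps pki ${fqdn}` looks inverted — `smtps` is implicit TLS on 465; the opportunistic-STARTTLS listener is the `tls` line below it. Minor wording in the added text: `STMP` → `SMTP` in the "Relaying email" heading paragraph and in `# NixOS module for Alice's STMP relay server.`, and `unpriviledged` → `unprivileged`.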