Allow umbriel to send emails as nixos.org

Once this change is deployed, we should be able to start sending test
emails from `@nixos.org` email addresses using umbriel. I updated our
SPF record in a way such that it should allow umbriel without breaking
our existing email sending capabilities (ImprovMX and gandi.net).

This does *not* change our MX (yet): ImprovMX will still be receiving
emails send to `nixos.org`. To verify that we can receive emails sent to
`nixos.org` addresses, I plan to edit `/etc/hosts` on my personal
mailserver and send some test emails. Do folks have better ideas for
testing this out?

Author: jfly

non-critical-infra/hosts/umbriel.nixos.org/README.md

@@ -5,7 +5,7 @@
 If you recreate `umbriel`, it will generate a new `DKIM` signature. That's ok to
 do, but you'll need to update the corresponding `mail._domainkey.*` `TXT` DNS
 record in `terraform/dns.tf` with the generated key in
-`/var/dkim/mail-test.nixos.org.mail.txt`.
+`/var/dkim/nixos.org.mail.txt`.
 
 TODO: declaratively manage the `DKIM` key once
 <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/344>

non-critical-infra/modules/mailserver/default.nix

@@ -9,8 +9,7 @@
 
     fqdn = config.networking.fqdn;
 
-    # TODO: change to `nixos.org` when ready
-    domains = [ "mail-test.nixos.org" ];
+    domains = [ "nixos.org" ];
   };
 
   ### Mailing lists go here ###
@@ -22,14 +21,14 @@
   # follow the instructions.
   mailing-lists = {
     # TODO: replace with the real `nixos.org` mailing lists.
-    "test-list@mail-test.nixos.org" = {
+    "[email protected]" = {
       forwardTo = [
         "[email protected]"
         ../../secrets/jfly-email-address.umbriel
         "[email protected]"
       ];
     };
-    "test-sender@mail-test.nixos.org" = {
+    "[email protected]" = {
       forwardTo = [ "[email protected]" ];
       loginAccount.encryptedHashedPassword = ../../secrets/test-sender-email-login.umbriel;
     };

non-critical-infra/packages/encrypt-email/encrypt-email.py

@@ -149,7 +149,7 @@ def login(address_id: str, force: bool) -> None:
 
     nix_code = dedent(
         f"""\
-        "{address_id}@mail-test.nixos.org" = {{
+        "{address_id}@nixos.org" = {{
           forwardTo = [
             # Add emails here
           ];

terraform/dns.tf

@@ -201,11 +201,6 @@ locals {
       type     = "TXT"
       value    = "9e10a04a4b"
     },
-    {
-      hostname = "nixos.org"
-      type     = "TXT"
-      value    = "v=spf1 include:spf.improvmx.com ~all"
-    },
     {
       # hetzner ax162-r 2548595
       hostname = "elated-minsky.builder.nixos.org"
@@ -405,29 +400,34 @@ locals {
       value    = "2a01:4f9:c012:8178::"
     },
 
-    # Mailserver configuration for `mail-test.nixos.org`
+    # Mailserver configuration for `nixos.org`
+    # TODO: remove the 2 MX records for improvmx below in favor of this once
+    # we're ready to switch to the new mailserver:
+    # https://github.com/NixOS/infra/issues/485
+    # {
+    #   hostname = "nixos.org"
+    #   type     = "MX"
+    #   value    = "umbriel.nixos.org"
+    # },
     {
-      hostname = "mail-test.nixos.org"
-      type     = "MX"
-      value    = "umbriel.nixos.org"
-    },
-    {
-      hostname = "mail-test.nixos.org"
+      hostname = "nixos.org"
       type     = "TXT"
-      value    = "v=spf1 mx ~all"
+      # TODO: simplify to just a `mx` rule once umbriel is our one and only
+      # mailserver:
+      # https://github.com/NixOS/infra/issues/485
+      # value = "v=spf1 mx ~all"
+      value = "v=spf1 include:spf.improvmx.com a:umbriel.nixos.org ~all"
     },
     {
-      hostname = "mail._domainkey.mail-test.nixos.org"
+      hostname = "mail._domainkey.nixos.org"
       type     = "TXT"
-      # From `/var/dkim/mail-test.nixos.org.mail.txt` on `umbriel`.
+      # >>> From `/var/dkim/nixos.org.mail.txt` on `umbriel`. <<<
       value = "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG4Tx788TCAW/sv1h6JefVJChqbaot1yhycwEq0Uo5x9ZIyq43Dkxxl7LdsHIW75HMI7aTKQRru+5xQ26vQmwiIRFJlJlRSYzlZZ2xnFZPXQ27dXnFh7MxLGC7YEyQFksiA2xxgqtQSyIvwu1whm2WK0fXkoJf87SgTtVjjKjnkQIDAQAB"
     },
     {
-      hostname = "_dmarc.mail-test.nixos.org"
+      hostname = "_dmarc.nixos.org"
       type     = "TXT"
-      # TODO: consider making this strict (`v=DMARC1; p=reject; adkim=s; aspf=s;`),
-      #       but make sure this doesn't break mailing lists: https://dmarcian.com/mailing-lists-dmarc/
-      value = "v=DMARC1; p=none"
+      value    = "v=DMARC1; p=none"
     },
   ]
 }
@@ -445,9 +445,9 @@ resource "netlify_dns_record" "nixos" {
   value    = each.value.value
 }
 
+### TODO: remove, see https://github.com/NixOS/infra/issues/485 ###
 # MX records both have the same hostname and type and would clash on the above
 # mapping.
-
 resource "netlify_dns_record" "nixos_MX1" {
   zone_id  = local.zone_id
   hostname = "nixos.org"
@@ -462,8 +462,6 @@ resource "netlify_dns_record" "nixos_MX2" {
   value    = "mx2.improvmx.com"
 }
 
-# additional records for improvmx for dkim & dmarc
-
 resource "netlify_dns_record" "nixos_DKIM1" {
   zone_id  = local.zone_id
   hostname = "dkimprovmx1._domainkey.nixos.org"
@@ -477,13 +475,7 @@ resource "netlify_dns_record" "nixos_DKIM2" {
   type     = "CNAME"
   value    = "dkimprovmx2.improvmx.com"
 }
-
-resource "netlify_dns_record" "nixos_DMARC" {
-  zone_id  = local.zone_id
-  hostname = "_dmarc.nixos.org"
-  type     = "TXT"
-  value    = "v=DMARC1; p=none;"
-}
+### END TODO: remove ###
 
 resource "netlify_dns_record" "nixos_google_verification" {
   zone_id  = local.zone_id