trying to make sogo a little bit more secure

2023-04-13 18:38:37 +02:00 · 2023-04-13 18:38:37 +02:00 · a8824ce574
commit a8824ce574
parent c813f3ac83
4 changed files with 54 additions and 29 deletions
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@ -1,12 +1,15 @@
 { config, pkgs, ... }:
 let
-  SOGo-hostname = "mail.${config.fsr.domain}";
+  sogo-hostname = "mail.${config.fsr.domain}";
  domain = config.fsr.domain;
 in
 {
  sops.secrets.ldap_search = {
    owner = config.systemd.services.sogo.serviceConfig.User;
  };
+  sops.secrets.postgres_sogo = {
+    owner = config.systemd.services.sogo.serviceConfig.User;
+  };

  services = {
    sogo = {
@ -20,30 +23,38 @@ in
                  UIDFieldName = uid;
                  baseDN = "ou = users, dc=ifsr, dc=de";
                  bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
-                  bindPassword = ${config.sops.secrets.ldap_search.path}; 
+                  bindPassword = LDAP_SEARCH;
                  hostname = "ldap://localhost";
                  canAuthenticate = YES;
                  id = directory;
      
                });
                SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";    
-        				SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
-        				OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
-        				
+        		SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
+        		OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
      ''; # Hier ist bindPassword noch nicht vollständig
-      vhostName = "${SOGo-hostname}";
+      configReplaces = {
+        LDAP_SEARCH = config.sops.secrets.ldap_search.path; 
+      };
+      vhostName = "${sogo-hostname}";
      timezone = "Europe/Berlin";
    };
-    postgresql = {
-      ensureUsers = [{
-        name = "SOGo";
-      }];
-      ensureDatabases = [ "SOGo" ];
-    };
+      postgresql = {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "sogo";
+            ensurePermissions = {
+              "DATABASE sogo" = "ALL PRIVILEGES";
+            };
+          }
+        ];
+        ensureDatabases = [ "sogo" ];
+      };

    nginx = {
      recommendedProxySettings = true;
-      virtualHosts."${SOGo-hostname}" = {
+      virtualHosts."${sogo-hostname}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
@ -52,10 +63,22 @@ in
            proxyWebsockets = true;
          };
        };
-
-
      };
-
    };
  };
+
+  systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
+
+  systemd.services.sogo-pgsetup = {
+    description = "Prepare Sogo postgres database";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" "postgresql.service" ];
+    serviceConfig.Type = "oneshot";
+
+    path = [ pkgs.sudo config.services.postgresql.package ];
+    script = ''
+      sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
+    '';
+  };
+
 }