Merge branch 'main' into vaultwarden

2023-07-12 15:51:25 +02:00 · 2023-07-12 15:51:25 +02:00 · c0266785cd
commit c0266785cd
parent e7adae7b45 6e4e213b0f
17 changed files with 177 additions and 1598 deletions
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@ -1,42 +0,0 @@
-{ pkgs, lib, config, office_stuff, ... }:
-
-let
-
-  extra_office_packages = (lib.ifEnable config.fsr.enable_office_bloat (with pkgs; [
-    vlc
-    libreoffice-fresh
-    okular
-    texlive.combined.scheme-full
-  ]));
-
-
-in
-{
-  # enable XFCE as lightweight desktop environment
-  services = {
-    xserver.enable = true;
-    xserver.desktopManager.xfce.enable = true;
-    xserver.displayManager.defaultSession = "xfce";
-
-    # Configure keymap in X11
-    xserver.layout = "de";
-    xserver.xkbOptions = "eurosign:e,ctrl:nocaps,compose:prsc";
-
-    # enable touchpad support
-    xserver.libinput.enable = true;
-  };
-  # enable sound
-  sound.enable = true;
-  sound.mediaKeys.enable = true;
-  hardware.pulseaudio.enable = true;
-
-  # additional programs for a lightweight working office environment
-  environment.systemPackages = with pkgs; [
-    ## audio management
-    pavucontrol
-    ## terminal, browsers, text editing
-    #vscodium
-    firefox
-  ] ++ extra_office_packages;
-
-}
--- a/modules/infoscreen.nix
+++ b/modules/infoscreen.nix
@ -1,29 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  fsr-infoscreen = pkgs.fsr-infoscreen;
-
-in
-{
-
-  systemd = {
-    services."fsr-infoscreen" = {
-      enable = true;
-      wantedBy = [ "multi-user.target" ];
-      script = ''
-        ${pkgs.python39}/bin/python39 ${fsr-infoscreen}/build/middleware/infoscreen.py
-      '';
-
-      serviceConfig = {
-        User = "infoscreen";
-        Restart = "on-failure";
-      };
-    };
-  };
-
-  users.users.infoscreen = {
-    name = "infoscreen";
-    description = "custom user for service infoscreen service";
-    isNormalUser = true;
-  };
-
-}
--- a/modules/kpp.nix
+++ b/modules/kpp.nix
@ -0,0 +1,15 @@
+{ config, ... }:
+let
+  domain = "kpp.${config.fsr.domain}";
+in
+{
+  services.kpp = {
+    enable = true;
+    hostName = domain;
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+}
--- a/modules/ldap/0001-update-user-validation-regex.patch
+++ b/modules/ldap/0001-update-user-validation-regex.patch
@ -0,0 +1,25 @@
+From f5c68898be345fb0dca5ab7b596b9cbe674f5dfb Mon Sep 17 00:00:00 2001
+From: Rouven Seifert <rouven@rfive.de>
+Date: Tue, 4 Jul 2023 15:14:00 +0200
+Subject: [PATCH] update user validation regex
+
+---
+ internal/core/validation.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/internal/core/validation.go b/internal/core/validation.go
+index 3e168b5..10dfc0a 100644
+--- a/internal/core/validation.go
+++ b/internal/core/validation.go
+@@ -30,7 +30,7 @@ import (
+ )
+ 
+ //this regexp copied from useradd(8) manpage
+-const posixAccountNamePattern = `[a-z_][a-z0-9_-]*\$?`
+const posixAccountNamePattern = `[a-z_][a-z0-9._-]*\$?`
+ 
+ var (
+ 	errIsMissing      = errors.New("is missing")
+-- 
+2.41.0
+
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@ -48,6 +48,9 @@ in

  services.portunus = {
    enable = true;
+    package = pkgs.portunus.overrideAttrs (old: {
+      patches = [ ./0001-update-user-validation-regex.patch ];
+    });
    user = "${portunusUser}";
    group = "${portunusGroup}";
    domain = "${domain}";
@ -65,7 +68,7 @@ in
      #tls = true;
    };

-    seedPath = ../config/portunus_seeds.json;
+    seedPath = ../../config/portunus_seeds.json;
  };

  #users.ldap = {
@ -123,18 +126,4 @@ in
      };
    };
  };
-
-  # nixpkgs.overlays = [
-  #   (self: super:
-  #     {
-  #       portunus = super.portunus.overrideAttrs (old: {
-  #         src = super.fetchFromGitHub {
-  #           owner = "revol-xut";
-  #           repo = "portunus";
-  #           rev = "4dc29febacb11c613785bc95352fa00e0ca9b14a";
-  #           sha256 = "sha256-6O2392aHXhgvgZf6ftDY5Bh6hG3OzzCnlriig/Vkkz8=";
-  #         };
-  #       });
-  #     })
-  # ];
 }
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -39,7 +39,7 @@ in
      domain = "${domain}";
      origin = "${domain}";
      destination = [ "${hostname}" "${domain}" "localhost" ];
-      networks = [ "127.0.0.1" "141.30.30.169" ];
+      networksStyle = "host"; # localhost and own public IP
      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslKey = "/var/lib/acme/${hostname}/key.pem";
      relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
@ -61,9 +61,13 @@ in
        dumper:         root
        operator:       root
        abuse:          postmaster
+        postmaster:     root

        # trap decode to catch security attacks
        decode:         root
+
+        # yeet into the void
+        noreply:        /dev/null
      '';
      config = {
        home_mailbox = "Maildir/";
@ -98,6 +102,7 @@ in
        ];
        # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
        alias_maps = [ "hash:/etc/aliases" ];
+        alias_database = [ "hash:/etc/aliases" ];
        # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
        smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
        non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
@ -105,10 +110,10 @@ in
        smtpd_sasl_path = "/var/lib/postfix/auth";
        smtpd_sasl_type = "dovecot";
        #mailman stuff
-        local_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
+        mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";

        transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
-        local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" ];
+        local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
      };
    };
    dovecot2 = {
@ -152,37 +157,36 @@ in
        pkgs.dovecot_pigeonhole
      ];
      extraConfig = ''
-          auth_username_format = %Ln
-          passdb {
-            driver = ldap
-            args = ${dovecot-ldap-args}
+        auth_username_format = %Ln
+        passdb {
+          driver = ldap
+          args = ${dovecot-ldap-args}
+        }
+        userdb {
+          driver = ldap
+          args = ${dovecot-ldap-args}
+        }
+        service auth {
+          unix_listener /var/lib/postfix/auth {
+            group = postfix
+            mode = 0660
+            user = postfix
          }
-          userdb {
-            driver = ldap
-            args = ${dovecot-ldap-args}
+        }
+        service managesieve-login {
+          inet_listener sieve {
+            port = 4190
          }
-          service auth {
-            unix_listener /var/lib/postfix/auth {
-                 group = postfix
-                 mode = 0660
-                 user = postfix
-              }
+          service_count = 1
+        }
+        service lmtp {
+          unix_listener dovecot-lmtp {
+            group = postfix
+            mode = 0600
+            user = postfix
          }
-        	service managesieve-login {
-        	  inet_listener sieve {
-        	    port = 4190
-        	  }
-        	
-        	  service_count = 1
-        	}
-        	service lmtp {
-        	 unix_listener dovecot-lmtp {
-        	   group = postfix
-        	   mode = 0600
-        	   user = postfix
-        	  }
-        	  client_limit = 1
-        	}
+          client_limit = 1
+        }
      '';
    };
    opendkim = {
@ -190,7 +194,7 @@ in
      domains = "csl:${config.fsr.domain}";
      selector = config.networking.hostName;
      configFile = pkgs.writeText "opendkim-config" ''
-        UMask                   0117
+        UMask 0117
      '';
    };
    rspamd = {
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@ -39,7 +39,6 @@ in
        SOGoSieveServer = sieve://127.0.0.1:4190;
        SOGoSieveScriptsEnabled = YES;
        SOGoVacationEnabled = YES;
-        SOGoForwardEnabled = YES;
      '';
      configReplaces = {
        "LDAP_SEARCH" = config.sops.secrets.ldap_search.path;
--- a/modules/userdir.nix
+++ b/modules/userdir.nix
@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "users.${config.fsr.domain}";
+  port = 8083;
+  apacheUser = config.services.httpd.user;
+in
+{
+  # home directory setup
+  systemd.tmpfiles.rules = [
+    "d /etc/skel"
+  ];
+  environment.extraInit = /*sh*/ ''
+    if [[ "$HOME" != "/" && "$UID" != 0 ]]; then
+      umask 002
+
+      # home dir: apache may traverse only, creation mode is rw(x)------
+      setfacl -m u:${apacheUser}:x,d:u::rwx,d:g::-,d:o::- $HOME
+
+      mkdir -p $HOME/public_html
+      # public_html dir: apache and $USER have rwx on everything inside
+      setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:$USER:rwx $HOME/public_html
+    fi
+  '';
+
+  services.httpd = {
+    enable = true;
+    enablePHP = true;
+
+    virtualHosts.${domain} = {
+      enableUserDir = true;
+      extraConfig = ''
+        <Directory "/home/*/public_html">
+          Options -Indexes
+          DirectoryIndex index.php index.html
+          AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes
+        </Directory>
+      '';
+      listen = [{
+        ip = "127.0.0.1";
+        inherit port;
+      }];
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:${toString port}";
+    };
+  };
+}