frieder.hannenheim/fruitbasket
1
0
Fork 0
forked from wurzel/fruitbasket
Code Pull requests Activity

merging with main

Browse source
This commit is contained in:
revol-xut 2023-04-13 18:56:15 +02:00
commit de62b47e52
No known key found for this signature in database
GPG key ID: 4F56FF7759627D07
14 changed files with 133 additions and 377 deletions
Download patch file Download diff file Expand all files Collapse all files

10
modules/autoupdate.nix
View file

@ -1,10 +0,0 @@
{ pkgs, config, ... }:
{
system.autoUpgrade = {
enable = true;
dates = "12:00";
# might need to move this into the configuration of `birne`?
allowReboot = true;
};
}

21
modules/ftp.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, ... }:
let
domain = "ftp.${config.fsr.domain}";
in
{
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
root = "/srv/ftp";
extraConfig = ''
autoindex on;
'';
locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
allow 141.30.0.0/16;
allow 141.76.0.0/16;
allow 172.16.0.0/16;
deny all;
'';
};
}

64
modules/keycloak.nix
View file

@ -1,64 +0,0 @@
{ pkgs, config, lib, ... }: {
sops.secrets.postgres_keycloak = {
owner = config.systemd.services.keycloak.serviceConfig.User;
group = "keycloak";
};
users.users.keycloak = {
name = "keycloak";
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = {
name = "keycloak";
members = [ "keycloak" ];
};
services = {
keycloak = {
enable = true;
settings = {
hostname = "keycloak.quitte.tassilo-tanneberger.de";
http-host = "127.0.0.1";
http-port = 8000;
https-port = 8001;
proxy = "edge";
};
database = {
username = "keycloak";
type = "postgresql";
passwordFile = config.sops.secrets.postgres_keycloak.path;
name = "keycloak";
host = "localhost";
createLocally = true;
};
};
postgresql = {
enable = true;
};
nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.services.keycloak.settings.hostname}" = {
enableACME = true;
forceSSL = true;
http2 = true;
locations = {
"/" =
let
cfg = config.services.keycloak.settings;
in
{
proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
};
};
};
};
};
};
}

25
modules/ldap.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ config, pkgs, ... }:
let
domain = "auth.${config.fsr.domain}";
@ -89,6 +89,29 @@ in
daemon.enable = true;
};
security.pam.services.sshd.text = ''
# Account management.
account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
account required pam_unix.so
# Authentication management.
auth sufficient pam_unix.so likeauth try_first_pass
auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok sha512
password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so
session required pam_loginuid.so
session optional pam_mkhomedir.so
session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
services.nginx = {
enable = true;

107
modules/mail.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
let
hostname = "mail.${config.fsr.domain}";
domain = config.fsr.domain;
@ -6,7 +6,9 @@ let
# brauchen wir das überhaupt?
#ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
#server_host = ldap://localhost
#search_base = ou=mail, dc=ifsr, dc=de
#search_base = dc=ifsr, dc=de
#query_filter = (&(objectClass=posixAccount)(uid=%n))
#result_attribute=mail
#'';
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost
@ -17,8 +19,8 @@ let
ldap_version = 3
scope = subtree
base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_filter = (&(objectClass=posixAccount)(uid=%n))
user_filter = (&(objectClass=posixAccount)(mail=%u))
pass_filter = (&(objectClass=posixAccount)(mail=%u))
'';
in
{
@ -26,33 +28,85 @@ in
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
networking.firewall.allowedTCPPorts = [ 25 465 993 ];
users.users.postfix.extraGroups = [ "opendkim" ];
services = {
postfix = {
enable = true;
enableSubmissions = true;
hostname = "${hostname}";
domain = "${domain}";
relayHost = "";
origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" "141.30.30.169" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem";
extraAliases = ''
# Taken from kaki, maybe we can throw out some at some point
# General redirections for pseudo accounts
bin: root
daemon: root
named: root
nobody: root
uucp: root
www: root
ftp-bugs: root
postfix: root
# Well-known aliases
manager: root
dumper: root
operator: root
abuse: postmaster
# trap decode to catch security attacks
decode: root
'';
config = {
home_mailbox = "Maildir/";
smtp_use_tls = true;
smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
smtpd_tls_security_level = lib.mkForce "encrypt";
smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
smtpd_recipient_restrictions = [
"reject_unauth_destination"
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
"reject_non_fqdn_hostname"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_invalid_hostname"
];
smtpd_relay_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
];
#alias_maps = [ "ldap:${ldap-aliases}" ];
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth";
virtual_mailbox_base = "/var/mail";
smtpd_sasl_type = "dovecot";
# virtual_mailbox_base = "/var/mail";
};
};
dovecot2 = {
enable = true;
enableImap = true;
enableQuota = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
mailboxes = {
@ -74,7 +128,6 @@ in
};
};
extraConfig = ''
mail_location = maildir:/var/mail/%u
passdb {
driver = ldap
args = ${dovecot-ldap-args}
@ -92,6 +145,14 @@ in
}
'';
};
opendkim = {
enable = true;
domains = "csl:${config.fsr.domain}";
selector = config.networking.hostName;
configFile = pkgs.writeText "opendkim-config" ''
UMask 0117
'';
};
rspamd = {
enable = true;
postfix.enable = true;
@ -101,12 +162,6 @@ in
read_servers = "127.0.0.1";
write_servers = "127.0.0.1";
'';
"dkim_signing.conf".text = ''
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "quitte";
sign_authenticated = true;
use_domain = "header";
'';
};
};
redis = {
@ -140,27 +195,3 @@ in
};
};
}

19
modules/nginx.nix
View file

@ -1,6 +1,23 @@
{ config, pkgs, ... }:
{
services.nginx.enable = true;
services.nginx = {
enable = true;
appendHttpConfig = ''
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
# IP addresses to not anonymize
127.0.0.1 $remote_addr;
::1 $remote_addr;
default 0.0.0.0;
}
log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log anon_ip;
'';
};
security.acme = {
acceptTerms = true;
defaults = {

36
modules/printing.nix
View file

@ -1,36 +0,0 @@
{ pkgs, config, ... }:
{
# Enable CUPS to print documents.
services = {
printing.enable = true;
printing.drivers = with pkgs; [
gutenprint
gutenprintBin
hplip
hplipWithPlugin
];
avahi.enable = true;
};
environment.systemPackages = with pkgs; [
gnome.gnome-control-center
];
# set up Heiko
hardware.printers.ensurePrinters = [
{
description = "Drucker im FSR Buero";
deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
location = "FSR Buero";
model = "Kyocera ECOSYS M6630cidn KPDL";
name = "Heiko";
}
{
description = "Drucker im FSR Buero";
deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
location = "FSR Buero";
model = "Kyocera ECOSYS M6630cidn KPDL";
name = "Heiko";
}
];
}

24
modules/wifi.nix
View file

@ -1,24 +0,0 @@
#
# Useful config
# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
#
{ pkgs, config, ... }:
let
password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
in
{
networking = {
wireless = {
enable = true;
networks = {
"FSR" = {
priority = 10;
pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168";
};
};
};
};
}