From 61059500cd377497751d3f67906df1d908fd5ca4 Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 18 Nov 2022 19:08:43 +0100 Subject: [PATCH 01/55] fix hedgedoc --- flake.nix | 4 ++-- modules/hedgedoc.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 48f499a..bd91d47 100755 --- a/flake.nix +++ b/flake.nix @@ -60,7 +60,7 @@ ./modules/sops.nix ./modules/keycloak.nix ./modules/nginx.nix - #./modules/hedgedoc.nix + ./modules/hedgedoc.nix ./modules/wiki.nix ./modules/stream.nix ./modules/nextcloud.nix @@ -77,7 +77,7 @@ ./modules/base.nix ./modules/keycloak.nix ./modules/nginx.nix - #./modules/hedgedoc.nix + ./modules/hedgedoc.nix ./modules/wiki.nix ./modules/stream.nix ./modules/vm.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index f85d2a7..501b0d9 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -19,7 +19,7 @@ in hedgedoc = { enable = true; - settings = { + configuration = { port = 3002; domain = "${domain}"; protocolUseSSL = true; @@ -44,7 +44,7 @@ in enableACME = true; forceSSL = true; locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}"; + proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; proxyWebsockets = true; }; }; From 9f8be3c7e1826078846e18fd4bec2542059ee7e8 Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 25 Nov 2022 16:26:10 +0100 Subject: [PATCH 02/55] add gh-actions workflow --- .github/workflows/main.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..bfb606f --- /dev/null +++ b/.github/workflows/main.yml 
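Review bot: The `settings` → `configuration` rename in the `services.hedgedoc` block pins this module to the option name of whichever nixpkgs release flake.lock currently points at; to my recollection the NixOS module exposed `configuration` on 22.11 and renamed it to `settings` in a later release, so the next `nix flake update` will bring back the same evaluation failure this commit fixes. A one-line comment above the attribute, `# named 'configuration' on nixos-22.11; later releases call it 'settings'`, would spare the next person the bisect. Separately, `domain = "${domain}";` interpolates a plain string and can simply be `domain = domain;`. Both hedgedoc hunks start and end inside the attribute set, so the rest of the module is not visible here.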
@@ -0,0 +1,33 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Check Flake + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - uses: cachix/cachix-action@v12 + with: + name: fruitbasket + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + extraPullNames: nix-community + + - run: nix build + + - run: nix flake check From ba7d0c0a8a9aee9645624e83f588f7c5cfaff949 Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 25 Nov 2022 17:15:52 +0100 Subject: [PATCH 03/55] add secrets/admin.yaml --- .sops.yaml | 13 ++++ secrets/admin.yaml | 188 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100644 secrets/admin.yaml diff --git a/.sops.yaml b/.sops.yaml index 13849d7..3738915 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -44,3 +44,16 @@ creation_rules: - *jonas age: - *test + - path_regex: secrets/admin\.yaml$ + key_groups: + - pgp: + - *bennofs + - *revol-xut + - *felix + - *simon + - *rouven + - *helene + - *fugi + - *emmanuel + - *joachim + - *jonas diff --git a/secrets/admin.yaml b/secrets/admin.yaml new file mode 100644 index 0000000..2a70171 --- /dev/null +++ b/secrets/admin.yaml 
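Review bot: `cachix/cachix-action@v12` is handed the write token `CACHIX_AUTH_TOKEN` on `pull_request` as well as on `push`, so the following `nix build` step pushes whatever a same-repo pull-request branch builds into the `fruitbasket` cache before anyone has reviewed it, and the hosts that trust that cache will substitute it (GitHub withholds secrets from fork PRs, not from branches of this repository). Limit pushing to the main branch, for example `skipPush: ${{ github.event_name != 'push' }}` under `with:`, or run the cachix step only on push events. The three actions are pinned by mutable tags (`@v3`, `@v18`, `@v12`); pinning them to full commit SHAs closes the supply-chain gap for this job. A top-level `permissions: contents: read` would also keep the default `GITHUB_TOKEN` read-only.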
@@ -0,0 +1,188 @@ +cachix_password: ENC[AES256_GCM,data:Cx8d4Sd3yTDMfxVEPHcI2d1EQXuXRwf7TRO3WmwotYc=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:kC2VoEugIHxib5zK/em24w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-11-25T15:54:51Z" + mac: ENC[AES256_GCM,data:3r5MEGkl7heMrVP7adypwys1qUj0B8/rhWgoSp0g2U+qMnGfQqAbvuBOTkdmWpNhM1a+aKRD9ASmpoJ2S0QL5tMOFbNpE3exugzSCOlwO7+o/m8wU6uujOw7nxAAFlbDXNbv9s3tFod0gVe6Y14oxFTWI8F1PqS9eGy/y09a8U4=,iv:7IaM37M1hbfdJ1eDr5o3iekz3GQq8nb/59CDRPcSkE0=,tag:raNPUg7abddKyOvhYeL+nQ==,type:str] + pgp: + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DntlvaG5T7wcSAQdAM/BVbImmA9J2ns6PCIHhfb+LPQbKqotoD4Jb9XJNp1Qw + 5qJuTv4gzgQ7sREvihZLtAyydAivVM8z39MjEutazzdUwzK/VO1Gm9zOI6BMbi2O + 0l4BxxANLvRM2Ap0MHH5o5Rhlm8Y6RGc3mQA730ipfHaNYfUPx/BdhEkUtkWBVw0 + 8330JlhDjgzHldxg+8M+ZRTB5BQ7v8HmNTiDRRxgKxKoW720MYLLGyFKG0biw0oj + =/WEe + -----END PGP MESSAGE----- + fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ/7BTAoJD+khMXNIWJizL1BoXDXFXOwA3RCxdpQH0Fp1FSY + b4GKYK4YNf3mFxLvGf2Gz4hn0FPRLw2H2p8bTtRcnKmxpiDnIC9D7WEs4TlznFOz + /7DU/GG1T1qjgScyLQNP5xH+t9LnNIllR+BQKCuTLW/CoPTgfF/GjVR+3U5WqUB2 + +oDrBWMtMkWqjAFFSv7Nx7JWNHUhJm2Deydmg1VCFheVMe6YogoqarsALRLNNvp9 + 6anrIpaneAlWvU15q/ax46qXSIiqbLdMEy/iLfZT6YIopowDb2SrAYCHR6VwXWiZ + qr8OFwhsK9gdBFsN42QlXsySvRlZOy5lWOdq1/fbUZwBbeEJAMUsa5wQjVp3cuYQ + XHHQk5s08eSakGc6U+ypizbrBe8d+RH8H0kWAQVrQ0E8xzB4hnWdps7XNIW/+eAe + dVVcmg4pRnqmvk/O+V+m8UK1TYe49hg8aGRgtX1bojSB09CQkZl3MdCpwGcw53b1 + Udf16K9ggXScAeQYvrsXLJ39kxXNrTfFPTloAaq25kGriRzcPaaOBL8x+Q/sb44P + eibiRTC3jcOdo+9icSLPunaAw9oJGX7LhVv3gvK19EAJyaZFWBI72RKr/57UyYxZ + DQTxz8jGwdQeWuu4z9/M02EM3aWOEswkZBDFO72cfNAn8kOmuGq5ApNY6fOviAjS + XgF68qMCUUOpzuRxmz/g3fsg0oS4OhOCVUn/ntmB5kAtAKtxaKEXHtPqjsdf3iY3 + qH08FulmrYsP0cU4cXM2u+RdqcBj4IeYE/zhmmIlw233XvB07Wjrc4pj9uUWWr4= + =zQ7p + -----END PGP 
MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8uqUsBLHj6XARAAny5iqElv07bTRcGx9/ExcBHtcrFh7WE+r3xDGCuJFbhg + ULcE5IW4Lr4htW8gWcsU8uJSvk8epoB8XnRh3CqKzfa6hjGKaGFdvrqwQl4H5r/v + OOx68am7N6mUzzpbNp10Q8urCCLkCkUUZvh7/t9G5K+uosp1J4/FyqvbX3rDHcQY + hFFpJMISTUkpFVp7LWzzB3GmW2ivqgCKq7FWb8j4GWo5c0TMkEHoSP5KI5A8pLpy + cmlTIk8/wYRAkNaZkN7+H+NFPDvnJirnHab7272TD2CZV9WsaGpv+7R9B0RDGyI/ + LSRHiz0HvTK9d4y/G9WCotqcYQ7qhRy7zT80oarmJ3lYJXWwZHSJDtuXUKUvjaIP + s8fW+8dLKR4yekSrC7SS2d5t+F7o8emAWUWWXnQnjfDGmL8Koj4kDRJscNfsyYsA + DMB5jSmlWzeLLuZBtvbEnrFBg+rvRBSAEo4NleMk52HCi4PAf7dn//P4jlAkpfzN + clCs4XHXY4O1ab5nE/LLHkB5y1m1PYkilP43hMkqXmhA/jrVFd5u+vQ05kNCzCuW + vHSuvQvhoPFvid/ikGEa+qEWIUXFhL7z9/As9/GeGNzlSL5FgmhFd3CwMdEj8bjR + cKGMR76n1I7ER4RMe1pq4nI5vFQ7teCuD1QHKLtLFVAIkQgIBibECdlOXOLIe93U + aAEJAhBrXKPr+8mhR/xRHVdagUUBqxQWicjMZ13d3vuPWb6QBKyKgoGlDixK4VkO + KDDjQY1evyHtmGXeiLXajY3fUwTggPtuKxab2YztmeiliKiG2sLay8PGke4dD8yk + 3WRs2IRu0v4+ + =rwIY + -----END PGP MESSAGE----- + fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 + - created_at: "2022-11-25T15:54:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAwDgSONkM+d4ARAAsPpfKaJ+/24rwoPWcjK7VN6vfK78XyOzWvpLFiDlpK2g + 6NscC80PQ2820UFKjXMSG1ZfxPUxnYGqcrP3I75LVMN5ODYi+Tn/snoI3HFwiUhc + R42gvSx/MXcvz65Zf8h8nLOuinSngiMcH9J3fQkEFEmen0laEr0V9D536Zgq87S8 + I13DHosLia/o7l7wL6xig6EjYg2fCK41wm0ZfFBY6m+82eqijOvOwPOdm+bWHwqa + EVOzsxJHAg8iYNQ/FEPRfz0W7K335Kzvcltq5/cp8AiKJQaVB25k1+kfJwyMUIrV + 02UgETvZLqoMTXiwbbYgER8RfFo+pEAiG2Zs8VJcI8Lo4bc6q0jWHqcMIlHVNZyA + vM04p3/ezD4cM7IW/MuvhGuZEnuK3jUrmMOqQRlNYgfama2piqqMlX8W3ypBLOeL + RzuGrwZ9FaSra8XE3yLDmfvx9oazLfr++/Kg14Zm/gVd65dzS9NUvCqdvK7Ie4Cc + fPrRIHLN7gkynt1WrFyF2PcgJa8oepHid7hr8eEYA21d6RtnyvP+dLBnybE1q9Ks + ojKyL5WQtTWtMIOaJwAWI4PA1azFXxwlKjpnnKSNhoG8/71AvG8hugUCkyUwjOCu + ZlGiyUdc3WKD7UYmi2F76TLMnLlSmXBN8iiPGchSNJfdxT61VTz2sNsoVm3jJ9nS + UQHKKWNz9Z5oUTOXqREGVO+5je4c1dQBkRBIa0gVMkhXtvxsR38nc22gWEynO06H + 
oLefe5EI0xXsCY6pu76hYT4oYcR/xK2pcskPZdkn3/pxzA== + =FD5R + -----END PGP MESSAGE----- + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: "2022-11-25T15:54:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAzUXo8ZPJwGLARAAjeYrnUgB3trB84njBwD5onsJDnhxGRwzB3Gxosf3ocfB + ruW4cJ97XnXcOXtfIyayUJz/tnsaL8LZwTOGxzS7s43RBYC0fhNEkRGcLl2aHCzu + rTNoFqnYNk/C4xrfQPpk8lKlvgW9HYnky1Khv08YrvDlgajYEtkWFI/pbQKzASa2 + arZiDo37NXIQUMWoF6tBgzKu7d7U9mK3DQQ17IX4LjDxmESKIGGJ9JiFc9q7B/sS + 1k9Am13nojNpeCqwOTMSlZ/RrrglPEI5IxuXsfUD+NgDtVWgiBHHNa/SgtPEkmQB + d7PvFneaWcCDOCUhshydlX0dso28IIN5TYJpiG1iCfIy6/0h/fgPpEJb1MAqcAfo + VQCKW5Y5V9X/U/YrofXkueLq+CvdOVilVUWOqNdNqBEHYQg0PlDswSlEYeLqKkaV + EBV0WABZRHoYEkDGdW4R06gN8qdISoRytMV5jyus/kEJnnfRxGYDbsmexRHBZtIl + 37cDbHRMQK0l18LPRFv/4RGVer+lt7/fLWUcJud2bC15Wl6dfabqzqU9GwXPAQdj + x+aP/GSEf7PgPnhOvxzKM6gjrMgb1TuKb5j197Plambh0IA34//34Gea5v+PUKAD + rum+KXvkFec/X+dQMboFfv07e2to1ci+Z0BqC6HUOTHCsmJpAZq3ezEimY610G7S + UQEOtZ/NH5Yjvkc5osaw/TegmJm7ZbSaCR6XaPhCiU95IpwpTxUYYI2QOiBBlRgf + UlunIR/sfNm0Pd5T/eB+RUJapHL3rkRpQquhxkln2kYy0w== + =rDY/ + -----END PGP MESSAGE----- + fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4D9r3oXQWw/BASAQdAR6qHAUn8s50JRyEbkIL9Buy/tx5/N1SEeFty3wOCpnEw + +QLAbvme/NMB1uO2jwwY9nlfl7IpwaB7VflXkhN1hPGzU9fCMK5ndaNePOEDcQPe + 1GgBCQIQ7ozw5I51cQOs+kg/9VOkh9zbOpNLUiyoxEqp7u4rswnsA1XrhSnlpX1Y + QtJoyY+0cif1Bz9T+0LM4t9OxCCF0UhVNcf8oYrP+GCHEjkcc7y5WAJuBkUhpeIt + lQPhlrni2TH1+w== + =M5Cq + -----END PGP MESSAGE----- + fp: B43C3A8A92CA28486AC6C4E2F115100C787C1C19 + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA30JDs8MiK29AQ//Ym8SiT1oqRvwEyIPPILK7DY3MnAIxw4ycJJ1nlC2ry2z + e/zzJj3GynYzXogfH6lqaFVtMMWsjAahsgw2CQjk15hPU6rnJKGj7O+vccgNGwfS + 4fpXxgbhHj12wGd2nn+4zGZHNq+HGR1VclSnb1ZcqP0O06VWyhi/G9uDVoyuHcl7 + XxmMJBPPws2DY8Il+DmCOU2DUBq/2p9Y5DOOJPdY16WWUGk49R0h9koTLpn2EQbD + 
WkQJnn4fUSAOLB8ozWTo0Yg6R1iWpGEgz2jbLC/b8ENuC70crDge0v6mA3r8m153 + 63awupZv0Rwqnq6+JaMmqq86IMOMiFWF8t5ZZ8i9u/d2F+3ok90EVwn/ea1kINn0 + WAOTe1tj4SkX5x/lglucbaeB4hfdHJFrU28UYDC2e5gx+9mGpPjqDVcfvLkdVE/s + +Oa/3zm9IJDa03yxOSPTGOu6KYtXv9huTPKZO+rYCpUbvU8YSHf4EmbnfAMfhT9L + KhItQSLX8uAY2r9o4ycQ0CvYhbktxc0QYO45Cc37dewi+BrF8SUNFGuaLdBZSG7e + y8D5z+4KC76Ygw1K/apds7pnvH8Z/JXog7QAf5mi7Z+crCizFOz5Vrbxw5/1Qxq3 + bhfd2KjUHyZHqOT7dImX0SLuJH0FkCfUnxFgQI4zo13/nwvJfH4dlutkvxT7SfrS + XgH5TJTMXG37k4NSQzW7O8atgT1C6jVyMvhN0HGbHAGPpcHQoE6U76p9v/Xq9nm5 + qfYC4Wo8bvGtEJLYH2YwfzPNILdQj+7cArOTwNLy7Sq4gJlnIRbGGOE8lYrQ8jI= + =lKbJ + -----END PGP MESSAGE----- + fp: BF37903AE6FD294C4C674EE24472A20091BFA792 + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0nQCLGHQlNzAQ/+PNzpv4IOkYpQHkE+5/o15Ob3miIH0d+iPoj74CbhJZpm + jcszEFZ7fMRkMU4O6PpG/+f0QNqhOivwTQOwfxVVhQR/Zyvpr48cuTrfHDgHUePU + U0BZFoQRCx+hWt05ziYjJkTd0x1iBrotlvNAlPwtjbxrjTsBFq1hXUjQsE+9n+Nv + 7d9oBFG1r/3pp6ZCdncnERKWglvRnIjz0DWj6l2rXGeInzP8sbaPdblxKmm0LQBY + K1UQeMJiGmurOOlhIKBDOVsioVrT0nmdQGkJEmGqtJYQ+6cY9piEU4wREj3XKBQc + /JWD96TKZeCZvnEyz/abuXU7P4u9sUrvULCB7us3UreK4n8EPIJKjg9ofMDg89pn + eTTgK2E3Wg6FIfJd3RWLjvs34eCUT3giftoggBzmiKYMJ/ALC3FLuDHywAeDLUQf + FGVvciO7vqM4W31cMsTserxWnCEp+T1wCXwZWS0+Wh58U2X0RtRa+DYeEasU9W7v + 3RJmbGgjCTnTrNNnS7NcgG3Cidg92bbzonXn6VB5eU/vbS0BcoTu/cfoHnyUQfMe + +n/XCwW00fds/jkLOll52x478C4NkeYkwoL1FzDZBgCNkidpPleDLivC7wj62E+w + rhwxNBGf4Qs2LHRWHgimd8l6z9+WG9g+5UgxUTp4WhJkuRSp8TmhbqfIWI0zCGfS + XgFoAIyQtXOKLnFFCEcwFUTh7mKw6bbk8u0pQUPLyQSBlVHZdhqtpkT+hq1+Y4Nm + tU8pb9G8BOryUvgOnEy8dPx9G64iwxYrYOu+cms6AigK8ZGHjSzOfqbJsgn7zgE= + =RDPX + -----END PGP MESSAGE----- + fp: E83F398E6423179FE4F63D4FF085CAD394DE329D + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DNffZWjBmO5ASAQdAsqGwMruz+NHQGNXhBlkFxzz49h/s+0rL8glEfh9avyww + WgBSk5HdE7O2/NNSBKSoNEjO8mHa0Z0yyQEi36ohY3KlwNPsP4ThiPOLl6z8xsK3 + 1GgBCQIQrNrzmh92ThNLfkhjNvfdFnPOK1LScYAVQQt+wYjWZJ7Cj6v3rxmiPWqj 
+ DuJSJrbWRFVXEQWRT7hfTa8lhAymec9G65MYN+GUQy68Yb1dJckPmuj4ja6d0JMA + Mo5Sz7alehfJfw== + =kmse + -----END PGP MESSAGE----- + fp: B1A16011B86BACB56ADB713DB712039D23133661 + - created_at: "2022-11-25T15:54:04Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6MARpDCLIz2ARAAgWhMSYIrgIs5WEpkpKbMQ0Gs89BJVAk+e/aF6F5JFKFD + lXdhin+XOK+foCdba68d8iCj+G94vO2TjnC1clv6BSMtpCjFspLISK3993JahBCt + lVPDl6OPjjgETLa7v9JrkYadafzQasXSDtC0Nqfg3AAb/EfYAe2k/K79kAElHWIl + ALLm8i8kbiOfySnjwhl8cJdDS7ua8nfC+pTac6e2GML0bKGjA0WR+ccOTGpNsFAu + UPtw5onoSDmywqv88tlUdmdWAz1NsnQUhzvZ4j+YCLCltlU7bzDI9/ExhgQHxC4v + Fghfs9jLINQZ7aWdqdib7S3FmFRdN06lsGh4bQFG+NPtLcoFxLcWkiArRVPW2lZ5 + YUZ1Brs+gvHNMvSVPXbe+1V9nwjvm1S76vUYwTm5mf8jm7wA1NqyoB3etPEaQzPA + FYAZqErNVgG7pfa0zpnNYHHBB8y/Z/pyJKqRvRMJFpRj91FFULRrVPFr2B4JARAu + 6/Sonr20Q5UTIPpT2yhzDltL25Yfj6alCrsOTJ+XufGgw5m62UjKmarqCQJUwEk+ + /Qx3z+j1NlMgeuYpr+bWnjLgtwXuR0Q0pFgBkpJdP3VrvmfM/79fOBvEAFRgkevL + tKPNfFrJv56ODfFmjMwmux2tHxROMAXWLUb5gFeAIoRRIk0ru0sEQVGwaj5Yo6bS + XgEaqKfvaVzc1TuY5YIuXuXP+YLOJKJvDLmSaowFnM+GS1HtW1yGrdtCajEls2tE + MJAnCZurAfwK48GfQx1qnzyd9QOi1KYRafXFXEu1AyU7BCgwZiMPp3Qdv09sAMg= + =Rs7Q + -----END PGP MESSAGE----- + fp: A4F92BC7B792108A463995827C1F2DA2BC929412 + unencrypted_suffix: _unencrypted + version: 3.7.3 From 00291f7e9f0415bf9fb53955eb83e5567a13bf77 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Fri, 2 Dec 2022 14:25:55 +0100 Subject: [PATCH 04/55] basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet --- modules/ldap.nix | 53 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 modules/ldap.nix diff --git a/modules/ldap.nix b/modules/ldap.nix new file mode 100644 index 0000000..fe4c3b0 --- /dev/null +++ b/modules/ldap.nix 
@@ -0,0 +1,53 @@ +{config, ...}: let + # temporary url, zum testen auf laptop zuhause + tld = "moe"; + hostname = "eisvogel"; + domain = "portunus.${hostname}.${tld}"; +in { + # TODO: acme/letsencrypt oder andere lösung? + # + services.nginx = { + enable = true; + virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; + }; + }; + }; + + services.portunus = { + enable = true; + domain = "${domain}"; + ldap = { + suffix = "dc=${hostname},dc=${tld}"; + tls = true; + }; + + # TODO: siehe unten sops, statische config + # seedPath = ""; + + # falls wir das brauchen + # dex = { + # enable = true; + # ... + # }; + # searchUserName = "xxx"; + }; + + users.ldap = { + enable = true; + server = "ldaps://${domain}"; + base = "dc=${hostname},dc=${tld}"; + # useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen + }; + + networking.firewall.allowedTCPPorts = [ + 80 # http + 443 # https + 636 # ldaps + ]; + # TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll +} From 29e69b67edbd4e635d2489b57c7c7647c3ffb560 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 13:58:06 +0100 Subject: [PATCH 05/55] expanded portunus config - daclaritve portunus and openldap users/groups - basic sops stuff still needs discussion --- modules/ldap.nix | 66 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 50 insertions(+), 16 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index fe4c3b0..bced946 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix 
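Review bot: `users.ldap.enable = true` in the lower half of the hunk makes this host's own NSS/PAM lookups depend on the directory it is also serving, and with no `users.ldap.bind` credentials those lookups go out as anonymous binds; portunus' slapd is, as far as I know, configured to refuse anonymous reads, which would leave local logins waiting on failed lookups at boot. Either leave `users.ldap` out until a search/bind account exists or annotate the intent with `# host NSS/PAM against the local directory; needs an LDAP search user before this works`. The `/dex` location proxies to `config.services.portunus.dex.port` although `services.portunus.dex.enable` is never set in this file, so that path will answer 502 until dex is switched on. Opening 636 in the firewall exposes LDAPS to the network; if only nginx and this host consume the directory, that entry can be dropped.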
@@ -3,31 +3,53 @@ tld = "moe"; hostname = "eisvogel"; domain = "portunus.${hostname}.${tld}"; + + portunusUser = "portunus"; + portunusGroup = "portunus"; + + ldapUser = "openldap"; + ldapGroup = "openldap"; in { - # TODO: acme/letsencrypt oder andere lösung? - # - services.nginx = { - enable = true; - virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - locations = { - "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; - "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; - }; - }; + users.users."${portunusUser}" = { + isSystemUser = true; + group = "${portunusGroup}"; + }; + + users.groups."${portunusGroup}" = { + name = "${portunusGroup}"; + members = ["${portunusUser}"]; + }; + + users.users."${ldapUser}" = { + isSystemUser = true; + group = "${ldapGroup}"; + }; + + users.groups."${ldapGroup}" = { + name = "${ldapGroup}"; + members = ["${ldapUser}"]; + }; + + # TODO: eigenes secrets.yaml für seedfile? + sops.secrets.portunus_seedfile = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; }; services.portunus = { enable = true; + user = "${portunusUser}"; + group = "${portunusGroup}"; domain = "${domain}"; ldap = { + user = "${ldapUser}"; + group = "${ldapGroup}"; suffix = "dc=${hostname},dc=${tld}"; tls = true; }; - # TODO: siehe unten sops, statische config - # seedPath = ""; + # TODO: wohin seed file? + seedPath = ""; # falls wir das brauchen # dex = { 
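Review bot: `seedPath = "";` replaces the commented-out placeholder with an empty string; if `services.portunus.seedPath` is typed `nullOr path` the empty string fails the type check at evaluation time, and if it is accepted portunus is pointed at a nonexistent seed file. Keep it `null` (or commented) until a seed file exists. `sops.secrets.portunus_seedfile` is declared here but nothing in the hunk references its `.path`, so the secret is decrypted onto the host for no consumer; wire it into `seedPath` or defer adding it. The explicit `user`/`group` values appear to match the module defaults and the `members = [ ... ]` lists duplicate the `group =` on the user entries, which is harmless but deserves a comment saying why the names are pinned.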
@@ -41,7 +63,20 @@ in { enable = true; server = "ldaps://${domain}"; base = "dc=${hostname},dc=${tld}"; - # useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen + # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen + }; + + # TODO: acme/letsencrypt oder andere lösung? + services.nginx = { + enable = true; + virtualHosts."${config.services.portunus.domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; + }; + }; }; networking.firewall.allowedTCPPorts = [ @@ -49,5 +84,4 @@ in { 443 # https 636 # ldaps ]; - # TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll } From db63f4eb8d3f43f7ea624b267ddd4330d31e0b38 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 17:42:10 +0100 Subject: [PATCH 06/55] format ldap.nix --- modules/ldap.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index bced946..697bca1 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,5 @@ -{config, ...}: let +{ config, ... }: +let # temporary url, zum testen auf laptop zuhause tld = "moe"; hostname = "eisvogel"; @@ -9,7 +10,8 @@ ldapUser = "openldap"; ldapGroup = "openldap"; -in { +in +{ users.users."${portunusUser}" = { isSystemUser = true; group = "${portunusGroup}"; @@ -17,7 +19,7 @@ in { users.groups."${portunusGroup}" = { name = "${portunusGroup}"; - members = ["${portunusUser}"]; + members = [ "${portunusUser}" ]; }; users.users."${ldapUser}" = { @@ -27,7 +29,7 @@ in { users.groups."${ldapGroup}" = { name = "${ldapGroup}"; - members = ["${ldapUser}"]; + members = [ "${ldapUser}" ]; }; # TODO: eigenes secrets.yaml für seedfile? 
From dee80f1127caef8b4e32c6431680aea8c984155e Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:46:09 +0100 Subject: [PATCH 07/55] addning nixpkgs fmt ci --- .github/workflows/fmt.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/fmt.yaml diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml new file mode 100644 index 0000000..1bffffa --- /dev/null +++ b/.github/workflows/fmt.yaml @@ -0,0 +1,25 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Check Flake + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt .' From c8f8779e4b9029950ade9e69e9b8bec630b625a5 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:46:35 +0100 Subject: [PATCH 08/55] nixpkgs-fmt forgot the --check flag --- .github/workflows/fmt.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index 1bffffa..6f8d3f4 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -22,4 +22,4 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes - - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt .' + - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From e6d173f07ff30909d0db96bc383a2a9118135064 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:48:47 +0100 Subject: [PATCH 09/55] github ci updating channel --- .github/workflows/fmt.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index 6f8d3f4..dc26e7a 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml 
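Review bot: The new workflow reuses `name: main` and the job id `check-flake` / `name: Check Flake` from main.yml, so two different workflows appear under one name in the Actions UI and in branch-protection rules, making it impossible to require the format check on its own; rename them, e.g. `name: fmt` and a job id `nixpkgs-fmt`. The last step runs `nixpkgs-fmt .` without `--check`, which rewrites files on the runner and exits zero, so the job never fails on unformatted code. As in main.yml, `actions/checkout@v3` and `cachix/install-nix-action@v18` are pinned by mutable tag rather than commit SHA.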
@@ -22,4 +22,5 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes + - run: nix-channel --update - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 9776469317bff5604ae602d1e4a26a1078f93183 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 17:50:33 +0100 Subject: [PATCH 10/55] include ldap.nix in flake --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index bd91d47..99a38a7 100755 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ ./modules/base.nix ./modules/sops.nix ./modules/keycloak.nix + ./modules/ldap.nix ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix From e0ef7537e10dc1c7a177148c994654c0cf20f3ed Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:52:51 +0100 Subject: [PATCH 11/55] updating and adding channel --- .github/workflows/fmt.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index dc26e7a..dd730bd 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -21,6 +21,7 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes - + - run: nix-channel --list + - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 3395b4740530925b2b94ff7c949c7881aab5e988 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:57:05 +0100 Subject: [PATCH 12/55] lisiting channels --- .github/workflows/fmt.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index dd730bd..d9e3359 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml 
@@ -24,4 +24,5 @@ jobs: - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update + - run: nix-channel --list - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 01129ebf173945c9ce18ffa3731f2e9caa63dbf9 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 18:01:28 +0100 Subject: [PATCH 13/55] using modern nix --- .github/workflows/fmt.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index d9e3359..ba75025 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -10,7 +10,7 @@ on: jobs: check-flake: - name: Check Flake + name: Nixpkgs Formatting runs-on: ubuntu-latest steps: @@ -21,8 +21,10 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes + - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - run: nix-channel --list + - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 09d8697f7a2c03977ef04e8e3050008cf4f2c015 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 18:05:19 +0100 Subject: [PATCH 14/55] removing old command from pipeline --- .github/workflows/fmt.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index ba75025..93d16c5 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -22,9 +22,6 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes - - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - - run: nix-channel --list - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check - - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' 
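Review bot: After this removal the remaining `nix-channel --add` and `nix-channel --update` steps are dead weight: `nix shell nixpkgs#nixpkgs-fmt` resolves `nixpkgs` through the flake registry (by default `github:NixOS/nixpkgs/nixpkgs-unstable`), not through the channel those two steps install, so the formatter version is unpinned and drifts independently of the repository's `flake.lock`. Drop the channel steps and pin the tool, for example `- run: nix shell github:NixOS/nixpkgs/nixos-22.11#nixpkgs-fmt -c nixpkgs-fmt . --check`, or expose the formatter from this flake so CI and developers run the same version. The same observation applies to the `nix shell` line introduced in the preceding commit.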
From f3ac390cf9eff37a15964bb38960046dd0c0ebf6 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 18:27:16 +0100 Subject: [PATCH 15/55] add portunus seeds file with basic groups, no users --- config/portunus_seeds.json | 34 ++++++++++++++++++++++++++++++++++ modules/ldap.nix | 11 +---------- 2 files changed, 35 insertions(+), 10 deletions(-) create mode 100644 config/portunus_seeds.json diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json new file mode 100644 index 0000000..58900aa --- /dev/null +++ b/config/portunus_seeds.json @@ -0,0 +1,34 @@ +{ + "groups": [ + { + "name": "admins", + "long-name": "Portunus Admins", + "members": [], + "permissions": { + "portunus": { "is-admin": true }, + "ldap": { "can-read": true } + } + }, + { + "name": "ifsr", + "long-name": "Mitglieder des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + }, + { + "name": "strukturer", + "long-name": "Strukturer des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + } + ], + "users": [ + {} + ] +} diff --git a/modules/ldap.nix b/modules/ldap.nix index 697bca1..edbdc14 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -50,15 +50,7 @@ in tls = true; }; - # TODO: wohin seed file? - seedPath = ""; - - # falls wir das brauchen - # dex = { - # enable = true; - # ... - # }; - # searchUserName = "xxx"; + seedPath = "../config/portunus_seeds.json"; }; users.ldap = { @@ -68,7 +60,6 @@ in # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen }; - # TODO: acme/letsencrypt oder andere lösung? services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { From eece008de6dd559aa5de451eaebc1d1d702052d8 Mon Sep 17 00:00:00 2001 
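Review bot: `"users": [ {} ]` is an empty user object, and portunus' seed loader most likely rejects an entry without at least a `login_name`, so the whole seed file would fail validation until a real user is added; `"users": []` is the safe placeholder. Every group also starts with `"members": []`, so no account holds `is-admin` after the first seed, which is worth a short comment in the accompanying ldap.nix since JSON has no comment syntax. The `ldap.can-read` permission is granted only to `admins`, which is a sensible default to keep.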
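Review bot: `seedPath = "../config/portunus_seeds.json";` is a string, not a Nix path literal: it is neither copied into the store nor resolved relative to this file, so portunus receives a path relative to its own working directory at runtime, and if the option is typed `path` evaluation fails outright because the value does not start with `/`. Use the unquoted form `seedPath = ../config/portunus_seeds.json;` so the JSON is imported into the store and an absolute store path is handed to the service. The `services.portunus` attribute set this line sits in starts before and ends after the hunk.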
From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 18:48:30 +0100 Subject: [PATCH 16/55] add admin user with sops secured password --- config/portunus_seeds.json | 7 ++++++- modules/ldap.nix | 2 +- secrets/quitte.yaml | 5 +++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json index 58900aa..63a399b 100644 --- a/config/portunus_seeds.json +++ b/config/portunus_seeds.json @@ -29,6 +29,11 @@ } ], "users": [ - {} + { + "login_name": "admin", + "given_name": "admin", + "family_name": "admin", + "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] } + } ] } diff --git a/modules/ldap.nix b/modules/ldap.nix index edbdc14..80aef7d 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -33,7 +33,7 @@ in }; # TODO: eigenes secrets.yaml für seedfile? - sops.secrets.portunus_seedfile = { + sops.secrets."portunus_admin" = { owner = "${portunusUser}"; group = "${portunusGroup}"; }; diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index 5feab36..716bca9 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml 
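Review bot: The seeded `admin` user is not placed in any group: the `admins` group still has `"members": []` from the previous commit, and `is-admin` is a group permission, so this account logs in with no administrative rights at all; add `"members": ["admin"]` to the `admins` group in the same file. The `from_command` reads a hard-coded `/run/secrets/portunus_admin`, which is the default sops-nix location for the secret renamed in the ldap.nix hunk below; since JSON cannot reference `config.sops.secrets.portunus_admin.path`, a comment next to that secret declaration saying the seed file pins this path would keep the two from drifting. Seeded passwords are, as far as I know, reapplied on every portunus start, so this account's password is managed by sops alone, which is also worth stating there.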
@@ -4,6 +4,7 @@ postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] +portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] 
@@ -23,8 +24,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:28:28Z" - mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] + lastmodified: "2022-12-17T17:42:18Z" + mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | From 2f8d5b89498b2523bf636bede6736ac64ac56654 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:03:02 +0100 Subject: [PATCH 17/55] remove `users.ldap` config --- modules/ldap.nix | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index 80aef7d..b1ed81a 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,9 +1,9 @@ { config, ... }: let # temporary url, zum testen auf laptop zuhause - tld = "moe"; - hostname = "eisvogel"; - domain = "portunus.${hostname}.${tld}"; + tld = "de"; + hostname = "ifsr"; + domain = "auth.staging.${hostname}.${tld}"; portunusUser = "portunus"; portunusGroup = "portunus"; @@ -53,13 +53,6 @@ in seedPath = "../config/portunus_seeds.json"; }; - users.ldap = { - enable = true; - server = "ldaps://${domain}"; - base = "dc=${hostname},dc=${tld}"; - # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen - }; - services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { 
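Review bot: The comment `# temporary url, zum testen auf laptop zuhause` above the changed `tld`/`hostname`/`domain` values is now stale: the domain becomes `auth.staging.ifsr.de`, and the same two variables also form the LDAP suffix `dc=ifsr,dc=de`, a production-like base DN no longer tied to a test laptop. Replace it with `# staging domain; hostname/tld also form the LDAP base DN` so a reader knows that changing either variable renames the directory suffix. With `users.ldap` removed, port 636 in `networking.firewall.allowedTCPPorts` (outside this hunk) has no consumer left in this file; double-check whether external LDAPS clients still need it open.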
From e1c992f50a26f3cf0ac2ce6391779134487110eb Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:04:45 +0100 Subject: [PATCH 18/55] clean up ldap.nix --- modules/ldap.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index b1ed81a..ce9e798 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -32,7 +32,6 @@ in members = [ "${ldapUser}" ]; }; - # TODO: eigenes secrets.yaml für seedfile? sops.secrets."portunus_admin" = { owner = "${portunusUser}"; group = "${portunusGroup}"; From 565bcae08162ee42c6f68437e59fdeb82ae8db79 Mon Sep 17 00:00:00 2001 From: fugi Date: Sat, 17 Dec 2022 19:11:37 +0100 Subject: [PATCH 19/55] add matrix configuration --- flake.nix | 1 + modules/matrix.nix | 126 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 modules/matrix.nix diff --git a/flake.nix b/flake.nix index bd91d47..973bcda 100755 --- a/flake.nix +++ b/flake.nix @@ -64,6 +64,7 @@ ./modules/wiki.nix ./modules/stream.nix ./modules/nextcloud.nix + ./modules/matrix.nix { sops.defaultSopsFile = ./secrets/quitte.yaml; } diff --git a/modules/matrix.nix b/modules/matrix.nix new file mode 100644 index 0000000..493168c --- /dev/null +++ b/modules/matrix.nix 
@@ -0,0 +1,126 @@ +{ config, pkgs, lib, ... }: +let + domain = "staging.ifsr.de"; + domainServer = "matrix.${domain}"; + domainClient = "chat.${domain}"; + clientConfig = { + "m.homeserver" = { + base_url = "https://${domainServer}:443"; + server_name = domainServer; + }; + "m.identity_server" = {}; + }; + serverConfig = { + "m.server" = "${domainServer}:443"; + }; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in +{ + #sops.secrets = { + # synapse_registration_secret = { + # owner = "matrix-synapse"; + # group = "matrix-synapse"; + # }; + #}; + + services = { + postgresql = { + enable = true; + ensureUsers = [ + { + name = "matrix-synapse"; + } + ]; + }; + + nginx = { + recommendedProxySettings = true; + virtualHosts = { + # synapse + "${domainServer}" = { + enableACME = true; + forceSSL = true; + + # homeserver discovery + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + + # 404 on / + locations."/".extraConfig = "return 404;"; + + # proxy to synapse + locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/_synapse/client".proxyPass = "http://[::1]:8008"; + }; + + # element + "${domainClient}" = { + enableACME = true; + forceSSL = true; + + root = pkgs.element-web.override { + conf = { + default_server_config = clientConfig; + }; + }; + }; + }; + }; + + matrix-synapse = { + enable = true; + + settings = { + server_name = domainServer; + + listeners = [{ + port = 8008; + bind_addresses = [ "::1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + }]; + + # TODO: ldap + registration_shared_secret = "registration_shared_secret"; + }; + # extraConfigFiles = [ + # (pkgs.writeTextFile { + # name = "matrix-synapse-extra-config.yml"; + # text = '' 
+ # ''; + # }) + # ]; + }; + }; + + systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ]; + + systemd.services.matrix-synapse-pgsetup = { + description = "Prepare Synapse postgres database"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" "postgresql.service" ]; + serviceConfig.Type = "oneshot"; + + path = [ pkgs.sudo config.services.postgresql.package ]; + + # create database for synapse. will silently fail if already exists + script = '' + sudo -u ${config.services.postgresql.superUser} psql < Date: Sat, 17 Dec 2022 19:12:41 +0100 Subject: [PATCH 20/55] adding option for domain --- flake.nix | 8 ++++++-- modules/hedgedoc.nix | 2 +- modules/nextcloud.nix | 2 +- modules/options.nix | 15 +++++++++++---- modules/stream.nix | 2 +- modules/wiki.nix | 10 +--------- 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/flake.nix b/flake.nix index bd91d47..2f5f766 100755 --- a/flake.nix +++ b/flake.nix @@ -56,15 +56,18 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix ./modules/sops.nix - ./modules/keycloak.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix ./modules/stream.nix ./modules/nextcloud.nix { + fsr.enable_office_bloat = false; + fsr.domain = "staging.ifsr.de"; sops.defaultSopsFile = ./secrets/quitte.yaml; } ]; @@ -74,8 +77,9 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix - ./modules/keycloak.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index 501b0d9..3c8b776 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "pad.quitte.tassilo-tanneberger.de"; + domain = "pad.${config.fsr.domain}"; in { services = { 
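Review bot: `registration_shared_secret = "registration_shared_secret";` inside `services.matrix-synapse.settings` writes a literal placeholder secret into the generated homeserver config, which is rendered into the world-readable Nix store, so the value is recoverable by any local user and is also not a real secret. The commented-out `sops.secrets.synapse_registration_secret` block at the top of the file already sketches the intended approach; the secret belongs in an `extraConfigFiles` entry that reads a sops-managed file, not in a settings literal. The `# TODO: ldap` next to it suggests this is interim, but a placeholder still has to be replaced before the module is deployed anywhere reachable. The tail of this hunk (the pgsetup `script` heredoc) is garbled in this view and was not reviewed.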
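Review bot: The second `nixosConfigurations` entry in this hunk gains `./modules/options.nix` but no `fsr.domain` override, so it falls back to the option's default `ifsr.de` (the production domain) while the first entry is pinned to `staging.ifsr.de`. If the second entry is the VM/test configuration, as its module list suggests, that is probably unintended and `fsr.domain` should be set there as well; if it is deliberate, a comment next to `./modules/options.nix` saying so would prevent the question coming up again. `# ./modules/keycloak.nix replaced by portunus` is a useful breadcrumb, but neither module list on this hunk imports an ldap/portunus module yet, so the replacement is not actually wired in here.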
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 407f847..373466d 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "nc.quitte.fugi.dev"; + domain = "nc.${config.fsr.domain}"; in { sops.secrets = { diff --git a/modules/options.nix b/modules/options.nix index 26868ae..dc8f4d5 100644 --- a/modules/options.nix +++ b/modules/options.nix @@ -1,7 +1,14 @@ { config, lib, ... }: with lib; { - options.fsr.enable_office_bloat = mkOption { - type = types.bool; - default = false; - description = "install heavy office bloat like texlive, okular, ..."; + options.fsr = { + enable_office_bloat = mkOption { + type = types.bool; + default = false; + description = "install heavy office bloat like texlive, okular, ..."; + }; + domain = mkOption { + type = types.str; + default = "ifsr.de"; + description = "under which top level domain the services should run"; + }; }; } diff --git a/modules/stream.nix b/modules/stream.nix index 2d7bb7f..088840d 100644 --- a/modules/stream.nix +++ b/modules/stream.nix @@ -10,7 +10,7 @@ in services = { nginx = { virtualHosts = { - "stream.ifsr.de" = { + "stream.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = diff --git a/modules/wiki.nix b/modules/wiki.nix index 23767c8..aa4e5cc 100644 --- a/modules/wiki.nix +++ b/modules/wiki.nix @@ -116,10 +116,6 @@ $wgPluggableAuth_EnableLocalLogin = true; ''; extensions = { - #Cite = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz"; - # sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM="; - #}; CiteThisPage = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; sha256 = "sha256-sTZMCLlOkQBEmLiFz2BQJpWRxSDbpS40EZQ+f/jFjxI="; 
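Review bot: The `description` of the new `fsr.domain` option calls it a "top level domain", but the default `ifsr.de` and the consumers added in this commit (`pad.${config.fsr.domain}`, `nc.${config.fsr.domain}`, `stream.${config.fsr.domain}`) show it is the base domain that per-service subdomains are prefixed onto. Suggest `description = "base domain under which the services are served; each service uses its own subdomain of it";`. `types.str` is fine here, though a trailing-dot or scheme-prefixed value would silently produce broken hostnames, so a short example in the description would help.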
@@ -128,10 +124,6 @@ url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; }; - #DynamicPageList = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz"; - # sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o="; - #}; Lockdown = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; @@ -188,7 +180,7 @@ nginx = { recommendedProxySettings = true; virtualHosts = { - "wiki.quitte.tassilo-tanneberger.de" = { + "wiki.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = { From 86295b55018468025005ceaca6d1124a71d311d6 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:21:16 +0100 Subject: [PATCH 21/55] use `config.fsr.domain` --- modules/ldap.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index ce9e798..1de922e 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,9 +1,6 @@ { config, ... }: let - # temporary url, zum testen auf laptop zuhause - tld = "de"; - hostname = "ifsr"; - domain = "auth.staging.${hostname}.${tld}"; + domain = "auth.${config.fsr.domain}"; portunusUser = "portunus"; portunusGroup = "portunus"; @@ -45,7 +42,7 @@ in ldap = { user = "${ldapUser}"; group = "${ldapGroup}"; - suffix = "dc=${hostname},dc=${tld}"; + suffix = "dc=ifsr,dc=de"; tls = true; }; From f442eba0f8ba72a2f6f423e384f62bbbad72ce9a Mon Sep 17 00:00:00 2001 
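Review bot: `suffix = "dc=ifsr,dc=de";` is now a fixed literal while `domain` in the same file is derived from `config.fsr.domain`, so on the staging host (where flake.nix sets `fsr.domain = "staging.ifsr.de"`) the directory base no longer follows the domain. If that is intentional, because staging and production are meant to share one DN layout, a comment on the line such as `# directory suffix is deliberately fixed: staging and production share the same DN layout` would stop the next reader from "fixing" it; if not, derive it from the option as the removed lines did from `hostname`/`tld`.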
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:22:05 +0100
Subject: [PATCH 22/55] update nixpkgs version
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 8d70ec2..fee070a 100755
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
 inputs = {
- nixpkgs.url = github:nixos/nixpkgs/nixos-22.05;
+ nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
 sops-nix.url = github:Mic92/sops-nix;
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 fsr-infoscreen.url = github:fsr/infoscreen;
From 8cb57aa7233327ba344ef30990f01f132b507530 Mon Sep 17 00:00:00 2001
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:31:52 +0100
Subject: [PATCH 23/55] portunus: add admin user to admin group
---
 config/portunus_seeds.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
index 63a399b..dc28aba 100644
--- a/config/portunus_seeds.json
+++ b/config/portunus_seeds.json
@@ -3,7 +3,7 @@
 {
 "name": "admins",
 "long-name": "Portunus Admins",
- "members": [],
+ "members": ["admin"],
 "permissions": {
 "portunus": { "is-admin": true },
 "ldap": { "can-read": true }
From c91bcb11f81573e5030aa4b1b0b8388cc2bc50f5 Mon Sep 17 00:00:00 2001
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:44:16 +0100
Subject: [PATCH 24/55] fix: seedPath string -> path
---
 modules/ldap.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 1de922e..ab46c53 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -46,7 +46,7 @@ in
 tls = true;
 };
 
- seedPath = "../config/portunus_seeds.json";
+ seedPath = ../config/portunus_seeds.json;
 };
 
 services.nginx = {
From cd1647e5d6866ca32ef1f2cf90eebbcaaae159ef Mon Sep 17 00:00:00 2001
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:45:06 +0100
Subject: [PATCH 25/55] fix: remove unneeded `/dex` reverse proxy
---
 modules/ldap.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/ldap.nix b/modules/ldap.nix
index ab46c53..e35d909 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -56,7 +56,6 @@ in
 enableACME = true;
 locations = {
 "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
- "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
 };
 };
 };
From fc873af4b37ce0e949534ec7ffb33e835a8bee0a Mon Sep 17 00:00:00 2001
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:45:53 +0100
Subject: [PATCH 26/55] fix: remove open port 636, potential security risk
---
 modules/ldap.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/ldap.nix b/modules/ldap.nix
index e35d909..7d39bea 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -63,6 +63,5 @@ in
 networking.firewall.allowedTCPPorts = [
 80 # http
 443 # https
- 636 # ldaps
 ];
 }
From 49632576234361ff03fe67997447dbfa6fef95fb Mon Sep 17 00:00:00 2001
From: halcyon <55317573+hxlcyxn@users.noreply.github.com>
Date: Sat, 17 Dec 2022 19:49:08 +0100
Subject: [PATCH 27/55] nix flake update
---
 flake.lock | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/flake.lock b/flake.lock
index 7698a4f..714027c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -69,34 +69,34 @@ "type": "github" } }, - "nixpkgs-22_05": { + "nixpkgs-stable": { "locked": { - "lastModified": 1668307144, - "narHash": "sha256-uY2StvGJvTfgtLaiz3uvX+EQeWZDkiLFiz2vekgJ9ZE=", + "lastModified": 1670146390, + "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eac99848dfd869e486573d8272b0c10729675ca2", + "rev": "86370507cb20c905800527539fc049a2bf09c667", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.05", + "ref": "release-22.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1668595291, - "narHash": "sha256-j8cyfbtT5sAYPYwbERgTDzfD48ZernL0/V668eGpXAM=", + "lastModified": 1671215800, + "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b", + "rev": "9d692a724e74d2a49f7c985132972f991d144254", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.05", + "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" } @@ -113,14 +113,14 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-22_05": "nixpkgs-22_05" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1668311578, - "narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=", + "lastModified": 1670149631, + "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb", + "rev": "da98a111623101c64474a14983d83dad8f09f93d", "type": "github" }, "original": { From 5094feb4f9b8fbee8dd5bf5e0a03b5c5e9da75ae Mon Sep 17 00:00:00 2001 From: tenksom <102464707+tenksom@users.noreply.github.com> Date: Sat, 17 Dec 2022 20:59:09 +0100 Subject: [PATCH 28/55] Update ssh-key --- keys/ssh/joachim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keys/ssh/joachim b/keys/ssh/joachim index dcf3458..1f20229 100644 --- a/keys/ssh/joachim +++ b/keys/ssh/joachim 
@@ -1 +1 @@ -ssh-rsa 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 joach@DESKTOP-FOASM6G +ssh-rsa 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 From 924ac7ee31a0683f89cbf2de1dbbb0662f5d106d Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 21:03:54 +0100 Subject: [PATCH 29/55] fix: set portunus port to 8081 --- modules/ldap.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/ldap.nix b/modules/ldap.nix index 7d39bea..20a8cc8 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -39,6 +39,7 @@ in user = "${portunusUser}"; group = "${portunusGroup}"; domain = "${domain}"; + port = 8081; ldap = { user = "${ldapUser}"; group = "${ldapGroup}"; From 4c90187f283c951ac10a4cd4df81d6ad620c520b Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 21:04:13 +0100 Subject: [PATCH 30/55] fix: change `-` to `_` in portunus seeds file --- config/portunus_seeds.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json index dc28aba..5b213fd 100644 --- a/config/portunus_seeds.json +++ b/config/portunus_seeds.json 
@@ -2,29 +2,29 @@ "groups": [ { "name": "admins", - "long-name": "Portunus Admins", + "long_name": "Portunus Admins", "members": ["admin"], "permissions": { - "portunus": { "is-admin": true }, - "ldap": { "can-read": true } + "portunus": { "is_admin": true }, + "ldap": { "can_read": true } } }, { "name": "ifsr", - "long-name": "Mitglieder des ifsr", + "long_name": "Mitglieder des ifsr", "members": [], "permissions": { - "portunus": { "is-admin": false }, - "ldap": { "can-read": false } + "portunus": { "is_admin": false }, + "ldap": { "can_read": false } } }, { "name": "strukturer", - "long-name": "Strukturer des ifsr", + "long_name": "Strukturer des ifsr", "members": [], "permissions": { - "portunus": { "is-admin": false }, - "ldap": { "can-read": false } + "portunus": { "is_admin": false }, + "ldap": { "can_read": false } } } ], From ce7db4dac514ff14a99807d3d7c87f52acc4be7d Mon Sep 17 00:00:00 2001 From: fugi Date: Sat, 17 Dec 2022 21:23:46 +0100 Subject: [PATCH 31/55] format, use domain option --- modules/matrix.nix | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/modules/matrix.nix b/modules/matrix.nix index 493168c..be57b89 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,18 +1,19 @@ { config, pkgs, lib, ... }: let - domain = "staging.ifsr.de"; - domainServer = "matrix.${domain}"; - domainClient = "chat.${domain}"; + domainServer = "matrix.${config.fsr.domain}"; + domainClient = "chat.${config.fsr.domain}"; + clientConfig = { "m.homeserver" = { base_url = "https://${domainServer}:443"; server_name = domainServer; }; - "m.identity_server" = {}; + "m.identity_server" = { }; }; serverConfig = { "m.server" = "${domainServer}:443"; }; + mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; 
@@ -20,12 +21,12 @@ let ''; in { - #sops.secrets = { - # synapse_registration_secret = { - # owner = "matrix-synapse"; - # group = "matrix-synapse"; - # }; - #}; + # sops.secrets = { + # synapse_registration_secret = { + # owner = "matrix-synapse"; + # group = "matrix-synapse"; + # }; + # }; services = { postgresql = { @@ -92,13 +93,13 @@ in # TODO: ldap registration_shared_secret = "registration_shared_secret"; }; - # extraConfigFiles = [ - # (pkgs.writeTextFile { - # name = "matrix-synapse-extra-config.yml"; - # text = '' - # ''; - # }) - # ]; + # extraConfigFiles = [ + # (pkgs.writeTextFile { + # name = "matrix-synapse-extra-config.yml"; + # text = '' + # ''; + # }) + # ]; }; }; From 819286654bc22c3c34cf19870295b0407222d8dd Mon Sep 17 00:00:00 2001 From: fugi Date: Sat, 17 Dec 2022 21:38:01 +0100 Subject: [PATCH 32/55] add portunus_admin to secrets/test.yaml --- secrets/test.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/secrets/test.yaml b/secrets/test.yaml index 521db7f..a5e8835 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml 
@@ -4,6 +4,7 @@ postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4 nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str] wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] +portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] @@ -23,8 +24,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:23:26Z" - mac: ENC[AES256_GCM,data:meFon3NJLJ3E7pxGFvmol2WThaTPlPUKdRzeLnPhcLeJ2cGzj/DlnjTBmsk9hKhhTsQ4osdFo/DchId0MyV7Xi5ZmMVD0lyRZEPzguIbkg3UezRiNlosm21DpQ7Pl/yEXd02x/5kLast/Ud3zF1ZNGeGTxNriZvm5XY3KFiMCSY=,iv:oPPQnA82IbMTCsivp1fh4k9hS2keyh7Zm1C1jRkYUMU=,tag:vOkON7/N4v3yXu8kYkAEMg==,type:str] + lastmodified: "2022-12-17T20:37:05Z" + mac: ENC[AES256_GCM,data:zRn9Y43k9jEYmI9gU5vKPAEcG0N+O7ILFisyttXDHbdaiYJfAWu8556Hkofq1hS6WByB/ZE+BZO9vJ9JFzGxodCDeOTF0XLmFeb5frL7Vb9u2MXvT+z640kwA9VJUoLligoqmVt4O+ba3Tr+wU1qy85vLxyDFeEIj6ATo68E8b0=,iv:LaB6cJx5oXGVNNWvfwIievTm8KmVCAJ1j6RVOwFsyBU=,tag:3H7PnmpU65ub6ysVLsB3bQ==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: | From 5ccbf975b63f05ca9dc84881c937e2c691896381 Mon Sep 17 00:00:00 2001 
From: Rouven Seifert
Date: Mon, 9 Jan 2023 18:47:37 +0100
Subject: [PATCH 33/55] fix .gitignore
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 8cb727e..ee0c388 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-.qcow2
+*.qcow2
 result
From c3134e1e586c5548ac41f12c35876d7fc3793355 Mon Sep 17 00:00:00 2001
From: Fugi
Date: Wed, 18 Jan 2023 14:12:03 +0100
Subject: [PATCH 34/55] Synapse LDAP config, add Portunus search user, update flake
---
 config/portunus_seeds.json | 15 ++++++++++
 flake.lock | 18 +++++------
 modules/ldap.nix | 23 +++++++++-----
 modules/matrix.nix | 61 ++++++++++++++++++++++++--------------
 secrets/quitte.yaml | 5 ++--
 secrets/test.yaml | 5 ++--
 6 files changed, 83 insertions(+), 44 deletions(-)
diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
index 5b213fd..b73bf07 100644
--- a/config/portunus_seeds.json
+++ b/config/portunus_seeds.json
@@ -26,6 +26,15 @@
 "portunus": { "is_admin": false },
 "ldap": { "can_read": false }
 }
+ },
+ {
+ "name": "search",
+ "long_name": "LDAP search group",
+ "members": ["search"],
+ "permissions": {
+ "portunus": { "is_admin": false },
+ "ldap": { "can_read": true }
+ }
 }
 ],
 "users": [
@@ -34,6 +43,12 @@
 "given_name": "admin",
 "family_name": "admin",
 "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+ },
+ {
+ "login_name": "search",
+ "given_name": "search",
+ "family_name": "search",
+ "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] }
 }
 ]
 }
diff --git a/flake.lock b/flake.lock
index 714027c..84b48fd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1670146390, - "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", + "lastModified": 1673740915, + "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "86370507cb20c905800527539fc049a2bf09c667", + "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1671215800, - "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=", + "lastModified": 1673800717, + "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9d692a724e74d2a49f7c985132972f991d144254", + "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1670149631, - "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", + "lastModified": 1673752321, + "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "da98a111623101c64474a14983d83dad8f09f93d", + "rev": "e18eefd2b133a58309475298052c341c08470717", "type": "github" }, "original": { diff --git a/modules/ldap.nix b/modules/ldap.nix index 20a8cc8..a1965a6 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -29,9 +29,15 @@ in members = [ "${ldapUser}" ]; }; - sops.secrets."portunus_admin" = { - owner = "${portunusUser}"; - group = "${portunusGroup}"; + sops.secrets = { + "portunus_admin" = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; + }; + "portunus_search" = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; + }; }; services.portunus = { 
@@ -40,10 +46,16 @@ in group = "${portunusGroup}"; domain = "${domain}"; port = 8081; + ldap = { user = "${ldapUser}"; group = "${ldapGroup}"; + suffix = "dc=ifsr,dc=de"; + searchUserName = "search"; + + # disables port 389, use 636 with tls + # `portunus.domain` resolves to localhost tls = true; }; @@ -60,9 +72,4 @@ in }; }; }; - - networking.firewall.allowedTCPPorts = [ - 80 # http - 443 # https - ]; } diff --git a/modules/matrix.nix b/modules/matrix.nix index be57b89..5648c1b 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -8,7 +8,6 @@ let base_url = "https://${domainServer}:443"; server_name = domainServer; }; - "m.identity_server" = { }; }; serverConfig = { "m.server" = "${domainServer}:443"; @@ -21,21 +20,17 @@ let ''; in { - # sops.secrets = { - # synapse_registration_secret = { - # owner = "matrix-synapse"; - # group = "matrix-synapse"; - # }; - # }; + sops.secrets.matrix_ldap_search = { + key = "portunus_search"; + owner = config.systemd.services.matrix-synapse.serviceConfig.User; + }; services = { postgresql = { enable = true; - ensureUsers = [ - { - name = "matrix-synapse"; - } - ]; + ensureUsers = [{ + name = "matrix-synapse"; + }]; }; nginx = { @@ -66,6 +61,7 @@ in root = pkgs.element-web.override { conf = { default_server_config = clientConfig; + disable_3pid_login = true; }; }; }; @@ -75,6 +71,10 @@ in matrix-synapse = { enable = true; + plugins = with config.services.matrix-synapse.package.plugins; [ + matrix-synapse-ldap3 + ]; + settings = { server_name = domainServer; 
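Review bot: This hunk drops `networking.firewall.allowedTCPPorts = [ 80 443 ]` from ldap.nix although neither the commit title nor the message mentions a firewall change, and whether `modules/nginx.nix` opens those ports instead is not visible from here. If nginx.nix does, a sentence in the commit message (or keeping the list with a comment) avoids a surprise when the Portunus virtual host stops answering after a rebuild. The added comment `# disables port 389, use 636 with tls` is helpful; the following one states a deployment assumption rather than something the module enforces, so phrasing it as `# NOTE: assumes portunus.domain resolves to this host, so the loopback LDAPS connection can pass certificate verification` is more accurate.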
@@ -89,17 +89,32 @@ in compress = false; }]; }]; - - # TODO: ldap - registration_shared_secret = "registration_shared_secret"; }; - # extraConfigFiles = [ - # (pkgs.writeTextFile { - # name = "matrix-synapse-extra-config.yml"; - # text = '' - # ''; - # }) - # ]; + + extraConfigFiles = [ + (pkgs.writeTextFile { + name = "matrix-synapse-extra-config.yml"; + text = '' + # `password_providers` is deprecated but `modules` is not supported yet. + password_providers: + - module: ldap_auth_provider.LdapAuthProvider + config: + enabled: true + # have to use fqdn here for tls (still connects to localhost) + uri: ldaps://auth.nix.fugi.dev:636 + base: ou=users,dc=ifsr,dc=de + # taken from kaki config + attributes: + uid: uid + mail: uid + name: cn + bind_dn: uid=search,ou=users,dc=ifsr,dc=de + # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround + bind_password: portunus_search + # bind_password_file: ${config.sops.secrets.portunus_search.path} + ''; + }) + ]; }; }; @@ -113,7 +128,7 @@ in path = [ pkgs.sudo config.services.postgresql.package ]; - # create database for synapse. will silently fail if already exists + # create database for synapse. will silently fail if it already exists script = '' sudo -u ${config.services.postgresql.superUser} psql < Date: Fri, 20 Jan 2023 15:08:57 +0100 Subject: [PATCH 35/55] trying to fix joachims ssh key --- keys/ssh/joachim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keys/ssh/joachim b/keys/ssh/joachim index 1f20229..218443f 100644 --- a/keys/ssh/joachim +++ b/keys/ssh/joachim 
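Review bot: `uri: ldaps://auth.nix.fugi.dev:636` hardcodes a personal domain into the Synapse LDAP provider config instead of `config.services.portunus.domain`, and `base: ou=users,dc=ifsr,dc=de` and `bind_dn` repeat the suffix that `services.portunus.ldap.suffix` defines in the same commit; on any host where `fsr.domain` differs, the bind goes to the wrong name. Suggest `uri: ldaps://${config.services.portunus.domain}:636` and `base: ou=users,${config.services.portunus.ldap.suffix}` (and the same for `bind_dn`). `bind_password: portunus_search` is a literal inside `pkgs.writeTextFile`, so it lands in the Nix store; the TODO acknowledges this, but note that `sops.secrets.matrix_ldap_search`, declared earlier in this commit, appears unused until the plugin accepts a password file. The pgsetup hunk that follows is garbled at its tail in this view and was not reviewed.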
@@ -1 +1 @@ -ssh-rsa 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 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0FSJ1IFmAMaeuO/OcY56koVTO68DZOJkUpZvHKkGttCtSmio2w3lXoJG+X+950DdwZcgF9vf4/h8VjsmQdNg/ACQQM6gNwVk8p2arIbYy9M3s0FfHKoMkfMDlZ91Md0/9BtogFRQWCP9Og3vV7q63cPJldqk+gljp10OruxawjAc+myz2xUppjk3BWzoHX86lAtF2ggqY1HW9rloMqj0j1zdqyMkHzy4akJbE2NAekNsdz0dWKC3tTGuEXlisZiC1Q51S5JrZIsr8hZXdL2u/nThsveSPC/jW3tfQxthu7TFyLr5n5ms9S3s47TGdtUTKmkTXWvspAHD4EP2nHTniqnesVO3TE9lHiI++TBQAtrTp+Ivb6Fwv55fUH1V36tkaFfAuTJq0zHv7tYedqMdzfH99jsHb4hej6LWMJPaH1R/UyNOzJr+ac50C7vFO+j4UKiu0vFRebnID7nLBY7vl3n5bmX1FjfD9axHncIranI4Lyt5RMxueR11IHIDqEEE= joachim@nixos From fab0899e7eff764dc773693208fc77b00cd4ffb0 Mon Sep 17 00:00:00 2001 From: Fugi Date: Sat, 21 Jan 2023 21:26:24 +0100 Subject: [PATCH 36/55] package ldap3 plugin --- modules/matrix.nix | 25 ++++++++++++------------- modules/pkgs/matrix-synapse-ldap3.nix | 21 +++++++++++++++++++++ 2 files changed, 33 insertions(+), 13 deletions(-) create mode 100644 modules/pkgs/matrix-synapse-ldap3.nix diff --git a/modules/matrix.nix b/modules/matrix.nix index 5648c1b..d1d0938 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -18,6 +18,10 @@ let add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; + + # build ldap3 plugin from git because it's very outdated in nixpkgs + matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { }; + # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; in { sops.secrets.matrix_ldap_search = { @@ -71,9 +75,7 @@ in matrix-synapse = { enable = true; - plugins = with config.services.matrix-synapse.package.plugins; [ - matrix-synapse-ldap3 - ]; + plugins = [ matrix-synapse-ldap3 ]; settings = { server_name = domainServer; 
@@ -94,24 +96,21 @@ in extraConfigFiles = [ (pkgs.writeTextFile { name = "matrix-synapse-extra-config.yml"; - text = '' - # `password_providers` is deprecated but `modules` is not supported yet. - password_providers: - - module: ldap_auth_provider.LdapAuthProvider + text = let portunus = config.services.portunus; in '' + modules: + - module: ldap_auth_provider.LdapAuthProviderModule config: enabled: true # have to use fqdn here for tls (still connects to localhost) - uri: ldaps://auth.nix.fugi.dev:636 - base: ou=users,dc=ifsr,dc=de + uri: ldaps://${portunus.domain}:636 + base: ou=users,${portunus.ldap.suffix} # taken from kaki config attributes: uid: uid mail: uid name: cn - bind_dn: uid=search,ou=users,dc=ifsr,dc=de - # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround - bind_password: portunus_search - # bind_password_file: ${config.sops.secrets.portunus_search.path} + bind_dn: uid=search,ou=users,${portunus.ldap.suffix} + bind_password_file: ${config.sops.secrets.matrix_ldap_search.path} ''; }) ]; diff --git a/modules/pkgs/matrix-synapse-ldap3.nix b/modules/pkgs/matrix-synapse-ldap3.nix new file mode 100644 index 0000000..0635ab0 --- /dev/null +++ b/modules/pkgs/matrix-synapse-ldap3.nix @@ -0,0 +1,21 @@ +{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }: + +buildPythonPackage rec { + pname = "matrix-synapse-ldap3"; + version = "0.2.2"; + + format = "pyproject"; + + src = pkgs.fetchFromGitHub { + owner = "matrix-org"; + repo = "matrix-synapse-ldap3"; + rev = "2584736204165f16c176567183f9c350ee253f74"; + sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8="; + }; + + propagatedBuildInputs = [ service-identity ldap3 twisted ]; + + # ldaptor is not ready for py3 yet + doCheck = !isPy3k; + checkInputs = [ ldaptor mock ]; +} From eeac519650a261134320cd1510fdf9bdb01b01ac Mon Sep 17 00:00:00 2001 
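Review bot: `doCheck = !isPy3k;` in pkgs/matrix-synapse-ldap3.nix is always false here, because the file is called through `pkgs.python3.pkgs.callPackage`, so the package's tests never run and `checkInputs = [ ldaptor mock ]` is dead; the comment `# ldaptor is not ready for py3 yet` reads as carried over from the older nixpkgs expression. Writing `doCheck = false; # tests need ldaptor/mock and are skipped for this git snapshot` states the actual situation. `version = "0.2.2"` is not tied to the pinned `rev` in any visible way; a comment noting which upstream tag or commit date `2584736…` corresponds to would help whoever bumps it next. Pinning by full commit hash plus `sha256` is the right supply-chain posture for a package built from git, and switching the config to `bind_password_file` pointing at the sops path removes the plaintext password from the store.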
From: Fugi Date: Thu, 2 Feb 2023 21:16:55 +0100 Subject: [PATCH 37/55] move matrix-synapse-ldap3.nix to /pkgs --- modules/matrix.nix | 2 +- {modules/pkgs => pkgs}/matrix-synapse-ldap3.nix | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename {modules/pkgs => pkgs}/matrix-synapse-ldap3.nix (100%) diff --git a/modules/matrix.nix b/modules/matrix.nix index d1d0938..82cfa0f 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -20,7 +20,7 @@ let ''; # build ldap3 plugin from git because it's very outdated in nixpkgs - matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { }; + matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { }; # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; in { diff --git a/modules/pkgs/matrix-synapse-ldap3.nix b/pkgs/matrix-synapse-ldap3.nix similarity index 100% rename from modules/pkgs/matrix-synapse-ldap3.nix rename to pkgs/matrix-synapse-ldap3.nix From 15597ce6faa1780df8f33dca789244ace179b03f Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 3 Feb 2023 15:36:04 +0100 Subject: [PATCH 38/55] updating deps --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 84b48fd..425570a 100644 --- a/flake.lock +++ b/flake.lock @@ -71,11 +71,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1673740915, - "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", + "lastModified": 1675265860, + "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", + "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce", "type": "github" }, "original": { 
@@ -87,11 +87,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1673800717, - "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", + "lastModified": 1675237434, + "narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", + "rev": "285b3ff0660640575186a4086e1f8dc0df2874b5", "type": "github" }, "original": { @@ -116,11 +116,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1673752321, - "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", + "lastModified": 1675288837, + "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e18eefd2b133a58309475298052c341c08470717", + "rev": "a81ce6c961480b3b93498507074000c589bd9d60", "type": "github" }, "original": { From c41369e2ac01fd1f0e12aab705a4b422cee57113 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 3 Feb 2023 15:40:42 +0100 Subject: [PATCH 39/55] enabeling ldap auth --- modules/ldap.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/ldap.nix b/modules/ldap.nix index a1965a6..adbe392 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -62,6 +62,12 @@ in seedPath = ../config/portunus_seeds.json; }; + users.ldap = { + enable = true; + server = "ldap://localhost"; + base = "${config.services.portunus.ldap.suffix}"; + }; + services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { From 1f70d58853bd87bf0d4fccfd0d32c7fb01af3eaf Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 25 Nov 2022 15:24:05 +0100 Subject: [PATCH 40/55] Initial Email config Bare-minimum config consisting of postfix and dovecot2. For testing, passwd is used as userdb. Definitely NOT Production ready! --- modules/mail.nix | 69 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 modules/mail.nix 
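Review bot: `users.ldap` is enabled with `server = "ldap://localhost"` and no `bind` block, so NSS/PAM lookups use plaintext port 389 with an anonymous bind; the Portunus config in the same file (visible in a later patch on this page as `tls = true` with the comment `# disables port 389`) suggests that port is not even served at this point, so this probably does not resolve users yet. If TLS stays on, point this at `ldaps://` on 636 rather than turning TLS off on the server later; in either case `users.ldap.daemon.enable = true` keeps the directory credentials inside nslcd instead of every PAM-using process. The surrounding attribute set starts and ends outside the hunk.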
diff --git a/modules/mail.nix b/modules/mail.nix new file mode 100644 index 0000000..078a4fb --- /dev/null +++ b/modules/mail.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + let hostname = "mail.test.stramke.com"; + in { + networking.firewall.allowedTCPPorts = [ 25 587 143]; + services = { + postfix = { + enable = true; + hostname = "${hostname}"; + config = { + myorigin = "mail.test.stramke.com"; + mydestination = "127.0.0.1"; + smtpd_recipient_restrictions = [ + "reject_unauth_destination" + "permit_sasl_authenticated" + + ]; + smtpd_sasl_auth_enable = true; + smtpd_sasl_path = "/var/lib/postfix/auth"; + smtpd_sasl_type = "dovecot"; + smtpd_relay_restrictions = [ + "reject_unauth_destination" + # "relay_domains = "${hostname}" + "permit_sasl_authenticated" + ]; + }; + }; + dovecot2 = { + enable = true; + enableImap = true; + enableQuota = false; + mailboxes = { + Spam = { + auto = "create"; + specialUse = "Junk"; + }; + Sent = { + auto = "create"; + specialUse = "Sent"; + }; + Drafts = { + auto = "create"; + specialUse = "Drafts"; + }; + Trash = { + auto = "create"; + specialUse = "Trash"; + }; + }; + extraConfig = '' + mail_location = mbox:~/mail:INBOX=/var/mail/%u + # auth_mechanisms = plain login + # disable_plaintext_auth = no + userdb { + driver = passwd + args = blocking=no + } + service auth { + unix_listener /var/lib/postfix/auth { + group = postfix + mode = 0660 + user = postfix + } + user = dovecot2 + } + ''; + }; + }; + } + From ffae1bc8c5c122df7b802cb94431c055ac789631 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 2 Dec 2022 16:13:18 +0100 Subject: [PATCH 41/55] receiving emails works now --- modules/mail.nix | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 078a4fb..abfe0ec 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
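Review bot: Dovecot is given `userdb { driver = passwd }` but no `passdb`, and Postfix enables `smtpd_sasl_auth_enable = true` with ports 25, 587 and 143 opened and no TLS certificate configured anywhere in the file, so any client that does authenticate here sends its password in clear; the commit message already calls this not production ready, but the file itself should carry that warning. I would put `# TEST ONLY: no TLS and no passdb configured — do not import on a public host` above `networking.firewall.allowedTCPPorts` so the module cannot be wired into flake.nix later without the reader seeing it. `smtpd_sasl_path = "/var/lib/postfix/auth"` and the dovecot `unix_listener /var/lib/postfix/auth` must stay in sync; a comment on one pointing at the other would help.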
@@ -1,27 +1,25 @@ { config, pkgs, ... }: let hostname = "mail.test.stramke.com"; in { - networking.firewall.allowedTCPPorts = [ 25 587 143]; + networking.firewall.allowedTCPPorts = [ 25 587 143 ]; services = { postfix = { enable = true; hostname = "${hostname}"; + domain = "test.stramke.com"; + relayHost = ""; + origin = "test.stramke.com"; + destination = ["mail.test.stramke.com" "test.stramke.com" "localhost"]; config = { - myorigin = "mail.test.stramke.com"; - mydestination = "127.0.0.1"; + mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1"; smtpd_recipient_restrictions = [ - "reject_unauth_destination" - "permit_sasl_authenticated" - - ]; + "reject_unauth_destination" + "permit_sasl_authenticated" + "permit_mynetworks" + ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; - smtpd_sasl_type = "dovecot"; - smtpd_relay_restrictions = [ - "reject_unauth_destination" - # "relay_domains = "${hostname}" - "permit_sasl_authenticated" - ]; + # smtpd_sasl_type = "dovecot"; }; }; dovecot2 = { @@ -47,9 +45,9 @@ }; }; extraConfig = '' - mail_location = mbox:~/mail:INBOX=/var/mail/%u - # auth_mechanisms = plain login - # disable_plaintext_auth = no + mail_location = maildir:/var/spool/mail/%u + auth_mechanisms = plain login + disable_plaintext_auth = no userdb { driver = passwd args = blocking=no @@ -60,7 +58,7 @@ mode = 0660 user = postfix } - user = dovecot2 + } ''; }; From 14ad30e65d1c99eeeb93704542ae733f8983d452 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Sat, 17 Dec 2022 12:58:27 +0100 Subject: [PATCH 42/55] beautified the file and added opendkim --- modules/mail.nix | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index abfe0ec..e03672c 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
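Review bot: `mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1"` puts the whole Internet into Postfix's trusted-client set, and the hunk also drops the explicit `smtpd_relay_restrictions`, so not relaying for strangers now rests entirely on `reject_unauth_destination` being first in `smtpd_recipient_restrictions`; any later reorder, or any other restriction list that uses `permit_mynetworks`, turns this into an open relay. Drop `0.0.0.0/0` (and the 10.0.0.0/24 entry unless those hosts really should relay unauthenticated) and keep an explicit `smtpd_relay_restrictions = [ "permit_mynetworks" "permit_sasl_authenticated" "reject_unauth_destination" ];` so the policy does not depend on Postfix defaults. Commenting out `smtpd_sasl_type = "dovecot"` also falls back to Postfix's default SASL backend, which is probably not what the dovecot `service auth` listener below expects — confirm whether the NixOS module sets it for you.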
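Review bot: `disable_plaintext_auth = no` together with `auth_mechanisms = plain login` lets IMAP clients authenticate without TLS, and nothing in this file configures a certificate, so passwords cross the wire in clear on the opened port 143. Dovecot's default (`yes`) only refuses plaintext mechanisms on non-local, non-TLS connections, so the line is safe to leave out; if it is needed for a local test, mark it `disable_plaintext_auth = no # TEST ONLY, remove once TLS is configured`. The `extraConfig` string continues outside the hunk.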
@@ -1,15 +1,17 @@ { config, pkgs, ... }: - let hostname = "mail.test.stramke.com"; + let + hostname = "mail.test.stramke.com"; + domain = "test.stramke.com"; in { networking.firewall.allowedTCPPorts = [ 25 587 143 ]; services = { postfix = { enable = true; hostname = "${hostname}"; - domain = "test.stramke.com"; + domain = "${domain}"; relayHost = ""; - origin = "test.stramke.com"; - destination = ["mail.test.stramke.com" "test.stramke.com" "localhost"]; + origin = "${domain}"; + destination = ["${hostname}" "${domain}" "localhost"]; config = { mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1"; smtpd_recipient_restrictions = [ @@ -62,6 +64,14 @@ } ''; }; + rspamd = { + enable = true; + }; + opendkim = { + enable = true; + selector = "mail"; + domains = "csl:${domain}"; + }; }; } From 2a0e2c662380ea7790bfd76ae0d4ca71d59babf0 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Sat, 17 Dec 2022 19:45:36 +0100 Subject: [PATCH 43/55] add mail filters --- modules/mail.nix | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index e03672c..2cd49f5 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -3,7 +3,8 @@ hostname = "mail.test.stramke.com"; domain = "test.stramke.com"; in { - networking.firewall.allowedTCPPorts = [ 25 587 143 ]; + networking.firewall.allowedTCPPorts = [ 25 587 143 11334]; + users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work services = { postfix = { enable = true; @@ -13,7 +14,6 @@ origin = "${domain}"; destination = ["${hostname}" "${domain}" "localhost"]; config = { - mynetworks = "168.119.135.69/32 10.0.0.0/24 0.0.0.0/0 127.0.0.1"; smtpd_recipient_restrictions = [ "reject_unauth_destination" "permit_sasl_authenticated" 
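Review bot: `opendkim.enable = true` and `rspamd.enable = true` start both daemons, but Postfix is not told about either (no `smtpd_milters` in this commit), so no mail is signed or scanned yet; either wire them in here or add `# not yet attached to postfix — see smtpd_milters` so an enabled-but-idle signer is not mistaken for working DKIM. `selector = "mail"` with `domains = "csl:${domain}"` also only becomes useful once the public key is published as `mail._domainkey.<domain>`; if the NixOS module generates the key pair on first start, a comment next to `selector` saying where the key lands and that the TXT record must be published would save the next person a search. The enclosing `services` set starts outside the hunk.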
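Review bot: Opening `11334` in `networking.firewall.allowedTCPPorts` exposes the rspamd controller (its admin web UI and API) to every network the host faces, and nothing in this series up to here sets a controller password; if the controller worker binds to more than loopback, anyone can read the spam-learning state and change settings. Keep the port closed and reach the UI through a TLS reverse proxy with authentication, which is what a later patch on this page does with an nginx vhost. The line `users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work` should either be made to work or removed rather than committed with a comment saying it does nothing.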
@@ -21,7 +21,11 @@ ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; - # smtpd_sasl_type = "dovecot"; + + # put in opendkim (port 8891) and rspamd (port 11334) as mail filter + smtpd_milters = ["inet:localhost:8891" "/run/rspamd/rspamd.sock"]; + non_smtpd_milters = "$smtpd_milters"; + milter_default_action = "accept"; }; }; dovecot2 = { @@ -69,8 +73,9 @@ }; opendkim = { enable = true; - selector = "mail"; + selector = "default"; domains = "csl:${domain}"; + socket = "inet:8891"; }; }; } From fb8b55b2c9d45d018e14c51ab54913b8888b6094 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Sat, 17 Dec 2022 19:46:25 +0100 Subject: [PATCH 44/55] add the mail module to flake.nix --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 335440c..ef4e809 100755 --- a/flake.nix +++ b/flake.nix @@ -61,6 +61,7 @@ ./modules/sops.nix ./modules/ldap.nix # ./modules/keycloak.nix replaced by portunus + ./modules/mail.nix ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix From e569bdec5023d1afa4580e87b026b108c42ae414 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Sat, 17 Dec 2022 21:33:45 +0100 Subject: [PATCH 45/55] formatting --- modules/mail.nix | 164 +++++++++++++++++++++++++---------------------- 1 file changed, 86 insertions(+), 78 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 2cd49f5..7a48656 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
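Review bot: `milter_default_action = "accept"` makes Postfix deliver unsigned and unscanned mail whenever opendkim or rspamd is down, so an outage of either milter silently degrades to no DKIM and no spam filtering; `tempfail` is the safer default, with `accept` reserved for a consciously chosen availability trade-off and a comment saying so. The comment `# put in opendkim (port 8891) and rspamd (port 11334) as mail filter` does not match the line under it: rspamd is attached via `/run/rspamd/rspamd.sock`, and 11334 is the controller port, not a milter endpoint. In the second hunk, `socket = "inet:8891";` without an `@host` part makes opendkim listen on all interfaces; `socket = "inet:8891@localhost";` keeps the signing milter loopback-only regardless of firewall state.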
@@ -1,82 +1,90 @@ { config, pkgs, ... }: - let - hostname = "mail.test.stramke.com"; - domain = "test.stramke.com"; - in { - networking.firewall.allowedTCPPorts = [ 25 587 143 11334]; - users.users.postfix.extraGroups = ["rspamd"]; # doesn't seem to work - services = { - postfix = { - enable = true; - hostname = "${hostname}"; - domain = "${domain}"; - relayHost = ""; - origin = "${domain}"; - destination = ["${hostname}" "${domain}" "localhost"]; - config = { - smtpd_recipient_restrictions = [ - "reject_unauth_destination" - "permit_sasl_authenticated" - "permit_mynetworks" - ]; - smtpd_sasl_auth_enable = true; - smtpd_sasl_path = "/var/lib/postfix/auth"; +let + hostname = "mail.test.stramke.com"; + domain = "test.stramke.com"; +in +{ + networking.firewall.allowedTCPPorts = [ 25 587 143 ]; + services = { + postfix = { + enable = true; + hostname = "${hostname}"; + domain = "${domain}"; + relayHost = ""; + origin = "${domain}"; + destination = [ "${hostname}" "${domain}" "localhost" ]; + config = { + smtpd_recipient_restrictions = [ + "reject_unauth_destination" + "permit_sasl_authenticated" + "permit_mynetworks" + ]; + smtpd_sasl_auth_enable = true; + smtpd_sasl_path = "/var/lib/postfix/auth"; - # put in opendkim (port 8891) and rspamd (port 11334) as mail filter - smtpd_milters = ["inet:localhost:8891" "/run/rspamd/rspamd.sock"]; - non_smtpd_milters = "$smtpd_milters"; - milter_default_action = "accept"; - }; - }; - dovecot2 = { - enable = true; - enableImap = true; - enableQuota = false; - mailboxes = { - Spam = { - auto = "create"; - specialUse = "Junk"; - }; - Sent = { - auto = "create"; - specialUse = "Sent"; - }; - Drafts = { - auto = "create"; - specialUse = "Drafts"; - }; - Trash = { - auto = "create"; - specialUse = "Trash"; - }; - }; - extraConfig = '' - mail_location = maildir:/var/spool/mail/%u - auth_mechanisms = plain login - disable_plaintext_auth = no - userdb { - driver = passwd - args = blocking=no - } - service auth { - unix_listener 
/var/lib/postfix/auth { - group = postfix - mode = 0660 - user = postfix - } - - } - ''; - }; - rspamd = { - enable = true; - }; - opendkim = { - enable = true; - selector = "default"; - domains = "csl:${domain}"; - socket = "inet:8891"; - }; + # put in opendkim (port 8891) and rspamd (port 11333) as mail filter + smtpd_milters = [ "inet:localhost:8891" "inet:localhost:11333" ]; + non_smtpd_milters = "$smtpd_milters"; + milter_default_action = "accept"; + }; + }; + dovecot2 = { + enable = true; + enableImap = true; + enableQuota = false; + mailboxes = { + Spam = { + auto = "create"; + specialUse = "Junk"; }; - } + Sent = { + auto = "create"; + specialUse = "Sent"; + }; + Drafts = { + auto = "create"; + specialUse = "Drafts"; + }; + Trash = { + auto = "create"; + specialUse = "Trash"; + }; + }; + extraConfig = '' + mail_location = maildir:/var/spool/mail/%u + auth_mechanisms = plain login + disable_plaintext_auth = no + userdb { + driver = passwd + args = blocking=no + } + service auth { + unix_listener /var/lib/postfix/auth { + group = postfix + mode = 0660 + user = postfix + } + + } + ''; + }; + rspamd = { + enable = true; + workers = { + normal = { + bindSockets = [ "*:11333" ]; # interface for the mailfilter + }; + controller = { + bindSockets = [ "*:11334" ]; # webinterface + }; + }; + }; + opendkim = { + enable = true; + selector = "default"; + domains = "csl:${domain}"; + socket = "inet:8891"; + }; + }; +} From a11a3614a9a83107c9c0252d66217417a350d638 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 6 Jan 2023 16:57:26 +0100 Subject: [PATCH 46/55] configured tls and rspamd --- modules/mail.nix | 48 ++++++++++++++++++++++----------------------- secrets/quitte.yaml | 7 ++++--- secrets/test.yaml | 5 +++-- 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 7a48656..b2eefaa 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
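Review bot: A commit titled "formatting" also changes behaviour: it drops `11334` from the firewall list and the `extraGroups` line, moves the rspamd milter from the unix socket to `inet:localhost:11333`, and adds `workers.normal.bindSockets = [ "*:11333" ]` and `workers.controller.bindSockets = [ "*:11334" ]`; those functional changes deserve their own commit so they can be reviewed and reverted on their own. The `*:` binds listen on every interface although only Postfix on the same host (and, later on this page, a local nginx proxy) needs them; `bindSockets = [ "127.0.0.1:11333" ];` and `bindSockets = [ "127.0.0.1:11334" ];` stop the milter and the admin controller from depending on the firewall being right. The `# put in opendkim (port 8891) and rspamd (port 11333) as mail filter` comment now matches the configuration, which is good.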
@@ -1,10 +1,13 @@ { config, pkgs, ... }: let - hostname = "mail.test.stramke.com"; - domain = "test.stramke.com"; + hostname = "mail.${config.fsr.domain}"; + domain = config.fsr.domain; in { - networking.firewall.allowedTCPPorts = [ 25 587 143 ]; + sops.secrets."rspamd-password".owner = config.users.user.rspamd.name; + + networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + services = { postfix = { enable = true; @@ -13,6 +16,8 @@ in relayHost = ""; origin = "${domain}"; destination = [ "${hostname}" "${domain}" "localhost" ]; + sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslKey = "/var/lib/acme/${hostname}/key.pem"; config = { smtpd_recipient_restrictions = [ "reject_unauth_destination" @@ -21,17 +26,15 @@ in ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; - - # put in opendkim (port 8891) and rspamd (port 11333) as mail filter - smtpd_milters = [ "inet:localhost:8891" "inet:localhost:11333" ]; - non_smtpd_milters = "$smtpd_milters"; - milter_default_action = "accept"; + virtual_mailbox_base = "/var/spool/mail"; }; }; dovecot2 = { enable = true; enableImap = true; enableQuota = false; + sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslServerKey = "/var/lib/acme/${hostname}/key.pem"; mailboxes = { Spam = { auto = "create"; 
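Review bot: `config.users.user.rspamd.name` references an option path that does not exist (`users.users` is the NixOS option), so the module will not evaluate as committed; a later patch on this page corrects it, but this commit alone breaks the build. The new list `[ 25 465 993 ]` opens 465 while nothing here enables a submissions listener in Postfix — unless `services.postfix.enableSubmissions` is set elsewhere, 465 is an open firewall hole with nothing behind it and authenticated submission has no route at all. The enclosing `in { … }` set continues outside the hunk.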
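Review bot: `sslCert`/`sslKey` and `sslServerCert`/`sslServerKey` point straight at `/var/lib/acme/${hostname}/key.pem`, but the ACME private key is readable only by root and the certificate's group (default `acme`), and neither the postfix nor the dovecot2 user is added to that group here; unless that is done elsewhere, both daemons will fail to load the key and TLS silently does not come up. Add `users.users.postfix.extraGroups = [ "acme" ];` and `users.users.dovecot2.extraGroups = [ "acme" ];` (or set `security.acme.certs."${hostname}".group`), plus `reloadServices` on that certificate so renewals are picked up. The certificate itself is only requested by the nginx vhost added in the last hunk of this patch, so the ordering dependency (nginx must obtain it before postfix and dovecot start) is worth a comment near `sslCert`.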
@@ -51,40 +54,35 @@ in }; }; extraConfig = '' - mail_location = maildir:/var/spool/mail/%u + mail_location = maildir:/var/mail/%u auth_mechanisms = plain login disable_plaintext_auth = no userdb { - driver = passwd - args = blocking=no + driver = passwd + args = blocking=no } service auth { - unix_listener /var/lib/postfix/auth { + unix_listener /var/lib/postfix/auth { group = postfix mode = 0660 user = postfix } - } ''; }; rspamd = { enable = true; - workers = { - normal = { - bindSockets = [ "*:11333" ]; # interface for the mailfilter - }; - controller = { - bindSockets = [ "*:11334" ]; # webinterface - }; + postfix.enable = true; + locals = { + "worker-controller.inc".source = config.sops.secrets."rspamd-password".path; }; }; - opendkim = { + nginx = { enable = true; - selector = "default"; - domains = "csl:${domain}"; - socket = "inet:8891"; + virtualHosts."${hostname}" = { + forceSSL = true; + enableACME = true; + }; }; }; } - diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index c01f749..9a186ee 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml 
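Review bot: Now that Postfix and Dovecot have certificates, the unchanged context lines `auth_mechanisms = plain login` and `disable_plaintext_auth = no` point the wrong way: they still allow password authentication outside TLS on port 143 (still bound even if no longer in the firewall list), and Postfix's default `smtpd_tls_auth_only = no` offers AUTH on plaintext port 25. Drop `disable_plaintext_auth = no` (Dovecot's default refuses plaintext mechanisms on non-local, non-TLS connections) and add `smtpd_tls_auth_only = "yes";` to the postfix `config` so credentials are only accepted inside TLS. `"worker-controller.inc".source = config.sops.secrets."rspamd-password".path` is a good way to keep the controller password out of the store, but document the expected file content next to it — rspamd wants a UCL statement such as `password = "<hash from rspamadm pw>";`, not a bare value — or the next secret update will break the controller.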
@@ -5,7 +5,8 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] -portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str] +portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str] +rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZgV+UlfsJk9IELIA==,iv:7O48+wB7zJUIp3lQDTC7tkP1UFvmDfjs50x1Zo3hOhw=,tag:MNdiDF22a3n1ZrE6qTDVLA==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] 
@@ -25,8 +26,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:50:14Z" - mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str] + lastmodified: "2023-02-03T14:46:12Z" + mac: ENC[AES256_GCM,data:Bg5S8lSYnCUhlYFObVpmPXsp2IVxm1vfDdyzEmGGoKNU9lit/0nxrmgv3ZvOfzrcilQQHLzAfPIM5HXTCVtoPPWmkicQ72SdNWLJbY9p1+MFQgiqFZcVAYb+FMm9s1IOxBgXx/OQWmQxDmTA6jZHqgYBZnrBMgjeo0ol1Zp60uY=,iv:FlCsVbOBQC43yrmAKv8j7b0DTuhZXmeURxWWkbIcRQQ=,tag:e9vubxFQOK6h1fHQ8GHLvQ==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | diff --git a/secrets/test.yaml b/secrets/test.yaml index bc0d72f..f1163c6 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml @@ -6,6 +6,7 @@ hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str] +rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] 
@@ -25,8 +26,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-17T22:26:52Z" - mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str] + lastmodified: "2023-02-03T14:47:01Z" + mac: ENC[AES256_GCM,data:qSuGdUOgVDhZ25zYGfZ6+GC7XxsoGV9dUSKM0YstpSQgR7u9S8fQVkcbz5gNTVhG8bdGQVxmMPTW3QyMI6s76yngs6kBxwnBSycAFowJlO6P/cRPqRlAuVhJy82hq0lOJem93vOnRPBQsb6Da0OS/7+SKoRd/I66BtPNKMmxEdo=,iv:IXy3cuZfUK2k8TIA7LpIbPSzcxXtiW4pmdILO6441Is=,tag:PuACj+FwaTxoTCFLytXoiw==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: | From 2411a9c18566f820e3ca845c039997d1478532ac Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Mon, 9 Jan 2023 18:14:32 +0100 Subject: [PATCH 47/55] finished rspamd setup --- modules/mail.nix | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index b2eefaa..5e929a5 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -4,7 +4,7 @@ let domain = config.fsr.domain; in { - sops.secrets."rspamd-password".owner = config.users.user.rspamd.name; + sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; networking.firewall.allowedTCPPorts = [ 25 465 993 ]; 
@@ -75,13 +75,41 @@ in postfix.enable = true; locals = { "worker-controller.inc".source = config.sops.secrets."rspamd-password".path; + "redis.conf".text = '' + read_servers = "127.0.0.1"; + write_servers = "127.0.0.1"; + ''; + }; + }; + redis = { + vmOverCommit = true; + servers.rspamd = { + enable = true; + port = 6379; }; }; nginx = { enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."${hostname}" = { forceSSL = true; enableACME = true; + locations = { + "/rspamd" = { + proxyWebsockets = true; + + # maybe there is a more beautiful way for this + extraConfig = '' + if ($request_uri ~* "/rspamd/(.*)") { + proxy_pass http://127.0.0.1:11334/$1; + } + ''; + }; + }; }; }; }; From b74d72f722f7b84526c5543a17332ffb2daa2470 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 20 Jan 2023 15:57:12 +0100 Subject: [PATCH 48/55] configured dkim signing --- modules/mail.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index 5e929a5..1a64b7a 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -79,7 +79,13 @@ in read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; ''; - }; + "dkim_signing.conf".text = '' + path = "/var/lib/rspamd/dkim/$domain.$selector.key"; + selector = "quitte"; + sign_authenticated = true; + use_domain = "header"; + ''; + }; }; redis = { vmOverCommit = true; From 4e687b14844103911a913499ae0551c8f071113b Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 27 Jan 2023 16:39:25 +0100 Subject: [PATCH 49/55] some ldap config --- modules/mail.nix | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 1a64b7a..a6b46ea 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
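Review bot: The `/rspamd` location forwards with `if ($request_uri ~* "/rspamd/(.*)") { proxy_pass http://127.0.0.1:11334/$1; }`, which is both the `if`-inside-`location` pattern nginx warns against and a forward of the raw, unnormalized request URI (query string included) captured from `$request_uri`; a request for `/rspamd` without the trailing slash matches nothing and falls through to the default handler. A plain `locations."/rspamd/" = { proxyPass = "http://127.0.0.1:11334/"; proxyWebsockets = true; };` strips the prefix without `if` and without the regex. `servers.rspamd.port = 6379` also turns the dedicated redis instance into a TCP listener; the NixOS default bind should be loopback, but leaving `port` unset and pointing rspamd's `redis.conf` at the instance's unix socket would keep it unreachable by other local users too.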
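Review bot: `path = "/var/lib/rspamd/dkim/$domain.$selector.key"` with `selector = "quitte"` tells rspamd where the signing key lives, but nothing in this commit creates it or records its permissions, and `sign_authenticated = true` with `use_domain = "header"` means authenticated senders get signatures for whichever From-header domain a key exists for. A comment above `"dkim_signing.conf".text` such as `# key created with rspamadm dkim_keygen, owned by rspamd, mode 0600; publish quitte._domainkey.<domain> TXT` would capture the provisioning step this config depends on. The `locals` set starts outside the hunk.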
@@ -2,6 +2,21 @@ let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; + ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' + server_host = ldaps://auth.${config.fsr.domain} + search_base = dc=ifsr, dc=de + ''; + dovecot-ldap-args = pkgs.writeText "ldap-args" '' + uris = auth.${config.fsr.domain} + dn = uid=search, ou=admins, dc=ifsr, dc=de + + auth_bind = yes + ldap_version = 3 + scope = subtree + base = ou=ifsr, dc=ifsr, dc=de + user_filter = (&(ou=mail)(uid=%n)) + pass_filter = (&(ou=mail)(uid=%n)) + ''; in { sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; @@ -24,6 +39,7 @@ in "permit_sasl_authenticated" "permit_mynetworks" ]; + alias_maps = [ "ldap:${ldap-aliases}" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; virtual_mailbox_base = "/var/spool/mail"; @@ -57,9 +73,13 @@ in mail_location = maildir:/var/mail/%u auth_mechanisms = plain login disable_plaintext_auth = no + passdb { + driver = ldap + args = ${dovecot-ldap-args} + } userdb { - driver = passwd - args = blocking=no + driver = ldap + args = ${dovecot-ldap-args} } service auth { unix_listener /var/lib/postfix/auth { From e893690e1d7b164343a285043ef7482c2dfd87f6 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 3 Feb 2023 15:37:56 +0100 Subject: [PATCH 50/55] use search user for ldap --- modules/mail.nix | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index a6b46ea..7badeef 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
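Review bot: `uris = auth.${config.fsr.domain}` has no scheme, so Dovecot's ldap driver will most likely treat it as plain `ldap://` on port 389 even though `ldap-aliases` a few lines above deliberately uses `ldaps://auth.…`; write `uris = ldaps://auth.${config.fsr.domain}` (and make sure dovecot trusts the CA) or the bind password will be sent in clear once one is configured. `dn = uid=search, ou=admins, dc=ifsr, dc=de` is given with `auth_bind = yes` but no `dnpass`, so the lookup bind that precedes the user bind has a DN and no password, which a directory normally rejects. Both files are produced by `pkgs.writeText`, i.e. they sit world-readable in the Nix store — fine while they hold no secret, but it means a password must never be interpolated into them directly. The `let` block continues outside the hunk.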
@@ -2,18 +2,20 @@ let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; - ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' - server_host = ldaps://auth.${config.fsr.domain} - search_base = dc=ifsr, dc=de - ''; + # brauchen wir das überhaupt? + #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' + #server_host = ldap://localhost + #search_base = ou=mail, dc=ifsr, dc=de + #''; dovecot-ldap-args = pkgs.writeText "ldap-args" '' - uris = auth.${config.fsr.domain} - dn = uid=search, ou=admins, dc=ifsr, dc=de - + uris = ldap://localhost + dn = uid=search, ou=users, dc=ifsr, dc=de auth_bind = yes + dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search) + ldap_version = 3 scope = subtree - base = ou=ifsr, dc=ifsr, dc=de + base = dc=ifsr, dc=de user_filter = (&(ou=mail)(uid=%n)) pass_filter = (&(ou=mail)(uid=%n)) ''; @@ -39,7 +41,7 @@ in "permit_sasl_authenticated" "permit_mynetworks" ]; - alias_maps = [ "ldap:${ldap-aliases}" ]; + #alias_maps = [ "ldap:${ldap-aliases}" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; virtual_mailbox_base = "/var/spool/mail"; @@ -71,8 +73,6 @@ in }; extraConfig = '' mail_location = maildir:/var/mail/%u - auth_mechanisms = plain login - disable_plaintext_auth = no passdb { driver = ldap args = ${dovecot-ldap-args} From b600c70202a1696f335a3ce5d9de09457a7c1515 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 3 Feb 2023 15:50:36 +0100 Subject: [PATCH 51/55] formatting --- modules/mail.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 7badeef..c7c5e83 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
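Review bot: `dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search)` does not do what it looks like: Dovecot reads its ldap args file literally and performs no shell expansion, so the bind password becomes the string `$(/nix/store/…/bin/cat /run/secrets/portunus_search)` and every search bind fails; the same construct survives the switch to `config.sops.secrets."portunus_search".path` in patch 52 on this page. Because the file is built with `pkgs.writeText`, the real password cannot simply be interpolated either (it would land in the world-readable store); instead render the args file at service start from a secret-free template plus the sops secret — for example in `systemd.services.dovecot2.preStart` writing a root-only file under a runtime directory — and point `args` at that runtime path. The German comment `# brauchen wir das überhaupt?` should be English like the rest of the file, and the commented-out `ldap-aliases` block is better deleted than carried along.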
@@ -4,8 +4,8 @@ let domain = config.fsr.domain; # brauchen wir das überhaupt? #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' - #server_host = ldap://localhost - #search_base = ou=mail, dc=ifsr, dc=de + #server_host = ldap://localhost + #search_base = ou=mail, dc=ifsr, dc=de #''; dovecot-ldap-args = pkgs.writeText "ldap-args" '' uris = ldap://localhost @@ -105,7 +105,7 @@ in sign_authenticated = true; use_domain = "header"; ''; - }; + }; }; redis = { vmOverCommit = true; From 58449429b9ceffc622dfac26b79e48ef147a6930 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 3 Feb 2023 16:04:45 +0100 Subject: [PATCH 52/55] changed maildir to /var/lib/mail, rspamd fixes --- modules/mail.nix | 44 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index c7c5e83..d41bb4e 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -2,6 +2,7 @@ let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; + rspamd-domain = "rspamd.${config.fsr.domain}"; # brauchen wir das überhaupt? #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #server_host = ldap://localhost @@ -11,7 +12,7 @@ let uris = ldap://localhost dn = uid=search, ou=users, dc=ifsr, dc=de auth_bind = yes - dnpass = $(${pkgs.coreutils}/bin/cat /run/secrets/portunus_search) + dnpass = $(${pkgs.coreutils}/bin/cat ${config.sops.secrets."portunus_search".path}) ldap_version = 3 scope = subtree @@ -44,7 +45,7 @@ in #alias_maps = [ "ldap:${ldap-aliases}" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; - virtual_mailbox_base = "/var/spool/mail"; + virtual_mailbox_base = "/var/lib/mail"; }; }; dovecot2 = { @@ -72,7 +73,7 @@ in }; }; extraConfig = '' - mail_location = maildir:/var/mail/%u + mail_location = maildir:/var/lib/mail/%u passdb { driver = ldap args = ${dovecot-ldap-args} 
@@ -124,15 +125,14 @@ in virtualHosts."${hostname}" = { forceSSL = true; enableACME = true; + }; + virtualHosts."${rspamd-domain}" = { + forceSSL = true; + enableACME = true; locations = { - "/rspamd" = { + "/" = { + proxyPass = "http://127.0.0.1:11334"; proxyWebsockets = true; - - # maybe there is a more beautiful way for this - extraConfig = '' - if ($request_uri ~* "/rspamd/(.*)") { - proxy_pass http://127.0.0.1:11334/$1; - } ''; }; }; @@ -140,3 +140,27 @@ in }; }; } + + + + + + + + + + + + + + + + + + + + + + + + From f1b22088c20616d57270bad11786c4526a9b586b Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 3 Feb 2023 16:09:41 +0100 Subject: [PATCH 53/55] format fix --- modules/mail.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index d41bb4e..14c009c 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -133,7 +133,6 @@ in "/" = { proxyPass = "http://127.0.0.1:11334"; proxyWebsockets = true; - ''; }; }; }; From bb23a7f67adc615d1e0f05c98adf272a6db2a23b Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 15 Feb 2023 11:29:47 +0100 Subject: [PATCH 54/55] fixing the ldap user and temp disabling tls --- modules/ldap.nix | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index adbe392..c1e9eb9 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -9,6 +9,12 @@ let ldapGroup = "openldap"; in { + sops.secrets.unix_ldap_search = { + key = "portunus_search"; + owner = config.systemd.services.nslcd.serviceConfig.User; + }; + + users.users."${portunusUser}" = { isSystemUser = true; group = "${portunusGroup}"; 
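Review bot: The unchanged context line `'';` is left behind after the `extraConfig` string it closed was removed, so the `"/" = { … }` set no longer parses and this commit alone does not evaluate (the next patch on this page removes the stray line). Moving the rspamd controller to its own public vhost `virtualHosts."${rspamd-domain}"` with `proxyPass = "http://127.0.0.1:11334"` is cleaner than the old `if` block, but the admin UI is now reachable from anywhere with only the controller password in front of the spam-learning state; an nginx allow-list or `basicAuthFile` on that location would add a second layer. The second hunk of this patch adds only blank lines at the end of the file and should be dropped.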
@@ -56,18 +62,32 @@ in # disables port 389, use 636 with tls # `portunus.domain` resolves to localhost - tls = true; + #tls = true; }; seedPath = ../config/portunus_seeds.json; }; - users.ldap = { + #users.ldap = { + #enable = true; + #server = "ldap://localhost"; + #base = "${config.services.portunus.ldap.suffix}"; + #}; + users.ldap = let + portunus = config.services.portunus; + base = "ou=users,${portunus.ldap.suffix}"; + in { enable = true; server = "ldap://localhost"; - base = "${config.services.portunus.ldap.suffix}"; + base = base; + bind = { + distinguishedName = "uid=${portunus.ldap.searchUserName},${base}"; + passwordFile = config.sops.secrets.unix_ldap_search.path; + }; + daemon.enable = true; }; + services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { From 82f47b66cb5463752386c7823d43a482e0fdb399 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Wed, 15 Feb 2023 13:20:23 +0100 Subject: [PATCH 55/55] formatting --- modules/ldap.nix | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index c1e9eb9..dd459e0 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix 
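Review bot: Commenting out `tls = true;` on the Portunus LDAP server, whose own comment says it `disables port 389, use 636 with tls`, re-enables the plaintext listener and, if 636 is no longer served as a result, breaks the Matrix module on this page that binds to `ldaps://${portunus.domain}:636`; the "temp" in the commit title is not recorded anywhere in the file. Put a dated `# TODO(ldap): re-enable tls; nslcd and dovecot currently use ldap://localhost` above the line and, rather than downgrading the server, point the local clients at `ldaps://` with the ACME chain trusted (or at a unix socket if Portunus offers one). The new `bind` block with `passwordFile = config.sops.secrets.unix_ldap_search.path` and `daemon.enable = true` is the right shape; the commented-out previous `users.ldap` block above it can go. The `services.portunus` attribute set starts outside the hunk.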
@@ -69,23 +69,25 @@ in }; #users.ldap = { - #enable = true; - #server = "ldap://localhost"; - #base = "${config.services.portunus.ldap.suffix}"; + #enable = true; + #server = "ldap://localhost"; + #base = "${config.services.portunus.ldap.suffix}"; #}; - users.ldap = let - portunus = config.services.portunus; - base = "ou=users,${portunus.ldap.suffix}"; - in { - enable = true; - server = "ldap://localhost"; - base = base; - bind = { - distinguishedName = "uid=${portunus.ldap.searchUserName},${base}"; - passwordFile = config.sops.secrets.unix_ldap_search.path; + users.ldap = + let + portunus = config.services.portunus; + base = "ou=users,${portunus.ldap.suffix}"; + in + { + enable = true; + server = "ldap://localhost"; + base = base; + bind = { + distinguishedName = "uid=${portunus.ldap.searchUserName},${base}"; + passwordFile = config.sops.secrets.unix_ldap_search.path; + }; + daemon.enable = true; }; - daemon.enable = true; - }; services.nginx = {