diff --git a/modules/sogo.nix b/modules/sogo.nix
index f60bba7..f0ae723 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
 sogo-hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
@@ -13,27 +13,30 @@ in
 };
 services = {
+ memcached.enable = true;
 sogo = {
 enable = true;
 language = "German";
 extraConfig = ''
- WOWorkersCount = 10;
- SOGoUserSources = ({
- type = ldap;
- CNFieldName = cn;
- UIDFieldName = uid;
- baseDN = "ou=users, dc=ifsr, dc=de";
- bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
- bindPassword = LDAP_SEARCH;
- hostname = "ldap://localhost";
- canAuthenticate = YES;
- id = directory;
+ WOWorkersCount = 10;
+ SOGoUserSources = ({
+ type = ldap;
+ CNFieldName = cn;
+ UIDFieldName = uid;
+ IDFieldName = uid;
+
+ baseDN = "ou=users, dc=ifsr, dc=de";
+ bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
+ bindPassword = LDAP_SEARCH;
+ hostname = "ldap://localhost";
+ canAuthenticate = YES;
+ id = directory;
- });
- SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
- SOGoFolderInfoURL = "postgreql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
- OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
- ''; # Hier ist bindPassword noch nicht vollständig
+ });
+ SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
+ OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
+ OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
+ '';
 configReplaces = {
 "LDAP_SEARCH" = config.sops.secrets.ldap_search.path;
 "POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
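Review bot: `memcached.enable = true;` in the services hunk is added without a comment, and memcached carries no authentication of its own, so the service must stay on the loopback interface; NixOS's `services.memcached.listen` defaults to 127.0.0.1, but pinning it next to the enable line, `memcached.listen = "127.0.0.1";`, makes that requirement visible to the next editor. The LDAP user source still binds to `ldap://localhost` in cleartext with the search account's password; that is acceptable only because the directory is local, and a comment such as `# plain LDAP is fine only while the directory stays on this host` would keep a later move to a remote LDAP server from silently exposing the credential. The removed `SOGoFolderInfoURL` line (which also carried a `postgreql` typo) is replaced by `OCSFolderInfoURL`; since the key lives inside a string, nix evaluation will not catch a wrong name, so it is worth confirming against the SOGo version in use that this key is the one read. The `sogo` attribute set continues outside the hunk.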
@@ -57,13 +60,41 @@ in
 nginx = {
 recommendedProxySettings = true;
 virtualHosts."${sogo-hostname}" = {
+ extraConfig = ''
+ proxy_busy_buffers_size 64k;
+ proxy_buffers 8 64k;
+ proxy_buffer_size 64k;
+ '';
 forceSSL = true;
 enableACME = true;
 locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:20000";
- proxyWebsockets = true;
- };
+
+
+ "^~/SOGo".extraConfig = lib.mkForce ''
+ proxy_pass http://127.0.0.1:20000;
+ proxy_redirect http://127.0.0.1:20000 default;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+ proxy_set_header x-webobjects-remote-host 127.0.0.1;
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $scheme://$host;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffer_size 64k;
+ proxy_buffers 8 64k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ client_max_body_size 50m;
+ client_body_buffer_size 128k;
+ break;
+ '';
+
+ };
 };
 };
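Review bot: The hand-written `proxy_set_header` list in the `^~/SOGo` location replaces, rather than extends, the headers that `recommendedProxySettings = true` (context above) injects at the http level, because nginx does not merge `proxy_set_header` across levels once a location declares its own; in particular `X-Forwarded-Proto` is no longer forwarded, so SOGo learns the scheme only through `x-webobjects-server-url`, which is fine as long as that is understood and noted in a comment. The `proxy_buffer_size`/`proxy_buffers`/`proxy_busy_buffers_size` directives appear both in the new vhost `extraConfig` and again inside the location, so one copy is redundant. `proxy_redirect http://127.0.0.1:20000 default;` passes two arguments, which nginx appears to read as a literal replacement string rather than the `default` keyword; this mirrors the upstream SOGo example, but `proxy_redirect default;` is the intended form and worth verifying with `nginx -t` plus a Location-header check. `lib.mkForce` on the location's `extraConfig` has no effect unless another module defines the same option, so either drop it or add a comment naming the conflicting definition it overrides. With the `/` location removed, requests to the site root no longer reach SOGo; if that is intended, a comment or a `"/".return = "301 /SOGo";` entry would make the decision explicit.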
@@ -71,6 +102,28 @@ in
 systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
+ # one of these prevents access to sendmail, don't know which one
+ systemd.services.sogo.serviceConfig = {
+ LockPersonality = lib.mkForce false;
+
+ MemoryDenyWriteExecute = lib.mkForce false;
+ NoNewPrivileges = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ ProtectClock = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ RestrictAddressFamilies = lib.mkForce [ ];
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ SystemCallArchitectures = lib.mkForce "";
+ SystemCallFilter = lib.mkForce [ ];
+ ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";
+
+ };
+
 systemd.services.sogo-pgsetup = {
 description = "Prepare Sogo postgres database";
 wantedBy = [ "multi-user.target" ];
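Review bot: The new `systemd.services.sogo.serviceConfig` block switches off the entire hardening profile of the upstream SOGo unit (no-new-privileges, user namespacing, the seccomp filter, device and kernel isolation) to fix a single sendmail problem, and the comment `# one of these prevents access to sendmail, don't know which one` confirms the cause was never narrowed down. Postfix's sendmail client is normally setgid so it can write into the maildrop queue, which is exactly what `NoNewPrivileges` and `PrivateUsers` neutralise (and possibly the system call filter), so reverting only those two together with the `ReadWriteDirectories` entry is the first thing to try before touching `SystemCallFilter`, `SystemCallArchitectures`, `ProtectKernel*` or `MemoryDenyWriteExecute`. Once the culprit is identified, replace the comment with one naming the option and the reason, e.g. `# postfix sendmail is setgid and needs NoNewPrivileges=false to enqueue mail`, and remove the rest of the overrides. `ReadWriteDirectories` is the deprecated spelling of this setting; `ReadWritePaths` is the current name. The enclosing module attribute set starts and ends outside the hunk.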