From a8824ce574a12d7fcc53eb77c0163213336c97e5 Mon Sep 17 00:00:00 2001
From: revol-xut
Date: Thu, 13 Apr 2023 18:38:37 +0200
Subject: [PATCH 1/3] trying to make sogo a little bit more secure

---
 flake.lock | 18 +++++++--------
 modules/sogo.nix | 55 ++++++++++++++++++++++++++++++++-------------
 secrets/quitte.yaml | 5 +++--
 secrets/test.yaml | 5 +++--
 4 files changed, 54 insertions(+), 29 deletions(-)

diff --git a/flake.lock b/flake.lock
index 3650034..59ede56 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1676162277,
- "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
+ "lastModified": 1681005198,
+ "narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
+ "rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a",
 "type": "github"
 },
 "original": {
@@ -87,11 +87,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1676375384,
- "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
+ "lastModified": 1681269223,
+ "narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c43f676c938662072772339be6269226c77b51b8",
+ "rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
 "type": "github"
 },
 "original": {
@@ -116,11 +116,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1676171095,
- "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
+ "lastModified": 1681209176,
+ "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
+ "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1",
 "type": "github"
 },
 "original": {
diff --git a/modules/sogo.nix b/modules/sogo.nix
index 6f67965..269162f 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -1,12 +1,15 @@ { config, pkgs, ... }: let - SOGo-hostname = "mail.${config.fsr.domain}"; + sogo-hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; in { sops.secrets.ldap_search = { owner = config.systemd.services.sogo.serviceConfig.User; }; + sops.secrets.postgres_sogo = { + owner = config.systemd.services.sogo.serviceConfig.User; + }; services = { sogo = { @@ -20,30 +23,38 @@ in UIDFieldName = uid; baseDN = "ou = users, dc=ifsr, dc=de"; bindDN = "uid=search, ou=users, dc=ifsr, dc=de"; - bindPassword = ${config.sops.secrets.ldap_search.path}; + bindPassword = LDAP_SEARCH; hostname = "ldap://localhost"; canAuthenticate = YES; id = directory; }); SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"; - SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"; - + SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"; ''; # Hier ist bindPassword noch nicht vollständig - vhostName = "${SOGo-hostname}"; + configReplaces = { + LDAP_SEARCH = config.sops.secrets.ldap_search.path; + }; + vhostName = "${sogo-hostname}"; timezone = "Europe/Berlin"; }; - postgresql = { - ensureUsers = [{ - name = "SOGo"; - }]; - ensureDatabases = [ "SOGo" ]; - }; + postgresql = { + enable = true; + ensureUsers = [ + { + name = "sogo"; + ensurePermissions = { + "DATABASE sogo" = "ALL PRIVILEGES"; + }; + } + ]; + ensureDatabases = [ "sogo" ]; + }; nginx = { recommendedProxySettings = true; - virtualHosts."${SOGo-hostname}" = { + virtualHosts."${sogo-hostname}" = { forceSSL = true; enableACME = true; locations = { 
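Review bot: The scheme in `SOGoFolderInfoURL` on the new side of hunk `@@ -20,30 +23,38 @@` is misspelled — `postgreql://` instead of `postgresql://` — so the folder-info store cannot be reached; the line should read `SOGoFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";`. The same typo is carried forward unchanged on the new side of `@@ -29,28 +30,29 @@` in PATCH 2/3 and into the context of PATCH 3/3, so it needs fixing there as well. Separately, `bindPassword = LDAP_SEARCH;` leaves the substituted secret unquoted in the SOGo config; unless the LDAP bind password is known to be a plain alphanumeric token, `bindPassword = "LDAP_SEARCH";` is the safer form — confirm that the configReplaces substitution still matches the quoted placeholder. The enclosing `services.sogo` attribute set starts and ends outside this hunk.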
@@ -52,10 +63,22 @@ in proxyWebsockets = true; }; }; - - }; - }; }; + + systemd.services.sogo.after = [ "sogo-pgsetup.service" ]; + + systemd.services.sogo-pgsetup = { + description = "Prepare Sogo postgres database"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" "postgresql.service" ]; + serviceConfig.Type = "oneshot"; + + path = [ pkgs.sudo config.services.postgresql.package ]; + script = '' + sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'" + ''; + }; + }
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index d78b8ca..7b6a75c 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -1,6 +1,7 @@
 postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
 postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
 postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
+postgres_sogo: ENC[AES256_GCM,data:CkHaLVcDuznmjXWNBDKzXdjMY8EkCg6ARHtVkZxNNgI=,iv:CpzmvN/caV+xozQnxEtR99ZJtMAdH5rSt3SHAKiHAIE=,tag:IeNR2z9FG+XepYwsYEHaoA==,type:str]
 nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
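Review bot: In the `sogo-pgsetup` script the password is expanded by `$(cat …)` inside the `psql -c "…"` argument, so the plaintext becomes part of psql's argv and is readable by any local user through `ps` or `/proc/<pid>/cmdline` while the command runs; a password containing `'` also breaks the SQL literal. Read the secret into a shell variable, double any embedded single quotes, and feed the statement to psql on stdin instead, as below. `after = [ "networking.target" … ]` names a unit that does not exist — systemd's target is `network.target` — so that ordering is a silent no-op. `systemd.services.sogo.after` only orders sogo behind the setup unit; if sogo must not start with a stale password, add `requires = [ "sogo-pgsetup.service" ];` on `systemd.services.sogo` as well. The top-level attribute set this hunk closes is opened outside the hunk.
```nix
      after = [ "network.target" "postgresql.service" ];
      # … unchanged: serviceConfig.Type and path …
      script = ''
        pw="$(cat ${config.sops.secrets.postgres_sogo.path})"
        # double single quotes so the SQL literal stays well-formed; the statement goes over stdin, not argv
        pw="''${pw//\'/\'\'}"
        sudo -u ${config.services.postgresql.superUser} psql -v ON_ERROR_STOP=1 <<EOF
        ALTER ROLE sogo WITH PASSWORD '$pw';
        EOF
      '';
```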
@@ -29,8 +30,8 @@ sops:
 Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
 KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-03T21:11:07Z"
- mac: ENC[AES256_GCM,data:rRaRGEZ0OSuABW2Fh2bKIt9eu8XQf+fHGFYhYzENwl46KErNAtRuw1Zphx1xOBh6hTFcpfc2IzbuLlBtLN7SyL0Z7az2ze/ds1I8cnz08Q9sv/BgrcF6zYOdvd1XetwuQsGPIxKvi3FDr/KBET5DbXGS2TOw58VgeurUMAiuXU0=,iv:dfsXrOYHwmfvg9UtTPLtpgV/PaFOlzgEMNliwgzePww=,tag:vRvupS+FtwaaQvaKFyHGAA==,type:str]
+ lastmodified: "2023-04-03T21:29:19Z"
+ mac: ENC[AES256_GCM,data:rpUgxzTSUAHjCJKIvCXRGSiJF3G4LyTqQXL1x9yUeEe18WHEBWowllMF4S2sqKDU4WLwElCjz/vU8/W3HjrhHK8DHBRIw+7ztol7e3KZdiRJuj+3yazsxo34DkM4mMvA125llFJhhys3w+9WOrdlY9mVITv8uVfLbSYBDLZ6dAg=,iv:K7QXSE7YixdZcPAJo7vXkPvjFuOzkglIxHQefCFYHig=,tag:7gsDdVKLOvjfTQVU0orreA==,type:str]
 pgp:
 - created_at: "2022-11-18T16:37:48Z"
 enc: |
diff --git a/secrets/test.yaml b/secrets/test.yaml
index 01a3964..e68e340 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@@ -2,6 +2,7 @@ wg-fsr: ENC[AES256_GCM,data:lowgrdHM,iv:DueIQ7nAFo/5NJrjvMwiUIYBtQ0xks1/DEfQDzgD
 postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
 postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
 postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
+postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0w3yeLYHVFdnx7fxCvLqK80=,tag:22VqPcPp/Y57FKM0RmSiiA==,type:str]
 nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
 wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
@@ -29,8 +30,8 @@ sops:
 MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
 ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-03T21:11:24Z"
- mac: ENC[AES256_GCM,data:SheawpXSXX7pWeGwpZkQa4deAI9tdq4hb/Ms2L5TrjimD3CFA+tBGnwZZat7VR/4UQ+8AsReShZwYZR9vhP90NAjlODjaL3GU3bo5+WGT0jfLyEdPmmSnQsv8n2jipKWPZLb6GNBLYNF06p43KyKi7Vl7ie2KSDt6BonZqEo89Q=,iv:Z45sHZv/eIfBf7uE8Vyv7mRdsrdJPj13EoKrSKjW8C0=,tag:PfWEUmLtC6t1gKXJj8y/+Q==,type:str]
+ lastmodified: "2023-04-03T21:29:36Z"
+ mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str]
 pgp:
 - created_at: "2022-11-18T16:37:58Z"
 enc: |

From 9cda0097fc63a99c26c0d516cffe286d08fdad4a Mon Sep 17 00:00:00 2001
From: revol-xut
Date: Thu, 13 Apr 2023 18:52:15 +0200
Subject: [PATCH 2/3] fixing database string

---
 modules/sogo.nix | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/modules/sogo.nix b/modules/sogo.nix
index 269162f..11b5e62 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -2,6 +2,7 @@ let sogo-hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; + pg-port = config.services.postgresql.port; in { sops.secrets.ldap_search = {
@@ -29,28 +30,29 @@ in id = directory; }); - SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"; - SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"; + SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile"; + SOGoFolderInfoURL = "postgreql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder"; ''; # Hier ist bindPassword noch nicht vollständig configReplaces = { - LDAP_SEARCH = config.sops.secrets.ldap_search.path; + LDAP_SEARCH = config.sops.secrets.ldap_search.path; + POSTGRES_PASSWORD = config.sops.secrets.postgres_sogo; }; vhostName = "${sogo-hostname}"; timezone = "Europe/Berlin"; }; - postgresql = { - enable = true; - ensureUsers = [ - { - name = "sogo"; - ensurePermissions = { - "DATABASE sogo" = "ALL PRIVILEGES"; - }; - } - ]; - ensureDatabases = [ "sogo" ]; - }; + postgresql = { + enable = true; + ensureUsers = [ + { + name = "sogo"; + ensurePermissions = { + "DATABASE sogo" = "ALL PRIVILEGES"; + }; + } + ]; + ensureDatabases = [ "sogo" ]; + }; nginx = { recommendedProxySettings = true; From 25b6d7189631b74f44c3e7a305f655e3f0b6fa88 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Thu, 13 Apr 2023 19:35:10 +0200 Subject: [PATCH 3/3] fixing the secrets --- modules/sogo.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/sogo.nix b/modules/sogo.nix index 11b5e62..92b716f 100644 --- a/modules/sogo.nix +++ b/modules/sogo.nix @@ -2,7 +2,7 @@ let sogo-hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; - pg-port = config.services.postgresql.port; + pg-port = toString config.services.postgresql.port; in { sops.secrets.ldap_search = { 
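Review bot: The value substituted for `POSTGRES_PASSWORD` in the new `SOGoProfileURL`, `SOGoFolderInfoURL` and `OCSSessionsFolderURL` strings is embedded verbatim in the userinfo part of a URL, so a generated secret containing `@`, `/`, `:`, `#`, `%` or `?` will break URL parsing or be misread as host or path. Either generate `postgres_sogo` from a URL-safe alphabet or store it percent-encoded, and record that constraint next to the placeholders, e.g. `# postgres_sogo is spliced into these URLs unencoded, so the secret must be URL-safe`. Note the same secret file also feeds `ALTER ROLE … PASSWORD` in `sogo-pgsetup`, so a percent-encoded value would have to be decoded there; a restricted alphabet avoids that mismatch. The `services.sogo` attribute set continues on both sides of this hunk.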
@@ -35,8 +35,8 @@ in
 OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
 ''; # Hier ist bindPassword noch nicht vollständig
 configReplaces = {
- LDAP_SEARCH = config.sops.secrets.ldap_search.path;
- POSTGRES_PASSWORD = config.sops.secrets.postgres_sogo;
+ "LDAP_SEARCH" = config.sops.secrets.ldap_search.path;
+ "POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
 };
 vhostName = "${sogo-hostname}";
 timezone = "Europe/Berlin";
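Review bot: The context comment `''; # Hier ist bindPassword noch nicht vollständig` is stale now that both `LDAP_SEARCH` and `POSTGRES_PASSWORD` are mapped to secret files in `configReplaces`, and it leaves a reader guessing how the placeholders get filled. Replace it with `''; # LDAP_SEARCH and POSTGRES_PASSWORD are placeholders; configReplaces swaps in the contents of the sops secret files`. Since the substitution presumably runs in the sogo service's pre-start step, it is also worth confirming that the files referenced by `.path` are readable by the user that step runs as — PATCH 1/3 sets `owner` on both secrets for the sogo service user, which is consistent with that but not verified here. The enclosing `services.sogo` attribute set starts outside this hunk.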