commit
a58b35e382
18
flake.lock
18
flake.lock
|
@ -71,11 +71,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1680390120,
|
"lastModified": 1681005198,
|
||||||
"narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
|
"narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
|
"rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -87,11 +87,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1680334310,
|
"lastModified": 1681269223,
|
||||||
"narHash": "sha256-ISWz16oGxBhF7wqAxefMPwFag6SlsA9up8muV79V9ck=",
|
"narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "884e3b68be02ff9d61a042bc9bd9dd2a358f95da",
|
"rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -116,11 +116,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1680404136,
|
"lastModified": 1681209176,
|
||||||
"narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
|
"narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "b93eb910f768f9788737bfed596a598557e5625d",
|
"rev": "00d5fd73756d424de5263b92235563bc06f2c6e1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -1,12 +1,16 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
SOGo-hostname = "mail.${config.fsr.domain}";
|
sogo-hostname = "mail.${config.fsr.domain}";
|
||||||
domain = config.fsr.domain;
|
domain = config.fsr.domain;
|
||||||
|
pg-port = toString config.services.postgresql.port;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets.ldap_search = {
|
sops.secrets.ldap_search = {
|
||||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||||
};
|
};
|
||||||
|
sops.secrets.postgres_sogo = {
|
||||||
|
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||||
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
sogo = {
|
sogo = {
|
||||||
|
@ -20,30 +24,39 @@ in
|
||||||
UIDFieldName = uid;
|
UIDFieldName = uid;
|
||||||
baseDN = "ou = users, dc=ifsr, dc=de";
|
baseDN = "ou = users, dc=ifsr, dc=de";
|
||||||
bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
|
bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
|
||||||
bindPassword = ${config.sops.secrets.ldap_search.path};
|
bindPassword = LDAP_SEARCH;
|
||||||
hostname = "ldap://localhost";
|
hostname = "ldap://localhost";
|
||||||
canAuthenticate = YES;
|
canAuthenticate = YES;
|
||||||
id = directory;
|
id = directory;
|
||||||
|
|
||||||
});
|
});
|
||||||
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
|
SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
|
||||||
SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
|
SOGoFolderInfoURL = "postgreql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
|
||||||
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
|
OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
|
||||||
|
|
||||||
''; # Hier ist bindPassword noch nicht vollständig
|
''; # Hier ist bindPassword noch nicht vollständig
|
||||||
vhostName = "${SOGo-hostname}";
|
configReplaces = {
|
||||||
|
"LDAP_SEARCH" = config.sops.secrets.ldap_search.path;
|
||||||
|
"POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
|
||||||
|
};
|
||||||
|
vhostName = "${sogo-hostname}";
|
||||||
timezone = "Europe/Berlin";
|
timezone = "Europe/Berlin";
|
||||||
};
|
};
|
||||||
postgresql = {
|
postgresql = {
|
||||||
ensureUsers = [{
|
enable = true;
|
||||||
name = "SOGo";
|
ensureUsers = [
|
||||||
}];
|
{
|
||||||
ensureDatabases = [ "SOGo" ];
|
name = "sogo";
|
||||||
|
ensurePermissions = {
|
||||||
|
"DATABASE sogo" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ensureDatabases = [ "sogo" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
nginx = {
|
nginx = {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts."${SOGo-hostname}" = {
|
virtualHosts."${sogo-hostname}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
|
@ -52,10 +65,22 @@ in
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
|
||||||
|
|
||||||
|
systemd.services.sogo-pgsetup = {
|
||||||
|
description = "Prepare Sogo postgres database";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "networking.target" "postgresql.service" ];
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
|
||||||
|
path = [ pkgs.sudo config.services.postgresql.package ];
|
||||||
|
script = ''
|
||||||
|
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
|
postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
|
||||||
postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
|
postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
|
||||||
postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
|
postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
|
||||||
|
postgres_sogo: ENC[AES256_GCM,data:CkHaLVcDuznmjXWNBDKzXdjMY8EkCg6ARHtVkZxNNgI=,iv:CpzmvN/caV+xozQnxEtR99ZJtMAdH5rSt3SHAKiHAIE=,tag:IeNR2z9FG+XepYwsYEHaoA==,type:str]
|
||||||
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
|
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
|
||||||
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
|
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
|
||||||
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
|
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
|
||||||
|
@ -29,8 +30,8 @@ sops:
|
||||||
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
|
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
|
||||||
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
|
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-04-03T21:11:07Z"
|
lastmodified: "2023-04-03T21:29:19Z"
|
||||||
mac: ENC[AES256_GCM,data:rRaRGEZ0OSuABW2Fh2bKIt9eu8XQf+fHGFYhYzENwl46KErNAtRuw1Zphx1xOBh6hTFcpfc2IzbuLlBtLN7SyL0Z7az2ze/ds1I8cnz08Q9sv/BgrcF6zYOdvd1XetwuQsGPIxKvi3FDr/KBET5DbXGS2TOw58VgeurUMAiuXU0=,iv:dfsXrOYHwmfvg9UtTPLtpgV/PaFOlzgEMNliwgzePww=,tag:vRvupS+FtwaaQvaKFyHGAA==,type:str]
|
mac: ENC[AES256_GCM,data:rpUgxzTSUAHjCJKIvCXRGSiJF3G4LyTqQXL1x9yUeEe18WHEBWowllMF4S2sqKDU4WLwElCjz/vU8/W3HjrhHK8DHBRIw+7ztol7e3KZdiRJuj+3yazsxo34DkM4mMvA125llFJhhys3w+9WOrdlY9mVITv8uVfLbSYBDLZ6dAg=,iv:K7QXSE7YixdZcPAJo7vXkPvjFuOzkglIxHQefCFYHig=,tag:7gsDdVKLOvjfTQVU0orreA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2022-11-18T16:37:48Z"
|
- created_at: "2022-11-18T16:37:48Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
@ -2,6 +2,7 @@ wg-fsr: ENC[AES256_GCM,data:lowgrdHM,iv:DueIQ7nAFo/5NJrjvMwiUIYBtQ0xks1/DEfQDzgD
|
||||||
postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
|
postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
|
||||||
postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
|
postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
|
||||||
postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
|
postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
|
||||||
|
postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0w3yeLYHVFdnx7fxCvLqK80=,tag:22VqPcPp/Y57FKM0RmSiiA==,type:str]
|
||||||
nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
|
nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
|
||||||
hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
|
hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
|
||||||
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
|
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
|
||||||
|
@ -29,8 +30,8 @@ sops:
|
||||||
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
|
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
|
||||||
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
|
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-04-03T21:11:24Z"
|
lastmodified: "2023-04-03T21:29:36Z"
|
||||||
mac: ENC[AES256_GCM,data:SheawpXSXX7pWeGwpZkQa4deAI9tdq4hb/Ms2L5TrjimD3CFA+tBGnwZZat7VR/4UQ+8AsReShZwYZR9vhP90NAjlODjaL3GU3bo5+WGT0jfLyEdPmmSnQsv8n2jipKWPZLb6GNBLYNF06p43KyKi7Vl7ie2KSDt6BonZqEo89Q=,iv:Z45sHZv/eIfBf7uE8Vyv7mRdsrdJPj13EoKrSKjW8C0=,tag:PfWEUmLtC6t1gKXJj8y/+Q==,type:str]
|
mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2022-11-18T16:37:58Z"
|
- created_at: "2022-11-18T16:37:58Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
Loading…
Reference in a new issue