trying to make sogo a little bit more secure
parent
c813f3ac83
commit
a8824ce574
18
flake.lock
18
flake.lock
|
@ -71,11 +71,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1676162277,
|
||||
"narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
|
||||
"lastModified": 1681005198,
|
||||
"narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d863ca850a06d91365c01620dcac342574ecf46f",
|
||||
"rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -87,11 +87,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1676375384,
|
||||
"narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
|
||||
"lastModified": 1681269223,
|
||||
"narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c43f676c938662072772339be6269226c77b51b8",
|
||||
"rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -116,11 +116,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1676171095,
|
||||
"narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
|
||||
"lastModified": 1681209176,
|
||||
"narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
|
||||
"rev": "00d5fd73756d424de5263b92235563bc06f2c6e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
SOGo-hostname = "mail.${config.fsr.domain}";
|
||||
sogo-hostname = "mail.${config.fsr.domain}";
|
||||
domain = config.fsr.domain;
|
||||
in
|
||||
{
|
||||
sops.secrets.ldap_search = {
|
||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||
};
|
||||
sops.secrets.postgres_sogo = {
|
||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||
};
|
||||
|
||||
services = {
|
||||
sogo = {
|
||||
|
@ -20,7 +23,7 @@ in
|
|||
UIDFieldName = uid;
|
||||
baseDN = "ou = users, dc=ifsr, dc=de";
|
||||
bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
|
||||
bindPassword = ${config.sops.secrets.ldap_search.path};
|
||||
bindPassword = LDAP_SEARCH;
|
||||
hostname = "ldap://localhost";
|
||||
canAuthenticate = YES;
|
||||
id = directory;
|
||||
|
@ -29,21 +32,29 @@ in
|
|||
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
|
||||
SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
|
||||
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
|
||||
|
||||
''; # Hier ist bindPassword noch nicht vollständig
|
||||
vhostName = "${SOGo-hostname}";
|
||||
configReplaces = {
|
||||
LDAP_SEARCH = config.sops.secrets.ldap_search.path;
|
||||
};
|
||||
vhostName = "${sogo-hostname}";
|
||||
timezone = "Europe/Berlin";
|
||||
};
|
||||
postgresql = {
|
||||
ensureUsers = [{
|
||||
name = "SOGo";
|
||||
}];
|
||||
ensureDatabases = [ "SOGo" ];
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "sogo";
|
||||
ensurePermissions = {
|
||||
"DATABASE sogo" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = [ "sogo" ];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."${SOGo-hostname}" = {
|
||||
virtualHosts."${sogo-hostname}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
|
@ -52,10 +63,22 @@ in
|
|||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
|
||||
|
||||
systemd.services.sogo-pgsetup = {
|
||||
description = "Prepare Sogo postgres database";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "networking.target" "postgresql.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
||||
script = ''
|
||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
|
||||
'';
|
||||
};
|
||||
|
||||
}
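Review bot: The three database URLs in the `@ -29,21 +32,29` hunk (unchanged context lines) still carry the literal credential `sogo:sogo`, while the new sogo-pgsetup unit in the last hunk resets role `sogo` to the value held in `postgres_sogo`; with password authentication on the TCP connection SOGo can no longer log in after the commit, and a literal password in `extraConfig` ends up in the world-readable Nix store, so the `configReplaces` mechanism this commit introduces for `LDAP_SEARCH` should carry the DB password too (the secret then has to be URI-safe or percent-encoded for libpq). Note that the `extraConfig` string opens before that hunk, so its start is not visible here. In the last hunk, `psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat …)'"` places the expanded secret on the psql command line, where any local user can read it from the process list while the command runs; feeding the statement through stdin keeps it out of argv (a `'` inside the secret would still break the SQL quoting — presumably the sops value avoids that, worth confirming). In the `@ -20,7 +23,7` hunk the placeholder is substituted unquoted (`bindPassword = LDAP_SEARCH;`), so a secret containing characters outside the plist bare-token set breaks the generated sogo.conf; `bindPassword = "LDAP_SEARCH";` is the safer form. Two smaller points: `after = [ "networking.target" … ]` names a unit systemd does not provide (`network.target` is the conventional one), and the pre-existing `postgreql://` in `SOGoFolderInfoURL` is a typo.
```nix
# … unchanged: LDAP source and earlier extraConfig lines …
      SOGoProfileURL = "postgresql://sogo:POSTGRES_SOGO@localhost:5432/sogo/sogo_user_profile";
      SOGoFolderInfoURL = "postgresql://sogo:POSTGRES_SOGO@localhost:5432/sogo/sogo_folder_info";
      OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_SOGO@localhost:5432/sogo/sogo_sessions_folder";
    '';
    configReplaces = {
      LDAP_SEARCH = config.sops.secrets.ldap_search.path;
      POSTGRES_SOGO = config.sops.secrets.postgres_sogo.path;
    };
# … unchanged: vhostName, timezone, postgresql, nginx, unit ordering …
    script = ''
      sudo -u ${config.services.postgresql.superUser} psql -v ON_ERROR_STOP=1 <<EOF
      ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})';
      EOF
    '';
```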
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
|
||||
postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
|
||||
postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
|
||||
postgres_sogo: ENC[AES256_GCM,data:CkHaLVcDuznmjXWNBDKzXdjMY8EkCg6ARHtVkZxNNgI=,iv:CpzmvN/caV+xozQnxEtR99ZJtMAdH5rSt3SHAKiHAIE=,tag:IeNR2z9FG+XepYwsYEHaoA==,type:str]
|
||||
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
|
||||
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
|
||||
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
|
||||
|
@ -29,8 +30,8 @@ sops:
|
|||
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
|
||||
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-03T21:11:07Z"
|
||||
mac: ENC[AES256_GCM,data:rRaRGEZ0OSuABW2Fh2bKIt9eu8XQf+fHGFYhYzENwl46KErNAtRuw1Zphx1xOBh6hTFcpfc2IzbuLlBtLN7SyL0Z7az2ze/ds1I8cnz08Q9sv/BgrcF6zYOdvd1XetwuQsGPIxKvi3FDr/KBET5DbXGS2TOw58VgeurUMAiuXU0=,iv:dfsXrOYHwmfvg9UtTPLtpgV/PaFOlzgEMNliwgzePww=,tag:vRvupS+FtwaaQvaKFyHGAA==,type:str]
|
||||
lastmodified: "2023-04-03T21:29:19Z"
|
||||
mac: ENC[AES256_GCM,data:rpUgxzTSUAHjCJKIvCXRGSiJF3G4LyTqQXL1x9yUeEe18WHEBWowllMF4S2sqKDU4WLwElCjz/vU8/W3HjrhHK8DHBRIw+7ztol7e3KZdiRJuj+3yazsxo34DkM4mMvA125llFJhhys3w+9WOrdlY9mVITv8uVfLbSYBDLZ6dAg=,iv:K7QXSE7YixdZcPAJo7vXkPvjFuOzkglIxHQefCFYHig=,tag:7gsDdVKLOvjfTQVU0orreA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-18T16:37:48Z"
|
||||
enc: |
|
||||
|
|
|
@ -2,6 +2,7 @@ wg-fsr: ENC[AES256_GCM,data:lowgrdHM,iv:DueIQ7nAFo/5NJrjvMwiUIYBtQ0xks1/DEfQDzgD
|
|||
postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
|
||||
postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
|
||||
postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
|
||||
postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0w3yeLYHVFdnx7fxCvLqK80=,tag:22VqPcPp/Y57FKM0RmSiiA==,type:str]
|
||||
nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
|
||||
hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
|
||||
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
|
||||
|
@ -29,8 +30,8 @@ sops:
|
|||
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
|
||||
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-03T21:11:24Z"
|
||||
mac: ENC[AES256_GCM,data:SheawpXSXX7pWeGwpZkQa4deAI9tdq4hb/Ms2L5TrjimD3CFA+tBGnwZZat7VR/4UQ+8AsReShZwYZR9vhP90NAjlODjaL3GU3bo5+WGT0jfLyEdPmmSnQsv8n2jipKWPZLb6GNBLYNF06p43KyKi7Vl7ie2KSDt6BonZqEo89Q=,iv:Z45sHZv/eIfBf7uE8Vyv7mRdsrdJPj13EoKrSKjW8C0=,tag:PfWEUmLtC6t1gKXJj8y/+Q==,type:str]
|
||||
lastmodified: "2023-04-03T21:29:36Z"
|
||||
mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-18T16:37:58Z"
|
||||
enc: |
|
||||
|
|