wurzel/fruitbasket
9
1
Fork 0
Code Issues 5 Pull requests Packages Projects Releases Wiki Activity

Compare commits

base: wurzel:4fdca3ba1a4191c56e51819707350aa167bc1825
Branches Tags
wurzel:main
wurzel:purgetunus
wurzel:upgrade-24.05
wurzel:monitoring
wurzel:nix-remote
...
compare: wurzel:f54d5fd867da73ee8a69ffb890b1159c44d680c2
Branches Tags
wurzel:main
wurzel:purgetunus
wurzel:upgrade-24.05
wurzel:monitoring
wurzel:nix-remote

56 commits
4fdca3ba1a ... f54d5fd867

Author SHA1 Message Date
Rouven Seifert f54d5fd867 forgejo actions: disable native for now 2024-09-03 11:24:41 +02:00
Rouven Seifert 5286041789 forgejo: initial runner configuration 2024-09-03 11:24:41 +02:00
quitte 703002d148 forgejo: allow *.ifsr.de webhooks 2024-09-03 10:44:26 +02:00
quitte 382bbc6601 forgejo: federation 2024-09-03 10:17:25 +02:00
quitte 6416be37f5 kanboard: move away from podman because of nftables and podman bug 2024-09-02 11:14:02 +02:00
quitte 23a5062f7b kanboard: update 2024-09-02 10:34:23 +02:00
quitte a6ada675df save the teich!!! 2024-09-02 09:49:25 +02:00
Rouven Seifert e470b83cb6
keycloak: remove dangling file 2024-09-01 22:40:52 +02:00
Benno Fünfstück c1a0b67261 add hyperilo reverse proxy 2024-09-01 21:39:45 +02:00
Rouven Seifert 0d0512a539
keycloak: add ifsr theme 2024-08-31 22:15:42 +02:00
Rouven Seifert c4d2b5fd08
readd stream.ifsr.de 2024-08-31 13:48:18 +02:00
Rouven Seifert c5cc3bd8b8
updates 2024-08-31 2024-08-31 13:39:27 +02:00
Jonas Gaffke 923d8a8697 minecraft: allow monitoring ip 2024-08-29 07:59:46 +02:00
Rouven Seifert a506e7d550
updates 2024-08-28 2024-08-28 16:38:24 +02:00
Rouven Seifert 62b344a2c2
minecraft: switch to fabric 2024-08-26 13:53:44 +02:00
Rouven Seifert 72566b656a
updates 2024-08-23 2024-08-23 13:48:08 +02:00
quitte ab1e4d10ee update 2024-08-21 2024-08-21 18:13:05 +02:00
quitte f268507d85 base: add yazi 2024-08-21 18:07:15 +02:00
Rouven Seifert df82b2e35b
updates 2024-08-20 2024-08-20 20:21:06 +02:00
Rouven Seifert 7d1cf705ee
updates 2024-08-14 2024-08-14 14:03:32 +02:00
Rouven Seifert 697df17b33
updates 2024-08-13 2024-08-13 16:49:57 +02:00
Rouven Seifert 530570699a
updates 2024-08-12 2024-08-12 16:01:18 +02:00
Rouven Seifert 3fae2321f3
updates 2024-08-07 2024-08-07 11:39:49 +02:00
Rouven Seifert 00104e593c
updates 2024-08-01 2024-08-01 16:26:34 +02:00
Rouven Seifert 33497714db
updates 2024-07-30 2024-07-30 13:01:00 +02:00
Rouven Seifert d7389d41da
updates 2024-07-27 2024-07-27 13:40:58 +02:00
Lyn Fugmann 42b3613b95
add mailman error fix 2024-07-26 13:10:36 +02:00
Rouven Seifert 799c9a67ff
logging: fix filemodes 2024-07-24 10:53:35 +02:00
Rouven Seifert 6d6e00f5bf
bluemap: render hourly 2024-07-22 18:09:36 +02:00
Rouven Seifert 49d48dc8d4
minecraft: fix server and init bluemap 2024-07-22 18:05:26 +02:00
Rouven Seifert 7a9e841a5f
treewide: format 2024-07-22 18:05:07 +02:00
Rouven Seifert 85f8932908
minecraft-server: init 2024-07-22 13:26:53 +02:00
Rouven Seifert 21a1000dad
updates: 2024-07-19 2024-07-19 10:58:00 +02:00
Rouven Seifert fe5836b8c9
updates 2024-07-15 2024-07-15 17:15:39 +02:00
Rouven Seifert 340781cafd
rspamd: allow more regexes in blacklists 2024-07-14 14:32:25 +02:00
Rouven Seifert 2fc48b6708
updates 2024-07-12 2024-07-12 14:02:43 +02:00
Rouven Seifert 3480be73ef
updates 2024-07-07 2024-07-07 14:04:55 +02:00
Rouven Seifert e027043637
decisions: disable faulty service 2024-07-05 13:25:22 +02:00
Rouven Seifert 4a2984115f
mail: fix learing scripts 2024-07-05 13:25:06 +02:00
Rouven Seifert 8426ca4c6a
nix: flake update 2024-07-04 11:10:41 +02:00
Rouven Seifert d2e06a075e
nginx: disable http/3 
quictls is unmaintained for 5 months now
 2024-07-02 10:43:23 +02:00
Rouven Seifert 4df70a68cc
nix: flake update 2024-07-02 10:35:44 +02:00
Rouven Seifert b8c52bf8f4
nix: flake update 2024-07-01 11:38:26 +02:00
Rouven Seifert 6814cd7485
nix: flake update 2024-06-28 13:43:07 +02:00
Rouven Seifert 5a3fdbb77e
nix: flake update 2024-06-25 17:38:19 +02:00
Rouven Seifert 033e1fad2d
drop nixos-unstable 2024-06-21 18:47:49 +02:00
Rouven Seifert a971e3f100
nextcloud: update to 29 2024-06-21 14:59:46 +02:00
Rouven Seifert a0cb59cd48
rspamd: init reputation module 2024-06-21 14:59:00 +02:00
Rouven Seifert d01694587a
mlx5_core got fixed 2024-06-21 14:55:59 +02:00
Rouven Seifert fe1add7e9d
dovecot fixes 2024-06-21 14:46:36 +02:00
Rouven Seifert ef50b987a4 Merge pull request 'nixos: upgrade to 24.05' (#93) from upgrade-24.05 into main 
Reviewed-on: #93
 2024-06-21 13:35:26 +02:00
Rouven Seifert 97de6f6489
fix warnings 2024-06-21 13:31:41 +02:00
Rouven Seifert 54a86b59ed
imap: disable port 143 2024-06-20 13:13:10 +02:00
Rouven Seifert 121f077fd0
Revert "web: init crimecampus" 
This reverts commit 05152b6db4.
 2024-06-16 18:30:08 +02:00
Rouven Seifert f1c3ecffe2
upstream loose changes on quitte 2024-06-16 18:29:36 +02:00
Rouven Seifert 059a4ebf0e
nixos: upgrade to 24.05 and fix errors 2024-06-16 18:12:57 +02:00
33 changed files with 1256 additions and 216 deletions
Show stats Expand all files Collapse all files

171
flake.lock
View file

@ -3,9 +3,7 @@
"course-management": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs": "nixpkgs",
"poetry2nix": "poetry2nix"
},
"locked": {
@ -42,6 +40,22 @@
"url": "https://git.ifsr.de/ese/manual-website"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@ -96,6 +110,24 @@
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"kpp": {
"inputs": {
"nixpkgs": [
@ -103,11 +135,11 @@
]
},
"locked": {
"lastModified": 1708628927,
"narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
"lastModified": 1724255946,
"narHash": "sha256-YVT/QE2PCDzx4eq1i3PqOOpQVXJstN18e0sFB/UbAY0=",
"owner": "fsr",
"repo": "kpp",
"rev": "05e370097af21ddb776bec907942c60e6aebc394",
"rev": "ce98b985201a5453aee708a3fc13bbccf2357f8e",
"type": "github"
},
"original": {
@ -145,11 +177,11 @@
]
},
"locked": {
"lastModified": 1716170277,
"narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"lastModified": 1724576102,
"narHash": "sha256-uM7n5nNL6fmA0bwMJBNll11f4cMWOFa2Ni6F5KeIldM=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"rev": "e333d62b70b179da1dd78d94315e8a390f2d12e5",
"type": "github"
},
"original": {
@ -158,45 +190,35 @@
"type": "github"
}
},
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724982042,
"narHash": "sha256-IwHIZYo1fyloQxvBy15QVzMALNEa7Jo6tzXVJj7U9Ws=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "32b632e29b141cc4c441b6e5504d33a9564dc3e6",
"type": "github"
},
"original": {
"owner": "Infinidoge",
"repo": "nix-minecraft",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1716361217,
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1716061101,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1716509168,
"narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github"
},
"original": {
@ -206,7 +228,39 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1725001927,
"narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@ -271,8 +325,8 @@
"ese-manual": "ese-manual",
"kpp": "kpp",
"nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_2",
"print-interface": "print-interface",
"sops-nix": "sops-nix",
"vscode-server": "vscode-server"
@ -286,11 +340,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1716400300,
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
"lastModified": 1723501126,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
"type": "github"
},
"original": {
@ -358,6 +412,21 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
@ -382,8 +451,8 @@
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1713958148,

19
flake.nix
View file

@ -1,7 +1,6 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
nix-index-database.url = "github:nix-community/nix-index-database";
@ -18,8 +17,10 @@
course-management = {
url = "github:fsr/course-management";
inputs.nixpkgs.follows = "nixpkgs";
# inputs.nixpkgs.follows = "nixpkgs";
};
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{ self
@ -31,12 +32,14 @@
, vscode-server
, course-management
, print-interface
, nix-minecraft
, ...
}@inputs:
let
supportedSystems = [ "x86_64-linux" ];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
in
{
packages = forAllSystems (system: rec {
@ -68,6 +71,7 @@
ese-manual.nixosModules.default
course-management.nixosModules.default
vscode-server.nixosModules.default
nix-minecraft.nixosModules.minecraft-servers
./hosts/quitte/configuration.nix
./options
@ -78,21 +82,26 @@
./modules/courses
./modules/wiki
./modules/matrix
./modules/minecraft
./modules/keycloak
./modules/nix-serve.nix
./modules/hedgedoc.nix
./modules/padlist.nix
./modules/nextcloud.nix
./modules/keycloak.nix
./modules/monitoring.nix
./modules/vaultwarden.nix
./modules/forgejo
./modules/kanboard.nix
./modules/zammad.nix
./modules/decisions.nix
./modules/stream.nix
# ./modules/struktur-bot.nix
{
nixpkgs.overlays = [ self.overlays.default ];
nixpkgs.overlays = [
self.overlays.default
nix-minecraft.overlay
];
sops.defaultSopsFile = ./secrets/quitte.yaml;
}
];

15
hosts/quitte/configuration.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
imports =
@ -16,18 +16,7 @@
# boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ];
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# Pin Kernel Version as 6.6.28 has a broken networking driver
boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_6.override {
argsOverride = rec {
src = pkgs.fetchurl {
url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
};
version = "6.6.27";
modDirVersion = "6.6.27";
};
});
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
services.zfs = {
trim.enable = true;

8
hosts/tomate/configuration.nix
View file

@ -50,13 +50,13 @@
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "de";
xkbVariant = "";
xkb.layout = "de";
xkb.variant = "";
};
# Configure console keymap
@ -90,7 +90,7 @@
services.avahi = {
enable = true;
nssmdns = true;
nssmdns4 = true;
openFirewall = true;
publish = {
enable = true;

5
modules/core/bacula.nix
View file

@ -26,7 +26,10 @@
mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
mail = root+backup = all, !skipped
'';
director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
director."abel-dir" = {
password = "@${config.sops.secrets."bacula/password".path}";
tls.enable = false;
};
};
environment.etc."bacula/bconsole.conf".text = ''
Director {

2
modules/core/base.nix
View file

@ -1,6 +1,5 @@
{ pkgs, config, ... }: {
nix = {
package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
extraOptions = ''
experimental-features = nix-command flakes
'';
@ -113,6 +112,7 @@
eza
zsh
unzip
yazi
];
}

1
modules/core/logging.nix
View file

@ -3,6 +3,7 @@
services.rsyslogd = {
enable = true;
defaultConfig = ''
$FileCreateMode 0640
:programname, isequal, "postfix" /var/log/postfix.log
auth.* -/var/log/auth.log

4
modules/core/nginx.nix
View file

@ -7,14 +7,10 @@
({ name, ... }: {
enableACME = true;
forceSSL = true;
# enable http3 for all hosts
quic = true;
http3 = true;
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
})
);

20
modules/decisions.nix
View file

@ -33,14 +33,14 @@ in
};
};
systemd.services."decisions-to-db" = {
script = ''
set -eu
${pkgs.docker}/bin/docker exec decisions python tex_to_db.py
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
# systemd.services."decisions-to-db" = {
# script = ''
# set -eu
# ${pkgs.podman}/bin/podman exec decisions python tex_to_db.py
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "root";
# };
# };
}

19
modules/forgejo/actions.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, ... }:
{
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances."quitte" = {
enable = true;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# provide native execution on the host
# "native:host"
];
#TODO get a token from git.ifsr.de and use it
# tokenfile = /"dev/null";
};
};
}

17
modules/forgejo/default.nix
View file

@ -4,9 +4,9 @@ let
gitUser = "git";
in
{
# imports = [
# ./actions.nix
# ];
imports = [
./actions.nix
];
sops.secrets.gitea_ldap_search = {
key = "portunus/search-password";
owner = config.services.forgejo.user;
@ -22,15 +22,6 @@ in
services.forgejo = {
enable = true;
package = pkgs.forgejo.overrideAttrs (_old: {
patches = [
# migration fix
(pkgs.fetchpatch {
url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
})
];
});
user = gitUser;
group = gitUser;
lfs.enable = true;
@ -79,6 +70,8 @@ in
PROVIDER = "db";
};
actions.ENABLED = true;
federation.ENABLED = true;
webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
};
};

64
modules/kanboard.nix
View file

@ -1,33 +1,65 @@
{ config, pkgs, ... }:
{ pkgs, config, lib, ... }:
let
domain = "kanboard.${config.networking.domain}";
domain_short = "kb.${config.networking.domain}";
user = "kanboard";
group = "kanboard";
in
{
sops.secrets."kanboard_env" = { };
virtualisation.oci-containers = {
containers.kanboard = {
image = "ghcr.io/kanboard/kanboard:v1.2.36";
volumes = [
"kanboard_data:/var/www/app/data"
"kanboard_plugins:/var/www/app/plugins"
];
ports = [ "127.0.0.1:8045:80" ];
environmentFiles = [
config.sops.secrets."kanboard_env".path
];
users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { };
services.phpfpm.pools.kanboard = {
user = "kanboard";
group = "kanboard";
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.nginx.enable = true;
services.nginx = {
virtualHosts."${domain_short}" = {
locations."/".return = "301 $scheme://${domain}$request_uri";
};
virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:8045";
root = "/srv/web/kanboard";
extraConfig = ''
index index.html index.php;
'';
locations = {
"/" = {
tryFiles = "$uri $uri/ =404";
};
"~ \.php$" = {
extraConfig = ''
try_files $uri =404;
fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
'';
};
"/data".return = "403";
};
};
};

7
modules/keycloak.nix → modules/keycloak/default.nix
View file

@ -1,4 +1,4 @@
{ config, nixpkgs-unstable, ... }:
{ config, pkgs, lib, ... }:
let
domain = "sso.${config.networking.domain}";
in
@ -7,7 +7,7 @@ in
services.keycloak = {
enable = true;
# we use unstable as the release in stable is insecure
package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
# package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
settings = {
http-port = 8086;
https-port = 19000;
@ -20,6 +20,9 @@ in
passwordFile = config.sops.secrets."keycloak/db".path;
};
initialAdminPassword = "plschangeme";
themes = with pkgs ; {
ifsr = keycloak_ifsr_theme;
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/" = {

15
modules/keycloak/theme.nix Normal file
View file

@ -0,0 +1,15 @@
{ stdenv }:
stdenv.mkDerivation rec {
name = "keycloak_ifsr_theme";
version = "1.1";
src = ./theme;
nativeBuildInputs = [ ];
buildInputs = [ ];
installPhase = ''
mkdir -p $out
cp -a login $out
'';
}

772
modules/keycloak/theme/login/resources/css/login.css Normal file
View file

@ -0,0 +1,772 @@
.login-pf {
background: none;
}
.login-pf body {
background: url(../img/background.jpg) no-repeat center center fixed;
background-size: cover;
height: 100%;
}
/*IE compatibility*/
.pf-c-form-control {
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
border-width: 1px;
border-width: var(--pf-global--BorderWidth--sm);;
border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
background-color: #FFFFFF;
background-color: var(--pf-global--BackgroundColor--100);
height: 36px;
height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
padding: 5px 0.5rem;
padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
}
textarea.pf-c-form-control {
height: auto;
}
.pf-c-form-control:hover, .pf-c-form-control:focus {
border-bottom-color: #0066CC;
border-bottom-color: var(--pf-global--primary-color--100);
border-bottom-width: 2px;
border-bottom-width: var(--pf-global--BorderWidth--md);
}
.pf-c-form-control[aria-invalid=true] {
border-bottom-color: #C9190B;
border-bottom-color: var(--pf-global--danger-color--100);
border-bottom-width: 2px;
border-bottom-width: var(--pf-global--BorderWidth--md);
}
.pf-c-check__label, .pf-c-radio__label {
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
}
.pf-c-alert.pf-m-inline {
margin-bottom: 0.5rem; /* default - IE compatibility */
margin-bottom: var(--pf-global--spacer--sm);
padding: 0.25rem;
padding: var(--pf-global--spacer--xs);
border: solid #ededed;
border: solid var(--pf-global--BorderColor--300);
border-width: 1px;
border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
display: -ms-flexbox;
display: grid;
-ms-grid-columns: max-content 1fr max-content;
grid-template-columns:max-content 1fr max-content;
grid-template-columns: var(--pf-c-alert--grid-template-columns);
grid-template-rows: 1fr auto;
grid-template-rows: var(--pf-c-alert--grid-template-rows);
}
.pf-c-alert.pf-m-inline::before {
position: absolute;
top: -1px;
top: var(--pf-c-alert--m-inline--before--Top);
bottom: -1px;
bottom: var(--pf-c-alert--m-inline--before--Bottom);
left: 0;
width: 3px;
width: var(--pf-c-alert--m-inline--before--Width);
content: ;
background-color: #FFFFFF;
background-color: var(--pf-global--BackgroundColor--100);
}
.pf-c-alert.pf-m-inline.pf-m-success::before {
background-color: #92D400;
background-color: var(--pf-global--success-color--100);
}
.pf-c-alert.pf-m-inline.pf-m-danger::before {
background-color: #C9190B;
background-color: var(--pf-global--danger-color--100);
}
.pf-c-alert.pf-m-inline.pf-m-warning::before {
background-color: #F0AB00;
background-color: var(--pf-global--warning-color--100);
}
.pf-c-alert.pf-m-inline .pf-c-alert__icon {
padding: 1rem 0.5rem 1rem 1rem;
padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
font-size: 16px;
font-size: var(--pf-c-alert--m-inline__icon--FontSize);
}
.pf-c-alert.pf-m-success .pf-c-alert__icon {
color: #92D400;
color: var(--pf-global--success-color--100);
}
.pf-c-alert.pf-m-success .pf-c-alert__title {
color: #486B00;
color: var(--pf-global--success-color--200);
}
.pf-c-alert.pf-m-danger .pf-c-alert__icon {
color: #C9190B;
color: var(--pf-global--danger-color--100);
}
.pf-c-alert.pf-m-danger .pf-c-alert__title {
color: #A30000;
color: var(--pf-global--danger-color--200);
}
.pf-c-alert.pf-m-warning .pf-c-alert__icon {
color: #F0AB00;
color: var(--pf-global--warning-color--100);
}
.pf-c-alert.pf-m-warning .pf-c-alert__title {
color: #795600;
color: var(--pf-global--warning-color--200);
}
.pf-c-alert__title {
font-size: 14px; /* default - IE compatibility */
font-size: var(--pf-global--FontSize--sm);
padding: 5px 8px;
padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
}
.pf-c-button{
padding:0.375rem 1rem;
padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
}
/* default - IE compatibility */
.pf-m-primary {
color: #FFFFFF;
background-color: #0066CC;
background-color: var(--pf-global--primary-color--100);
}
/* default - IE compatibility */
.pf-m-primary:hover {
background-color: #004080;
background-color: var(--pf-global--primary-color--200);
}
/* default - IE compatibility */
.pf-c-button.pf-m-control {
border: solid 1px;
border: solid var(--pf-global--BorderWidth--sm);
border-color: rgba(230, 230, 230, 0.5);
}
/*End of IE compatibility*/
h1#kc-page-title {
margin-top: 10px;
}
#kc-locale ul {
background-color: #FFF;
background-color: var(--pf-global--BackgroundColor--100);
display: none;
top: 20px;
min-width: 100px;
padding: 0;
}
#kc-locale-dropdown{
display: inline-block;
}
#kc-locale-dropdown:hover ul {
display:block;
}
/* IE compatibility */
#kc-locale-dropdown a {
color: #6A6E73;
color: var(--pf-global--Color--200);
text-align: right;
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
}
/* IE compatibility */
a#kc-current-locale-link::after {
content: 2c5;
margin-left: 4px;
margin-left: var(--pf-global--spacer--xs)
}
.login-pf .container {
padding-top: 40px;
}
.login-pf a:hover {
color: #0099d3;
}
#kc-logo {
width: 100%;
}
div.kc-logo-text {
background-image: url(../img/agdsn_logo.png);
background-repeat: no-repeat;
background-size: auto;
position: relative;
top: 0%;
left: 25%;
width: 950px;
height: 250px;
}
div.kc-logo-text span {
display: none;
}
#kc-header {
color: #ededed;
overflow: visible;
white-space: nowrap;
}
#kc-header-wrapper {
font-size: 29px;
text-transform: uppercase;
letter-spacing: 3px;
line-height: 1.2em;
padding: 62px 10px 20px;
white-space: normal;
}
#kc-content {
width: 100%;
}
#kc-attempted-username {
font-size: 20px;
font-family: inherit;
font-weight: normal;
padding-right: 10px;
}
#kc-username {
text-align: center;
margin-bottom:-10px;
}
#kc-webauthn-settings-form {
padding-top: 8px;
}
#kc-form-webauthn .select-auth-box-parent {
pointer-events: none;
}
#kc-form-webauthn .select-auth-box-desc {
color: var(--pf-global--palette--black-600);
}
#kc-form-webauthn .select-auth-box-headline {
color: var(--pf-global--Color--300);
}
#kc-form-webauthn .select-auth-box-icon {
flex: 0 0 3em;
}
#kc-form-webauthn .select-auth-box-icon-properties {
margin-top: 10px;
font-size: 1.8em;
}
#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
margin-top: 3px;
}
#kc-form-webauthn .pf-l-stack__item {
margin: -1px 0;
}
#kc-content-wrapper {
margin-top: 20px;
}
#kc-form-wrapper {
margin-top: 10px;
}
#kc-info {
margin: 20px -40px -30px;
}
#kc-info-wrapper {
font-size: 13px;
padding: 15px 35px;
background-color: #F0F0F0;
}
#kc-form-options span {
display: block;
}
#kc-form-options .checkbox {
margin-top: 0;
color: #72767b;
}
#kc-terms-text {
margin-bottom: 20px;
}
#kc-registration {
margin-bottom: 0;
}
/* TOTP */
.subtitle {
text-align: right;
margin-top: 30px;
color: #909090;
}
.required {
color: #A30000; /* default - IE compatibility */
color: var(--pf-global--danger-color--200);
}
ol#kc-totp-settings {
margin: 0;
padding-left: 20px;
}
ul#kc-totp-supported-apps {
margin-bottom: 10px;
}
#kc-totp-secret-qr-code {
max-width:150px;
max-height:150px;
}
#kc-totp-secret-key {
background-color: #fff;
color: #333333;
font-size: 16px;
padding: 10px 0;
}
/* OAuth */
#kc-oauth h3 {
margin-top: 0;
}
#kc-oauth ul {
list-style: none;
padding: 0;
margin: 0;
}
#kc-oauth ul li {
border-top: 1px solid rgba(255, 255, 255, 0.1);
font-size: 12px;
padding: 10px 0;
}
#kc-oauth ul li:first-of-type {
border-top: 0;
}
#kc-oauth .kc-role {
display: inline-block;
width: 50%;
}
/* Code */
#kc-code textarea {
width: 100%;
height: 8em;
}
/* Social */
.kc-social-links {
margin-top: 20px;
}
.kc-social-provider-logo {
font-size: 23px;
width: 30px;
height: 25px;
float: left;
}
.kc-social-gray {
color: #737679; /* default - IE compatibility */
color: var(--pf-global--Color--200);
}
.kc-social-item {
margin-bottom: 0.5rem; /* default - IE compatibility */
margin-bottom: var(--pf-global--spacer--sm);
font-size: 15px;
text-align: center;
}
.kc-social-provider-name {
position: relative;
top: 3px;
}
.kc-social-icon-text {
left: -15px;
}
.kc-social-grid {
display:grid;
grid-column-gap: 10px;
grid-row-gap: 5px;
grid-column-end: span 6;
--pf-l-grid__item--GridColumnEnd: span 6;
}
.kc-social-grid .kc-social-icon-text {
left: -10px;
}
.kc-login-tooltip {
position: relative;
display: inline-block;
}
.kc-social-section {
text-align: center;
}
.kc-social-section hr{
margin-bottom: 10px
}
.kc-login-tooltip .kc-tooltip-text{
top:-3px;
left:160%;
background-color: black;
visibility: hidden;
color: #fff;
min-width:130px;
text-align: center;
border-radius: 2px;
box-shadow:0 1px 8px rgba(0,0,0,0.6);
padding: 5px;
position: absolute;
opacity:0;
transition:opacity 0.5s;
}
/* Show tooltip */
.kc-login-tooltip:hover .kc-tooltip-text {
visibility: visible;
opacity:0.7;
}
/* Arrow for tooltip */
.kc-login-tooltip .kc-tooltip-text::after {
content: ;
position: absolute;
top: 15px;
right: 100%;
margin-top: -5px;
border-width: 5px;
border-style: solid;
border-color: transparent black transparent transparent;
}
@media (min-width: 768px) {
#kc-container-wrapper {
position: absolute;
width: 100%;
}
.login-pf .container {
padding-right: 80px;
}
#kc-locale {
position: relative;
text-align: right;
z-index: 9999;
}
}
@media (max-width: 767px) {
.login-pf body {
background: white;
}
#kc-header {
padding-left: 15px;
padding-right: 15px;
float: none;
text-align: left;
}
#kc-header-wrapper {
font-size: 16px;
font-weight: bold;
padding: 20px 60px 0 0;
color: #72767b;
letter-spacing: 0;
}
div.kc-logo-text {
margin: 0;
width: 150px;
height: 32px;
background-size: 100%;
}
#kc-form {
float: none;
}
#kc-info-wrapper {
border-top: 1px solid rgba(255, 255, 255, 0.1);
background-color: transparent;
}
.login-pf .container {
padding-top: 15px;
padding-bottom: 15px;
}
#kc-locale {
position: absolute;
width: 200px;
top: 20px;
right: 20px;
text-align: right;
z-index: 9999;
}
}
@media (min-height: 646px) {
#kc-container-wrapper {
bottom: 12%;
}
}
@media (max-height: 645px) {
#kc-container-wrapper {
padding-top: 50px;
top: 20%;
}
}
.card-pf form.form-actions .btn {
float: right;
margin-left: 10px;
}
#kc-form-buttons {
margin-top: 20px;
}
.login-pf-page .login-pf-brand {
margin-top: 20px;
max-width: 360px;
width: 40%;
}
/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
@media all and (-ms-high-contrast: none),
(-ms-high-contrast: active) {
.select-auth-box-parent {
border-top: 1px solid #f0f0f0;
padding-top: 1rem;
padding-bottom: 1rem;
cursor: pointer;
}
.select-auth-box-headline {
font-size: 16px;
color: #06c;
font-weight: bold;
}
.select-auth-box-desc {
font-size: 14px;
}
.pf-l-stack {
flex-basis: 100%;
}
}
/* End of IE11 workaround for select-authenticator screen */
.select-auth-box-arrow{
display: flex;
align-items: center;
margin-right: 2rem;
}
.select-auth-box-icon{
display: flex;
flex: 0 0 2em;
justify-content: center;
margin-right: 1rem;
margin-left: 3rem;
}
.select-auth-box-parent{
border-top: 1px solid var(--pf-global--palette--black-200);
padding-top: 1rem;
padding-bottom: 1rem;
cursor: pointer;
}
.select-auth-box-parent:hover{
background-color: #f7f8f8;
}
.select-auth-container {
}
.select-auth-box-headline {
font-size: var(--pf-global--FontSize--md);
color: var(--pf-global--primary-color--100);
font-weight: bold;
}
.select-auth-box-desc {
font-size: var(--pf-global--FontSize--sm);
}
.select-auth-box-paragraph {
text-align: center;
font-size: var(--pf-global--FontSize--md);
margin-bottom: 5px;
}
.card-pf {
margin: 0 auto;
box-shadow: var(--pf-global--BoxShadow--lg);
padding: 0 20px;
max-width: 500px;
border-top: 4px solid;
border-color: #0066CC; /* default - IE compatibility */
border-color: var(--pf-global--primary-color--100);
}
/*phone*/
@media (max-width: 767px) {
.login-pf-page .card-pf {
max-width: none;
margin-left: 0;
margin-right: 0;
padding-top: 0;
border-top: 0;
box-shadow: 0 0;
}
.kc-social-grid {
grid-column-end: 12;
--pf-l-grid__item--GridColumnEnd: span 12;
}
.kc-social-grid .kc-social-icon-text {
left: -15px;
}
}
.login-pf-page .login-pf-signup {
font-size: 15px;
color: #72767b;
}
#kc-content-wrapper .row {
margin-left: 0;
margin-right: 0;
}
.login-pf-page.login-pf-page-accounts {
margin-left: auto;
margin-right: auto;
}
.login-pf-page .btn-primary {
margin-top: 0;
}
.login-pf-page .list-view-pf .list-group-item {
border-bottom: 1px solid #ededed;
}
.login-pf-page .list-view-pf-description {
width: 100%;
}
#kc-form-login div.form-group:last-of-type,
#kc-register-form div.form-group:last-of-type,
#kc-update-profile-form div.form-group:last-of-type {
margin-bottom: 0px;
}
.no-bottom-margin {
margin-bottom: 0;
}
#kc-back {
margin-top: 5px;
}
/* Recovery codes */
.kc-recovery-codes-warning {
margin-bottom: 32px;
}
.kc-recovery-codes-warning .pf-c-alert__description p {
font-size: 0.875rem;
}
.kc-recovery-codes-list {
list-style: none;
columns: 2;
margin: 16px 0;
padding: 16px 16px 8px 16px;
border: 1px solid #D2D2D2;
}
.kc-recovery-codes-list li {
margin-bottom: 8px;
font-size: 11px;
}
.kc-recovery-codes-list li span {
color: #6A6E73;
width: 16px;
text-align: right;
display: inline-block;
margin-right: 1px;
}
.kc-recovery-codes-actions {
margin-bottom: 24px;
}
.kc-recovery-codes-actions button {
padding-left: 0;
}
.kc-recovery-codes-actions button i {
margin-right: 8px;
}
.kc-recovery-codes-confirmation {
align-items: baseline;
margin-bottom: 16px;
}
/* End Recovery codes */

BIN
modules/keycloak/theme/login/resources/img/background.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.1 MiB

4
modules/keycloak/theme/login/theme.properties Normal file
View file

@ -0,0 +1,4 @@
parent=keycloak
import=common/keycloak
styles=css/login.css

11
modules/ldap/default.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, nixpkgs-unstable, system, ... }:
{ config, pkgs, system, ... }:
let
domain = "auth.${config.networking.domain}";
seedSettings = {
@ -43,15 +43,6 @@ let
};
in
{
# Use portunus from unstable branch until 24.05 is here
disabledModules = [ "services/misc/portunus.nix" ];
imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
nixpkgs.overlays = [
(_self: _super: {
inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
})
];
sops.secrets = {
"portunus/admin-password".owner = config.services.portunus.user;
"portunus/search-password".owner = config.services.portunus.user;

77
modules/mail/dovecot2.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ lib, config, pkgs, ... }:
let
hostname = "mail.${config.networking.domain}";
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
@ -16,40 +16,10 @@ let
in
{
networking.firewall.allowedTCPPorts = [
143 # IMAP
993 # IMAPS
4190 # Managesieve
];
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
environment.etc = {
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_spam
'';
mode = "0555";
};
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
text = ''
#!/bin/sh
${pkgs.rspamd}/bin/rspamc learn_ham
'';
mode = "0555";
};
"dovecot/sieve/report-spam.sieve" = {
source = ./report-spam.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
"dovecot/sieve/report-ham.sieve" = {
source = ./report-ham.sieve;
user = "dovecot2";
group = "dovecot2";
mode = "0544";
};
};
services.dovecot2 = {
enable = true;
enableImap = true;
@ -101,7 +71,18 @@ in
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
mailUser = "vmail";
mailGroup = "vmail";
sieveScripts = {
sieve = {
# just pot something in here to prevent empty strings
extensions = [ "notify" ];
pipeBins = map lib.getExe [
(pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
(pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
];
plugins = [
"sieve_imapsieve"
"sieve_extprograms"
];
scripts = {
before = pkgs.writeText "spam.sieve" ''
require "fileinto";
@ -112,6 +93,23 @@ in
}
'';
};
};
imapsieve.mailbox = [
{
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
name = "Spam";
causes = [ "COPY" "APPEND" "FLAG" ];
before = ./report-spam.sieve;
}
{
# From Junk folder to elsewhere
name = "*";
from = "Spam";
causes = [ "COPY" ];
before = ./report-ham.sieve;
}
];
extraConfig = ''
auth_username_format = %Ln
passdb {
@ -152,21 +150,6 @@ in
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY APPEND FLAG
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
# Ham: From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
listescape_char = "\\"
}

2
modules/mail/report-ham.sieve
View file

@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "sa-learn-ham.sh" [ "${username}" ];
pipe :copy "learn-ham.sh" [ "${username}" ];

2
modules/mail/report-spam.sieve
View file

@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "sa-learn-spam.sh" [ "${username}" ];
pipe :copy "learn-spam.sh" [ "${username}" ];

72
modules/mail/rspamd.nix
View file

@ -55,6 +55,74 @@ in
path = /var/lib/rspamd/dkim/$domain.$selector.key;
'';
"reputation.conf".text = ''
rules {
ip_reputation = {
selector "ip" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "IP_REPUTATION";
}
spf_reputation = {
selector "spf" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "SPF_REPUTATION";
}
dkim_reputation = {
selector "dkim" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
}
generic_reputation = {
selector "generic" {
selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "GENERIC_REPUTATION";
}
}
'';
"groups.conf".text = ''
group "reputation" {
symbols = {
"IP_REPUTATION_HAM" {
weight = 1.0;
}
"IP_REPUTATION_SPAM" {
weight = 4.0;
}
"DKIM_REPUTATION" {
weight = 1.0;
}
"SPF_REPUTATION_HAM" {
weight = 1.0;
}
"SPF_REPUTATION_SPAM" {
weight = 2.0;
}
"GENERIC_REPUTATION" {
weight = 1.0;
}
}
}
'';
"multimap.conf".text =
let
@ -73,22 +141,26 @@ in
filter = "email:domain";
map = "/var/lib/rspamd/whitelist.sender.domain.map";
action = "accept";
regexp = true;
}
WHITELIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/whitelist.sender.email.map";
action = "accept";
regexp = true;
}
BLACKLIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/blacklist.sender.domain.map";
action = "reject";
regexp = true;
}
BLACKLIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/blacklist.sender.email.map";
action = "reject";
regexp = true;
}
BLACKLIST_SUBJECT_KEYWORDS {
type = "header";

52
modules/minecraft/default.nix Normal file
View file

@ -0,0 +1,52 @@
{ pkgs, config, lib, ... }:
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
services.minecraft-servers = {
enable = true;
eula = true;
servers.ifsr = {
enable = true;
package = pkgs.fabricServers.fabric-1_21;
jvmOpts = "-Xmx8192M -Xms8192M";
};
};
services.bluemap = {
enable = true;
host = "map.mc.ifsr.de";
eula = true;
onCalendar = "hourly";
defaultWorld = "/srv/minecraft/ifsr/world";
};
services.nginx.virtualHosts."map.mc.ifsr.de".extraConfig = ''
allow 141.30.0.0/16;
allow 141.76.0.0/16;
allow 217.160.244.15/32; # jonas uptime kuma
deny all;
'';
networking.firewall = {
extraInputRules = ''
ip saddr { 141.30.0.0/16, 141.76.0.0/16, 217.160.244.15/32 } tcp dport 25565 accept comment "Allow minecraft access from TU network and jonas monitoring"
'';
};
users.users.minecraft = {
isNormalUser = true;
isSystemUser = lib.mkForce false;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP rouven@thinkpad"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhdjiPvtAo/ZV36RjBBPSlixzeP3VN6cqa4YAmM5uXM ff00005@ff00005-laptop" # malte
];
};
security.sudo.extraRules = [
{
users = [ "minecraft" ];
commands = [
{ command = "/run/current-system/sw/bin/systemctl restart minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/systemctl start minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/systemctl stop minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
];
}
];
}

7
modules/monitoring.nix
View file

@ -85,6 +85,13 @@ in
}];
# scrape_interval = "60s";
}
{
job_name = "rspamd";
static_configs = [{
targets = [ "rspamd.ifsr.de:11334" ];
}];
scrape_interval = "15s";
}
];
};

4
modules/nextcloud.nix
View file

@ -15,7 +15,7 @@ in
nextcloud = {
enable = true;
configureRedis = true;
package = pkgs.nextcloud28;
package = pkgs.nextcloud29;
hostName = domain;
https = true; # Use https for all urls
phpExtraExtensions = all: [
@ -30,7 +30,7 @@ in
database.createLocally = true;
# enable HEIC image preview
extraOptions.enabledPreviewProviders = [
settings.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"

7
modules/web/crimecampus.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
let
domain = "cc.${config.networking.domain}";
in
{
services.nginx.virtualHosts."${domain}".root = "/srv/web/regex";
}

2
modules/web/default.nix
View file

@ -1,7 +1,6 @@
{ ... }:
{
imports = [
./crimecampus.nix
./ifsrde.nix
./ese.nix
./infoscreen.nix
@ -12,5 +11,6 @@
./sharepic.nix
./userdir.nix
./ftp.nix
./hyperilo.nix
];
}

4
modules/web/ese.nix
View file

@ -5,7 +5,7 @@ let
in
{
sops.secrets."directus_env" = { };
environment.systemPackages = [ pkgs.nodejs_21 ];
environment.systemPackages = [ pkgs.nodejs_22 ];
virtualisation.oci-containers = {
containers.directus-ese = {
image = "directus/directus:latest";
@ -69,7 +69,7 @@ in
};
virtualHosts."${domain}" = {
locations."= /" = {
return = "301 /2023/";
return = "301 /2024/";
};
locations."/" = {
root = "/srv/web/ese/served";

23
modules/web/hyperilo.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
{
# provide access to iLO of colocated server
# in case of questions, contact @bennofs
services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
forceSSL = true;
locations."/".proxyPass = "https://192.168.0.120:443";
locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
locations."/".extraConfig = ''
proxy_ssl_verify off;
'';
};
systemd.network.networks."20-hyperilo" = {
matchConfig.Name = "eno8303";
address = [ "192.168.0.1/24" ];
networkConfig.LLDP = true;
networkConfig.EmitLLDP = "nearest-bridge";
};
sops.secrets."hyperilo_htaccess".owner = "nginx";
}

1
modules/web/userdir.nix
View file

@ -56,6 +56,7 @@ in
display_errors=0
post_max_size = 40M
upload_max_filesize = 40M
extension=sysvsem.so
'';
};
};

32
overlays/default.nix
View file

@ -2,6 +2,7 @@ _final: prev:
let
inherit (prev) fetchurl;
inherit (prev) fetchFromGitHub;
inherit (prev) callPackage;
in
{
# AGDSN is running an outdated version that we have to comply to
@ -13,16 +14,27 @@ in
};
}));
# (hopefully) fix systemd journal reading
prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
patches = [
./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
];
src = fetchFromGitHub {
owner = "adangel";
repo = "postfix_exporter";
rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
};
# prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
# patches = [
# ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
# ];
# src = fetchFromGitHub {
# owner = "adangel";
# repo = "postfix_exporter";
# rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
# hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
# };
# });
# Mailman internal server error fix
# https://gitlab.com/mailman/mailman/-/issues/1137
# https://github.com/NixOS/nixpkgs/pull/321136
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
(python-final: python-prev: {
readme-renderer = python-prev.readme-renderer.overridePythonAttrs (oldAttrs: {
propagatedBuildInputs = [ python-prev.cmarkgfm ];
});
})
];
keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix {};
}

7
secrets/quitte.yaml
View file

File diff suppressed because one or more lines are too long