wurzel/fruitbasket
10
1
Fork 1
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: wurzel:main
Branches Tags
wurzel:main
wurzel:purgetunus
wurzel:upgrade-24.05
wurzel:monitoring
wurzel:nix-remote
..
compare: wurzel:purgetunus
Branches Tags
wurzel:main
wurzel:purgetunus
wurzel:upgrade-24.05
wurzel:monitoring
wurzel:nix-remote

1 commit
main ... purgetunus

Author SHA1 Message Date
quitte
0e89677675
portunus: remove 2024-07-07 14:05:59 +02:00
44 changed files with 548 additions and 1570 deletions
Show stats Expand all files Collapse all files

4
.sops.yaml
View file

@ -10,7 +10,6 @@ keys:
- &joachim B1A16011B86BACB56ADB713DB712039D23133661
- &jonasga FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
- &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
- &frieder age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6
- &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
- &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
@ -27,7 +26,6 @@ creation_rules:
- *jonasga
- *hendrik
age:
- *frieder
- *quitte
- path_regex: secrets/tomate\.yaml$
key_groups:
@ -41,7 +39,6 @@ creation_rules:
- *jonasga
- *hendrik
age:
- *frieder
- *tomate
- path_regex: secrets/admin\.yaml$
key_groups:
@ -54,4 +51,3 @@ creation_rules:
- *joachim
- *jonasga
- *hendrik
- *frieder

158
flake.lock generated
View file

@ -7,11 +7,11 @@
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1730751072,
"narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
"lastModified": 1714117615,
"narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
"owner": "fsr",
"repo": "course-management",
"rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
"rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
"type": "github"
},
"original": {
@ -27,11 +27,11 @@
]
},
"locked": {
"lastModified": 1730889586,
"narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
"lastModified": 1698049587,
"narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
"ref": "refs/heads/main",
"rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
"revCount": 9,
"rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
"revCount": 7,
"type": "git",
"url": "https://git.ifsr.de/ese/manual-website"
},
@ -45,11 +45,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@ -63,11 +63,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@ -78,7 +78,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_5"
"systems": "systems_4"
},
"locked": {
"lastModified": 1681202837,
@ -101,11 +101,11 @@
]
},
"locked": {
"lastModified": 1739371104,
"narHash": "sha256-k7RZrUCxPPV2htf5bSEGlailgMSXh0c5DTPY6uvB1QY=",
"lastModified": 1708628927,
"narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
"owner": "fsr",
"repo": "kpp",
"rev": "c98d8003aaf7b8b085c674ce6d931cb6014a5c95",
"rev": "05e370097af21ddb776bec907942c60e6aebc394",
"type": "github"
},
"original": {
@ -123,11 +123,11 @@
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"lastModified": 1698974481,
"narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
"type": "github"
},
"original": {
@ -143,11 +143,11 @@
]
},
"locked": {
"lastModified": 1738466368,
"narHash": "sha256-PZhUjtvQZOH3PO0EYdTpQvcqkgkq1NkP2A6w9SPHYsk=",
"lastModified": 1720334033,
"narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "46a8f5fc9552b776bfc5c5c96ea3bede33f68f52",
"rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
"type": "github"
},
"original": {
@ -158,11 +158,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github"
},
"original": {
@ -172,18 +172,34 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720282526,
"narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1738574474,
"narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=",
"lastModified": 1720244366,
"narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c",
"rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
@ -202,27 +218,6 @@
"type": "indirect"
}
},
"notenrechner": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1738260727,
"narHash": "sha256-dqwlhg3L5SPoHSWbdI10EL0Vs/7BGW76h+q05laKyTA=",
"ref": "refs/heads/main",
"rev": "72c70b74f9216a3cb2913df91c8edf8516de1800",
"revCount": 9,
"type": "git",
"url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
},
"original": {
"type": "git",
"url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_2",
@ -235,11 +230,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1730284601,
"narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
"lastModified": 1701399357,
"narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
"rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
"type": "github"
},
"original": {
@ -275,7 +270,6 @@
"kpp": "kpp",
"nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs_2",
"notenrechner": "notenrechner",
"print-interface": "print-interface",
"sops-nix": "sops-nix",
"vscode-server": "vscode-server"
@ -285,14 +279,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1738291974,
"narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
"lastModified": 1720321395,
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
"type": "github"
},
"original": {
@ -360,21 +355,6 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
@ -384,11 +364,11 @@
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"lastModified": 1699786194,
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github"
},
"original": {
@ -397,35 +377,17 @@
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1729422940,
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
"lastModified": 1713958148,
"narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
"rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
"type": "github"
},
"original": {

17
flake.nix
View file

@ -1,6 +1,6 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
nix-index-database.url = "github:nix-community/nix-index-database";
@ -14,9 +14,6 @@
ese-manual.url = "git+https://git.ifsr.de/ese/manual-website";
ese-manual.inputs.nixpkgs.follows = "nixpkgs";
vscode-server.url = "github:nix-community/nixos-vscode-server";
notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
notenrechner.inputs.nixpkgs.follows = "nixpkgs";
course-management = {
url = "github:fsr/course-management";
@ -39,7 +36,6 @@
supportedSystems = [ "x86_64-linux" ];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
in
{
packages = forAllSystems (system: rec {
@ -81,24 +77,21 @@
./modules/courses
./modules/wiki
./modules/matrix
./modules/keycloak
./modules/monitoring
./modules/nix-serve.nix
./modules/hedgedoc.nix
./modules/padlist.nix
./modules/nextcloud.nix
./modules/keycloak.nix
./modules/monitoring.nix
./modules/vaultwarden.nix
./modules/forgejo
./modules/kanboard.nix
./modules/zammad.nix
# ./modules/decisions.nix
./modules/stream.nix
./modules/decisions.nix
# ./modules/struktur-bot.nix
{
nixpkgs.overlays = [
self.overlays.default
];
nixpkgs.overlays = [ self.overlays.default ];
sops.defaultSopsFile = ./secrets/quitte.yaml;
}
];

14
hosts/quitte/configuration.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
imports =
@ -16,6 +16,7 @@
# boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
services.zfs = {
trim.enable = true;
@ -26,17 +27,6 @@
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
security.sudo.extraRules = [
{
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
groups = [ "admins" ];
}
];
# prevent fork bombs
security.pam.loginLimits = [
{

26
hosts/quitte/network.nix
View file

@ -2,10 +2,10 @@
{
networking = {
# portunus module does weird things to this, so we force it to some sane values
hosts = {
"127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
"::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
};
# hosts = {
# "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
# "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
# };
hostId = "a71c81fc";
domain = "ifsr.de";
hostName = "quitte";
@ -31,26 +31,14 @@
networks."10-wired-default" = {
matchConfig.Name = "enp65s0f0np0";
address = [
"141.30.30.194/26"
"2a13:dd85:b23:1::1337/64"
];
address = [ "141.30.30.169/25" ];
routes = [
{
Gateway = "141.30.30.193";
}
{
Gateway = "fe80::7a24:59ff:fe5e:6e2f";
routeConfig.Gateway = "141.30.30.129";
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
];
DNS = "141.30.1.1";
LLDP = true;
EmitLLDP = "nearest-bridge";
};

1
hosts/tomate/configuration.nix
View file

@ -106,6 +106,7 @@
};
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {

2
hosts/tomate/network.nix
View file

@ -27,7 +27,7 @@
address = [ "141.30.86.196/26" ];
routes = [
{
Gateway = "141.30.86.193";
routeConfig.Gateway = "141.30.86.193";
}
];
networkConfig = {

1
keys/ssh/frieder
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop

3
modules/core/bacula.nix
View file

@ -14,9 +14,8 @@
enable = true;
name = "ifsr-quitte";
extraClientConfig = ''
Comm Compression = no
Maximum Concurrent Jobs = 20
FDAddress = 141.30.30.194
FDAddress = 141.30.30.169
PKI Signatures = Yes
PKI Encryption = Yes
PKI Keypair = ${config.sops.secrets."bacula/keypair".path}

3
modules/core/base.nix
View file

@ -73,7 +73,6 @@
time.timeZone = "Europe/Berlin";
# basic shell & editor
programs.vim.enable = true;
programs.vim.defaultEditor = true;
# List packages installed in system profile. To search, run:
@ -105,7 +104,6 @@
ltrace
strace
mtr
nix-output-monitor
traceroute
smartmontools
sysstat
@ -114,7 +112,6 @@
eza
zsh
unzip
yazi
];
}

5
modules/core/fail2ban.nix
View file

@ -15,14 +15,13 @@
enabled = true
# aggressive mode to add blocking for aborted connections
filter = dovecot[mode=aggressive]
maxretry = 15
maxretry = 3
'';
postfix = ''
enabled = true
filter = postfix[mode=aggressive]
maxretry = 15
maxretry = 3
'';
sshd.settings.maxretry = 15;
};
};
}

2
modules/core/logging.nix
View file

@ -3,9 +3,7 @@
services.rsyslogd = {
enable = true;
defaultConfig = ''
$FileCreateMode 0640
:programname, isequal, "postfix" /var/log/postfix.log
:programname, isequal, "portunus" /var/log/portunus.log
auth.* -/var/log/auth.log
'';

4
modules/core/nginx.nix
View file

@ -7,14 +7,10 @@
({ name, ... }: {
enableACME = true;
forceSSL = true;
# enable http3 for all hosts
quic = true;
http3 = true;
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
})
);

2
modules/core/podman.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
# From: https://nixos.wiki/wiki/Podman
virtualisation.containers.enable = true;

1
modules/core/postgres.nix
View file

@ -5,6 +5,7 @@
enable = true;
location = "/var/lib/backup/postgresql";
databases = [
"directus_ese"
"course-management"
"git"
"grafana"

1
modules/courses/default.nix
View file

@ -3,6 +3,7 @@ let
hostName = "kurse.${config.networking.domain}";
in
{
imports = [ ./phil.nix ];
sops.secrets =
let inherit (config.services.course-management) user;
in

2
modules/decisions.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ config, pkgs, ... }:
let
domain = "decisions.${config.networking.domain}";
in

30
modules/forgejo/actions.nix
View file

@ -1,30 +0,0 @@
{ config, pkgs, ... }:
{
sops.secrets."forgejo/runner-token" = { };
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances."quitte" = {
enable = true;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# provide native execution on the host
# "native:host"
];
tokenFile = config.sops.secrets."forgejo/runner-token".path;
url = "https://git.ifsr.de";
name = "quitte";
settings = {
container = {
# use podman's default network, otherwise dns was not working for some reason
network = "podman";
# don't mount the docker socket into the build containers,
# this would basically mean root on the host...
docker_host = "-";
};
};
};
};
}

25
modules/forgejo/default.nix
View file

@ -4,9 +4,9 @@ let
gitUser = "git";
in
{
imports = [
./actions.nix
];
# imports = [
# ./actions.nix
# ];
sops.secrets.gitea_ldap_search = {
key = "portunus/search-password";
owner = config.services.forgejo.user;
@ -22,9 +22,17 @@ in
services.forgejo = {
enable = true;
# package = pkgs.forgejo.overrideAttrs (_old: {
# # patches = [
# # # migration fix
# # (pkgs.fetchpatch {
# # url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
# # hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
# # })
# # ];
# });
user = gitUser;
group = gitUser;
package = pkgs.forgejo;
lfs.enable = true;
database = {
@ -71,25 +79,22 @@ in
PROVIDER = "db";
};
actions.ENABLED = true;
# federation.ENABLED = true;
webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
};
};
systemd.services.forgejo.preStart =
let
exe = lib.getExe config.services.forgejo.package;
portunus = config.services.portunus;
basedn = "ou=users,${portunus.ldap.suffix}";
basedn = "ou=users,dc=ifsr,dc=de";
ldapConfigArgs = ''
--name LDAP \
--active \
--security-protocol unencrypted \
--host '${portunus.domain}' \
--host 'auth.ifsr.de' \
--port 389 \
--user-search-base '${basedn}' \
--user-filter '(&(objectClass=posixAccount)(uid=%s))' \
--admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
--admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
--username-attribute uid \
--firstname-attribute givenName \
--surname-attribute sn \

5
modules/hedgedoc.nix
View file

@ -49,15 +49,14 @@ in
# allow anonymous editing, but not creation of pads
allowAnonymous = false;
allowAnonymousEdits = true;
allowAnonymousUploads = false;
defaultPermission = "limited";
defaultNotePath = builtins.toString template;
# ldap auth
ldap = rec {
url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
searchBase = "ou=users,dc=ifsr,dc=de";
searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
bindDn = "uid=search,${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid";
providerName = "iFSR";

4
modules/kanboard.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ config, pkgs, ... }:
let
domain = "kanboard.${config.networking.domain}";
domain_short = "kb.${config.networking.domain}";
@ -8,7 +8,7 @@ in
virtualisation.oci-containers = {
containers.kanboard = {
image = "ghcr.io/kanboard/kanboard:v1.2.43";
image = "ghcr.io/kanboard/kanboard:v1.2.36";
volumes = [
"kanboard_data:/var/www/app/data"
"kanboard_plugins:/var/www/app/plugins"

9
modules/keycloak/default.nix → modules/keycloak.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
let
domain = "sso.${config.networking.domain}";
in
@ -12,9 +12,7 @@ in
http-port = 8086;
https-port = 19000;
hostname = domain;
proxy-headers = "xforwarded";
http-enabled = true;
hostname-strict-https = false;
proxy = "edge";
};
# The module requires a password for the DB and works best with its own DB config
# Does an automatic Postgresql configuration
@ -22,9 +20,6 @@ in
passwordFile = config.sops.secrets."keycloak/db".path;
};
initialAdminPassword = "plschangeme";
themes = with pkgs ; {
ifsr = keycloak_ifsr_theme;
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/" = {

15
modules/keycloak/theme.nix
View file

@ -1,15 +0,0 @@
{ stdenv }:
stdenv.mkDerivation rec {
name = "keycloak_ifsr_theme";
version = "1.1";
src = ./theme;
nativeBuildInputs = [ ];
buildInputs = [ ];
installPhase = ''
mkdir -p $out
cp -a login $out
'';
}

772
modules/keycloak/theme/login/resources/css/login.css
View file

@ -1,772 +0,0 @@
.login-pf {
background: none;
}
.login-pf body {
background: url(../img/background.jpg) no-repeat center center fixed;
background-size: cover;
height: 100%;
}
/*IE compatibility*/
.pf-c-form-control {
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
border-width: 1px;
border-width: var(--pf-global--BorderWidth--sm);;
border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
background-color: #FFFFFF;
background-color: var(--pf-global--BackgroundColor--100);
height: 36px;
height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
padding: 5px 0.5rem;
padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
}
textarea.pf-c-form-control {
height: auto;
}
.pf-c-form-control:hover, .pf-c-form-control:focus {
border-bottom-color: #0066CC;
border-bottom-color: var(--pf-global--primary-color--100);
border-bottom-width: 2px;
border-bottom-width: var(--pf-global--BorderWidth--md);
}
.pf-c-form-control[aria-invalid=true] {
border-bottom-color: #C9190B;
border-bottom-color: var(--pf-global--danger-color--100);
border-bottom-width: 2px;
border-bottom-width: var(--pf-global--BorderWidth--md);
}
.pf-c-check__label, .pf-c-radio__label {
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
}
.pf-c-alert.pf-m-inline {
margin-bottom: 0.5rem; /* default - IE compatibility */
margin-bottom: var(--pf-global--spacer--sm);
padding: 0.25rem;
padding: var(--pf-global--spacer--xs);
border: solid #ededed;
border: solid var(--pf-global--BorderColor--300);
border-width: 1px;
border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
display: -ms-flexbox;
display: grid;
-ms-grid-columns: max-content 1fr max-content;
grid-template-columns:max-content 1fr max-content;
grid-template-columns: var(--pf-c-alert--grid-template-columns);
grid-template-rows: 1fr auto;
grid-template-rows: var(--pf-c-alert--grid-template-rows);
}
.pf-c-alert.pf-m-inline::before {
position: absolute;
top: -1px;
top: var(--pf-c-alert--m-inline--before--Top);
bottom: -1px;
bottom: var(--pf-c-alert--m-inline--before--Bottom);
left: 0;
width: 3px;
width: var(--pf-c-alert--m-inline--before--Width);
content: ;
background-color: #FFFFFF;
background-color: var(--pf-global--BackgroundColor--100);
}
.pf-c-alert.pf-m-inline.pf-m-success::before {
background-color: #92D400;
background-color: var(--pf-global--success-color--100);
}
.pf-c-alert.pf-m-inline.pf-m-danger::before {
background-color: #C9190B;
background-color: var(--pf-global--danger-color--100);
}
.pf-c-alert.pf-m-inline.pf-m-warning::before {
background-color: #F0AB00;
background-color: var(--pf-global--warning-color--100);
}
.pf-c-alert.pf-m-inline .pf-c-alert__icon {
padding: 1rem 0.5rem 1rem 1rem;
padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
font-size: 16px;
font-size: var(--pf-c-alert--m-inline__icon--FontSize);
}
.pf-c-alert.pf-m-success .pf-c-alert__icon {
color: #92D400;
color: var(--pf-global--success-color--100);
}
.pf-c-alert.pf-m-success .pf-c-alert__title {
color: #486B00;
color: var(--pf-global--success-color--200);
}
.pf-c-alert.pf-m-danger .pf-c-alert__icon {
color: #C9190B;
color: var(--pf-global--danger-color--100);
}
.pf-c-alert.pf-m-danger .pf-c-alert__title {
color: #A30000;
color: var(--pf-global--danger-color--200);
}
.pf-c-alert.pf-m-warning .pf-c-alert__icon {
color: #F0AB00;
color: var(--pf-global--warning-color--100);
}
.pf-c-alert.pf-m-warning .pf-c-alert__title {
color: #795600;
color: var(--pf-global--warning-color--200);
}
.pf-c-alert__title {
font-size: 14px; /* default - IE compatibility */
font-size: var(--pf-global--FontSize--sm);
padding: 5px 8px;
padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
}
.pf-c-button{
padding:0.375rem 1rem;
padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
}
/* default - IE compatibility */
.pf-m-primary {
color: #FFFFFF;
background-color: #0066CC;
background-color: var(--pf-global--primary-color--100);
}
/* default - IE compatibility */
.pf-m-primary:hover {
background-color: #004080;
background-color: var(--pf-global--primary-color--200);
}
/* default - IE compatibility */
.pf-c-button.pf-m-control {
border: solid 1px;
border: solid var(--pf-global--BorderWidth--sm);
border-color: rgba(230, 230, 230, 0.5);
}
/*End of IE compatibility*/
h1#kc-page-title {
margin-top: 10px;
}
#kc-locale ul {
background-color: #FFF;
background-color: var(--pf-global--BackgroundColor--100);
display: none;
top: 20px;
min-width: 100px;
padding: 0;
}
#kc-locale-dropdown{
display: inline-block;
}
#kc-locale-dropdown:hover ul {
display:block;
}
/* IE compatibility */
#kc-locale-dropdown a {
color: #6A6E73;
color: var(--pf-global--Color--200);
text-align: right;
font-size: 14px;
font-size: var(--pf-global--FontSize--sm);
}
/* IE compatibility */
a#kc-current-locale-link::after {
content: 2c5;
margin-left: 4px;
margin-left: var(--pf-global--spacer--xs)
}
.login-pf .container {
padding-top: 40px;
}
.login-pf a:hover {
color: #0099d3;
}
#kc-logo {
width: 100%;
}
div.kc-logo-text {
background-image: url(../img/agdsn_logo.png);
background-repeat: no-repeat;
background-size: auto;
position: relative;
top: 0%;
left: 25%;
width: 950px;
height: 250px;
}
div.kc-logo-text span {
display: none;
}
#kc-header {
color: #ededed;
overflow: visible;
white-space: nowrap;
}
#kc-header-wrapper {
font-size: 29px;
text-transform: uppercase;
letter-spacing: 3px;
line-height: 1.2em;
padding: 62px 10px 20px;
white-space: normal;
}
#kc-content {
width: 100%;
}
#kc-attempted-username {
font-size: 20px;
font-family: inherit;
font-weight: normal;
padding-right: 10px;
}
#kc-username {
text-align: center;
margin-bottom:-10px;
}
#kc-webauthn-settings-form {
padding-top: 8px;
}
#kc-form-webauthn .select-auth-box-parent {
pointer-events: none;
}
#kc-form-webauthn .select-auth-box-desc {
color: var(--pf-global--palette--black-600);
}
#kc-form-webauthn .select-auth-box-headline {
color: var(--pf-global--Color--300);
}
#kc-form-webauthn .select-auth-box-icon {
flex: 0 0 3em;
}
#kc-form-webauthn .select-auth-box-icon-properties {
margin-top: 10px;
font-size: 1.8em;
}
#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
margin-top: 3px;
}
#kc-form-webauthn .pf-l-stack__item {
margin: -1px 0;
}
#kc-content-wrapper {
margin-top: 20px;
}
#kc-form-wrapper {
margin-top: 10px;
}
#kc-info {
margin: 20px -40px -30px;
}
#kc-info-wrapper {
font-size: 13px;
padding: 15px 35px;
background-color: #F0F0F0;
}
#kc-form-options span {
display: block;
}
#kc-form-options .checkbox {
margin-top: 0;
color: #72767b;
}
#kc-terms-text {
margin-bottom: 20px;
}
#kc-registration {
margin-bottom: 0;
}
/* TOTP */
.subtitle {
text-align: right;
margin-top: 30px;
color: #909090;
}
.required {
color: #A30000; /* default - IE compatibility */
color: var(--pf-global--danger-color--200);
}
ol#kc-totp-settings {
margin: 0;
padding-left: 20px;
}
ul#kc-totp-supported-apps {
margin-bottom: 10px;
}
#kc-totp-secret-qr-code {
max-width:150px;
max-height:150px;
}
#kc-totp-secret-key {
background-color: #fff;
color: #333333;
font-size: 16px;
padding: 10px 0;
}
/* OAuth */
#kc-oauth h3 {
margin-top: 0;
}
#kc-oauth ul {
list-style: none;
padding: 0;
margin: 0;
}
#kc-oauth ul li {
border-top: 1px solid rgba(255, 255, 255, 0.1);
font-size: 12px;
padding: 10px 0;
}
#kc-oauth ul li:first-of-type {
border-top: 0;
}
#kc-oauth .kc-role {
display: inline-block;
width: 50%;
}
/* Code */
#kc-code textarea {
width: 100%;
height: 8em;
}
/* Social */
.kc-social-links {
margin-top: 20px;
}
.kc-social-provider-logo {
font-size: 23px;
width: 30px;
height: 25px;
float: left;
}
.kc-social-gray {
color: #737679; /* default - IE compatibility */
color: var(--pf-global--Color--200);
}
.kc-social-item {
margin-bottom: 0.5rem; /* default - IE compatibility */
margin-bottom: var(--pf-global--spacer--sm);
font-size: 15px;
text-align: center;
}
.kc-social-provider-name {
position: relative;
top: 3px;
}
.kc-social-icon-text {
left: -15px;
}
.kc-social-grid {
display:grid;
grid-column-gap: 10px;
grid-row-gap: 5px;
grid-column-end: span 6;
--pf-l-grid__item--GridColumnEnd: span 6;
}
.kc-social-grid .kc-social-icon-text {
left: -10px;
}
.kc-login-tooltip {
position: relative;
display: inline-block;
}
.kc-social-section {
text-align: center;
}
.kc-social-section hr{
margin-bottom: 10px
}
.kc-login-tooltip .kc-tooltip-text{
top:-3px;
left:160%;
background-color: black;
visibility: hidden;
color: #fff;
min-width:130px;
text-align: center;
border-radius: 2px;
box-shadow:0 1px 8px rgba(0,0,0,0.6);
padding: 5px;
position: absolute;
opacity:0;
transition:opacity 0.5s;
}
/* Show tooltip */
.kc-login-tooltip:hover .kc-tooltip-text {
visibility: visible;
opacity:0.7;
}
/* Arrow for tooltip */
.kc-login-tooltip .kc-tooltip-text::after {
content: ;
position: absolute;
top: 15px;
right: 100%;
margin-top: -5px;
border-width: 5px;
border-style: solid;
border-color: transparent black transparent transparent;
}
@media (min-width: 768px) {
#kc-container-wrapper {
position: absolute;
width: 100%;
}
.login-pf .container {
padding-right: 80px;
}
#kc-locale {
position: relative;
text-align: right;
z-index: 9999;
}
}
@media (max-width: 767px) {
.login-pf body {
background: white;
}
#kc-header {
padding-left: 15px;
padding-right: 15px;
float: none;
text-align: left;
}
#kc-header-wrapper {
font-size: 16px;
font-weight: bold;
padding: 20px 60px 0 0;
color: #72767b;
letter-spacing: 0;
}
div.kc-logo-text {
margin: 0;
width: 150px;
height: 32px;
background-size: 100%;
}
#kc-form {
float: none;
}
#kc-info-wrapper {
border-top: 1px solid rgba(255, 255, 255, 0.1);
background-color: transparent;
}
.login-pf .container {
padding-top: 15px;
padding-bottom: 15px;
}
#kc-locale {
position: absolute;
width: 200px;
top: 20px;
right: 20px;
text-align: right;
z-index: 9999;
}
}
@media (min-height: 646px) {
#kc-container-wrapper {
bottom: 12%;
}
}
@media (max-height: 645px) {
#kc-container-wrapper {
padding-top: 50px;
top: 20%;
}
}
.card-pf form.form-actions .btn {
float: right;
margin-left: 10px;
}
#kc-form-buttons {
margin-top: 20px;
}
.login-pf-page .login-pf-brand {
margin-top: 20px;
max-width: 360px;
width: 40%;
}
/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
@media all and (-ms-high-contrast: none),
(-ms-high-contrast: active) {
.select-auth-box-parent {
border-top: 1px solid #f0f0f0;
padding-top: 1rem;
padding-bottom: 1rem;
cursor: pointer;
}
.select-auth-box-headline {
font-size: 16px;
color: #06c;
font-weight: bold;
}
.select-auth-box-desc {
font-size: 14px;
}
.pf-l-stack {
flex-basis: 100%;
}
}
/* End of IE11 workaround for select-authenticator screen */
.select-auth-box-arrow{
display: flex;
align-items: center;
margin-right: 2rem;
}
.select-auth-box-icon{
display: flex;
flex: 0 0 2em;
justify-content: center;
margin-right: 1rem;
margin-left: 3rem;
}
.select-auth-box-parent{
border-top: 1px solid var(--pf-global--palette--black-200);
padding-top: 1rem;
padding-bottom: 1rem;
cursor: pointer;
}
.select-auth-box-parent:hover{
background-color: #f7f8f8;
}
.select-auth-container {
}
.select-auth-box-headline {
font-size: var(--pf-global--FontSize--md);
color: var(--pf-global--primary-color--100);
font-weight: bold;
}
.select-auth-box-desc {
font-size: var(--pf-global--FontSize--sm);
}
.select-auth-box-paragraph {
text-align: center;
font-size: var(--pf-global--FontSize--md);
margin-bottom: 5px;
}
.card-pf {
margin: 0 auto;
box-shadow: var(--pf-global--BoxShadow--lg);
padding: 0 20px;
max-width: 500px;
border-top: 4px solid;
border-color: #0066CC; /* default - IE compatibility */
border-color: var(--pf-global--primary-color--100);
}
/*phone*/
@media (max-width: 767px) {
.login-pf-page .card-pf {
max-width: none;
margin-left: 0;
margin-right: 0;
padding-top: 0;
border-top: 0;
box-shadow: 0 0;
}
.kc-social-grid {
grid-column-end: 12;
--pf-l-grid__item--GridColumnEnd: span 12;
}
.kc-social-grid .kc-social-icon-text {
left: -15px;
}
}
.login-pf-page .login-pf-signup {
font-size: 15px;
color: #72767b;
}
#kc-content-wrapper .row {
margin-left: 0;
margin-right: 0;
}
.login-pf-page.login-pf-page-accounts {
margin-left: auto;
margin-right: auto;
}
.login-pf-page .btn-primary {
margin-top: 0;
}
.login-pf-page .list-view-pf .list-group-item {
border-bottom: 1px solid #ededed;
}
.login-pf-page .list-view-pf-description {
width: 100%;
}
#kc-form-login div.form-group:last-of-type,
#kc-register-form div.form-group:last-of-type,
#kc-update-profile-form div.form-group:last-of-type {
margin-bottom: 0px;
}
.no-bottom-margin {
margin-bottom: 0;
}
#kc-back {
margin-top: 5px;
}
/* Recovery codes */
.kc-recovery-codes-warning {
margin-bottom: 32px;
}
.kc-recovery-codes-warning .pf-c-alert__description p {
font-size: 0.875rem;
}
.kc-recovery-codes-list {
list-style: none;
columns: 2;
margin: 16px 0;
padding: 16px 16px 8px 16px;
border: 1px solid #D2D2D2;
}
.kc-recovery-codes-list li {
margin-bottom: 8px;
font-size: 11px;
}
.kc-recovery-codes-list li span {
color: #6A6E73;
width: 16px;
text-align: right;
display: inline-block;
margin-right: 1px;
}
.kc-recovery-codes-actions {
margin-bottom: 24px;
}
.kc-recovery-codes-actions button {
padding-left: 0;
}
.kc-recovery-codes-actions button i {
margin-right: 8px;
}
.kc-recovery-codes-confirmation {
align-items: baseline;
margin-bottom: 16px;
}
/* End Recovery codes */

BIN
modules/keycloak/theme/login/resources/img/background.jpg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 1.1 MiB

4
modules/keycloak/theme/login/theme.properties
View file

@ -1,4 +0,0 @@
parent=keycloak
import=common/keycloak
styles=css/login.css

221
modules/ldap/default.nix
View file

@ -1,90 +1,175 @@
{ config, pkgs, ... }:
{ config, pkgs, system, ... }:
let
domain = "auth.${config.networking.domain}";
seedSettings = {
groups = [
{
name = "admins";
long_name = "Portunus Admin";
members = [ "admin" ];
permissions.portunus.is_admin = true;
}
{
name = "search";
long_name = "LDAP search group";
members = [ "search" ];
permissions.ldap.can_read = true;
}
{
name = "fsr";
long_name = "Mitglieder des iFSR";
}
];
users = [
{
login_name = "admin";
given_name = "admin";
family_name = "admin";
password.from_command = [
"${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/admin-password".path
];
}
{
login_name = "search";
given_name = "search";
family_name = "search";
password.from_command = [
"${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/search-password".path
];
}
];
};
# seedSettings = {
# groups = [
# {
# name = "admins";
# long_name = "Portunus Admin";
# members = [ "admin" ];
# permissions.portunus.is_admin = true;
# }
# {
# name = "search";
# long_name = "LDAP search group";
# members = [ "search" ];
# permissions.ldap.can_read = true;
# }
# {
# name = "fsr";
# long_name = "Mitglieder des iFSR";
# }
# ];
# users = [
# {
# login_name = "admin";
# given_name = "admin";
# family_name = "admin";
# password.from_command = [
# "${pkgs.coreutils}/bin/cat"
# config.sops.secrets."portunus/admin-password".path
# ];
# }
# {
# login_name = "search";
# given_name = "search";
# family_name = "search";
# password.from_command = [
# "${pkgs.coreutils}/bin/cat"
# config.sops.secrets."portunus/search-password".path
# ];
# }
# ];
# };
in
{
sops.secrets = {
"portunus/admin-password".owner = config.services.portunus.user;
"portunus/search-password".owner = config.services.portunus.user;
};
# sops.secrets = {
# "portunus/admin-password".owner = config.services.portunus.user;
# "portunus/search-password".owner = config.services.portunus.user;
# };
services.portunus = {
# services.portunus = {
# enable = true;
# package = pkgs.portunus.overrideAttrs (_old: {
# patches = [
# ./0001-update-user-validation-regex.patch
# ./0002-both-ldap-and-ldaps.patch
# ./0003-gecos-ascii-escape.patch
# ./0004-make-givenName-optional.patch
# ];
# doCheck = false; # posix regex related tests break
# });
# inherit domain seedSettings;
# port = 8681;
# ldap = {
# suffix = "dc=ifsr,dc=de";
# searchUserName = "search";
# # normally disables port 389 (but not with our patch), use 636 with tls
# # `portunus.domain` resolves to localhost
# tls = true;
# };
# };
services.openldap = {
enable = true;
package = pkgs.portunus.overrideAttrs (_old: {
patches = [
./0001-update-user-validation-regex.patch
./0002-both-ldap-and-ldaps.patch
./0003-gecos-ascii-escape.patch
./0004-make-givenName-optional.patch
];
doCheck = false; # posix regex related tests break
});
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns";
inherit domain seedSettings;
port = 8681;
ldap = {
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
# normally disables port 389 (but not with our patch), use 636 with tls
# `portunus.domain` resolves to localhost
tls = true;
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
# attributetype ( 9999.1.1 NAME 'isMemberOf'
# DESC 'back-reference to groups this user is a member of'
# SUP distinguishedName )
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
# "${pkgs.writeText "openssh.schema" ''
# attributetype ( 9999.1.2 NAME 'sshPublicKey'
# DESC 'SSH public key used by this user'
# SUP name )
# ''}"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=ifsr,dc=de";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=portunus,dc=ifsr,dc=de";
olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by dn.base="cn=portunus,dc=ifsr,dc=de" write
by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
by self read
by anonymous auth
''
];
};
children = {
"olcOverlay={2}memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
olcOverlay = "{2}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
};
};
};
};
};
systemd.services.openldap = {
wants = [ "acme-${domain}.service" ];
after = [ "acme-${domain}.service" ];
};
# security.acme.defaults.group = "certs";
# users.groups.certs.members = [ "openldap" ];
# certificate permissions
users.users.openldap.extraGroups = [ "nginx" ];
security.pam.services.sshd.makeHomeDir = true;
services.nginx = {
enable = true;
virtualHosts."${config.services.portunus.domain}" = {
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
};
virtualHosts."${domain}" = {
# locations = {
# "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
# };
};
};
networking.firewall = {
extraInputRules = ''
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
'';
};
}

8
modules/mail/postfix.nix
View file

@ -44,9 +44,11 @@ in
# hostname used in helo command. It is recommended to have this match the reverse dns entry
smtp_helo_name = config.networking.rDNS;
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
smtp_tls_security_level = "may";
smtpd_tls_security_level = "may";
smtpd_tls_auth_only = true;
smtp_use_tls = true;
# smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
# smtpd_tls_security_level = lib.mkForce "encrypt";
# smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"

9
modules/mail/rspamd.nix
View file

@ -141,26 +141,22 @@ in
filter = "email:domain";
map = "/var/lib/rspamd/whitelist.sender.domain.map";
action = "accept";
regexp = true;
}
WHITELIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/whitelist.sender.email.map";
action = "accept";
regexp = true;
}
BLACKLIST_SENDER_DOMAIN {
type = "from";
filter = "email:domain";
map = "/var/lib/rspamd/blacklist.sender.domain.map";
action = "reject";
regexp = true;
}
BLACKLIST_SENDER_EMAIL {
type = "from";
map = "/var/lib/rspamd/blacklist.sender.email.map";
action = "reject";
regexp = true;
}
BLACKLIST_SUBJECT_KEYWORDS {
type = "header";
@ -193,11 +189,6 @@ in
"/" = {
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
extraConfig = ''
allow 141.30.0.0/16;
allow 141.76.0.0/16;
deny all;
'';
};
};
};

34
modules/matrix/default.nix
View file

@ -27,9 +27,6 @@ in
key = "portunus/search-password";
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
};
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
services = {
postgresql = {
@ -99,22 +96,21 @@ in
extraConfigFiles = [
(pkgs.writeTextFile {
name = "matrix-synapse-extra-config.yml";
text = let portunus = config.services.portunus; in
''
modules:
- module: ldap_auth_provider.LdapAuthProviderModule
config:
enabled: true
uri: ldap://localhost
base: ou=users,${portunus.ldap.suffix}
# taken from kaki config
attributes:
uid: uid
mail: uid
name: cn
bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
'';
text = ''
modules:
- module: ldap_auth_provider.LdapAuthProviderModule
config:
enabled: true
uri: ldap://localhost
base: ou=users,dc=ifsr,dc=de
# taken from kaki config
attributes:
uid: uid
mail: uid
name: cn
bind_dn: uid=search,ou=users,dc=ifsr,dc=de
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
'';
})
];
};

22
modules/monitoring/default.nix → modules/monitoring.nix
View file

@ -37,8 +37,12 @@ in
token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
};
};
};
services.postgresql = {
@ -61,6 +65,10 @@ in
enabledCollectors = [ "systemd" ];
port = 9002;
};
postfix = {
enable = true;
port = 9003;
};
};
scrapeConfigs = [
{
@ -70,6 +78,13 @@ in
}];
scrape_interval = "15s";
}
{
job_name = "postfix";
static_configs = [{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
}];
# scrape_interval = "60s";
}
{
job_name = "rspamd";
static_configs = [{
@ -77,13 +92,6 @@ in
}];
scrape_interval = "15s";
}
{
job_name = "fabric";
static_configs = [{
targets = [ "127.0.0.1:25585" ];
}];
scrape_interval = "60s";
}
];
};

4
modules/nextcloud.nix
View file

@ -15,7 +15,7 @@ in
nextcloud = {
enable = true;
configureRedis = true;
package = pkgs.nextcloud30;
package = pkgs.nextcloud29;
hostName = domain;
https = true; # Use https for all urls
phpExtraExtensions = all: [
@ -59,7 +59,7 @@ in
occ = lib.getExe config.services.nextcloud.occ;
ldapConfig = rec {
ldapAgentName = "uid=search,ou=users,${ldapBase}";
ldapBase = config.services.portunus.ldap.suffix;
ldapBase = "dc=ifsr,dc=de";
ldapBaseGroups = "ou=groups,${ldapBase}";
ldapBaseUsers = "ou=users,${ldapBase}";
ldapConfigurationActive = "1";

1
modules/padlist.nix
View file

@ -43,7 +43,6 @@ in
'';
};
"/vendor".return = "403";
"/.git".return = "403";
};
};
};

2
modules/web/default.nix
View file

@ -11,7 +11,5 @@
./sharepic.nix
./userdir.nix
./ftp.nix
./hyperilo.nix
./notenrechner.nix
];
}

83
modules/web/ese.nix
View file

@ -1,33 +1,80 @@
{ config, pkgs, ... }:
let
domain = "ese.${config.networking.domain}";
webRoot = "/srv/web/ese";
cms-domain = "directus-ese.${config.networking.domain}";
in
{
sops.secrets."directus_env" = { };
environment.systemPackages = [ pkgs.nodejs_22 ];
virtualisation.oci-containers = {
containers.directus-ese = {
image = "directus/directus:latest";
volumes = [
"/srv/web/directus-ese/uploads:/directus/uploads"
"/srv/web/directus-ese/database:/directus/database"
];
extraOptions = [ "--network=host" ];
environment = {
"DB_CLIENT" = "pg";
"DB_HOST" = "localhost";
"DB_PORT" = "5432";
"DB_DATABASE" = "directus_ese";
"DB_USER" = "directus_ese";
"PUBLIC_URL" = "https://directus-ese.ifsr.de";
"AUTH_PROVIDERS" = "keycloak";
"AUTH_KEYCLOAK_DRIVER" = "openid";
"AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
"AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
"AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
"AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
"AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
};
environmentFiles = [
config.sops.secrets."directus_env".path
];
};
};
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "directus_ese";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "directus_ese" ];
};
services.nginx = {
virtualHosts."${cms-domain}" = {
locations."/" = {
extraConfig = ''
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
'';
proxyPass = "http://127.0.0.1:8055";
};
};
virtualHosts."${domain}" = {
locations."= /" = {
return = "302 /2025/";
return = "301 /2024/";
};
locations."/" = {
root = webRoot;
root = "/srv/web/ese/served";
tryFiles = "$uri $uri/ =404";
};
# cache static assets
locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
root = webRoot;
extraConfig = ''
expires 1y;
'';
};
};
};
users.users."ese-deploy" = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
];
};
}

138
modules/web/ftp.nix
View file

@ -22,137 +22,15 @@ in
'';
locations."=/403.html" = {
root = pkgs.writeTextDir "403.html" ''
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>403 Forbidden - iFSR</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
background-color: #f8f9fa;
margin: 0;
padding: 1rem;
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
}
.container {
background: white;
padding: 2rem;
border-radius: 12px;
box-shadow: 0 2px 15px rgba(0, 0, 0, 0.1);
text-align: center;
max-width: 600px;
width: 100%;
}
.error-code {
font-size: 3.5rem;
font-weight: bold;
color: #dc3545;
margin: 0;
line-height: 1;
}
.error-title {
font-size: 1.5rem;
color: #343a40;
margin: 1rem 0;
}
.error-message {
color: #495057;
margin: 1rem 0;
line-height: 1.6;
}
.language-section {
padding: 1.5rem;
margin: 1rem 0;
background: #f8f9fa;
border-radius: 8px;
text-align: left;
}
.language-header {
display: flex;
align-items: center;
gap: 0.5rem;
font-weight: bold;
margin-bottom: 1rem;
color: #343a40;
}
.help-list {
margin: 0;
padding-left: 1.2rem;
list-style-type: none;
}
.help-list li {
margin: 0.5rem 0;
position: relative;
}
.help-list li:before {
content: "";
position: absolute;
left: -1.2rem;
color: #6c757d;
}
.logo {
width: 180px;
height: auto;
margin-bottom: 1.5rem;
}
@media (max-width: 480px) {
.container {
padding: 1.5rem;
}
.language-section {
padding: 1rem;
margin: 0.5rem 0;
}
.error-code {
font-size: 3rem;
}
.error-title {
font-size: 1.25rem;
}
.logo {
width: 150px;
}
}
</style>
</head>
<body>
<div class="container">
<img src="https://ifsr.de/user/themes/ifsr/images/logo.svg" alt="iFSR Logo" class="logo">
<h1 class="error-code">403</h1>
<h2 class="error-title">Zugriff verweigert / Access Forbidden</h2>
<div class="language-section">
<div class="language-header">
🇩🇪 Deutsch
</div>
<p class="error-message">
Dieser Ordner ist nur aus dem Uni-Netz zugänglich.
</p>
<ul class="help-list">
<li>Stellen Sie sicher, dass Sie mit dem TUD-Netzwerk verbunden sind</li>
<li>Oder wählen Sie sich über VPN ein</li>
</ul>
</div>
<div class="language-section">
<div class="language-header">
🇬🇧 English
</div>
<p class="error-message">
This directory is only accessible from the TUD network.
</p>
<ul class="help-list">
<li>Make sure you are connected to the TUD network</li>
<li>Or connect via VPN</li>
</ul>
</div>
</div>
</body>
<head>
<title>403 Forbidden</title>
</head>
<body>
<center><h1>403 Forbidden</h1></center>
<center>Dieser Ordner ist nur aus dem Uni-Netz zug&aumlnglich.</center>
<center>This directory is only accessible from the TUD network.</center>
</body>
</html>
'';
};

34
modules/web/hyperilo.nix
View file

@ -1,34 +0,0 @@
{ ... }:
{
# provide access to iLO of colocated server
# in case of questions, contact @bennofs
services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
forceSSL = true;
locations."/".proxyPass = "https://192.168.0.120:443";
locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
locations."/".extraConfig = ''
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_capitalized;
'';
};
# HP iLO requires uppercase Upgrade, not lowercase "upgrade"
services.nginx.commonHttpConfig = ''
map $http_upgrade $connection_upgrade_capitalized {
default Upgrade;
''' close;
}
'';
systemd.network.networks."20-hyperilo" = {
matchConfig.Name = "eno8303";
address = [ "192.168.0.1/24" ];
networkConfig.LLDP = true;
networkConfig.EmitLLDP = "nearest-bridge";
};
sops.secrets."hyperilo_htaccess".owner = "nginx";
}

9
modules/web/notenrechner.nix
View file

@ -1,9 +0,0 @@
{ config, specialArgs, ... }:
let
domain = "notenrechner.${config.networking.domain}";
in
{
services.nginx.virtualHosts."${domain}" = {
root = specialArgs.notenrechner.packages."x86_64-linux".default;
};
}

60
modules/web/sharepic.nix
View file

@ -1,14 +1,60 @@
{ pkgs, config, ... }:
{ pkgs, config, lib, ... }:
let
domain = "sharepic.${config.networking.domain}";
user = "sharepic";
group = "sharepic";
in
{
services.nginx.virtualHosts."${domain}" = {
root = pkgs.fetchFromGitHub {
owner = "jannikmenzel";
repo = "iFSR-Sharepicgenerator";
rev = "ac721d5fff2dba1f046939a6d6532b1a8cfceba8";
hash = "sha256-of+N58TDt2BcbDVEriKn6rjQVl0GdV4ZMEblrdUutZk=";
users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { };
services.phpfpm.pools.sharepic = {
user = "sharepic";
group = "sharepic";
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.nginx = {
enable = true;
virtualHosts."${domain}" = {
root = "/srv/web/sharepic";
extraConfig = ''
index index.php index.html;
'';
locations = {
"/" = {
tryFiles = "$uri $uri/ =404";
};
"~ \.php$" = {
extraConfig = ''
try_files $uri =404;
fastcgi_pass unix:${config.services.phpfpm.pools.sharepic.socket};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
'';
};
"/data".return = "403";
};
};
};
}

24
modules/wiki/fsr.nix
View file

@ -64,8 +64,7 @@ in
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
$wgOpenIDConnect_MigrateUsersByEmail = true;
//$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_Config["iFSR Login"] = [
"plugin" => "OpenIDConnect",
"data" => [
@ -77,18 +76,21 @@ in
'';
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
# the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
SyntaxHighlight_GeSHi = null;
PluggableAuth = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
};
OpenIDConnect = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_42-6c28c16.tar.gz";
hash = "sha256-X5kUuvxINbuXaLMKRcLOl2L3qbnMT72lg2NA3A9Daj8=";
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
};
VisualEditor = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
};
SyntaxHighlight = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
};
};
};

48
overlays/default.nix
View file

@ -1,8 +1,7 @@
_final: prev:
let
inherit (prev) fetchurl;
inherit (prev) fetchpatch;
inherit (prev) callPackage;
inherit (prev) fetchFromGitHub;
in
{
# AGDSN is running an outdated version that we have to comply to
@ -13,42 +12,17 @@ in
sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
};
}));
# Mailman internal server error fix
# https://gitlab.com/mailman/mailman/-/issues/1137
# https://github.com/NixOS/nixpkgs/pull/321136
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
(_python-final: python-prev: {
readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
propagatedBuildInputs = [ python-prev.cmarkgfm ];
});
})
];
keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
portunus = callPackage ./portunus.nix { };
mediawiki = (prev.mediawiki.overrideAttrs (_old: rec {
version = "1.43.0";
src = fetchurl {
url = "https://releases.wikimedia.org/mediawiki/${prev.lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
hash = "sha256-VuCn/i/3jlC5yHs9WJ8tjfW8qwAY5FSypKI5yFhr2O4=";
# (hopefully) fix systemd journal reading
prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
patches = [
./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
];
src = fetchFromGitHub {
owner = "adangel";
repo = "postfix_exporter";
rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
};
}));
hedgedoc = prev.hedgedoc.overrideAttrs ({ patches ? [ ], ... }: {
patches = patches ++ [
./hedgedoc/0001-anonymous-uploads.patch
];
});
# patch to remove the nixspam blocklist. Remove after next rspamd release
rspamd = prev.rspamd.overrideAttrs ({ patches ? [ ], ... }: {
patches = patches ++ [
(fetchpatch {
url = "https://patch-diff.githubusercontent.com/raw/rspamd/rspamd/pull/5300.diff";
hash = "sha256-7zY+l5ADLWgPTTBNG/GxX23uX2OwQ33hyzSuokTLgqc=";
})
];
});
}

62
overlays/hedgedoc/0001-anonymous-uploads.patch
View file

@ -1,62 +0,0 @@
diff --git a/app.js b/app.js
index d41dbfbd7..faf686cfa 100644
--- a/app.js
+++ b/app.js
@@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL
app.locals.sourceURL = config.sourceURL
app.locals.allowAnonymous = config.allowAnonymous
app.locals.allowAnonymousEdits = config.allowAnonymousEdits
+app.locals.allowAnonymousUploads = config.allowAnonymousUploads
app.locals.disableNoteCreation = config.disableNoteCreation
app.locals.authProviders = {
facebook: config.isFacebookEnable,
diff --git a/lib/config/default.js b/lib/config/default.js
index d038e5311..9ab9a6bb1 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -33,6 +33,7 @@ module.exports = {
protocolUseSSL: false,
allowAnonymous: true,
allowAnonymousEdits: false,
+ allowAnonymousUploads: false,
allowFreeURL: false,
requireFreeURLAuthentication: false,
disableNoteCreation: false,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index da50a660d..b74d122f4 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -31,6 +31,7 @@ module.exports = {
allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN),
allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
+ allowAnonymousUploads: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_UPLOADS),
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index c40ffc961..20c2da83b 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -22,6 +22,7 @@ module.exports = {
allowOrigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
+ allowAnonymousUploads: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_UPLOADS),
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
dbURL: process.env.HMD_DB_URL,
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index d9964827b..7321bc805 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -59,8 +59,7 @@ async function checkUploadType (filePath) {
imageRouter.post('/uploadimage', function (req, res) {
if (
!req.isAuthenticated() &&
- !config.allowAnonymous &&
- !config.allowAnonymousEdits
+ !config.allowAnonymousUploads
) {
logger.error(
'Image upload error: Anonymous edits and therefore uploads are not allowed'

32
overlays/portunus.nix
View file

@ -1,32 +0,0 @@
{ lib
, buildGoModule
, fetchFromGitHub
, libxcrypt-legacy
, nixosTests
}:
buildGoModule rec {
pname = "portunus";
version = "2.1.1";
src = fetchFromGitHub {
owner = "majewsky";
repo = "portunus";
rev = "v${version}";
sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
};
buildInputs = [ libxcrypt-legacy ];
vendorHash = null;
passthru.tests = { inherit (nixosTests) portunus; };
meta = with lib; {
description = "Self-contained user/group management and authentication service";
homepage = "https://github.com/majewsky/portunus";
license = licenses.gpl3Plus;
platforms = platforms.linux;
maintainers = with maintainers; [ majewsky ] ++ teams.c3d2.members;
};
}

217
secrets/quitte.yaml
View file

File diff suppressed because one or more lines are too long