diff --git a/README.md b/README.md index 41f2f4d..fadce9b 100755 --- a/README.md +++ b/README.md @@ -27,16 +27,3 @@ nixos-rebuild switch --flake .# 3. Change one letter in one of the yml entries to let sops know it has to regenerate the MAC 4. Close the file. Open it again and revert the change you just did in step 3. - -
- DKIM Key generation - - Commands to create the dkim key: - ```bash - cd /var/lib/rspamd/dkim - ``` - ```bash - DOMAIN=ifsr.de;rspamadm dkim_keygen -d "$DOMAIN" -s quitte -k "$DOMAIN".quitte.key >> "$DOMAIN".quitte.pub - ``` - -
diff --git a/flake.nix b/flake.nix index ebc5522..7b5ad3d 100755 --- a/flake.nix +++ b/flake.nix @@ -14,23 +14,6 @@ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; nixosConfigurations = { - birne = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./hosts/birne/configuration.nix - - ./modules/base.nix - ./modules/autoupdate.nix - ./modules/desktop.nix - ./modules/printing.nix - ./modules/wifi.nix - ./modules/options.nix - { - fsr.enable_office_bloat = true; - } - - ]; - }; sanddorn = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ @@ -42,8 +25,6 @@ ./hosts/sanddorn/configuration.nix ./modules/infoscreen.nix ./modules/base.nix - ./modules/autoupdate.nix - ./modules/wifi.nix ./modules/desktop.nix ./modules/options.nix "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" @@ -83,6 +64,7 @@ ./hosts/quitte/configuration.nix ./modules/options.nix ./modules/base.nix + ./modules/ldap.nix # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix diff --git a/hosts/birne/configuration.nix b/hosts/birne/configuration.nix deleted file mode 100755 index 5ab2329..0000000 --- a/hosts/birne/configuration.nix +++ /dev/null 
@@ -1,41 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
- imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
-
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- networking = {
- hostName = "birne";
- interfaces.wlp4s0.useDHCP = true;
- interfaces.enp1s0.useDHCP = true;
- wireless = {
- enable = true;
- interfaces = [ "wlp4s0" ];
- };
- };
-
- nixpkgs.config.allowUnfree = true;
- users.users.printer = {
- isNormalUser = true;
- password = "printer";
- extraGroups = [ ];
- };
-
- environment.systemPackages = with pkgs; [
- firefox
- ];
-
- system.stateVersion = "21.05";
-
-}
-
diff --git a/hosts/birne/hardware-configuration.nix b/hosts/birne/hardware-configuration.nix
deleted file mode 100755
index 5ad5d2a..0000000
--- a/hosts/birne/hardware-configuration.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" "wl" ];
- boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
-
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/9799b183-a191-484e-b9a4-05e29412af25";
- fsType = "ext4";
- };
-
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/CF58-EB12";
- fsType = "vfat";
- };
-
- swapDevices =
- [{ device = "/dev/disk/by-uuid/94622e8e-8b58-4b3b-9494-d144ccaeb486"; }];
-
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/hosts/quitte/wireguard_server.nix b/hosts/quitte/wireguard_server.nix
deleted file mode 100644
index 7a4f113..0000000
--- a/hosts/quitte/wireguard_server.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, ... }:
-
-{
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
- networking.wg-quick.interfaces = {
- wg-dvb = {
- # pubkey: 8iQQSCI14dObcrMw0/rZJxfvpOAhy3CU+haJq2nyIzc=
- address = [ "10.13.37.1/32" ];
- privateKeyFile = config.sops.secrets.wg-seckey.path;
- listenPort = 51820;
- peers = [
- {
- # Tassilo
- publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
- allowedIPs = [ "10.13.37.2/32" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
-}
-
-
diff --git a/keys/pgp/fugi.asc b/keys/pgp/fugi.asc
index 1e3a740..d552962 100755
--- a/keys/pgp/fugi.asc
+++ b/keys/pgp/fugi.asc
@@ -11,59 +11,32 @@ Cp+QKOAMgAuzGA2l3k2Us75TbmbdjGQIXAHxfnLTc7yDaTWaVZtGMVMph4ood7RR 8s+7lZi/Demr5Y4D/VC2vH60n5oGw3osoTAWCgcrA6/eOL0yCDPq0dDhpEea25j6 9ttrlWbwR0WvsjWQf4DgEFqcvPdjRfPk/pLtkPlLIvMZE3L4wD1RAni0adhyBP0i oLEND7uAViobqWgQfP8qYvfolSO+NEwwGSZCAH+hHXyV/YNtTlrnPUYuPQARAQAB -tB5MdWNhcyBGdWdtYW5uIDxsdWNhc0BmdWdpLmRldj6JAk4EEwEIADgWIQS/N5A6 -5v0pTExnTuJEcqIAkb+nkgUCYO2/mwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX -gAAKCRBEcqIAkb+nkpa3D/0V46q3j00NiRW1wG8u1LM1sXt3vPCovXw+snALD/NP -ddTzuDVZP9yKNOZI1Z1cA9VxBupxhmvJ4Nj+9WtxNSoTLvqwwDxiD9OmWudVM2fT -+PEqtqfxAPK4OD63ahZWehkXUWDeNqNWYEJryztoum68WV6h5dWNO+hPcow6p+x4 -PCT/JKZFepR1/KQ3hs6JfzkVIZEwlRxvmebKR677lKVovtDp/Hs6MsQPijdXtiu5 -vQi5YIR++1qOHBf11qdK4bCzzacUoVTwrf5nenk6uoTGNatbHyLY36Mot2c4UvV+ -+0hOCZY/471D8pc/wd9XgirE+kHlVXhPc5mp83e42wKyOAay92p1fgm/2PhQUYLX -QR1PThHA9pVnhOy5/5XhhdZ98Cqw254gQHe1At+nAlf6t64QnUcOnh/0oDBufxhE -5VLd7fF5Sqn3yMc9JfbDlCCIhBwxVj8e3hMGwp58LstskmfebD+PyD6fgZHjVAmy -j72SS6Le6eCW5tiHZ5Ii2cRc0EnmtpdqhLpeCOym9AWmEFc9ZvmUmGxyLLmFzC3f -l1yLMHKNJygJ4q/t4mG/vmkXi6T/t2MCgpz05AaMSSLILWN7KylBc4QtslgBUlVO -fIsoxVYPrHBQj49BKbNoYjM0lmE4QcVPcHtSW166cusAQEkJSDGn4oxg/U/4x9Rv -UIkCMwQRAQoAHRYhBMYbspcSh6aHhOhEJCpYFQA7RhNEBQJhCmUeAAoJECpYFQA7 -RhNEwsMQAI4zoMf3LY6UkyPPD6l2hA3opzxBajBQto4/B6gdQYV9h9GCs9SXzuQj -TIRykJX+10dgTRNpa6qTzUoYvDpG/22Z36/i63bRdVfCxBRphB6Ue/PIszomQZNY -/qBiWxrl4RRZ5tX7ny5IVF3eDHNwMp597NVuQvWbr8aqGjrFM9dz8TvDwbQulQbP -2UmZN301rqfIaCk3kCSWoDGAEOShWz4G/u7ExpXLbDZwercsQs2w9moUgVdB47H3 -HjT9tGEsFutcaOYXvKFIqh6wRg0iprP/g23WBzGZO5bf6fG3EzFaOoPWwBnJsxtx -HbOGeeSgNmb6vYZv+XkjONINGJORkiNrC75bV0Y+GURGTZYqLmXsA1Cz1G14AHWc -+astcLigOXJAzwKavYMaITWst9yVeZzYc91TMRDWXYK/93mgnc36xLs6SVJcsjGM -FQRdWXotJYJsGfKgf/7WEVjhWuJtAjugd28kjDfnl0PiJLC/tNJMmS2sVPX/f993 -v+unm43UwWKJ1eu146Xpl73sqa9DBR4W0KDkz3zvzjRiIu90NlLCzLLhd6zxQZxh -w+f1VZs7g1EiVxNUfOTp4yKbKFpvLxjRDOTbuMyHVHNtAfHgWsTnph+RhDqqI/Jg -WrqIT6/CPJ0gA0zTZthhFiaADOlLVUoTC3+qI8Ne45yKv6U/VtSOiQLMBBEBCgC2 -FiEEtCpbjpGyU4HWTEfFxF0eaL0IbKEFAmERWCcFgwHhM4BkFIAAAAAAFQBGbW9y 
-ZS1pbmZvQHNlbWlzb2wuZGV2aHR0cHM6Ly9zZW1pc29sLmRldi9zaWduLW1ldGEv -QkYzNzkwM0FFNkZEMjk0QzRDNjc0RUUyNDQ3MkEyMDA5MUJGQTc5Mi0aaHR0cHM6 -Ly9zZW1pc29sLmRldi9jZXJ0aWZpY2F0aW9uLXBvbGljeS50eHQACgkQxF0eaL0I -bKGnqA//dIwfktys+FRQ7sS+rvWYTwp6C5fkSSOddHhYNrDIuIh7dgmg9yY17zqH -DSBSCsXZQVxQRu2iD+rCiqK3A1Lc1K3p8RxF/Ey/1J62XQ74TTqsMOVyvmDiO756 -ijrOEPCE4M0A+0YHic4/wCJ6jsxan2iNKLsggbSSOvzmTtp2uPUnPocNE+m6ndrQ -ec6dtJ+QzPmYRuTAjEfWgSzQTLiOpZy6RkMuNsaFGJ0Xk+gVWEwTcejkKamS6f8n -A/AhESJ2YeGUasAEggQbcug+AmVAtwyqJ6cXE96jeBHbaHJPzWoXqLcWAV4D2Rg6 -lYJqOQHpMtsG5hu/AzUwscrlOkKu6XM4wFWH3x3W37tbZeFouGyt+zioNqlsCr2+ -mOmWxG2OioPrMY6Ud43EY8HsO9SdFDY7MIAfN+XOeq9WjmGe6t4W2cTTfu1EaYVe -16Qj8/0kdbY5mL0eZElo5tvRcNEmM50bwi1kKtjWXDW91chBluMZp7jc6pPaHyVM -ldRyVi0Zp2blgHw5LGrjCYYMz8xeElbKXcE7/1L/xMTopj3JtwdPpM63610jrbPW -uUr6qUm6ZQ9jnY/vJAoMepjRD6cuhRs77QUt8dVYWjRQzALQwXvsW/1ySDCIaJu7 -JH4GXfFjVGvzVRelhsK4FB/JjUEGCyL3XOixiniQFTrK68KbugO0IEx1Y2FzIEZ1 -Z21hbm4gPGx1Y2FzQGRlcmZ1Z2kuZGU+iQJOBBMBCAA4FiEEvzeQOub9KUxMZ07i -RHKiAJG/p5IFAmElKLkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQRHKi -AJG/p5LuGA//Up4hOatiNvd/zkYJvHwnKPZy1zd3W7i5ytp8OgcitqbZyS4FKXAf -XcDnSwxHKrgtf6mNiQgB9/VMR1T/lVjawXvkLnrCKIiqnBbWmL5MItX6rVI+Cxij -MI2EyoFC5gRo97RRPX97i7I5Yi/S3WqfeQ1+7FyRwTA4rU6/pedxlWoYfwsQOGPG -UwWK11v/Avl2mftnN1zpUpyhdQ+uwLRT2wwg7IdSEUBMHxywhoWuKNny+p2vSu0A -C1qUwGgQaw2jtUoHZox64r+TEYBtOmfrt5dpyf442Lz0yNkOVvVZEf72DiODlyg3 -kkHvLlp7kKIkOKvt6td8Kry5HvotXtllwAqtL4bl8fKaI0CrBc2Duko8gXZMIF+S -rhYChZ4sFNGQDAlFGDhUEsgnGCkuY/Z8SZH1wR5obwOewJe+zp3YoPACqj2IDTZl -bHcxfa6+8FYVJob3ZoLleN6fWjSP6dLdL4BUkhPdGw/TNTQzlT0S3Rt3yajqOXDU -cd3bqCCduRuaYtNwh9FPgj87A/eCmf/zidLnX4s0GIMg6PegzIrYAVJWidpMJkv+ -3FR2UhK8iIR9YxOpjIFDWhTzA4cLk+FvmLyjlbQ2n+mgdv3E3bqqHvEQQaO18NOL -ZUa17ZB/W/CGCwrfWyUpYZrCaDNGTGiP8EiDSTAgq2eL6iRArb0J3065Ag0EYO2/ +tBJGdWdpIDxtZUBmdWdpLmRldj6JAlEEEwEIADsCGwMFCwkIBwIGFQoJCAsCBBYC +AwECHgECF4AWIQS/N5A65v0pTExnTuJEcqIAkb+nkgUCY7sNHwIZAQAKCRBEcqIA +kb+nkskdEACoQD1K+0THmBEsTwYMXap5zyjgrFM8wYhvEmny6OX+QWeXyd1s1Gnu 
+nPImp6Pk/7GtfJoJvUS5Iw/6I7VTb5QrI2Pxs8ZQpEcv6jI7GK9jCqNAgrRbgWPC +M/Pxucg8MNwNtMqn7am58tssi+Mlft1mBvNsAXUFLJp1cG7660m3A8qEzmzVbrT0 +EQgzdY+RlKjm+SaXdpq7l+oTN8q8e3KZtAIXL/nE8JbZbg/+cxlqkkbdmbQyO4d/ +HN94b/0Bf1dgAXAZU4AVY1q9OZWXW19CiRsdwqEL9QnFhqYQknS/yU4kccSxmWBC +i3fAnWWV2a0xnCrtJV3Hkgzaqjzs1+zySM15lbN42QWCb/FaoOaHHRVlULRrKIdu +AtzqMgx0uhQvnoB4WP6LKscU+dQybRcmWvXGpJ1H67Q9sshbAJ8/M6PIkv+ixTge +9qDppPNgRQWfk4IkU070Ed2n6utwlH9T1UFtj2HfXbbs/EENlMMMGHKV5bfjLYO1 +wBMOmxneME65387gCC0VyC1mODHybrncbC/0wHeW4zKsEMP7xLC2YHnQMeo+nwW/ +ZbIyOAT1vSGcVGONy6Dm+o8dgmCkzxDtG+2h3VJ+oxSZXO4rhZD718HLEFLFJy31 +dra9QAZS6Id4TWBX/ssGHqfLROW9w915O5vUlMPMgWdadl+Gu/b6BLQeTHVjYXMg +RnVnbWFubiA8bHVjYXNAZnVnaS5kZXY+iQJOBBMBCAA4AhsDBQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAFiEEvzeQOub9KUxMZ07iRHKiAJG/p5IFAmO7DR8ACgkQRHKi +AJG/p5KGYRAAoAGdF9xjBXt3XNRTQapCelA/GeNtUTTqd7AsEeTe2vpl2Wro+mqw +d77997LzugxrqEOxmMTp8aqeu5eg7QZbYxIWRDESzIfLu3/mFK7RWtwUMnq9E+Nw +1+6TM3r/wIg6vY6fLFZpUmnL3M7BXEBynCWXy0N39BtzcTD8SxYCco8Ud0ZD2Ike +Pt/5xN5WHs+FyII4mUo8TDwW8hQbyMOQGu06prkG8NHn5PVQk3Fc4aqAwfYl9PaS +GTfvz3POEL2+7e9cbc7wUaG6W0wVtS97j4BRLmDn2HmfcD611TX0Axfoji3wevYi +2wvxidnVbvVUYpEq7cJ2XYBcE4gGTSADr6SnQtw5E6JyNkSZHCoNFv96VrROisIg +Phhjtu21i8Ad6uBnNJa1bM0rrSL4YVSPT1UrhDsLdWVfB3TH5uAa+Ioss55dt22P +2rG9MGKYMiOc0UpZEf8E7MndDP3hutQEVPHt94ccPPn6I33ZnvnNaORZAfPufrhl +Y/Hf7gTgvlDoctev7sZ62VWeWvgn5BMIKVrmV4MJW/UWUguQim8F/hrst8KE62JP +XEyvFoklx/f7osf0rbPcqQhKXUe8O+6n90Pt63Z3LptSx/PCxXsDwweuwoz1cTea +ZuKmXywY1khbNMbKKTXn2vQ3jl/ZDZXGWBK0LF2O8Hn91J1VxybLczy5Ag0EYO2/ mwEQANOkIongJ5zRz8NJLm94roMWnyi6QVASwR6MeBCXsudn6CZnQiSZX5XfOdEQ IynYSMRGuRQbSw29qXfzy2U2PVv6J7OuKcpYK66VHyLBfuKIt20W+lGJH9Vubj5u 2dgEC9Tk/jjPtHgOwusWN3qmXt1C0iBB2iLXjlTfWn8o+iUhfcspc2t8/z6DM8mw 
@@ -87,5 +60,5 @@ TEHp3JGG1j+bJxEpa0iKsaCWz2DNNv40lIrlFtzGarVBSF4fgAJoevhL+ZyY0RfR
 G42CTa2EDMpPZnvSkyOUIQIPVduqv5D0NQg2X97T3yBLlu0k3FORiXiutJF2y2Fr
 LpLVjBvNfedMx5pInZ1UcfugH3ptCMqBP6F8qkMZm6WXPiP4/+8ObN1JzHwUi0+A
 lESg8VM66bBC0U4xCXxIUhTNRtACJt3e7jkjNLAKPG7LQg==
-=6HqB
+=XbNH
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/modules/autoupdate.nix b/modules/autoupdate.nix
deleted file mode 100755
index 7152937..0000000
--- a/modules/autoupdate.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ pkgs, config, ... }:
-
-{
- system.autoUpgrade = {
- enable = true;
- dates = "12:00";
- # might need to move this into the configuration of `birne`?
- allowReboot = true;
- };
-}
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index e88af66..debcdca 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -25,7 +25,6 @@ in
 protocolUseSSL = true;
 dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
 sessionSecret = "\${SESSION_SECRET}";
- allowAnonymousEdits = true;
 csp = {
 enable = true;
 directives = {
@@ -34,6 +33,26 @@ in upgradeInsecureRequest = "auto"; addDefaults = true; }; + allowGravatar = false; + + ## authentication + # disable email + email = false; + allowEmailRegister = false; + # allow anonymous editing, but not creation of pads + allowAnonymous = false; + allowAnonymousEdits = true; + defaultPermission = "limited"; + # ldap auth + ldap = rec { + url = "ldap://localhost"; + searchBase = "ou=users,${config.services.portunus.ldap.suffix}"; + searchFilter = "(uid={{username}})"; + bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}"; + bindCredentials = "\${LDAP_CREDENTIALS}"; + useridField = "uid"; + providerName = "iFSR"; + }; }; }; 
@@ -52,12 +71,23 @@ in }; }; - sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User; - sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; + sops.secrets = + let + user = config.systemd.services.hedgedoc.serviceConfig.User; + in + { + postgres_hedgedoc.owner = user; + hedgedoc_session_secret.owner = user; + hedgedoc_ldap_search = { + key = "portunus_search"; + owner = user; + }; + }; systemd.services.hedgedoc.preStart = lib.mkBefore '' export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})" export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" + export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})" ''; systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ]; diff --git a/modules/keycloak.nix b/modules/keycloak.nix deleted file mode 100644 index 881980b..0000000 --- a/modules/keycloak.nix +++ /dev/null 
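Review bot: `hedgedoc_ldap_search` is declared with `key = "portunus_search"`, so HedgeDoc binds with the directory's shared search credential — the same account `bindDn` in the settings hunk above points at, and possibly the one behind `sops.secrets."dovecot_ldap_search"` visible in the mail.nix hunk — which means a compromise of any one consumer yields a credential valid for every LDAP-backed service. If Portunus can provide a separate read-only bind user per service, give HedgeDoc its own; otherwise add a comment above the entry, e.g. `# shared Portunus search credential — rotating it means rebuilding every consumer`, so the coupling stays visible. The `export LDAP_CREDENTIALS=...` line follows the existing preStart pattern, which presumably works only because `lib.mkBefore` orders these exports ahead of the module's own preStart; a one-line comment saying so would help the next editor.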
@@ -1,64 +0,0 @@ -{ pkgs, config, lib, ... }: { - - sops.secrets.postgres_keycloak = { - owner = config.systemd.services.keycloak.serviceConfig.User; - group = "keycloak"; - }; - - users.users.keycloak = { - name = "keycloak"; - isSystemUser = true; - group = "keycloak"; - }; - - users.groups.keycloak = { - name = "keycloak"; - members = [ "keycloak" ]; - }; - - services = { - keycloak = { - enable = true; - - settings = { - hostname = "keycloak.quitte.tassilo-tanneberger.de"; - http-host = "127.0.0.1"; - http-port = 8000; - https-port = 8001; - proxy = "edge"; - }; - - database = { - username = "keycloak"; - type = "postgresql"; - passwordFile = config.sops.secrets.postgres_keycloak.path; - name = "keycloak"; - host = "localhost"; - createLocally = true; - }; - }; - postgresql = { - enable = true; - }; - nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "${config.services.keycloak.settings.hostname}" = { - enableACME = true; - forceSSL = true; - http2 = true; - locations = { - "/" = - let - cfg = config.services.keycloak.settings; - in - { - proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}"; - }; - }; - }; - }; - }; - }; -} diff --git a/modules/ldap.nix b/modules/ldap.nix index dd459e0..fbde7cb 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let domain = "auth.${config.fsr.domain}"; 
@@ -89,6 +89,29 @@ in daemon.enable = true; }; + security.pam.services.sshd.text = '' + # Account management. + account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + account required pam_unix.so + + # Authentication management. + auth sufficient pam_unix.so likeauth try_first_pass + auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass + auth required pam_deny.so + + # Password management. + password sufficient pam_unix.so nullok sha512 + password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + + # Session management. + session required pam_env.so conffile=/etc/pam/environment readenv=0 + session required pam_unix.so + session required pam_loginuid.so + session optional pam_mkhomedir.so + session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + + ''; services.nginx = { enable = true; diff --git a/modules/mail.nix b/modules/mail.nix index 6457c47..8a4db0e 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; @@ -6,7 +6,9 @@ let # brauchen wir das überhaupt? #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #server_host = ldap://localhost - #search_base = ou=mail, dc=ifsr, dc=de + #search_base = dc=ifsr, dc=de + #query_filter = (&(objectClass=posixAccount)(uid=%n)) + #result_attribute=mail #''; dovecot-ldap-args = pkgs.writeText "ldap-args" '' uris = ldap://localhost @@ -17,8 +19,8 @@ let ldap_version = 3 scope = subtree base = dc=ifsr, dc=de - user_filter = (&(objectClass=posixAccount)(uid=%n)) - pass_filter = (&(objectClass=posixAccount)(uid=%n)) + user_filter = (&(objectClass=posixAccount)(mail=%u)) + pass_filter = (&(objectClass=posixAccount)(mail=%u)) ''; in { 
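Review bot: The added sshd PAM stack contains `session optional pam_mkhomedir.so` with no `umask=` argument, so the home directory created for a directory user on first login gets pam_mkhomedir's documented default umask of 0022 — a world-readable home on a host that also serves mail; change it to `session optional pam_mkhomedir.so umask=0077`. Assigning `security.pam.services.sshd.text` verbatim also replaces the stack the NixOS module would otherwise generate (the `users.ldap` options, as far as I recall, emit these same pam_ldap lines), so anything the generated stack carried, such as pam_nologin or pam_limits, is now absent for sshd — if that is intended, say so in a comment above the assignment. `nullok` on the `password sufficient pam_unix.so` line only matters if accounts with an empty password exist; drop it unless that is deliberate. The enclosing attribute set starts and ends outside the hunk.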
@@ -26,33 +28,85 @@ in sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + users.users.postfix.extraGroups = [ "opendkim" ]; services = { postfix = { enable = true; + enableSubmissions = true; hostname = "${hostname}"; domain = "${domain}"; - relayHost = ""; origin = "${domain}"; destination = [ "${hostname}" "${domain}" "localhost" ]; + networks = [ "127.0.0.1" "141.30.30.169" ]; sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; + extraAliases = '' + # Taken from kaki, maybe we can throw out some at some point + # General redirections for pseudo accounts + bin: root + daemon: root + named: root + nobody: root + uucp: root + www: root + ftp-bugs: root + postfix: root + + # Well-known aliases + manager: root + dumper: root + operator: root + abuse: postmaster + + # trap decode to catch security attacks + decode: root + ''; config = { + home_mailbox = "Maildir/"; + smtp_use_tls = true; + smtp_tls_security_level = "encrypt"; + smtpd_use_tls = true; + smtpd_tls_security_level = lib.mkForce "encrypt"; + smtpd_tls_auth_only = true; + smtpd_tls_protocols = [ + "!SSLv2" + "!SSLv3" + "!TLSv1" + "!TLSv1.1" + ]; smtpd_recipient_restrictions = [ - "reject_unauth_destination" "permit_sasl_authenticated" "permit_mynetworks" + "reject_unauth_destination" + "reject_non_fqdn_hostname" + "reject_non_fqdn_sender" + "reject_non_fqdn_recipient" + "reject_unknown_sender_domain" + "reject_unknown_recipient_domain" + "reject_unauth_destination" + "reject_unauth_pipelining" + "reject_invalid_hostname" + ]; + smtpd_relay_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" ]; #alias_maps = [ "ldap:${ldap-aliases}" ]; + smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; + non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; - 
virtual_mailbox_base = "/var/mail"; + smtpd_sasl_type = "dovecot"; + # virtual_mailbox_base = "/var/mail"; }; }; dovecot2 = { enable = true; enableImap = true; enableQuota = false; + mailLocation = "maildir:~/Maildir"; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem"; mailboxes = { @@ -74,7 +128,6 @@ in }; }; extraConfig = '' - mail_location = maildir:/var/mail/%u passdb { driver = ldap args = ${dovecot-ldap-args} @@ -92,6 +145,14 @@ in } ''; }; + opendkim = { + enable = true; + domains = "csl:${config.fsr.domain}"; + selector = config.networking.hostName; + configFile = pkgs.writeText "opendkim-config" '' + UMask 0117 + ''; + }; rspamd = { enable = true; postfix.enable = true; @@ -101,12 +162,6 @@ in read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; ''; - "dkim_signing.conf".text = '' - path = "/var/lib/rspamd/dkim/$domain.$selector.key"; - selector = "quitte"; - sign_authenticated = true; - use_domain = "header"; - ''; }; }; redis = { @@ -140,27 +195,3 @@ in }; }; } - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/modules/nginx.nix b/modules/nginx.nix index c97c327..7cc17f2 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -1,6 +1,23 @@ { config, pkgs, ... }: { - services.nginx.enable = true; + services.nginx = { + enable = true; + appendHttpConfig = '' + map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]+:[^:]+): $ip::; + # IP addresses to not anonymize + 127.0.0.1 $remote_addr; + ::1 $remote_addr; + default 0.0.0.0; + } + log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log anon_ip; + ''; + }; security.acme = { acceptTerms = true; defaults = { diff --git a/modules/printing.nix b/modules/printing.nix deleted file mode 100755 index c99e4ae..0000000 --- a/modules/printing.nix +++ /dev/null 
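Review bot: In the rewritten `smtpd_recipient_restrictions` the first entry is `reject_unauth_destination` and `permit_sasl_authenticated`/`permit_mynetworks` now appear only in `smtpd_relay_restrictions`; Postfix applies both lists, so an authenticated client submitting mail to an outside domain is rejected by the recipient list before the relay list can permit it (unless the submissions listener in master.cf overrides `smtpd_recipient_restrictions`, which is not visible here). Move `"permit_sasl_authenticated"` and `"permit_mynetworks"` to the top of `smtpd_recipient_restrictions`, and drop the second `"reject_unauth_destination"`, which is listed twice. Separately, `smtpd_tls_security_level = lib.mkForce "encrypt"` together with `smtp_tls_security_level = "encrypt"` makes TLS mandatory on port 25 in both directions, so MTAs that do not offer STARTTLS can neither deliver to nor receive from this host; the usual setting for a public MX is `may`, with `encrypt` only on submission(s), and `smtpd_tls_auth_only = true` already keeps SASL off plaintext sessions. The `non_smtpd_milters` entry uses `/var/run/opendkim/...` while `smtpd_milters` uses `/run/opendkim/...`; pick one path so the two do not drift apart.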
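Review bot: The two regex keys in the `$remote_addr_anon` map read `~(?P\d+\.\d+\.\d+)\.` and `~(?P[^:]+:[^:]+):` — a `(?P` group with no name, which nginx will reject at config load; if the `<ip>` was stripped when this diff was rendered, ignore this, otherwise the lines should be `~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;` and `~(?P<ip>[^:]+:[^:]+): $ip::;`. The `anon_ip` format still writes `"$http_x_forwarded_for"` verbatim, so if any proxy ever sits in front of this host the real client address lands in the log unanonymised; either drop that field or add a comment above `log_format` stating that nothing forwards to this host and the field is kept for debugging. A short comment above the `map` saying what is kept (the first three IPv4 octets, the first two IPv6 hextets) and why loopback is exempted would make the intent clear to the next reader.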
@@ -1,36 +0,0 @@
-{ pkgs, config, ... }:
-
-{
- # Enable CUPS to print documents.
- services = {
- printing.enable = true;
- printing.drivers = with pkgs; [
- gutenprint
- gutenprintBin
- hplip
- hplipWithPlugin
- ];
- avahi.enable = true;
- };
-
- environment.systemPackages = with pkgs; [
- gnome.gnome-control-center
- ];
- # set up Heiko
- hardware.printers.ensurePrinters = [
- {
- description = "Drucker im FSR Buero";
- deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
- location = "FSR Buero";
- model = "Kyocera ECOSYS M6630cidn KPDL";
- name = "Heiko";
- }
- {
- description = "Drucker im FSR Buero";
- deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
- location = "FSR Buero";
- model = "Kyocera ECOSYS M6630cidn KPDL";
- name = "Heiko";
- }
- ];
-}
diff --git a/modules/wifi.nix b/modules/wifi.nix
deleted file mode 100755
index 561186e..0000000
--- a/modules/wifi.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# Useful config
-# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
-# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
-#
-{ pkgs, config, ... }:
-let
- password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
-in
-{
- networking = {
- wireless = {
- enable = true;
- networks = {
- "FSR" = {
- priority = 10;
- pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168";
- };
- };
- };
- };
-}
-
-
diff --git a/secrets/birne.test.yaml b/secrets/birne.test.yaml
deleted file mode 100755
index aa848a4..0000000
--- a/secrets/birne.test.yaml
+++ /dev/null
@@ -1,43 +0,0 @@ -fsr_wifi: ENC[AES256_GCM,data:CD0ge6d5+gc=,iv:yuWfwwGm2HOKvMQQ9lF4TFOqvCU2z06sqS+pzhCFhfY=,tag:1+8MwcPUGgtcdXvTNAuR5g==,type:str] -fsr_wifi_psk: ENC[AES256_GCM,data:uwq/nkKm9eDdMxUJMQ==,iv:q9mzhfkPBM1oTQN69tSEiQmf3hYZ4pGJEqjVEjU//FI=,tag:g0p+S2jlkAT0jY5hBRKuXw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySHgvQThoSmpXOUc1a3lN - dXR6ZElYYlppOXNISXM0bURxQjdIU3pDL2wwCmNoT0pYTEdubWh3eFc3VzVwdnR3 - TU5CbFlBTWxYaHRjamUzamIzQ1VnbFEKLS0tIDVUSEVtKzh1aVp1ekxVd2xRWHVo - dEExQkJySmo5eGtEdXVvd1FFVVhpdFUKNx1FXti0qWKDRYM6wsIUceXbjzra5ezc - 0fNI2r7qnVQ1QghtKnibwMUR1q4/DphKEm4eX4e6q+jfHleHCSk6+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-05T13:53:02Z" - mac: ENC[AES256_GCM,data:ZpEk+wpGQz2ul+Me6i45wXkzvuxzwkibLcljBs2KjTAgjH6F4q1JyXuY271JD95A5HgEvv4Atm3sbHaG+hghXy/36WSFw5jJRBwOjDrOSSAq12+UFeYjgSA2EwbvgbBdIO6VgaRLnXtobtLFG5qaVzUAvSevo6n8vBhEjSHEEJk=,iv:iZ9bJ+it3s6lB8piPeKjVy4QYzwYGUb4EUwvnCR753Q=,tag:Nveq//4C1tiwGOkeXV7a0A==,type:str] - pgp: - - created_at: "2022-03-05T13:42:43Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA/YLzOYaRIJJARAAvxLI7hxutYG0KDovCjpGKIZA1JyNjp1/QYLKz3QDUFsZ - Ykwmixkt2wjTQjn9aE66ujLiEzMDfV2VZ6ao7Ehg04fysU1WurqEB5D+hiS6SCc2 - 3DgvlPeicY+87oZin1iaqL505MzQCEVbmcar++VCdQIGUZSQvbn1Nxn3RxKjHCjm - RW0juiSH1FUIZdBPL9NgUEixv7KpdEBxO5JR30GxDgYMG1Xji9Y2KsBy9XP5Lhn2 - ziuzs6vTfFTuVUdylJNkT6yVgK4V7oEkIMiVPGFYXSUWT3TNZ0qRwuk6UJYLfvnY - Mt0jyKyi+hRIWPQEjBmpK/siBsQGSCXsRe84g+LUtdfPbvqwdZb59qy5B65z/ku/ - 6EQIaPRkgCa5AED3gJQCbBYhvymdgl8ZZcXkVV1Ap2VgKS5o0s+CNjdiNkXdGTL/ - NdE7kehGJCtsHUVGs2I8TfLg/uVgJTKEodTq8eLu8WhVkNKzk9aFBCfHKYtkXBIi - ZIXUHNbPtXDL4aHgOTuTYjWM8bhW0pdnkGX7daqPsfNqgR9hzOo3TzoR3DRDK91w - cvUZ9hApYJ0OVxuPa38JGiYn3826iSSRK8qPjAndE4HhYgT/lZvu8/vZAW6EF/yH - 8exruofMHNBNNdotkYDnyaFO6C+00SMcTUkG49vRqQKwrBygAoPLEKQhDBgczcnU - 
aAEJAhBWRVtwhCZtQV1MCl5u0IbSlxQiIH93FrdTfbJQdKM+LFlwkXOngO4blGOi - 1tQbkiyLzIio+yoyfvbXZOIeMkLA3GynsKtxjnYYipXkuv3LP5BvZiH+bzG9jPW4 - jXrR59MZPJLY - =hWOx - -----END PGP MESSAGE----- - fp: 91EBE87016391323642A6803B966009D57E69CC6 - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/secrets/birne.yaml b/secrets/birne.yaml deleted file mode 100755 index a638ef7..0000000 --- a/secrets/birne.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -fsr_wifi: ENC[AES256_GCM,data:nzfwY2UygQSdboRvfDxVSrUE+WLBJLYBLw==,iv:yR3lCbyUSg97+MnuwUkXEsHtSGuYOPYRgvW/YZYDhv0=,tag:eN/lqD1BetqnFDAFJE6D2g==,type:str] -fsr_wifi_psk: ENC[AES256_GCM,data:A1Z809FJ0fUd93QcX5NNnfVxyzUZMuPGC6Hu4M9LpRoMOTrMcRPMDaR0N+cgmV7rnjYvzm4gTSTEcnqsnLGyNA==,iv:WMs3/I3SEDJwcpyqclCfxKcx61m/6BcwbGaGS4I4a5s=,tag:oYG8M3NQ2lkcUGr2K5YUEg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQXByc2lJWnQ0Rm1Wb1V5 - aVFaY0cwcnVlUFRKNGNYYjJjMnB5NVlkendRCkxJZ0JILzVvbDZRNzlYaWtEREJr - VmYzaUNiU0VmTkZzckhJeS84OU5TUkUKLS0tIG5qTnVtbHV3TWh0cW4xYlJiV0Ji - MFQrNkJxUUVFSStPenM4Tmx6dlVsSm8KQMPsuc/E89aDek3csMarrKm5qcfQKf3u - 2ApD8dEN+L1L9bbJGAY6uNM6sXu5eTAGD7+Rc0duZIdDCg0LGFV8jw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-05T13:52:43Z" - mac: ENC[AES256_GCM,data:/uszrMeVsVlpjFyI29/Sasr8jY3/elnnbbUDmZ1+3YHzoujQRZe47VOpfOgs/XZym+jj7MZInu5Y361YalFb0ArS7GmexZA88rFvOqHPIIUuk2h1iCHLpZRafg96x737snna7L7zHNJFJLBhqcpdt0U4U6SZjXlJ9UgR96c6Agk=,iv:4kCCIhUEfc0GCzoh+3cNxB3cnn71/0jmKI1r62dYFmk=,tag:REOoImReJds8LBKZpeu78w==,type:str] - pgp: - - created_at: "2022-03-05T13:41:12Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA/YLzOYaRIJJAQ/+Jis1dE0ZmxKIaqJKc1itSqd09ieVJDMmei410O2VycU3 - 98YHvdrkRcG+3tLkvzebATANyHcJeefjt4uvQnMjlswX5DHm3JxNYnfOhCQNpexl - 80Lp/0qmnCy1rd2C8/Mr9ub2frupEGeBgU4TwA1LW5X1f89NP9R7b6tBcVMyF/OW - +WWu2g+0yLC9rle0a5QeIkrKsmyB5+dEYOakCMunKCYXE+MS4ULkZqFxhJ8ckTo7 - rKiR8UwzDL+iMl4zLgeNF5Uw7WH8tdHiD3thHQvzjL9++Tg4jZWdgtjdICs1ye2y - sUGzk0RhjXT/Q3rBwQbiivZq7s3ngBpom0co74+X6DORMN0P8WUdox7j4KUS3/oA - KwtyUF92dK9uJwckyN7LXho7zVTnZXV7jjupBacjr0TeHgYzP1eDhbsC6mFlWv2x - mHeK7hQF6VBNi1tAVlcMktbuxZRtc8P0ljFeSXRDoLJKdduIb3TKbGSsAHs1lX+n - CEK2kfS+V6g4CXaSsAsDqIZ75k6bJYRd8M81a1XvSAMB1fzQYDU1zrPGquggOBku - 
S0R0y0po7OwnqQ0HBgVHC8uU8hbG/EIvA1Wpw9FQnjGugi0pOoIiynqJWzttFwvq - XBV27Z7wumWzwij9uFt+TEy7Olulu/Vi/56tiyUNnbklwQqe1mj1m4nnu6z6v4TU - aAEJAhDM3iZRqVMChcCd6A/btYAwNnZrJNzxj+BIV5/+sAk3wjqc6UM7+qdBuzsH - uYq+HBTcdQgpoyqtFryrjQvCsksB6O4eS62FIAKfD65HaxNYQLUYNJ4Xs3NIqroH - MogSWSOw4clo - =8/Ez - -----END PGP MESSAGE----- - fp: 91EBE87016391323642A6803B966009D57E69CC6 - unencrypted_suffix: _unencrypted - version: 3.7.1