From e9674b5b0eb50b7242a2ae477ca3e595181f0d12 Mon Sep 17 00:00:00 2001 From: Fugi Date: Fri, 24 Feb 2023 17:57:55 +0100 Subject: [PATCH 01/16] configure ldap for hedgedoc (config adapted from kaki) --- flake.nix | 1 + modules/hedgedoc.nix | 36 +++++++++++++++++++++++++++++++++--- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index ebc5522..eeed680 100755 --- a/flake.nix +++ b/flake.nix @@ -83,6 +83,7 @@ ./hosts/quitte/configuration.nix ./modules/options.nix ./modules/base.nix + ./modules/ldap.nix # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index e88af66..debcdca 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -25,7 +25,6 @@ in protocolUseSSL = true; dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc"; sessionSecret = "\${SESSION_SECRET}"; - allowAnonymousEdits = true; csp = { enable = true; directives = { @@ -34,6 +33,26 @@ in upgradeInsecureRequest = "auto"; addDefaults = true; }; + allowGravatar = false; + + ## authentication + # disable email + email = false; + allowEmailRegister = false; + # allow anonymous editing, but not creation of pads + allowAnonymous = false; + allowAnonymousEdits = true; + defaultPermission = "limited"; + # ldap auth + ldap = rec { + url = "ldap://localhost"; + searchBase = "ou=users,${config.services.portunus.ldap.suffix}"; + searchFilter = "(uid={{username}})"; + bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}"; + bindCredentials = "\${LDAP_CREDENTIALS}"; + useridField = "uid"; + providerName = "iFSR"; + }; }; }; 
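Review bot: The comment `# allow anonymous editing, but not creation of pads` overstates what `allowAnonymousEdits = true` gives you here: with `allowAnonymous = false` it only lets a note owner choose the `freely` permission, and `defaultPermission = "limited"` means new notes are, as far as I recall HedgeDoc's permission table, not even readable by guests until the owner relaxes them — reword to `# guests may edit only notes whose owner sets them to "freely"; new notes default to signed-in users only`. The LDAP bind also goes over plain `ldap://localhost`, so the search credential crosses loopback in cleartext; that is acceptable only while Portunus' slapd stays on this host, which deserves a comment next to `url` so nobody later points it at a remote server unchanged. The enclosing hedgedoc `settings` attrset starts above this hunk.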
@@ -52,12 +71,23 @@ in }; }; - sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User; - sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; + sops.secrets = + let + user = config.systemd.services.hedgedoc.serviceConfig.User; + in + { + postgres_hedgedoc.owner = user; + hedgedoc_session_secret.owner = user; + hedgedoc_ldap_search = { + key = "portunus_search"; + owner = user; + }; + }; systemd.services.hedgedoc.preStart = lib.mkBefore '' export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})" export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" + export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})" ''; systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ]; -- 2.44.2 From 17bd90d3af9bb9b2022cd5d7056125bec93e1b31 Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 1 Mar 2023 11:49:21 +0100 Subject: [PATCH 02/16] update fugi pgp key --- keys/pgp/fugi.asc | 81 ++++++++++++++++------------------------------- 1 file changed, 27 insertions(+), 54 deletions(-) diff --git a/keys/pgp/fugi.asc b/keys/pgp/fugi.asc index 1e3a740..d552962 100755 --- a/keys/pgp/fugi.asc +++ b/keys/pgp/fugi.asc 
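Review bot: `hedgedoc_ldap_search` is only an alias (`key = "portunus_search"`) for the credential the Portunus search user already uses, so HedgeDoc shares one LDAP bind secret with every other consumer of that user; a leak on HedgeDoc's side (the substituted config file, the preStart environment) exposes all of them, and rotation means touching every consumer at once. A dedicated Portunus service user per application keeps the blast radius to one service; if sharing is intentional, say so next to `key`: `# shared with other portunus consumers -- rotate everywhere when changed`. The `export LDAP_CREDENTIALS=...` line is only as safe as the work directory the NixOS module renders the substituted settings into; confirm that file is not group- or world-readable.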
@@ -11,59 +11,32 @@ Cp+QKOAMgAuzGA2l3k2Us75TbmbdjGQIXAHxfnLTc7yDaTWaVZtGMVMph4ood7RR 8s+7lZi/Demr5Y4D/VC2vH60n5oGw3osoTAWCgcrA6/eOL0yCDPq0dDhpEea25j6 9ttrlWbwR0WvsjWQf4DgEFqcvPdjRfPk/pLtkPlLIvMZE3L4wD1RAni0adhyBP0i oLEND7uAViobqWgQfP8qYvfolSO+NEwwGSZCAH+hHXyV/YNtTlrnPUYuPQARAQAB -tB5MdWNhcyBGdWdtYW5uIDxsdWNhc0BmdWdpLmRldj6JAk4EEwEIADgWIQS/N5A6 -5v0pTExnTuJEcqIAkb+nkgUCYO2/mwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX -gAAKCRBEcqIAkb+nkpa3D/0V46q3j00NiRW1wG8u1LM1sXt3vPCovXw+snALD/NP -ddTzuDVZP9yKNOZI1Z1cA9VxBupxhmvJ4Nj+9WtxNSoTLvqwwDxiD9OmWudVM2fT -+PEqtqfxAPK4OD63ahZWehkXUWDeNqNWYEJryztoum68WV6h5dWNO+hPcow6p+x4 -PCT/JKZFepR1/KQ3hs6JfzkVIZEwlRxvmebKR677lKVovtDp/Hs6MsQPijdXtiu5 -vQi5YIR++1qOHBf11qdK4bCzzacUoVTwrf5nenk6uoTGNatbHyLY36Mot2c4UvV+ -+0hOCZY/471D8pc/wd9XgirE+kHlVXhPc5mp83e42wKyOAay92p1fgm/2PhQUYLX -QR1PThHA9pVnhOy5/5XhhdZ98Cqw254gQHe1At+nAlf6t64QnUcOnh/0oDBufxhE -5VLd7fF5Sqn3yMc9JfbDlCCIhBwxVj8e3hMGwp58LstskmfebD+PyD6fgZHjVAmy -j72SS6Le6eCW5tiHZ5Ii2cRc0EnmtpdqhLpeCOym9AWmEFc9ZvmUmGxyLLmFzC3f -l1yLMHKNJygJ4q/t4mG/vmkXi6T/t2MCgpz05AaMSSLILWN7KylBc4QtslgBUlVO -fIsoxVYPrHBQj49BKbNoYjM0lmE4QcVPcHtSW166cusAQEkJSDGn4oxg/U/4x9Rv -UIkCMwQRAQoAHRYhBMYbspcSh6aHhOhEJCpYFQA7RhNEBQJhCmUeAAoJECpYFQA7 -RhNEwsMQAI4zoMf3LY6UkyPPD6l2hA3opzxBajBQto4/B6gdQYV9h9GCs9SXzuQj -TIRykJX+10dgTRNpa6qTzUoYvDpG/22Z36/i63bRdVfCxBRphB6Ue/PIszomQZNY -/qBiWxrl4RRZ5tX7ny5IVF3eDHNwMp597NVuQvWbr8aqGjrFM9dz8TvDwbQulQbP -2UmZN301rqfIaCk3kCSWoDGAEOShWz4G/u7ExpXLbDZwercsQs2w9moUgVdB47H3 -HjT9tGEsFutcaOYXvKFIqh6wRg0iprP/g23WBzGZO5bf6fG3EzFaOoPWwBnJsxtx -HbOGeeSgNmb6vYZv+XkjONINGJORkiNrC75bV0Y+GURGTZYqLmXsA1Cz1G14AHWc -+astcLigOXJAzwKavYMaITWst9yVeZzYc91TMRDWXYK/93mgnc36xLs6SVJcsjGM -FQRdWXotJYJsGfKgf/7WEVjhWuJtAjugd28kjDfnl0PiJLC/tNJMmS2sVPX/f993 -v+unm43UwWKJ1eu146Xpl73sqa9DBR4W0KDkz3zvzjRiIu90NlLCzLLhd6zxQZxh -w+f1VZs7g1EiVxNUfOTp4yKbKFpvLxjRDOTbuMyHVHNtAfHgWsTnph+RhDqqI/Jg -WrqIT6/CPJ0gA0zTZthhFiaADOlLVUoTC3+qI8Ne45yKv6U/VtSOiQLMBBEBCgC2 -FiEEtCpbjpGyU4HWTEfFxF0eaL0IbKEFAmERWCcFgwHhM4BkFIAAAAAAFQBGbW9y 
-ZS1pbmZvQHNlbWlzb2wuZGV2aHR0cHM6Ly9zZW1pc29sLmRldi9zaWduLW1ldGEv -QkYzNzkwM0FFNkZEMjk0QzRDNjc0RUUyNDQ3MkEyMDA5MUJGQTc5Mi0aaHR0cHM6 -Ly9zZW1pc29sLmRldi9jZXJ0aWZpY2F0aW9uLXBvbGljeS50eHQACgkQxF0eaL0I -bKGnqA//dIwfktys+FRQ7sS+rvWYTwp6C5fkSSOddHhYNrDIuIh7dgmg9yY17zqH -DSBSCsXZQVxQRu2iD+rCiqK3A1Lc1K3p8RxF/Ey/1J62XQ74TTqsMOVyvmDiO756 -ijrOEPCE4M0A+0YHic4/wCJ6jsxan2iNKLsggbSSOvzmTtp2uPUnPocNE+m6ndrQ -ec6dtJ+QzPmYRuTAjEfWgSzQTLiOpZy6RkMuNsaFGJ0Xk+gVWEwTcejkKamS6f8n -A/AhESJ2YeGUasAEggQbcug+AmVAtwyqJ6cXE96jeBHbaHJPzWoXqLcWAV4D2Rg6 -lYJqOQHpMtsG5hu/AzUwscrlOkKu6XM4wFWH3x3W37tbZeFouGyt+zioNqlsCr2+ -mOmWxG2OioPrMY6Ud43EY8HsO9SdFDY7MIAfN+XOeq9WjmGe6t4W2cTTfu1EaYVe -16Qj8/0kdbY5mL0eZElo5tvRcNEmM50bwi1kKtjWXDW91chBluMZp7jc6pPaHyVM -ldRyVi0Zp2blgHw5LGrjCYYMz8xeElbKXcE7/1L/xMTopj3JtwdPpM63610jrbPW -uUr6qUm6ZQ9jnY/vJAoMepjRD6cuhRs77QUt8dVYWjRQzALQwXvsW/1ySDCIaJu7 -JH4GXfFjVGvzVRelhsK4FB/JjUEGCyL3XOixiniQFTrK68KbugO0IEx1Y2FzIEZ1 -Z21hbm4gPGx1Y2FzQGRlcmZ1Z2kuZGU+iQJOBBMBCAA4FiEEvzeQOub9KUxMZ07i -RHKiAJG/p5IFAmElKLkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQRHKi -AJG/p5LuGA//Up4hOatiNvd/zkYJvHwnKPZy1zd3W7i5ytp8OgcitqbZyS4FKXAf -XcDnSwxHKrgtf6mNiQgB9/VMR1T/lVjawXvkLnrCKIiqnBbWmL5MItX6rVI+Cxij -MI2EyoFC5gRo97RRPX97i7I5Yi/S3WqfeQ1+7FyRwTA4rU6/pedxlWoYfwsQOGPG -UwWK11v/Avl2mftnN1zpUpyhdQ+uwLRT2wwg7IdSEUBMHxywhoWuKNny+p2vSu0A -C1qUwGgQaw2jtUoHZox64r+TEYBtOmfrt5dpyf442Lz0yNkOVvVZEf72DiODlyg3 -kkHvLlp7kKIkOKvt6td8Kry5HvotXtllwAqtL4bl8fKaI0CrBc2Duko8gXZMIF+S -rhYChZ4sFNGQDAlFGDhUEsgnGCkuY/Z8SZH1wR5obwOewJe+zp3YoPACqj2IDTZl -bHcxfa6+8FYVJob3ZoLleN6fWjSP6dLdL4BUkhPdGw/TNTQzlT0S3Rt3yajqOXDU -cd3bqCCduRuaYtNwh9FPgj87A/eCmf/zidLnX4s0GIMg6PegzIrYAVJWidpMJkv+ -3FR2UhK8iIR9YxOpjIFDWhTzA4cLk+FvmLyjlbQ2n+mgdv3E3bqqHvEQQaO18NOL -ZUa17ZB/W/CGCwrfWyUpYZrCaDNGTGiP8EiDSTAgq2eL6iRArb0J3065Ag0EYO2/ +tBJGdWdpIDxtZUBmdWdpLmRldj6JAlEEEwEIADsCGwMFCwkIBwIGFQoJCAsCBBYC +AwECHgECF4AWIQS/N5A65v0pTExnTuJEcqIAkb+nkgUCY7sNHwIZAQAKCRBEcqIA +kb+nkskdEACoQD1K+0THmBEsTwYMXap5zyjgrFM8wYhvEmny6OX+QWeXyd1s1Gnu 
+nPImp6Pk/7GtfJoJvUS5Iw/6I7VTb5QrI2Pxs8ZQpEcv6jI7GK9jCqNAgrRbgWPC +M/Pxucg8MNwNtMqn7am58tssi+Mlft1mBvNsAXUFLJp1cG7660m3A8qEzmzVbrT0 +EQgzdY+RlKjm+SaXdpq7l+oTN8q8e3KZtAIXL/nE8JbZbg/+cxlqkkbdmbQyO4d/ +HN94b/0Bf1dgAXAZU4AVY1q9OZWXW19CiRsdwqEL9QnFhqYQknS/yU4kccSxmWBC +i3fAnWWV2a0xnCrtJV3Hkgzaqjzs1+zySM15lbN42QWCb/FaoOaHHRVlULRrKIdu +AtzqMgx0uhQvnoB4WP6LKscU+dQybRcmWvXGpJ1H67Q9sshbAJ8/M6PIkv+ixTge +9qDppPNgRQWfk4IkU070Ed2n6utwlH9T1UFtj2HfXbbs/EENlMMMGHKV5bfjLYO1 +wBMOmxneME65387gCC0VyC1mODHybrncbC/0wHeW4zKsEMP7xLC2YHnQMeo+nwW/ +ZbIyOAT1vSGcVGONy6Dm+o8dgmCkzxDtG+2h3VJ+oxSZXO4rhZD718HLEFLFJy31 +dra9QAZS6Id4TWBX/ssGHqfLROW9w915O5vUlMPMgWdadl+Gu/b6BLQeTHVjYXMg +RnVnbWFubiA8bHVjYXNAZnVnaS5kZXY+iQJOBBMBCAA4AhsDBQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAFiEEvzeQOub9KUxMZ07iRHKiAJG/p5IFAmO7DR8ACgkQRHKi +AJG/p5KGYRAAoAGdF9xjBXt3XNRTQapCelA/GeNtUTTqd7AsEeTe2vpl2Wro+mqw +d77997LzugxrqEOxmMTp8aqeu5eg7QZbYxIWRDESzIfLu3/mFK7RWtwUMnq9E+Nw +1+6TM3r/wIg6vY6fLFZpUmnL3M7BXEBynCWXy0N39BtzcTD8SxYCco8Ud0ZD2Ike +Pt/5xN5WHs+FyII4mUo8TDwW8hQbyMOQGu06prkG8NHn5PVQk3Fc4aqAwfYl9PaS +GTfvz3POEL2+7e9cbc7wUaG6W0wVtS97j4BRLmDn2HmfcD611TX0Axfoji3wevYi +2wvxidnVbvVUYpEq7cJ2XYBcE4gGTSADr6SnQtw5E6JyNkSZHCoNFv96VrROisIg +Phhjtu21i8Ad6uBnNJa1bM0rrSL4YVSPT1UrhDsLdWVfB3TH5uAa+Ioss55dt22P +2rG9MGKYMiOc0UpZEf8E7MndDP3hutQEVPHt94ccPPn6I33ZnvnNaORZAfPufrhl +Y/Hf7gTgvlDoctev7sZ62VWeWvgn5BMIKVrmV4MJW/UWUguQim8F/hrst8KE62JP +XEyvFoklx/f7osf0rbPcqQhKXUe8O+6n90Pt63Z3LptSx/PCxXsDwweuwoz1cTea +ZuKmXywY1khbNMbKKTXn2vQ3jl/ZDZXGWBK0LF2O8Hn91J1VxybLczy5Ag0EYO2/ mwEQANOkIongJ5zRz8NJLm94roMWnyi6QVASwR6MeBCXsudn6CZnQiSZX5XfOdEQ IynYSMRGuRQbSw29qXfzy2U2PVv6J7OuKcpYK66VHyLBfuKIt20W+lGJH9Vubj5u 2dgEC9Tk/jjPtHgOwusWN3qmXt1C0iBB2iLXjlTfWn8o+iUhfcspc2t8/z6DM8mw 
@@ -87,5 +60,5 @@ TEHp3JGG1j+bJxEpa0iKsaCWz2DNNv40lIrlFtzGarVBSF4fgAJoevhL+ZyY0RfR G42CTa2EDMpPZnvSkyOUIQIPVduqv5D0NQg2X97T3yBLlu0k3FORiXiutJF2y2Fr LpLVjBvNfedMx5pInZ1UcfugH3ptCMqBP6F8qkMZm6WXPiP4/+8ObN1JzHwUi0+A lESg8VM66bBC0U4xCXxIUhTNRtACJt3e7jkjNLAKPG7LQg== -=6HqB +=XbNH -----END PGP PUBLIC KEY BLOCK----- -- 2.44.2 From 7dceb93e893fe80d15d7b48629124b614a359233 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 1 Mar 2023 15:30:23 +0100 Subject: [PATCH 03/16] Remove dkim keygen instructions Not needed anymore --- README.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/README.md b/README.md index 41f2f4d..fadce9b 100755 --- a/README.md +++ b/README.md @@ -27,16 +27,3 @@ nixos-rebuild switch --flake .# 3. Change one letter in one of the yml entries to let sops know it has to regenerate the MAC 4. Close the file. Open it again and revert the change you just did in step 3. - -
- DKIM Key generation - - Commands to create the dkim key: - ```bash - cd /var/lib/rspamd/dkim - ``` - ```bash - DOMAIN=ifsr.de;rspamadm dkim_keygen -d "$DOMAIN" -s quitte -k "$DOMAIN".quitte.key >> "$DOMAIN".quitte.pub - ``` - -
-- 2.44.2 From c06161a62abfb2e2dcf60636475036337ec15886 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 1 Mar 2023 16:39:41 +0100 Subject: [PATCH 04/16] anonymize ip adresses in nginx logs --- modules/nginx.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/nginx.nix b/modules/nginx.nix index c97c327..7cc17f2 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -1,6 +1,23 @@ { config, pkgs, ... }: { - services.nginx.enable = true; + services.nginx = { + enable = true; + appendHttpConfig = '' + map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]+:[^:]+): $ip::; + # IP addresses to not anonymize + 127.0.0.1 $remote_addr; + ::1 $remote_addr; + default 0.0.0.0; + } + log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log anon_ip; + ''; + }; security.acme = { acceptTerms = true; defaults = { -- 2.44.2 From 8a2f5c70612ab5a5125d1adb5ea8d81684aa5f2f Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 10 Mar 2023 15:47:56 +0100 Subject: [PATCH 05/16] removed garbage --- hosts/birne/configuration.nix | 41 ----------------- hosts/birne/hardware-configuration.nix | 33 ------------- modules/autoupdate.nix | 10 ---- modules/keycloak.nix | 64 -------------------------- modules/printing.nix | 36 --------------- modules/wifi.nix | 24 ---------- secrets/birne.test.yaml | 43 ----------------- secrets/birne.yaml | 43 ----------------- 8 files changed, 294 deletions(-) delete mode 100755 hosts/birne/configuration.nix delete mode 100755 hosts/birne/hardware-configuration.nix delete mode 100755 modules/autoupdate.nix delete mode 100644 modules/keycloak.nix delete mode 100755 modules/printing.nix delete mode 100755 modules/wifi.nix delete mode 100755 secrets/birne.test.yaml delete mode 100755 secrets/birne.yaml 
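Review bot: The new `anon_ip` log format still writes `"$http_x_forwarded_for"` verbatim, so as soon as anything upstream (a CDN, a reverse proxy, another nginx) sets that header the unmasked client address lands in the access log again and the `$remote_addr_anon` map buys nothing; either drop the field or pass it through a comparable map, ending the format with `'"$http_user_agent"'`. The `map` regexes also appear here as `(?P\d+\.\d+\.\d+)\.` with no group name — probably `(?P<ip>...)` lost in rendering, but worth checking since `$ip` is referenced on the right-hand side and nginx will refuse the config otherwise. Note that `error_log` and any `access_log` set inside a `virtualHosts` entry are not covered by this http-level directive, so IPs can still appear there.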
diff --git a/hosts/birne/configuration.nix b/hosts/birne/configuration.nix deleted file mode 100755 index 5ab2329..0000000 --- a/hosts/birne/configuration.nix +++ /dev/null @@ -1,41 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking = { - hostName = "birne"; - interfaces.wlp4s0.useDHCP = true; - interfaces.enp1s0.useDHCP = true; - wireless = { - enable = true; - interfaces = [ "wlp4s0" ]; - }; - }; - - nixpkgs.config.allowUnfree = true; - users.users.printer = { - isNormalUser = true; - password = "printer"; - extraGroups = [ ]; - }; - - environment.systemPackages = with pkgs; [ - firefox - ]; - - system.stateVersion = "21.05"; - -} - diff --git a/hosts/birne/hardware-configuration.nix b/hosts/birne/hardware-configuration.nix deleted file mode 100755 index 5ad5d2a..0000000 --- a/hosts/birne/hardware-configuration.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" "wl" ]; - boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/9799b183-a191-484e-b9a4-05e29412af25"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/CF58-EB12"; - fsType = "vfat"; - }; - - swapDevices = - [{ device = "/dev/disk/by-uuid/94622e8e-8b58-4b3b-9494-d144ccaeb486"; }]; - - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/modules/autoupdate.nix b/modules/autoupdate.nix deleted file mode 100755 index 7152937..0000000 --- a/modules/autoupdate.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, config, ... }: - -{ - system.autoUpgrade = { - enable = true; - dates = "12:00"; - # might need to move this into the configuration of `birne`? - allowReboot = true; - }; -} diff --git a/modules/keycloak.nix b/modules/keycloak.nix deleted file mode 100644 index 881980b..0000000 --- a/modules/keycloak.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ pkgs, config, lib, ... }: { - - sops.secrets.postgres_keycloak = { - owner = config.systemd.services.keycloak.serviceConfig.User; - group = "keycloak"; - }; - - users.users.keycloak = { - name = "keycloak"; - isSystemUser = true; - group = "keycloak"; - }; - - users.groups.keycloak = { - name = "keycloak"; - members = [ "keycloak" ]; - }; - - services = { - keycloak = { - enable = true; - - settings = { - hostname = "keycloak.quitte.tassilo-tanneberger.de"; - http-host = "127.0.0.1"; - http-port = 8000; - https-port = 8001; - proxy = "edge"; - }; - - database = { - username = "keycloak"; - type = "postgresql"; - passwordFile = config.sops.secrets.postgres_keycloak.path; - name = "keycloak"; - host = "localhost"; - createLocally = true; - }; - }; - postgresql = { - enable = true; - }; - nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "${config.services.keycloak.settings.hostname}" = { - enableACME = true; - forceSSL = true; - http2 = true; - locations = { - "/" = - let - cfg = config.services.keycloak.settings; - in - { - proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}"; - }; - }; - }; - }; - }; - }; -} diff --git a/modules/printing.nix b/modules/printing.nix deleted file mode 100755 index c99e4ae..0000000 --- a/modules/printing.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{ pkgs, config, ... }: - -{ - # Enable CUPS to print documents. - services = { - printing.enable = true; - printing.drivers = with pkgs; [ - gutenprint - gutenprintBin - hplip - hplipWithPlugin - ]; - avahi.enable = true; - }; - - environment.systemPackages = with pkgs; [ - gnome.gnome-control-center - ]; - # set up Heiko - hardware.printers.ensurePrinters = [ - { - description = "Drucker im FSR Buero"; - deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0"; - location = "FSR Buero"; - model = "Kyocera ECOSYS M6630cidn KPDL"; - name = "Heiko"; - } - { - description = "Drucker im FSR Buero"; - deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0"; - location = "FSR Buero"; - model = "Kyocera ECOSYS M6630cidn KPDL"; - name = "Heiko"; - } - ]; -} diff --git a/modules/wifi.nix b/modules/wifi.nix deleted file mode 100755 index 561186e..0000000 --- a/modules/wifi.nix +++ /dev/null @@ -1,24 +0,0 @@ -# -# Useful config -# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam -# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos -# -{ pkgs, config, ... }: -let - password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)"; -in -{ - networking = { - wireless = { - enable = true; - networks = { - "FSR" = { - priority = 10; - pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168"; - }; - }; - }; - }; -} - - diff --git a/secrets/birne.test.yaml b/secrets/birne.test.yaml deleted file mode 100755 index aa848a4..0000000 --- a/secrets/birne.test.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -fsr_wifi: ENC[AES256_GCM,data:CD0ge6d5+gc=,iv:yuWfwwGm2HOKvMQQ9lF4TFOqvCU2z06sqS+pzhCFhfY=,tag:1+8MwcPUGgtcdXvTNAuR5g==,type:str] -fsr_wifi_psk: ENC[AES256_GCM,data:uwq/nkKm9eDdMxUJMQ==,iv:q9mzhfkPBM1oTQN69tSEiQmf3hYZ4pGJEqjVEjU//FI=,tag:g0p+S2jlkAT0jY5hBRKuXw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySHgvQThoSmpXOUc1a3lN - dXR6ZElYYlppOXNISXM0bURxQjdIU3pDL2wwCmNoT0pYTEdubWh3eFc3VzVwdnR3 - TU5CbFlBTWxYaHRjamUzamIzQ1VnbFEKLS0tIDVUSEVtKzh1aVp1ekxVd2xRWHVo - dEExQkJySmo5eGtEdXVvd1FFVVhpdFUKNx1FXti0qWKDRYM6wsIUceXbjzra5ezc - 0fNI2r7qnVQ1QghtKnibwMUR1q4/DphKEm4eX4e6q+jfHleHCSk6+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-05T13:53:02Z" - mac: ENC[AES256_GCM,data:ZpEk+wpGQz2ul+Me6i45wXkzvuxzwkibLcljBs2KjTAgjH6F4q1JyXuY271JD95A5HgEvv4Atm3sbHaG+hghXy/36WSFw5jJRBwOjDrOSSAq12+UFeYjgSA2EwbvgbBdIO6VgaRLnXtobtLFG5qaVzUAvSevo6n8vBhEjSHEEJk=,iv:iZ9bJ+it3s6lB8piPeKjVy4QYzwYGUb4EUwvnCR753Q=,tag:Nveq//4C1tiwGOkeXV7a0A==,type:str] - pgp: - - created_at: "2022-03-05T13:42:43Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA/YLzOYaRIJJARAAvxLI7hxutYG0KDovCjpGKIZA1JyNjp1/QYLKz3QDUFsZ - Ykwmixkt2wjTQjn9aE66ujLiEzMDfV2VZ6ao7Ehg04fysU1WurqEB5D+hiS6SCc2 - 3DgvlPeicY+87oZin1iaqL505MzQCEVbmcar++VCdQIGUZSQvbn1Nxn3RxKjHCjm - RW0juiSH1FUIZdBPL9NgUEixv7KpdEBxO5JR30GxDgYMG1Xji9Y2KsBy9XP5Lhn2 - ziuzs6vTfFTuVUdylJNkT6yVgK4V7oEkIMiVPGFYXSUWT3TNZ0qRwuk6UJYLfvnY - Mt0jyKyi+hRIWPQEjBmpK/siBsQGSCXsRe84g+LUtdfPbvqwdZb59qy5B65z/ku/ - 6EQIaPRkgCa5AED3gJQCbBYhvymdgl8ZZcXkVV1Ap2VgKS5o0s+CNjdiNkXdGTL/ - NdE7kehGJCtsHUVGs2I8TfLg/uVgJTKEodTq8eLu8WhVkNKzk9aFBCfHKYtkXBIi - ZIXUHNbPtXDL4aHgOTuTYjWM8bhW0pdnkGX7daqPsfNqgR9hzOo3TzoR3DRDK91w - cvUZ9hApYJ0OVxuPa38JGiYn3826iSSRK8qPjAndE4HhYgT/lZvu8/vZAW6EF/yH - 8exruofMHNBNNdotkYDnyaFO6C+00SMcTUkG49vRqQKwrBygAoPLEKQhDBgczcnU - 
aAEJAhBWRVtwhCZtQV1MCl5u0IbSlxQiIH93FrdTfbJQdKM+LFlwkXOngO4blGOi - 1tQbkiyLzIio+yoyfvbXZOIeMkLA3GynsKtxjnYYipXkuv3LP5BvZiH+bzG9jPW4 - jXrR59MZPJLY - =hWOx - -----END PGP MESSAGE----- - fp: 91EBE87016391323642A6803B966009D57E69CC6 - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/secrets/birne.yaml b/secrets/birne.yaml deleted file mode 100755 index a638ef7..0000000 --- a/secrets/birne.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -fsr_wifi: ENC[AES256_GCM,data:nzfwY2UygQSdboRvfDxVSrUE+WLBJLYBLw==,iv:yR3lCbyUSg97+MnuwUkXEsHtSGuYOPYRgvW/YZYDhv0=,tag:eN/lqD1BetqnFDAFJE6D2g==,type:str] -fsr_wifi_psk: ENC[AES256_GCM,data:A1Z809FJ0fUd93QcX5NNnfVxyzUZMuPGC6Hu4M9LpRoMOTrMcRPMDaR0N+cgmV7rnjYvzm4gTSTEcnqsnLGyNA==,iv:WMs3/I3SEDJwcpyqclCfxKcx61m/6BcwbGaGS4I4a5s=,tag:oYG8M3NQ2lkcUGr2K5YUEg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQXByc2lJWnQ0Rm1Wb1V5 - aVFaY0cwcnVlUFRKNGNYYjJjMnB5NVlkendRCkxJZ0JILzVvbDZRNzlYaWtEREJr - VmYzaUNiU0VmTkZzckhJeS84OU5TUkUKLS0tIG5qTnVtbHV3TWh0cW4xYlJiV0Ji - MFQrNkJxUUVFSStPenM4Tmx6dlVsSm8KQMPsuc/E89aDek3csMarrKm5qcfQKf3u - 2ApD8dEN+L1L9bbJGAY6uNM6sXu5eTAGD7+Rc0duZIdDCg0LGFV8jw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-05T13:52:43Z" - mac: ENC[AES256_GCM,data:/uszrMeVsVlpjFyI29/Sasr8jY3/elnnbbUDmZ1+3YHzoujQRZe47VOpfOgs/XZym+jj7MZInu5Y361YalFb0ArS7GmexZA88rFvOqHPIIUuk2h1iCHLpZRafg96x737snna7L7zHNJFJLBhqcpdt0U4U6SZjXlJ9UgR96c6Agk=,iv:4kCCIhUEfc0GCzoh+3cNxB3cnn71/0jmKI1r62dYFmk=,tag:REOoImReJds8LBKZpeu78w==,type:str] - pgp: - - created_at: "2022-03-05T13:41:12Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA/YLzOYaRIJJAQ/+Jis1dE0ZmxKIaqJKc1itSqd09ieVJDMmei410O2VycU3 - 98YHvdrkRcG+3tLkvzebATANyHcJeefjt4uvQnMjlswX5DHm3JxNYnfOhCQNpexl - 80Lp/0qmnCy1rd2C8/Mr9ub2frupEGeBgU4TwA1LW5X1f89NP9R7b6tBcVMyF/OW - +WWu2g+0yLC9rle0a5QeIkrKsmyB5+dEYOakCMunKCYXE+MS4ULkZqFxhJ8ckTo7 - rKiR8UwzDL+iMl4zLgeNF5Uw7WH8tdHiD3thHQvzjL9++Tg4jZWdgtjdICs1ye2y - sUGzk0RhjXT/Q3rBwQbiivZq7s3ngBpom0co74+X6DORMN0P8WUdox7j4KUS3/oA - KwtyUF92dK9uJwckyN7LXho7zVTnZXV7jjupBacjr0TeHgYzP1eDhbsC6mFlWv2x - mHeK7hQF6VBNi1tAVlcMktbuxZRtc8P0ljFeSXRDoLJKdduIb3TKbGSsAHs1lX+n - CEK2kfS+V6g4CXaSsAsDqIZ75k6bJYRd8M81a1XvSAMB1fzQYDU1zrPGquggOBku - 
S0R0y0po7OwnqQ0HBgVHC8uU8hbG/EIvA1Wpw9FQnjGugi0pOoIiynqJWzttFwvq - XBV27Z7wumWzwij9uFt+TEy7Olulu/Vi/56tiyUNnbklwQqe1mj1m4nnu6z6v4TU - aAEJAhDM3iZRqVMChcCd6A/btYAwNnZrJNzxj+BIV5/+sAk3wjqc6UM7+qdBuzsH - uYq+HBTcdQgpoyqtFryrjQvCsksB6O4eS62FIAKfD65HaxNYQLUYNJ4Xs3NIqroH - MogSWSOw4clo - =8/Ez - -----END PGP MESSAGE----- - fp: 91EBE87016391323642A6803B966009D57E69CC6 - unencrypted_suffix: _unencrypted - version: 3.7.1 -- 2.44.2 From a3d73cf6cdf6f10219a18f255ebbee16816e653b Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 10 Mar 2023 15:51:38 +0100 Subject: [PATCH 06/16] removed old wireguard --- hosts/quitte/wireguard_server.nix | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 hosts/quitte/wireguard_server.nix diff --git a/hosts/quitte/wireguard_server.nix b/hosts/quitte/wireguard_server.nix deleted file mode 100644 index 7a4f113..0000000 --- a/hosts/quitte/wireguard_server.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, ... }: - -{ - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - - networking.wg-quick.interfaces = { - wg-dvb = { - # pubkey: 8iQQSCI14dObcrMw0/rZJxfvpOAhy3CU+haJq2nyIzc= - address = [ "10.13.37.1/32" ]; - privateKeyFile = config.sops.secrets.wg-seckey.path; - listenPort = 51820; - peers = [ - { - # Tassilo - publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y="; - allowedIPs = [ "10.13.37.2/32" ]; - persistentKeepalive = 25; - } - ]; - }; - }; -} - - -- 2.44.2 From adf2320e4a7992cffe80c4f1120f1b4f9b5aa811 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 10 Mar 2023 16:15:53 +0100 Subject: [PATCH 07/16] create a home dir upon login --- modules/ldap.nix | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index dd459e0..b1c5d46 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let domain = "auth.${config.fsr.domain}"; 
@@ -89,6 +89,30 @@ in daemon.enable = true; }; + security.pam.services.login.text = '' + # Account management. + account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + account required pam_unix.so + + # Authentication management. + auth sufficient pam_unix.so nullok likeauth try_first_pass + auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass + auth required pam_deny.so + + # Password management. + password sufficient pam_unix.so nullok sha512 + password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + + # Session management. + session required pam_env.so conffile=/etc/pam/environment readenv=0 + session required pam_unix.so + session required pam_loginuid.so + session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent + session optional pam_mkhomedir.so + session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + session optional ${pkgs.systemd}/lib/security/pam_systemd.so + + ''; services.nginx = { enable = true; -- 2.44.2 From 0ed90c81222a38c157dbf365e53b1e5ac543f005 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 10 Mar 2023 16:38:57 +0100 Subject: [PATCH 08/16] fixed homedir creation for sshd --- modules/ldap.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index b1c5d46..fbde7cb 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -89,13 +89,13 @@ in daemon.enable = true; }; - security.pam.services.login.text = '' + security.pam.services.sshd.text = '' # Account management. account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so account required pam_unix.so # Authentication management. - auth sufficient pam_unix.so nullok likeauth try_first_pass + auth sufficient pam_unix.so likeauth try_first_pass auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass auth required pam_deny.so 
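Review bot: Both pam_unix lines carry `nullok` — `auth sufficient pam_unix.so nullok likeauth try_first_pass` and `password sufficient pam_unix.so nullok sha512` — which lets a local account with an empty password field log in and lets `passwd` set an empty password; drop the option from both lines (the following patch removes it from `auth` only). Setting `security.pam.services.login.text` wholesale also replaces the stack NixOS generates for `login`, so PAM settings configured elsewhere under `security.pam` silently stop applying to this service; a comment stating that this is a deliberate full override would help the next reader. `session optional pam_mkhomedir.so` has no `umask`, so created homes get pam_mkhomedir's default 0022 mask; prefer `session optional pam_mkhomedir.so umask=0077`.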
@@ -107,7 +107,6 @@ in session required pam_env.so conffile=/etc/pam/environment readenv=0 session required pam_unix.so session required pam_loginuid.so - session required ${pkgs.linux-pam}/lib/security/pam_lastlog.so silent session optional pam_mkhomedir.so session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so session optional ${pkgs.systemd}/lib/security/pam_systemd.so -- 2.44.2 From eee6282d69aa8f31d2cd40d36da73d41f3068996 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 24 Feb 2023 17:11:53 +0100 Subject: [PATCH 09/16] mail: better ldap query and port fixes --- modules/mail.nix | 59 ++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 32 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index 6457c47..b220bd7 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -3,10 +3,13 @@ let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; rspamd-domain = "rspamd.${config.fsr.domain}"; + dkim-selector = "quitte"; # brauchen wir das überhaupt? #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #server_host = ldap://localhost - #search_base = ou=mail, dc=ifsr, dc=de + #search_base = dc=ifsr, dc=de + #query_filter = (&(objectClass=posixAccount)(uid=%n)) + #result_attribute=mail #''; dovecot-ldap-args = pkgs.writeText "ldap-args" '' uris = ldap://localhost @@ -17,8 +20,8 @@ let ldap_version = 3 scope = subtree base = dc=ifsr, dc=de - user_filter = (&(objectClass=posixAccount)(uid=%n)) - pass_filter = (&(objectClass=posixAccount)(uid=%n)) + user_filter = (&(objectClass=posixAccount)(mail=%u)) + pass_filter = (&(objectClass=posixAccount)(mail=%u)) ''; in { 
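Review bot: `session optional pam_mkhomedir.so` is kept without a `umask`, so home directories created at first SSH login get pam_mkhomedir's default 0022 mask (world-readable homes), and since later patches in this series put each user's Maildir under `~`, mail would sit in a directory other users can list; use `session optional pam_mkhomedir.so umask=0077`. The `password sufficient pam_unix.so nullok sha512` line from the previous patch sits between this commit's two hunks and is not touched, so `nullok` survives on the password stack even though it was removed from `auth`. Dropping `pam_lastlog` is fine; `pam_loginuid` and `pam_systemd` remain for the session.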
@@ -30,22 +33,30 @@ in services = { postfix = { enable = true; + enableSubmissions = true; hostname = "${hostname}"; domain = "${domain}"; - relayHost = ""; origin = "${domain}"; destination = [ "${hostname}" "${domain}" "localhost" ]; + networks = [ "127.0.0.1" "141.30.30.169" ]; sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; config = { smtpd_recipient_restrictions = [ - "reject_unauth_destination" "permit_sasl_authenticated" "permit_mynetworks" + "reject_unauth_destination" + ]; + smtpd_relay_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" ]; #alias_maps = [ "ldap:${ldap-aliases}" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; + smtpd_sasl_type = "dovecot"; + #mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; virtual_mailbox_base = "/var/mail"; }; }; @@ -53,6 +64,7 @@ in enable = true; enableImap = true; enableQuota = false; + #enableLmtp = true; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem"; mailboxes = { @@ -74,7 +86,7 @@ in }; }; extraConfig = '' - mail_location = maildir:/var/mail/%u + mail_location = maildir:/var/mail/%n passdb { driver = ldap args = ${dovecot-ldap-args} @@ -90,6 +102,13 @@ in user = postfix } } + # service lmtp { + # unix_listener dovecot-lmtp { + # group = postfix + # mode = 0660 + # user = postfix + # } + # } ''; }; rspamd = { @@ -102,8 +121,8 @@ in write_servers = "127.0.0.1"; ''; "dkim_signing.conf".text = '' - path = "/var/lib/rspamd/dkim/$domain.$selector.key"; - selector = "quitte"; + path = "/var/lib/rspamd/dkim/${domain}.${dkim-selector}.key"; + selector = ${dkim-selector}; sign_authenticated = true; use_domain = "header"; ''; @@ -140,27 +159,3 @@ in }; }; } - - - - - - - - - - - - - - - - - - - - - - - - -- 2.44.2 From 041628def7cde7ad15528f0a17ca55bfd8868be0 Mon Sep 17 00:00:00 2001 
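Review bot: `networks = [ "127.0.0.1" "141.30.30.169" ]` puts a public address into `mynetworks`, and both restriction lists added here evaluate `permit_mynetworks` before `reject_unauth_destination`, so whatever connects from 141.30.30.169 can relay to arbitrary destinations without SASL; if that is this host's own address the loopback entry already covers local submission and it can go, and if it is another machine its trust should be written down: `# 141.30.30.169 = <host>, may relay unauthenticated`. The `dkim_signing.conf` change writes `selector = ${dkim-selector};` unquoted, which rspamd's UCL tolerates but is inconsistent with the quoted `path` on the line above. The enclosing `services` attrset starts above this hunk.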
From: Rouven Seifert Date: Wed, 1 Mar 2023 15:23:07 +0100 Subject: [PATCH 10/16] fixed dkim --- modules/mail.nix | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index b220bd7..ac7f163 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -3,7 +3,6 @@ let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; rspamd-domain = "rspamd.${config.fsr.domain}"; - dkim-selector = "quitte"; # brauchen wir das überhaupt? #ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #server_host = ldap://localhost @@ -29,6 +28,7 @@ in sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; networking.firewall.allowedTCPPorts = [ 25 465 993 ]; + users.users.postfix.extraGroups = ["opendkim"]; services = { postfix = { @@ -53,10 +53,11 @@ in "reject_unauth_destination" ]; #alias_maps = [ "ldap:${ldap-aliases}" ]; + smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; + non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_type = "dovecot"; - #mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; virtual_mailbox_base = "/var/mail"; }; }; @@ -64,7 +65,6 @@ in enable = true; enableImap = true; enableQuota = false; - #enableLmtp = true; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem"; mailboxes = { @@ -102,13 +102,14 @@ in user = postfix } } - # service lmtp { - # unix_listener dovecot-lmtp { - # group = postfix - # mode = 0660 - # user = postfix - # } - # } + ''; + }; + opendkim = { + enable = true; + domains = "csl:${config.fsr.domain}"; + selector = config.networking.hostName; + configFile = pkgs.writeText "opendkim-config" '' + UMask 0117 ''; }; rspamd = { 
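Review bot: The two milter entries name the same socket two ways — `smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]` but `non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]` — and only agree because `/var/run` is a symlink; use `/run/opendkim/opendkim.sock` in both. Nothing in the new `opendkim = { ... }` block says where the signing key comes from: as far as the NixOS opendkim module goes, it generates `<selector>.private` under its state directory on first start, and nothing here publishes the matching `quitte._domainkey.<domain>` TXT record, so until that record exists outbound mail carries a signature receivers cannot verify. A short comment above `opendkim = {` naming the key path and the DNS record to publish would save the next operator a hunt. `UMask 0117` together with `users.users.postfix.extraGroups = ["opendkim"]` is the right pairing for a group-writable socket.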
@@ -120,12 +121,6 @@ in read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; ''; - "dkim_signing.conf".text = '' - path = "/var/lib/rspamd/dkim/${domain}.${dkim-selector}.key"; - selector = ${dkim-selector}; - sign_authenticated = true; - use_domain = "header"; - ''; }; }; redis = { -- 2.44.2 From dd6374d37170cbe805c8d32aee27cd6e166d1049 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 1 Mar 2023 15:44:04 +0100 Subject: [PATCH 11/16] postfix security enhancements --- modules/mail.nix | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/modules/mail.nix b/modules/mail.nix index ac7f163..5d9c1b3 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -28,7 +28,7 @@ in sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; networking.firewall.allowedTCPPorts = [ 25 465 993 ]; - users.users.postfix.extraGroups = ["opendkim"]; + users.users.postfix.extraGroups = [ "opendkim" ]; services = { postfix = { @@ -42,10 +42,29 @@ in sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; config = { + smtp_use_tls = true; + smtp_tls_security_level = "encrypt"; + smtpd_use_tls = true; + smtpd_tls_security_level = lib.mkForce "encrypt"; + smtpd_tls_auth_only = true; + smtpd_tls_protocols = [ + "!SSLv2" + "!SSLv3" + "!TLSv1" + "!TLSv1.1" + ]; smtpd_recipient_restrictions = [ "permit_sasl_authenticated" "permit_mynetworks" "reject_unauth_destination" + "reject_non_fqdn_hostname" + "reject_non_fqdn_sender" + "reject_non_fqdn_recipient" + "reject_unknown_sender_domain" + "reject_unknown_recipient_domain" + "reject_unauth_destination" + "reject_unauth_pipelining" + "reject_invalid_hostname" ]; smtpd_relay_restrictions = [ "permit_sasl_authenticated" 
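Review bot: `smtpd_tls_security_level = lib.mkForce "encrypt"` applies to the port-25 MX listener as well as to submission, and mandatory TLS on a public MX violates RFC 3207 (a publicly referenced server MUST NOT require STARTTLS): every sending MTA that does not offer TLS is refused and its mail is lost rather than delivered in cleartext. Keep `may` on port 25 — `smtpd_tls_auth_only = true` already blocks cleartext AUTH — and leave implicit TLS to the submissions (465) service that `enableSubmissions` sets up. On the client side `smtp_tls_security_level = "encrypt"` means this host can no longer deliver to any remote MX without TLS, and `encrypt` still does not verify certificates; `may` (or `dane` with a validating resolver) is the usual choice. `reject_unauth_destination` appears twice in `smtpd_recipient_restrictions`, and on Postfix ≥ 3.6 the protocol list is better written as `smtpd_tls_protocols = ">=TLSv1.2"`.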
@@ -53,7 +72,7 @@ in "reject_unauth_destination" ]; #alias_maps = [ "ldap:${ldap-aliases}" ]; - smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; + smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; -- 2.44.2 From 8f0f55a5ee5e52b6e09927474564d5fe7d95b05c Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 1 Mar 2023 16:34:15 +0100 Subject: [PATCH 12/16] missing lib fix --- modules/mail.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index 5d9c1b3..5b3ed68 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let hostname = "mail.${config.fsr.domain}"; domain = config.fsr.domain; -- 2.44.2 From e63e4d760c93d610760b2e35e3c7375f0415d379 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Wed, 22 Mar 2023 11:19:15 +0100 Subject: [PATCH 13/16] use homedir mailboxes --- modules/mail.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index 5b3ed68..cf86fc6 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -42,6 +42,7 @@ in sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; config = { + home_mailbox = "Maildir/"; smtp_use_tls = true; smtp_tls_security_level = "encrypt"; smtpd_use_tls = true; @@ -105,7 +106,6 @@ in }; }; extraConfig = '' - mail_location = maildir:/var/mail/%n passdb { driver = ldap args = ${dovecot-ldap-args} -- 2.44.2 From 36dbc82c75d9b5f7c1d68e2bd412453047f49628 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 24 Mar 2023 15:51:57 +0100 Subject: [PATCH 14/16] fix homedir mailboxes --- modules/mail.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/mail.nix b/modules/mail.nix index cf86fc6..f08aa36 100644 --- a/modules/mail.nix 
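Review bot: `home_mailbox = "Maildir/";` in the `@@ -42,6 +42,7 @@` hunk of "use homedir mailboxes" switches delivery to Postfix's local(8) agent, which only works for recipients that resolve to a system account with a home directory; the second hunk of the same patch shows Dovecot authenticating against LDAP (`passdb { driver = ldap`), so unless those accounts are also visible through NSS, local delivery fails with an unknown-user error. At this point in the series the removed `mail_location = maildir:/var/mail/%n` leaves Dovecot to autodetect the mailbox location while Postfix now writes to `~/Maildir`, so the two sides no longer name the same place. A comment on the new line such as `# local(8) delivery into the user's home; LDAP users must be resolvable via NSS and Dovecot mail_location must match` would make the coupling visible. The enclosing `config` set and Dovecot's `extraConfig` both continue outside these hunks.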
+++ b/modules/mail.nix @@ -78,13 +78,14 @@ in smtpd_sasl_auth_enable = true; smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_type = "dovecot"; - virtual_mailbox_base = "/var/mail"; + # virtual_mailbox_base = "/var/mail"; }; }; dovecot2 = { enable = true; enableImap = true; enableQuota = false; + mailLocation = "maildir:~/Maildir"; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem"; mailboxes = { -- 2.44.2 From 1a162652226bd8d14e2ed400bbef138bdbf9f15a Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Fri, 24 Mar 2023 16:24:18 +0100 Subject: [PATCH 15/16] added important aliases --- modules/mail.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/mail.nix b/modules/mail.nix index f08aa36..8a4db0e 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -41,6 +41,27 @@ in networks = [ "127.0.0.1" "141.30.30.169" ]; sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem"; + extraAliases = '' + # Taken from kaki, maybe we can throw out some at some point + # General redirections for pseudo accounts + bin: root + daemon: root + named: root + nobody: root + uucp: root + www: root + ftp-bugs: root + postfix: root + + # Well-known aliases + manager: root + dumper: root + operator: root + abuse: postmaster + + # trap decode to catch security attacks + decode: root + ''; config = { home_mailbox = "Maildir/"; smtp_use_tls = true; -- 2.44.2 From e6461fff1cca77c3bae74194c87632dcdbc031a9 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 31 Mar 2023 15:06:45 +0200 Subject: [PATCH 16/16] fixing nix flake check --- flake.nix | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/flake.nix b/flake.nix index eeed680..7b5ad3d 100755 --- a/flake.nix +++ b/flake.nix 
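Review bot: `mailLocation = "maildir:~/Maildir";` in the "fix homedir mailboxes" hunk expands `~` from the home directory that Dovecot's userdb returns for the login, but the configuration shown in this series only has an LDAP passdb and no userdb; if no userdb supplies a `home` value, Dovecot cannot open the mailbox and logs an error. Confirm a userdb (passwd, or ldap with a `home` attribute) exists elsewhere in the module and record the dependency, e.g. `# ~ comes from the userdb home attribute; requires a userdb that supplies it`. The commented-out `# virtual_mailbox_base = "/var/mail";` is dead configuration now that delivery goes through `home_mailbox`; delete the line rather than leaving it as a comment. Both the postfix `config` set and the `dovecot2` set continue outside the hunk.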
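Review bot: The new `extraAliases` table routes every pseudo-account to `root` and `abuse` to `postmaster`, but nothing in the hunk maps `root` or `postmaster` onward, so abuse and postmaster reports end up in root's local mailbox on the server where nobody reads them. Point `root` at a monitored address (the postfix module's `rootAlias` option, or a `root: <admin-address>` line here) and make sure `postmaster` resolves, via `postmaster: root` unless the module's `postmasterAlias` already covers it. The header comment `# Taken from kaki, maybe we can throw out some at some point` could say which entries are mandated and which are historical, e.g. `# postmaster and abuse are required by RFC 5321 / RFC 2142; the rest are legacy pseudo-account catch-alls`. The enclosing postfix attribute set starts and ends outside the hunk.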
@@ -14,23 +14,6 @@ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; nixosConfigurations = { - birne = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ./hosts/birne/configuration.nix - - ./modules/base.nix - ./modules/autoupdate.nix - ./modules/desktop.nix - ./modules/printing.nix - ./modules/wifi.nix - ./modules/options.nix - { - fsr.enable_office_bloat = true; - } - - ]; - }; sanddorn = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ @@ -42,8 +25,6 @@ ./hosts/sanddorn/configuration.nix ./modules/infoscreen.nix ./modules/base.nix - ./modules/autoupdate.nix - ./modules/wifi.nix ./modules/desktop.nix ./modules/options.nix "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" -- 2.44.2