[Draft] Fixes for the mail configuration #22

Merged
rouven0 merged 19 commits from mail into main 2023-04-03 23:19:32 +02:00
16 changed files with 172 additions and 447 deletions


@ -27,16 +27,3 @@ nixos-rebuild switch --flake .#<hostname>
3. Change one letter in one of the yml entries to let sops know it has to regenerate the MAC 3. Change one letter in one of the yml entries to let sops know it has to regenerate the MAC
4. Close the file. Open it again and revert the change you just did in step 3. 4. Close the file. Open it again and revert the change you just did in step 3.
</details> </details>
<details>
<summary>DKIM Key generation</summary>
Commands to create the dkim key:
```bash
cd /var/lib/rspamd/dkim
```
```bash
DOMAIN=ifsr.de;rspamadm dkim_keygen -d "$DOMAIN" -s quitte -k "$DOMAIN".quitte.key >> "$DOMAIN".quitte.pub
```
</details>


@ -14,23 +14,6 @@
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
nixosConfigurations = { nixosConfigurations = {
birne = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./hosts/birne/configuration.nix
./modules/base.nix
./modules/autoupdate.nix
./modules/desktop.nix
./modules/printing.nix
./modules/wifi.nix
./modules/options.nix
{
fsr.enable_office_bloat = true;
}
];
};
sanddorn = nixpkgs.lib.nixosSystem { sanddorn = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
@ -42,8 +25,6 @@
./hosts/sanddorn/configuration.nix ./hosts/sanddorn/configuration.nix
./modules/infoscreen.nix ./modules/infoscreen.nix
./modules/base.nix ./modules/base.nix
./modules/autoupdate.nix
./modules/wifi.nix
./modules/desktop.nix ./modules/desktop.nix
./modules/options.nix ./modules/options.nix
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
@ -83,6 +64,7 @@
./hosts/quitte/configuration.nix ./hosts/quitte/configuration.nix
./modules/options.nix ./modules/options.nix
./modules/base.nix ./modules/base.nix
./modules/ldap.nix
# ./modules/keycloak.nix replaced by portunus # ./modules/keycloak.nix replaced by portunus
./modules/nginx.nix ./modules/nginx.nix
./modules/hedgedoc.nix ./modules/hedgedoc.nix


@ -1,41 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "birne";
interfaces.wlp4s0.useDHCP = true;
interfaces.enp1s0.useDHCP = true;
wireless = {
enable = true;
interfaces = [ "wlp4s0" ];
};
};
nixpkgs.config.allowUnfree = true;
users.users.printer = {
isNormalUser = true;
password = "printer";
extraGroups = [ ];
};
environment.systemPackages = with pkgs; [
firefox
];
system.stateVersion = "21.05";
}


@ -1,33 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/9799b183-a191-484e-b9a4-05e29412af25";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/CF58-EB12";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/94622e8e-8b58-4b3b-9494-d144ccaeb486"; }];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,24 +0,0 @@
{ config, ... }:
{
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.wg-quick.interfaces = {
wg-dvb = {
# pubkey: 8iQQSCI14dObcrMw0/rZJxfvpOAhy3CU+haJq2nyIzc=
address = [ "10.13.37.1/32" ];
privateKeyFile = config.sops.secrets.wg-seckey.path;
listenPort = 51820;
peers = [
{
# Tassilo
publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
allowedIPs = [ "10.13.37.2/32" ];
persistentKeepalive = 25;
}
];
};
};
}


@ -11,59 +11,32 @@ Cp+QKOAMgAuzGA2l3k2Us75TbmbdjGQIXAHxfnLTc7yDaTWaVZtGMVMph4ood7RR
8s+7lZi/Demr5Y4D/VC2vH60n5oGw3osoTAWCgcrA6/eOL0yCDPq0dDhpEea25j6 8s+7lZi/Demr5Y4D/VC2vH60n5oGw3osoTAWCgcrA6/eOL0yCDPq0dDhpEea25j6
9ttrlWbwR0WvsjWQf4DgEFqcvPdjRfPk/pLtkPlLIvMZE3L4wD1RAni0adhyBP0i 9ttrlWbwR0WvsjWQf4DgEFqcvPdjRfPk/pLtkPlLIvMZE3L4wD1RAni0adhyBP0i
oLEND7uAViobqWgQfP8qYvfolSO+NEwwGSZCAH+hHXyV/YNtTlrnPUYuPQARAQAB oLEND7uAViobqWgQfP8qYvfolSO+NEwwGSZCAH+hHXyV/YNtTlrnPUYuPQARAQAB
tB5MdWNhcyBGdWdtYW5uIDxsdWNhc0BmdWdpLmRldj6JAk4EEwEIADgWIQS/N5A6 tBJGdWdpIDxtZUBmdWdpLmRldj6JAlEEEwEIADsCGwMFCwkIBwIGFQoJCAsCBBYC
5v0pTExnTuJEcqIAkb+nkgUCYO2/mwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX AwECHgECF4AWIQS/N5A65v0pTExnTuJEcqIAkb+nkgUCY7sNHwIZAQAKCRBEcqIA
gAAKCRBEcqIAkb+nkpa3D/0V46q3j00NiRW1wG8u1LM1sXt3vPCovXw+snALD/NP kb+nkskdEACoQD1K+0THmBEsTwYMXap5zyjgrFM8wYhvEmny6OX+QWeXyd1s1Gnu
ddTzuDVZP9yKNOZI1Z1cA9VxBupxhmvJ4Nj+9WtxNSoTLvqwwDxiD9OmWudVM2fT nPImp6Pk/7GtfJoJvUS5Iw/6I7VTb5QrI2Pxs8ZQpEcv6jI7GK9jCqNAgrRbgWPC
+PEqtqfxAPK4OD63ahZWehkXUWDeNqNWYEJryztoum68WV6h5dWNO+hPcow6p+x4 M/Pxucg8MNwNtMqn7am58tssi+Mlft1mBvNsAXUFLJp1cG7660m3A8qEzmzVbrT0
PCT/JKZFepR1/KQ3hs6JfzkVIZEwlRxvmebKR677lKVovtDp/Hs6MsQPijdXtiu5 EQgzdY+RlKjm+SaXdpq7l+oTN8q8e3KZtAIXL/nE8JbZbg/+cxlqkkbdmbQyO4d/
vQi5YIR++1qOHBf11qdK4bCzzacUoVTwrf5nenk6uoTGNatbHyLY36Mot2c4UvV+ HN94b/0Bf1dgAXAZU4AVY1q9OZWXW19CiRsdwqEL9QnFhqYQknS/yU4kccSxmWBC
+0hOCZY/471D8pc/wd9XgirE+kHlVXhPc5mp83e42wKyOAay92p1fgm/2PhQUYLX i3fAnWWV2a0xnCrtJV3Hkgzaqjzs1+zySM15lbN42QWCb/FaoOaHHRVlULRrKIdu
QR1PThHA9pVnhOy5/5XhhdZ98Cqw254gQHe1At+nAlf6t64QnUcOnh/0oDBufxhE AtzqMgx0uhQvnoB4WP6LKscU+dQybRcmWvXGpJ1H67Q9sshbAJ8/M6PIkv+ixTge
5VLd7fF5Sqn3yMc9JfbDlCCIhBwxVj8e3hMGwp58LstskmfebD+PyD6fgZHjVAmy 9qDppPNgRQWfk4IkU070Ed2n6utwlH9T1UFtj2HfXbbs/EENlMMMGHKV5bfjLYO1
j72SS6Le6eCW5tiHZ5Ii2cRc0EnmtpdqhLpeCOym9AWmEFc9ZvmUmGxyLLmFzC3f wBMOmxneME65387gCC0VyC1mODHybrncbC/0wHeW4zKsEMP7xLC2YHnQMeo+nwW/
l1yLMHKNJygJ4q/t4mG/vmkXi6T/t2MCgpz05AaMSSLILWN7KylBc4QtslgBUlVO ZbIyOAT1vSGcVGONy6Dm+o8dgmCkzxDtG+2h3VJ+oxSZXO4rhZD718HLEFLFJy31
fIsoxVYPrHBQj49BKbNoYjM0lmE4QcVPcHtSW166cusAQEkJSDGn4oxg/U/4x9Rv dra9QAZS6Id4TWBX/ssGHqfLROW9w915O5vUlMPMgWdadl+Gu/b6BLQeTHVjYXMg
UIkCMwQRAQoAHRYhBMYbspcSh6aHhOhEJCpYFQA7RhNEBQJhCmUeAAoJECpYFQA7 RnVnbWFubiA8bHVjYXNAZnVnaS5kZXY+iQJOBBMBCAA4AhsDBQsJCAcCBhUKCQgL
RhNEwsMQAI4zoMf3LY6UkyPPD6l2hA3opzxBajBQto4/B6gdQYV9h9GCs9SXzuQj AgQWAgMBAh4BAheAFiEEvzeQOub9KUxMZ07iRHKiAJG/p5IFAmO7DR8ACgkQRHKi
TIRykJX+10dgTRNpa6qTzUoYvDpG/22Z36/i63bRdVfCxBRphB6Ue/PIszomQZNY AJG/p5KGYRAAoAGdF9xjBXt3XNRTQapCelA/GeNtUTTqd7AsEeTe2vpl2Wro+mqw
/qBiWxrl4RRZ5tX7ny5IVF3eDHNwMp597NVuQvWbr8aqGjrFM9dz8TvDwbQulQbP d77997LzugxrqEOxmMTp8aqeu5eg7QZbYxIWRDESzIfLu3/mFK7RWtwUMnq9E+Nw
2UmZN301rqfIaCk3kCSWoDGAEOShWz4G/u7ExpXLbDZwercsQs2w9moUgVdB47H3 1+6TM3r/wIg6vY6fLFZpUmnL3M7BXEBynCWXy0N39BtzcTD8SxYCco8Ud0ZD2Ike
HjT9tGEsFutcaOYXvKFIqh6wRg0iprP/g23WBzGZO5bf6fG3EzFaOoPWwBnJsxtx Pt/5xN5WHs+FyII4mUo8TDwW8hQbyMOQGu06prkG8NHn5PVQk3Fc4aqAwfYl9PaS
HbOGeeSgNmb6vYZv+XkjONINGJORkiNrC75bV0Y+GURGTZYqLmXsA1Cz1G14AHWc GTfvz3POEL2+7e9cbc7wUaG6W0wVtS97j4BRLmDn2HmfcD611TX0Axfoji3wevYi
+astcLigOXJAzwKavYMaITWst9yVeZzYc91TMRDWXYK/93mgnc36xLs6SVJcsjGM 2wvxidnVbvVUYpEq7cJ2XYBcE4gGTSADr6SnQtw5E6JyNkSZHCoNFv96VrROisIg
FQRdWXotJYJsGfKgf/7WEVjhWuJtAjugd28kjDfnl0PiJLC/tNJMmS2sVPX/f993 Phhjtu21i8Ad6uBnNJa1bM0rrSL4YVSPT1UrhDsLdWVfB3TH5uAa+Ioss55dt22P
v+unm43UwWKJ1eu146Xpl73sqa9DBR4W0KDkz3zvzjRiIu90NlLCzLLhd6zxQZxh 2rG9MGKYMiOc0UpZEf8E7MndDP3hutQEVPHt94ccPPn6I33ZnvnNaORZAfPufrhl
w+f1VZs7g1EiVxNUfOTp4yKbKFpvLxjRDOTbuMyHVHNtAfHgWsTnph+RhDqqI/Jg Y/Hf7gTgvlDoctev7sZ62VWeWvgn5BMIKVrmV4MJW/UWUguQim8F/hrst8KE62JP
WrqIT6/CPJ0gA0zTZthhFiaADOlLVUoTC3+qI8Ne45yKv6U/VtSOiQLMBBEBCgC2 XEyvFoklx/f7osf0rbPcqQhKXUe8O+6n90Pt63Z3LptSx/PCxXsDwweuwoz1cTea
FiEEtCpbjpGyU4HWTEfFxF0eaL0IbKEFAmERWCcFgwHhM4BkFIAAAAAAFQBGbW9y ZuKmXywY1khbNMbKKTXn2vQ3jl/ZDZXGWBK0LF2O8Hn91J1VxybLczy5Ag0EYO2/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 mwEQANOkIongJ5zRz8NJLm94roMWnyi6QVASwR6MeBCXsudn6CZnQiSZX5XfOdEQ
IynYSMRGuRQbSw29qXfzy2U2PVv6J7OuKcpYK66VHyLBfuKIt20W+lGJH9Vubj5u IynYSMRGuRQbSw29qXfzy2U2PVv6J7OuKcpYK66VHyLBfuKIt20W+lGJH9Vubj5u
2dgEC9Tk/jjPtHgOwusWN3qmXt1C0iBB2iLXjlTfWn8o+iUhfcspc2t8/z6DM8mw 2dgEC9Tk/jjPtHgOwusWN3qmXt1C0iBB2iLXjlTfWn8o+iUhfcspc2t8/z6DM8mw
@ -87,5 +60,5 @@ TEHp3JGG1j+bJxEpa0iKsaCWz2DNNv40lIrlFtzGarVBSF4fgAJoevhL+ZyY0RfR
G42CTa2EDMpPZnvSkyOUIQIPVduqv5D0NQg2X97T3yBLlu0k3FORiXiutJF2y2Fr G42CTa2EDMpPZnvSkyOUIQIPVduqv5D0NQg2X97T3yBLlu0k3FORiXiutJF2y2Fr
LpLVjBvNfedMx5pInZ1UcfugH3ptCMqBP6F8qkMZm6WXPiP4/+8ObN1JzHwUi0+A LpLVjBvNfedMx5pInZ1UcfugH3ptCMqBP6F8qkMZm6WXPiP4/+8ObN1JzHwUi0+A
lESg8VM66bBC0U4xCXxIUhTNRtACJt3e7jkjNLAKPG7LQg== lESg8VM66bBC0U4xCXxIUhTNRtACJt3e7jkjNLAKPG7LQg==
=6HqB =XbNH
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
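Review bot: A replaced public key block cannot be reviewed by reading the armored text, and neither the diff nor the PR description states the fingerprint or the reason for the change; the commit message (or a comment in whatever file references this key) should record the fingerprint and whether this is the same key with refreshed user IDs and self-signatures or a different key. If this key is one of the sops recipients for the secrets kept in this repository, the affected secret files would need re-keying as well, and nothing of that kind is visible in this PR. The key block starts before the hunk, so the first lines of the old and new key are not shown here.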


@ -1,10 +0,0 @@
{ pkgs, config, ... }:
{
system.autoUpgrade = {
enable = true;
dates = "12:00";
# might need to move this into the configuration of `birne`?
allowReboot = true;
};
}


@ -25,7 +25,6 @@ in
protocolUseSSL = true; protocolUseSSL = true;
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc"; dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
sessionSecret = "\${SESSION_SECRET}"; sessionSecret = "\${SESSION_SECRET}";
allowAnonymousEdits = true;
csp = { csp = {
enable = true; enable = true;
directives = { directives = {
@ -34,6 +33,26 @@ in
upgradeInsecureRequest = "auto"; upgradeInsecureRequest = "auto";
addDefaults = true; addDefaults = true;
}; };
allowGravatar = false;
## authentication
# disable email
email = false;
allowEmailRegister = false;
# allow anonymous editing, but not creation of pads
allowAnonymous = false;
allowAnonymousEdits = true;
tanneberger commented 2023-03-31 15:07:40 +02:00 (Migrated from github.com)
Review

do we want to quickly move that into a different pr ? because looks pretty unrelated

do we want to quickly move that into a different pr ? because looks pretty unrelated
rouven0 commented 2023-03-31 15:13:41 +02:00 (Migrated from github.com)
Review

These extra changes are unintended as said above. Something went wrong while rebasing this branch. Most of the commits in this pr are already on main.

These extra changes are unintended as said above. Something went wrong while rebasing this branch. Most of the commits in this pr are already on main.
defaultPermission = "limited";
# ldap auth
ldap = rec {
url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid";
providerName = "iFSR";
};
}; };
}; };
@ -52,12 +71,23 @@ in
}; };
}; };
sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User; sops.secrets =
sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; let
user = config.systemd.services.hedgedoc.serviceConfig.User;
in
{
postgres_hedgedoc.owner = user;
hedgedoc_session_secret.owner = user;
hedgedoc_ldap_search = {
key = "portunus_search";
owner = user;
};
};
systemd.services.hedgedoc.preStart = lib.mkBefore '' systemd.services.hedgedoc.preStart = lib.mkBefore ''
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})" export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
''; '';
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ]; systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
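Review bot: `hedgedoc_ldap_search` (L267-L270) is declared with `key = "portunus_search"`, so the hedgedoc service user is handed the Portunus search account's bind password rather than a credential of its own; a comment on that line such as `# reuses the portunus search bind password: hedgedoc can read whatever that account can` would make the blast radius explicit, and a dedicated read-only bind user is preferable if Portunus offers one. `bindCredentials` is passed through the `LDAP_CREDENTIALS` environment variable exported in `preStart` (L275), consistent with the existing `DB_PASSWORD` and `SESSION_SECRET` handling, so it has the same exposure through the service environment as those two. `searchFilter = "(uid={{username}})"` (L249) substitutes the login name into an LDAP filter; I could not confirm from here that HedgeDoc's LDAP backend escapes that value, which is worth checking once and noting in a comment. The enclosing attribute set continues outside the hunk.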


@ -1,64 +0,0 @@
{ pkgs, config, lib, ... }: {
sops.secrets.postgres_keycloak = {
owner = config.systemd.services.keycloak.serviceConfig.User;
group = "keycloak";
};
users.users.keycloak = {
name = "keycloak";
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = {
name = "keycloak";
members = [ "keycloak" ];
};
services = {
keycloak = {
enable = true;
settings = {
hostname = "keycloak.quitte.tassilo-tanneberger.de";
http-host = "127.0.0.1";
http-port = 8000;
https-port = 8001;
proxy = "edge";
};
database = {
username = "keycloak";
type = "postgresql";
passwordFile = config.sops.secrets.postgres_keycloak.path;
name = "keycloak";
host = "localhost";
createLocally = true;
};
};
postgresql = {
enable = true;
};
nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.services.keycloak.settings.hostname}" = {
enableACME = true;
forceSSL = true;
http2 = true;
locations = {
"/" =
let
cfg = config.services.keycloak.settings;
in
{
proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
};
};
};
};
};
};
}


@ -1,4 +1,4 @@
{ config, ... }: { config, pkgs, ... }:
let let
domain = "auth.${config.fsr.domain}"; domain = "auth.${config.fsr.domain}";
@ -89,6 +89,29 @@ in
daemon.enable = true; daemon.enable = true;
}; };
security.pam.services.sshd.text = ''
# Account management.
account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
account required pam_unix.so
# Authentication management.
auth sufficient pam_unix.so likeauth try_first_pass
auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok sha512
password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so
session required pam_loginuid.so
session optional pam_mkhomedir.so
session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
services.nginx = { services.nginx = {
enable = true; enable = true;
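Review bot: `session optional pam_mkhomedir.so` (L365) creates home directories for LDAP users on first SSH login with pam_mkhomedir's default umask of 0022, so every new home is world-readable; pass the module's umask option, `session optional pam_mkhomedir.so umask=0077`, especially since the mail module keeps each user's `Maildir` under that home. Setting `security.pam.services.sshd.text` replaces the entire NixOS-generated sshd PAM stack, so any other PAM-related option set for sshd elsewhere in the configuration is silently ignored from now on; a comment above the block saying why the generated stack is replaced (presumably because pam_ldap from nss_pam_ldapd is wired by hand instead of via `users.ldap`) would help the next reader. The `nullok` on the `password` line (L359) is harmless only as long as no local account has an empty password, which deserves a one-line comment too. The enclosing attribute set continues outside the hunk.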


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
let let
hostname = "mail.${config.fsr.domain}"; hostname = "mail.${config.fsr.domain}";
domain = config.fsr.domain; domain = config.fsr.domain;
@ -6,7 +6,9 @@ let
# brauchen wir das überhaupt? # brauchen wir das überhaupt?
#ldap-aliases = pkgs.writeText "ldap-aliases.cf" '' #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
#server_host = ldap://localhost #server_host = ldap://localhost
#search_base = ou=mail, dc=ifsr, dc=de #search_base = dc=ifsr, dc=de
#query_filter = (&(objectClass=posixAccount)(uid=%n))
#result_attribute=mail
#''; #'';
dovecot-ldap-args = pkgs.writeText "ldap-args" '' dovecot-ldap-args = pkgs.writeText "ldap-args" ''
uris = ldap://localhost uris = ldap://localhost
@ -17,8 +19,8 @@ let
ldap_version = 3 ldap_version = 3
scope = subtree scope = subtree
base = dc=ifsr, dc=de base = dc=ifsr, dc=de
user_filter = (&(objectClass=posixAccount)(uid=%n)) user_filter = (&(objectClass=posixAccount)(mail=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%n)) pass_filter = (&(objectClass=posixAccount)(mail=%u))
''; '';
in in
{ {
@ -26,33 +28,85 @@ in
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
networking.firewall.allowedTCPPorts = [ 25 465 993 ]; networking.firewall.allowedTCPPorts = [ 25 465 993 ];
users.users.postfix.extraGroups = [ "opendkim" ];
services = { services = {
postfix = { postfix = {
enable = true; enable = true;
enableSubmissions = true;
hostname = "${hostname}"; hostname = "${hostname}";
domain = "${domain}"; domain = "${domain}";
relayHost = "";
origin = "${domain}"; origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ]; destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" "141.30.30.169" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslKey = "/var/lib/acme/${hostname}/key.pem"; sslKey = "/var/lib/acme/${hostname}/key.pem";
extraAliases = ''
# Taken from kaki, maybe we can throw out some at some point
# General redirections for pseudo accounts
bin: root
daemon: root
named: root
nobody: root
uucp: root
www: root
ftp-bugs: root
postfix: root
# Well-known aliases
manager: root
dumper: root
operator: root
abuse: postmaster
# trap decode to catch security attacks
decode: root
'';
config = { config = {
home_mailbox = "Maildir/";
smtp_use_tls = true;
smtp_tls_security_level = "encrypt";
smtpd_use_tls = true;
smtpd_tls_security_level = lib.mkForce "encrypt";
smtpd_tls_auth_only = true;
smtpd_tls_protocols = [
"!SSLv2"
"!SSLv3"
"!TLSv1"
"!TLSv1.1"
];
smtpd_recipient_restrictions = [ smtpd_recipient_restrictions = [
"reject_unauth_destination"
"permit_sasl_authenticated" "permit_sasl_authenticated"
"permit_mynetworks" "permit_mynetworks"
"reject_unauth_destination"
"reject_non_fqdn_hostname"
"reject_non_fqdn_sender"
"reject_non_fqdn_recipient"
"reject_unknown_sender_domain"
"reject_unknown_recipient_domain"
"reject_unauth_destination"
"reject_unauth_pipelining"
"reject_invalid_hostname"
];
smtpd_relay_restrictions = [
"permit_sasl_authenticated"
"permit_mynetworks"
"reject_unauth_destination"
]; ];
#alias_maps = [ "ldap:${ldap-aliases}" ]; #alias_maps = [ "ldap:${ldap-aliases}" ];
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
smtpd_sasl_auth_enable = true; smtpd_sasl_auth_enable = true;
smtpd_sasl_path = "/var/lib/postfix/auth"; smtpd_sasl_path = "/var/lib/postfix/auth";
virtual_mailbox_base = "/var/mail"; smtpd_sasl_type = "dovecot";
# virtual_mailbox_base = "/var/mail";
}; };
}; };
dovecot2 = { dovecot2 = {
enable = true; enable = true;
enableImap = true; enableImap = true;
enableQuota = false; enableQuota = false;
mailLocation = "maildir:~/Maildir";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
sslServerKey = "/var/lib/acme/${hostname}/key.pem"; sslServerKey = "/var/lib/acme/${hostname}/key.pem";
mailboxes = { mailboxes = {
@ -74,7 +128,6 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''
mail_location = maildir:/var/mail/%u
passdb { passdb {
driver = ldap driver = ldap
args = ${dovecot-ldap-args} args = ${dovecot-ldap-args}
@ -92,6 +145,14 @@ in
} }
''; '';
}; };
opendkim = {
enable = true;
domains = "csl:${config.fsr.domain}";
selector = config.networking.hostName;
configFile = pkgs.writeText "opendkim-config" ''
UMask 0117
'';
};
rspamd = { rspamd = {
enable = true; enable = true;
postfix.enable = true; postfix.enable = true;
@ -101,12 +162,6 @@ in
read_servers = "127.0.0.1"; read_servers = "127.0.0.1";
write_servers = "127.0.0.1"; write_servers = "127.0.0.1";
''; '';
"dkim_signing.conf".text = ''
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "quitte";
sign_authenticated = true;
use_domain = "header";
'';
}; };
}; };
redis = { redis = {
@ -140,27 +195,3 @@ in
}; };
}; };
} }
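Review bot: The new `smtpd_recipient_restrictions` list contains `reject_unauth_destination` more than once (L447, L450, L456) and the rendered diff does not show which occurrence is the surviving one; if the entry ahead of `permit_sasl_authenticated` is kept, Postfix's first-match evaluation rejects every RCPT to an external domain before the SASL permit is reached, so authenticated users cannot send outbound mail even though `smtpd_relay_restrictions` (L460-L463) would allow it — keep a single `reject_unauth_destination` placed after `permit_mynetworks`, mirroring that list. `smtp_tls_security_level = "encrypt"` (L436) governs outbound delivery and defers (and eventually bounces) mail to any MX that offers no TLS; the usual internet-facing setting is `may` or `dane`, while the enforced level belongs on `smtpd_tls_security_level` as done on L438. The milter socket is spelled `local:/run/opendkim/opendkim.sock` on L466 but `local:/var/run/opendkim/opendkim.sock` on L467; use one path. Since signing moves from rspamd's `dkim_signing.conf` to opendkim with selector `config.networking.hostName`, the README section in this PR that still documents `rspamadm dkim_keygen` with selector `quitte` under `/var/lib/rspamd/dkim` looks stale, and a comment next to `UMask 0117` noting that it pairs with `users.users.postfix.extraGroups = [ "opendkim" ]` (L401) to make the socket reachable by postfix would explain both lines. The last hunk of this section shows only its context lines, so the removed block is not visible here.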


@ -1,6 +1,23 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
services.nginx.enable = true; services.nginx = {
enable = true;
appendHttpConfig = ''
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
# IP addresses to not anonymize
127.0.0.1 $remote_addr;
::1 $remote_addr;
default 0.0.0.0;
}
log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log anon_ip;
'';
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
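Review bot: `$http_x_forwarded_for` is written verbatim into the new `anon_ip` log format (L541), so the anonymization applied to `$remote_addr` through the `$remote_addr_anon` map is undone whenever a proxy in front of this host sets that header; either drop the field or feed the header through a second map with the same patterns. The comment above the map should state what is kept, e.g. `# keep the first three octets of IPv4 and the first two groups of IPv6 addresses`, since the regexes are the only place that currently says so. The `services.nginx` set is closed within the hunk, but the rest of the file continues outside it.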


@ -1,36 +0,0 @@
{ pkgs, config, ... }:
{
# Enable CUPS to print documents.
services = {
printing.enable = true;
printing.drivers = with pkgs; [
gutenprint
gutenprintBin
hplip
hplipWithPlugin
];
avahi.enable = true;
};
environment.systemPackages = with pkgs; [
gnome.gnome-control-center
];
# set up Heiko
hardware.printers.ensurePrinters = [
{
description = "Drucker im FSR Buero";
deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
location = "FSR Buero";
model = "Kyocera ECOSYS M6630cidn KPDL";
name = "Heiko";
}
{
description = "Drucker im FSR Buero";
deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
location = "FSR Buero";
model = "Kyocera ECOSYS M6630cidn KPDL";
name = "Heiko";
}
];
}


@ -1,24 +0,0 @@
#
# Useful config
# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
#
{ pkgs, config, ... }:
let
password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
in
{
networking = {
wireless = {
enable = true;
networks = {
"FSR" = {
priority = 10;
pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168";
};
};
};
};
}


@ -1,43 +0,0 @@
fsr_wifi: ENC[AES256_GCM,data:CD0ge6d5+gc=,iv:yuWfwwGm2HOKvMQQ9lF4TFOqvCU2z06sqS+pzhCFhfY=,tag:1+8MwcPUGgtcdXvTNAuR5g==,type:str]
fsr_wifi_psk: ENC[AES256_GCM,data:uwq/nkKm9eDdMxUJMQ==,iv:q9mzhfkPBM1oTQN69tSEiQmf3hYZ4pGJEqjVEjU//FI=,tag:g0p+S2jlkAT0jY5hBRKuXw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySHgvQThoSmpXOUc1a3lN
dXR6ZElYYlppOXNISXM0bURxQjdIU3pDL2wwCmNoT0pYTEdubWh3eFc3VzVwdnR3
TU5CbFlBTWxYaHRjamUzamIzQ1VnbFEKLS0tIDVUSEVtKzh1aVp1ekxVd2xRWHVo
dEExQkJySmo5eGtEdXVvd1FFVVhpdFUKNx1FXti0qWKDRYM6wsIUceXbjzra5ezc
0fNI2r7qnVQ1QghtKnibwMUR1q4/DphKEm4eX4e6q+jfHleHCSk6+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-03-05T13:53:02Z"
mac: ENC[AES256_GCM,data:ZpEk+wpGQz2ul+Me6i45wXkzvuxzwkibLcljBs2KjTAgjH6F4q1JyXuY271JD95A5HgEvv4Atm3sbHaG+hghXy/36WSFw5jJRBwOjDrOSSAq12+UFeYjgSA2EwbvgbBdIO6VgaRLnXtobtLFG5qaVzUAvSevo6n8vBhEjSHEEJk=,iv:iZ9bJ+it3s6lB8piPeKjVy4QYzwYGUb4EUwvnCR753Q=,tag:Nveq//4C1tiwGOkeXV7a0A==,type:str]
pgp:
- created_at: "2022-03-05T13:42:43Z"
enc: |
-----BEGIN PGP MESSAGE-----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=hWOx
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -1,43 +0,0 @@
fsr_wifi: ENC[AES256_GCM,data:nzfwY2UygQSdboRvfDxVSrUE+WLBJLYBLw==,iv:yR3lCbyUSg97+MnuwUkXEsHtSGuYOPYRgvW/YZYDhv0=,tag:eN/lqD1BetqnFDAFJE6D2g==,type:str]
fsr_wifi_psk: ENC[AES256_GCM,data:A1Z809FJ0fUd93QcX5NNnfVxyzUZMuPGC6Hu4M9LpRoMOTrMcRPMDaR0N+cgmV7rnjYvzm4gTSTEcnqsnLGyNA==,iv:WMs3/I3SEDJwcpyqclCfxKcx61m/6BcwbGaGS4I4a5s=,tag:oYG8M3NQ2lkcUGr2K5YUEg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQXByc2lJWnQ0Rm1Wb1V5
aVFaY0cwcnVlUFRKNGNYYjJjMnB5NVlkendRCkxJZ0JILzVvbDZRNzlYaWtEREJr
VmYzaUNiU0VmTkZzckhJeS84OU5TUkUKLS0tIG5qTnVtbHV3TWh0cW4xYlJiV0Ji
MFQrNkJxUUVFSStPenM4Tmx6dlVsSm8KQMPsuc/E89aDek3csMarrKm5qcfQKf3u
2ApD8dEN+L1L9bbJGAY6uNM6sXu5eTAGD7+Rc0duZIdDCg0LGFV8jw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-03-05T13:52:43Z"
mac: ENC[AES256_GCM,data:/uszrMeVsVlpjFyI29/Sasr8jY3/elnnbbUDmZ1+3YHzoujQRZe47VOpfOgs/XZym+jj7MZInu5Y361YalFb0ArS7GmexZA88rFvOqHPIIUuk2h1iCHLpZRafg96x737snna7L7zHNJFJLBhqcpdt0U4U6SZjXlJ9UgR96c6Agk=,iv:4kCCIhUEfc0GCzoh+3cNxB3cnn71/0jmKI1r62dYFmk=,tag:REOoImReJds8LBKZpeu78w==,type:str]
pgp:
- created_at: "2022-03-05T13:41:12Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJAQ/+Jis1dE0ZmxKIaqJKc1itSqd09ieVJDMmei410O2VycU3
98YHvdrkRcG+3tLkvzebATANyHcJeefjt4uvQnMjlswX5DHm3JxNYnfOhCQNpexl
80Lp/0qmnCy1rd2C8/Mr9ub2frupEGeBgU4TwA1LW5X1f89NP9R7b6tBcVMyF/OW
+WWu2g+0yLC9rle0a5QeIkrKsmyB5+dEYOakCMunKCYXE+MS4ULkZqFxhJ8ckTo7
rKiR8UwzDL+iMl4zLgeNF5Uw7WH8tdHiD3thHQvzjL9++Tg4jZWdgtjdICs1ye2y
sUGzk0RhjXT/Q3rBwQbiivZq7s3ngBpom0co74+X6DORMN0P8WUdox7j4KUS3/oA
KwtyUF92dK9uJwckyN7LXho7zVTnZXV7jjupBacjr0TeHgYzP1eDhbsC6mFlWv2x
mHeK7hQF6VBNi1tAVlcMktbuxZRtc8P0ljFeSXRDoLJKdduIb3TKbGSsAHs1lX+n
CEK2kfS+V6g4CXaSsAsDqIZ75k6bJYRd8M81a1XvSAMB1fzQYDU1zrPGquggOBku
S0R0y0po7OwnqQ0HBgVHC8uU8hbG/EIvA1Wpw9FQnjGugi0pOoIiynqJWzttFwvq
XBV27Z7wumWzwij9uFt+TEy7Olulu/Vi/56tiyUNnbklwQqe1mj1m4nnu6z6v4TU
aAEJAhDM3iZRqVMChcCd6A/btYAwNnZrJNzxj+BIV5/+sAk3wjqc6UM7+qdBuzsH
uYq+HBTcdQgpoyqtFryrjQvCsksB6O4eS62FIAKfD65HaxNYQLUYNJ4Xs3NIqroH
MogSWSOw4clo
=8/Ez
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.1