Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

changes

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2024-10-18 15:24:20 +02:00
parent c681eb3139
commit 3eb9ce0e89
21 changed files with 356 additions and 455 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
hosts/mail.social-grow.tech/modules/autoconfig.nix Normal file
View File

@@ -0,0 +1,31 @@
{ pkgs, lib, config, ... }:
let
domain = config.networking.domain;
in
{
services.nginx.virtualHosts."autoconfig.${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://localhost:1323/";
};
};
services.go-autoconfig = {
enable = true;
settings = {
service_addr = ":1323";
domain = domain;
imap = {
server = "imap.${domain}";
port = 993;
};
smtp = {
server = "mail.${domain}";
port = 587;
starttls = true;
};
};
};
}

39
hosts/mail.social-grow.tech/modules/dovecot.nix
View File

@@ -1,15 +1,19 @@
{ pkgs
, config
, ...
{
config,
lib,
pkgs,
...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
components = lib.strings.splitString "." domain;
dcComponents = map (x: "dc=" + x) components;
ldapPath = builtins.concatStringsSep "," dcComponents;
ldapConfig = pkgs.writeText "dovecot-ldap.conf" ''
hosts = ldap.cloonar.com
hosts = ldap.${domain}
tls = yes
dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com"
dn = "cn=vmail,ou=system,ou=users,${ldapPath}"
dnpass = "@ldap-password@"
auth_bind = no
ldap_version = 3
@@ -36,27 +40,11 @@ let
exit 1
fi
doveadm user *@cloonar.com | while read user; do
doveadm user *@${domain} | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@optiprot.eu | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@superbros.tv | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@ghetto.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@szaku-consulting.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@korean-skin.care | while read user; do
doveadm user *@ekouniversity.com | while read user; do
doveadm -v sync -u $user $SERVER
done
'';
@@ -129,7 +117,7 @@ in
}
protocol lmtp {
postmaster_address=postmaster@${domain}
hostname=mail.cloonar.com
hostname=mail.${domain}
mail_plugins = $mail_plugins sieve
}
service auth {
@@ -253,7 +241,6 @@ in
security.acme.certs."imap.${domain}" = {
extraDomainNames = [
"imap-test.${domain}"
"imap-02.${domain}"
];
postRun = "systemctl restart dovecot2.service";
};

259
hosts/mail.social-grow.tech/modules/openldap.nix
View File

@@ -1,11 +1,14 @@
{
pkgs,
config,
lib,
pkgs,
...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
components = lib.strings.splitString "." domain;
dcComponents = map (x: "dc=" + x) components;
ldapPath = builtins.concatStringsSep "," dcComponents;
in {
services.openldap = {
enable = true;
@@ -18,10 +21,11 @@ in {
olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCipherSuite = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcTLSProtocolMin = "3.3";
olcSecurity = "tls=1";
};
@@ -39,9 +43,9 @@ in {
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=cloonar,dc=com";
olcSuffix = "${ldapPath}";
olcRootDN = "cn=admin,dc=cloonar,dc=com";
olcRootDN = "cn=admin,${ldapPath}";
olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
@@ -50,29 +54,29 @@ in {
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by dn="cn=owncloud,ou=system,ou=users,${ldapPath}" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{1}to attrs=loginShell
by self write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
{2}to dn.subtree="ou=system,ou=users,${ldapPath}"
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{3}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by dn="cn=admin,dc=cloonar,dc=com" write
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by dn="cn=admin,${ldapPath}" write
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
];
@@ -98,7 +102,7 @@ in {
olcAccess = [
''
{0}to *
by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
by dn.exact="cn=netdata,ou=system,ou=users,${ldapPath}" read
by * none
''
];
@@ -110,23 +114,25 @@ in {
olcDatabase = "{3}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=ghetto,dc=at";
olcSuffix = "dc=ekouniversity,dc=com";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by dn="cn=admin,${ldapPath}" write
by dn="cn=owncloud,ou=system,ou=users,${ldapPath}" write
by dn="cn=authelia,ou=system,ou=users,${ldapPath}" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,${ldapPath}" read
by dn="cn=admin,${ldapPath}" write
by group.exact="cn=Administrators,ou=groups,${ldapPath}" write
by * read
''
];
@@ -142,155 +148,6 @@ in {
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={4}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{4}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=superbros,dc=tv";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={6}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{6}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=szaku-consulting,dc=at";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={7}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{7}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=myhidden,dc=life";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={8}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{8}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=korean-skin,dc=care";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "cn=module{0},cn=config" = {
# attrs = {
# objectClass = "olcModuleList";
# cn = "module{0}";
# olcModuleLoad = "ppolicy.la";
# };
# };
"cn={3}cloonar,cn=schema" = {
attrs = {
cn = "{1}cloonar";
@@ -432,56 +289,6 @@ in {
''
];
};
# "cn={1}ttrss,cn=schema".attrs = {
# cn = "{1}ttrss";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
# SUP top AUXILIARY
# DESC 'Added to an account to allow tinytinyrss access'
# MUST ( mail $ userPassword ))
# ''
# ];
# };
# "cn={1}prometheus,cn=schema".attrs = {
# cn = "{1}prometheus";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28296.1.2.4
# NAME 'prometheus'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow prometheus access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}loki,cn=schema".attrs = {
# cn = "{1}loki";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28299.1.2.4
# NAME 'loki'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow loki access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}flood,cn=schema".attrs = {
# cn = "{1}flood";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow flood access'
# MUST (mail))
# ''
# ];
# };
};
};
@@ -495,10 +302,6 @@ in {
/* trigger the actual certificate generation for your hostname */
security.acme.certs."ldap.${domain}" = {
extraDomainNames = [
"ldap-test.${domain}"
"ldap-02.${domain}"
];
postRun = "systemctl restart openldap.service";
};

28
hosts/mail.social-grow.tech/modules/postfix.nix
View File

@@ -5,16 +5,18 @@
}:
let
domain = config.networking.domain;
ldapServer = "ldap.cloonar.com";
# domain = "cloonar.com";
components = lib.strings.splitString "." domain;
dcComponents = map (x: "dc=" + x) components;
ldapPath = builtins.concatStringsSep "," dcComponents;
ldapServer = "ldap.${domain}";
domains = pkgs.writeText "domains.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=domains,dc=cloonar,dc=com
search_base = ou=domains,${ldapPath}
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_dn = cn=vmail,ou=system,ou=users,${ldapPath}
bind_pw = @ldap-password@
scope = one
query_filter = (&(dc=%s)(objectClass=mailDomain))
@@ -28,7 +30,7 @@ let
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_dn = cn=vmail,ou=system,ou=users,${ldapPath}
bind_pw = @ldap-password@
scope = sub
query_filter = (&(uid=%u)(objectClass=mailAccount))
@@ -42,7 +44,7 @@ let
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_dn = cn=vmail,ou=system,ou=users,${ldapPath}
bind_pw = @ldap-password@
scope = sub
query_filter = (|(&(objectClass=mailAccount)(uid=%u))(&(objectClass=mailAlias)(mail=%s)))
@@ -56,7 +58,7 @@ let
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_dn = cn=vmail,ou=system,ou=users,${ldapPath}
bind_pw = @ldap-password@
scope = sub
query_filter = (&(objectClass=mailAccount)(uid=%u))
@@ -70,7 +72,7 @@ let
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_dn = cn=vmail,ou=system,ou=users,${ldapPath}
bind_pw = @ldap-password@
scope = one
query_filter = (&(objectClass=mailAlias)(mail=%s))
@@ -80,7 +82,7 @@ let
helo_access = pkgs.writeText "helo_access" ''
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
${domain} REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
'';
in
@@ -89,7 +91,7 @@ in
enable = true;
enableSubmission = true;
hostname = "mail.${domain}";
domain = "cloonar.com";
domain = domain;
masterConfig."465" = {
type = "inet";
@@ -147,9 +149,9 @@ in
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtpd_tls_cert_file = "/var/lib/acme/mail.cloonar.com/full.pem";
smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
smtpd_tls_cert_file = "/var/lib/acme/mail.${domain}/full.pem";
smtpd_tls_key_file = "/var/lib/acme/mail.${domain}/key.pem";
smtpd_tls_CAfile = "/var/lib/acme/mail.${domain}/fullchain.pem";
smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;