many changes

hosts/web-arm/modules/authelia/default.nix

@@ -3,31 +3,24 @@
 {
   sops.secrets.authelia-jwt-secret = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-backend-ldap-password = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-storage-encryption-key = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-session-secret = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
   sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
     owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
   };
 
   services.authelia.instances.main = {
@@ -150,9 +143,6 @@
   
       notifier = {
         disable_startup_check = false;
-        # filesystem = {
-        #   filename = "/var/lib/authelia-main/notification.txt";
-        # };
         smtp = {
           host = "mail.cloonar.com";
           port = 25;
@@ -164,6 +154,21 @@
         oidc = {
           ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
           ## See: https://www.authelia.com/c/oidc
+          # authorization_policies = {
+          #   support = {
+          #     default_policy = "deny";
+          #     rules = [
+          #       {
+          #         policy = "two_factor";
+          #         subject = "group:support"; # Deny access to users of services group
+          #       }
+          #       {
+          #         policy = "two_factor";
+          #         subject = "group:admin"; # Deny access to users of services group
+          #       }
+          #     ];
+          #   };
+          # };
           clients = [
             {
               id = "gitea";
@@ -183,12 +188,11 @@
             {
               id = "nextcloud";
               description = "Nextcloud";
-              secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw";
+              secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
               public = false;
               authorization_policy = "one_factor";
               redirect_uris = [ 
                 "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
-                "https://cloud.cloonar.com/apps/user_oidc/code"
               ];
               pre_configured_consent_duration = "1y";
               scopes = [
@@ -215,6 +219,22 @@
               ];
               userinfo_signing_algorithm = "none";
             }
+            {
+              id = "freescout";
+              description = "FreeScout Support platform";
+              secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
+              public = false;
+              authorization_policy = "one_factor";
+              redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
+              pre_configured_consent_duration = "1y";
+              scopes = [
+                "openid"
+                "profile"
+                "email"
+                "groups"
+              ];
+              userinfo_signing_algorithm = "none";
+            }
           ];
         };
       };

hosts/web-arm/modules/bitwarden/default.nix

@@ -50,7 +50,7 @@ in {
   };
 
   systemd.services.vaultwarden.serviceConfig = {
-    EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path];
+    EnvironmentFile = [config.sops.secrets.vaultwarden-env.path];
   };
 
   systemd.services.vaultwarden_ldap = {
@@ -58,8 +58,8 @@ in {
 
     preStart = ''
       sed \
-        -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \
-        -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \
+        -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.vaultwarden-ldap-password.path})=" \
+        -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.vaultwarden-admin-token.path})=" \
         ${ldapConfigFile} \
         > /run/vaultwarden_ldap/config.toml
     '';
@@ -97,10 +97,9 @@ in {
   };
 
   sops.secrets = {
-    bitwarden-admin-token.owner = "vaultwarden_ldap";
-    bitwarden-ldap-password.owner = "vaultwarden_ldap";
-    bitwarden-db-password.owner = "vaultwarden";
-    bitwarden-smtp-password.owner = "vaultwarden";
+    vaultwarden-admin-token.owner = "vaultwarden_ldap";
+    vaultwarden-ldap-password.owner = "vaultwarden_ldap";
+    vaultwarden-env.owner = "vaultwarden";
   };
 
   users.users.vaultwarden_ldap = {
@@ -110,5 +109,16 @@ in {
 
   users.groups.vaultwarden_ldap = {};
 
-  services.mysqlBackup.databases = [ "bitwarden" ];
+  services.mysql = {
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensurePermissions = {
+          "vaultwarden.*" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+    ensureDatabases = [ "vaultwarden" ];
+  };
+  services.mysqlBackup.databases = [ "vaultwarden" ];
 }

hosts/web-arm/modules/collabora.nix

@@ -6,7 +6,8 @@
     ports = [ "9980:9980/tcp" ];
     environment = {
       server_name = "code.cloonar.com";
-      aliasgroup1 = "https://cloud.cloonar.com:443";
+      aliasgroup1 = "https://nextcloud.cloonar.com:443";
+      aliasgroup2 = "https://cloud.cloonar.com:443";
       dictionaries = "en_US";
       extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
     };

hosts/web-arm/modules/grafana.nix

@@ -15,7 +15,7 @@ let
       [servers.attributes]
       name = "givenName"
       surname = "sn"
-      username = "uid"
+      username = "mail"
       email =  "mail"
       member_of = "memberOf"
 
@@ -27,13 +27,17 @@ let
   };
 in
 {
-  systemd.services.grafana.script = lib.mkBefore "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)";
+  systemd.services.grafana.script = lib.mkBefore ''
+    export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)
+    export PUSHOVER_API_TOKEN=$(cat /run/secrets/pushover-api-token)
+    export PUSHOVER_USER_KEY=$(cat /run/secrets/pushover-user-key)
+  '';
   services.grafana = {
     enable = true;
     settings = {
       analytics.reporting_enabled = false;
-      # "auth.ldap".enabled = true;
-      # "auth.ldap".config_file = toString ldap;
+      "auth.ldap".enabled = true;
+      "auth.ldap".config_file = toString ldap;
 
       "auth.generic_oauth" = {
         enabled = true;
@@ -47,6 +51,8 @@ in
         api_url = "https://auth.cloonar.com/api/oidc/userinfo";
         login_attribute_path = "preferred_username";
         groups_attribute_path = "groups";
+        role_attribute_path = "contains(groups, 'Administrators') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'";
+        allow_assign_grafana_admin = true;
         name_attribute_path = "name";
         use_pkce = true;
       };
@@ -81,6 +87,37 @@ in
 
       security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
     };
+    provision = {
+      alerting = {
+        contactPoints.settings = {
+          apiVersion = 1;
+
+          contactPoints = [{
+            orgId = 1;
+            name = "cp_dominik";
+            receivers = [{
+              uid = "dominik";
+              type = "pushover";
+              settings = {
+                security.apiToken = "$__file{${config.sops.secrets.pushover-api-token.path}}";
+                security.userKey = "$__file{${config.sops.secrets.pushover-user-key.path}}";
+                apiToken = "\${PUSHOVER_API_TOKEN}";
+                userKey = "\${PUSHOVER_USER_KEY}";
+                device = "iphone";
+                priority = "2";
+                retry = "30";
+                expire = "120";
+                sound = "siren";
+                okSound = "magic";
+                message = ''
+                  {{ template "default.message" . }}
+                '';
+              };
+            }];
+          }];
+        };
+      };
+    };
   };
 
   services.nginx.virtualHosts."grafana.cloonar.com" = {
@@ -103,5 +140,7 @@ in
     grafana-admin-password.owner = "grafana";
     grafana-ldap-password.owner = "grafana";
     grafana-oauth-secret.owner = "grafana";
+    pushover-api-token.owner = "grafana";
+    pushover-user-key.owner = "grafana";
   };
 }

hosts/web-arm/modules/loki.nix

@@ -103,15 +103,15 @@ in
 
       limits_config.ingestion_burst_size_mb = 16;
 
-      # ruler = {
-      #   storage = {
-      #     type = "local";
-      #     local.directory = rulerDir;
-      #   };
-      #   rule_path = "/var/lib/loki/ruler";
-      #   alertmanager_url = "http://alertmanager.cloonar.com";
-      #   ring.kvstore.store = "inmemory";
-      # };
+      ruler = {
+        storage = {
+          type = "local";
+          local.directory = rulerDir;
+        };
+        rule_path = "/var/lib/loki/ruler";
+        alertmanager_url = "http://alertmanager.cloonar.com";
+        ring.kvstore.store = "inmemory";
+      };
 
       query_range.cache_results = true;
       query_range.parallelise_shardable_queries = false;

hosts/web-arm/modules/mysql.nix

@@ -69,6 +69,8 @@ in {
     settings = {
       mysqld = {
         max_allowed_packet = "64M";
+        transaction_isolation = "READ-COMMITTED";
+        binlog_format = "ROW";
       };
     };
   };

hosts/web-arm/modules/nextcloud/default.nix

@@ -1,30 +1,67 @@
-{ pkgs, config, ... }:
+{ pkgs, config, ... }: 
 {
   sops.secrets.nextcloud-adminpass.owner = "nextcloud";
+  sops.secrets.nextcloud-secrets.owner = "nextcloud";
+  sops.secrets.nextcloud-smb-credentials.owner = "nextcloud";
 
   services.nextcloud = {                
     enable = true;                   
     hostName = "nextcloud.cloonar.com";
     https = true;
-    package = pkgs.nextcloud27;
+    package = pkgs.nextcloud29;
     # Instead of using pkgs.nextcloud27Packages.apps,
     # we'll reference the package version specified above
-    extraApps = with config.services.nextcloud.package.packages.apps; {
-      inherit contacts calendar tasks deck;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) calendar contacts deck groupfolders mail richdocuments tasks;
       oidc_login = pkgs.fetchNextcloudApp rec {
-        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v2.6.0/oidc_login.tar.gz";
-        sha256 = "sha256-MZ/Pgqrb8Y9aH1vd3BfuPhfLOmYyZQO2xVasdj+rCo4=";
+        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.1.1/oidc_login.tar.gz";
+        sha256 = "sha256-EVHDDFtz92lZviuTqr+St7agfBWok83HpfuL6DFCoTE=";
+        license = "gpl3";
       };
     };
+    autoUpdateApps.enable = true;
     extraAppsEnable = true;
-
     database.createLocally = true;
-    enableBrokenCiphersForSSE = false;
 
+    caching.apcu = true;
+    configureRedis = true;
+    phpOptions."opcache.interned_strings_buffer" = "23";
     config = {
       adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
       dbtype = "mysql";
     };
+
+    secretFile = config.sops.secrets.nextcloud-secrets.path;
+
+    settings = {
+      log_type = "errorlog";
+      allow_user_to_change_display_name = false;
+      maintenance_window_start = 1;
+      lost_password_link = "disabled";
+      oidc_login_provider_url = "https://auth.cloonar.com";
+      oidc_login_client_id = "nextcloud";
+      oidc_login_button_text = "Log in with Authelia";
+      oidc_login_auto_redirect = false;
+      oidc_login_proxy_ldap = true;
+      oidc_login_attributes = {
+        id = "preferred_username";
+        name = "name";
+        mail = "email";
+        groups = "groups";
+        ldap_uid = "email";
+      };
+      oidc_login_scope = "openid profile email groups";
+      default_phone_region = "AT";
+    };
+  };
+
+  environment.systemPackages = [ pkgs.cifs-utils ];
+  fileSystems."/var/lib/nextcloud/data" = {
+    device = "//u149513.your-backup.de/u149513-sub4/";
+    fsType = "cifs";
+    options = let
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users,file_mode=0770,dir_mode=0770";
+      in ["${automount_opts},credentials=${config.sops.secrets.nextcloud-smb-credentials.path},uid=983,gid=964"];
   };
 
   services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
@@ -33,5 +70,17 @@
     acmeRoot = null;
   };
 
+  services.mysql = {
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions = {
+          "nextcloud.*" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+    ensureDatabases = [ "nextcloud" ];
+  };
+
   services.mysqlBackup.databases = [ "nextcloud" ];
 }

hosts/web-arm/modules/zammad/default.nix

@@ -1,117 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.zammad = {
-    enable = true;
-    port = 3010;
-    secretKeyBaseFile = config.sops.secrets.zammad-key-base.path;
-    database = {
-      createLocally = true;
-    };
-  };
-  
-  services.nginx.enable = true;
-  services.nginx.virtualHosts."support.cloonar.com" = {
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-
-    extraConfig = ''
-      # Virtual endpoint created by nginx to forward auth requests.
-      location /authelia {
-        internal;
-        set $upstream_authelia http://127.0.0.1:9091/api/verify;
-        proxy_pass_request_body off;
-        proxy_pass $upstream_authelia;    
-        proxy_set_header Content-Length "";
-
-        # Timeout if the real server is dead
-        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
-
-        # [REQUIRED] Needed by Authelia to check authorizations of the resource.
-        # Provide either X-Original-URL and X-Forwarded-Proto or
-        # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
-        # Those headers will be used by Authelia to deduce the target url of the     user.
-        # Basic Proxy Config
-        client_body_buffer_size 128k;
-        proxy_set_header Host $host;
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr; 
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-Uri $request_uri;
-        proxy_set_header X-Forwarded-Ssl on;
-        proxy_redirect  http://  $scheme://;
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-        proxy_cache_bypass $cookie_session;
-        proxy_no_cache $cookie_session;
-        proxy_buffers 4 32k;
-
-        # Advanced Proxy Config
-        send_timeout 5m;
-        proxy_read_timeout 240;
-        proxy_send_timeout 240;
-        proxy_connect_timeout 240;
-      }
-    '';
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:3010";
-      proxyWebsockets = true;
-      extraConfig =
-        "proxy_connect_timeout  300;" +
-        "proxy_send_timeout     300;" +
-        "proxy_read_timeout     300;" +
-        "send_timeout           300;"
-      ;
-    };
-    locations."/auth/sso" = {
-      proxyPass = "http://127.0.0.1:3010";
-      proxyWebsockets = true;
-
-      extraConfig = ''
-        # Basic Authelia Config
-        # Send a subsequent request to Authelia to verify if the user is authenticated
-        # and has the right permissions to access the resource.
-        auth_request /authelia;
-        # Set the `target_url` variable based on the request. It will be used to build the portal
-        # URL with the correct redirection parameter.
-        auth_request_set $target_url $scheme://$http_host$request_uri;
-        # Set the X-Forwarded-User and X-Forwarded-Groups with the headers
-        # returned by Authelia for the backends which can consume them.
-        # This is not safe, as the backend must make sure that they come from the
-        # proxy. In the future, it's gonna be safe to just use OAuth.
-        auth_request_set $user $upstream_http_remote_user;
-        auth_request_set $groups $upstream_http_remote_groups;
-        auth_request_set $name $upstream_http_remote_name;
-        auth_request_set $email $upstream_http_remote_email;
-        proxy_set_header Remote-User $user;
-        proxy_set_header Remote-Groups $groups;
-        proxy_set_header Remote-Name $name;
-        proxy_set_header Remote-Email $email;
-        # If Authelia returns 401, then nginx redirects the user to the login portal.
-        # If it returns 200, then the request pass through to the backend.
-        # For other type of errors, nginx will handle them as usual.
-        error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
-      '';
-    };
-    locations."/ws" = {
-      proxyPass = "http://127.0.0.1:6042";
-      proxyWebsockets = true;
-      extraConfig =
-        "proxy_read_timeout     86400;" +
-        "send_timeout           300;"
-      ;
-    };
-  };
-
-  sops.secrets = {
-    zammad-db-password.sopsFile = ./secrets.yaml;
-    zammad-key-base.owner = "zammad";
-  };
-
-  services.postgresqlBackup.enable = true;
-  services.postgresqlBackup.databases = [ "zammad" ];
-}

hosts/web-arm/modules/zammad/secrets.yaml

@@ -1,40 +0,0 @@
-zammad-db-password: ENC[AES256_GCM,data:FFsTnwQcL8V1ZWvZ9a15FWcHnsrC7nuDW155reSmfg/IRhRfrtnvbCDQ0N3AMh7TBiyG3x5za/6orV04CplUgQ==,iv:inQXkwlTbGaKgU3nfOtIYMcheBdGv8xa7dCad8WrGEc=,tag:fxjNRCUpS6RMipk4D08new==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:z2v1GrjRFoaDY9tPaAsUJPVRHZhSOrXWCZhhm5E6rmH4s6QWU1EW7aY4PPgditdcathLRWkDlBT5c3SQ8Cd2DPLp/SVn9Xd8w8g/lrplhNC2sJXUyB+CUgdEnBBN0XPMsFWNx9EIrqGrF/A8js5eKtQON9fCNytaHMOsCCc0rNE=,iv:oHKiXE9U0h846XVpCrcD/dFJ1MAXCYrnM80CwaWgALc=,tag:W88DsRWvdudMscH+UBPy/Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUc0RlQUt4VHU1eWZrdlF5
-            UFhjSU5TWFlGbTIwbzVlaStHaWRTdS92d0YwCkJQRlh0eWVNRW9SdUFXQUZzNFYw
-            dktoSmFqbWxDbXR0dDNTNy8zTHYwQUEKLS0tIFFwQkdvK2QvSmFGaVRBaVFMeEFi
-            YUZ6b1dzUGZkL2t4aU5tTjA4UC9KU3cKmhugvvIexQqpVtGp7aLKU7WSQNxk0cTO
-            +8MWF1v0mztJlGbiWk5OOzT9L8TO7GDGXfi8GyMVgVBvaA7tFF709w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZGRWbnVxVUdHWndEanlk
-            Wmp4WS8yUjdrVSsxTHFNcjFUWm5IZytaZVRzCmorZTJRSnBRTE5qK2xiZGtYNXZH
-            RjBDdWE5NjE3ZWtXRU5Fc2FaVFkzNUEKLS0tIGwvUjVBL2NpdTFsY04zbktJRGxF
-            QWo1Vm56dnZWQ2l1K3hzVlZDL3BaTHMKw9CjtbS9hyW42prUhlTIcmcb4Z6OaxRr
-            T7RJZxXefEr4myJYI5B3pqbXlBpSLLwS4lgtoqHmmYuSNjL8/xoksw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicStLZGZvdGJyMyszMkFo
-            S2xTeUM5ZEIrbUxqbXBxQTUyeHhJVTAzUm40Ck5KbngvdWYvVk5VYTRCUWhZeFkw
-            eFJKVEZ3VnpuL3BmOFVQdCs2K3hoTUUKLS0tIEhFRXZyRlpPZUpEanFMU1oweVJ2
-            RVJjc0FUb0NFMHk2M3gxTmhMYjlrTDgKR0tfq1CWU8OdeeigOsKqNx2sszVtPWjH
-            yXcqe/jLAnvS/Ut/afEyfGYEiyyzJXLp9TGjV1fAp9y2K2noD8/TwQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-29T10:54:56Z"
-    mac: ENC[AES256_GCM,data:OX49RTucGWdH1RkbXfkiMLH2Lj65v554WSfJxkCkIu/dFagCH90QSRiX/15HTsI//ffwKVurDivC6H6OByK2eWdaeCYTEn2029GjdL4RhJhXy0RLXEq5D/KVRu73O9Xe6M36asc/OenzPcmbHAvddD14y9vaOsVTL0H15ydVrwg=,iv:+uBt1Mvj+WMM4CvAOwmOXhZJVZBXVDCXA8iSXpdjktU=,tag:AeipsBJ8PA22OfUxXA8bIA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3