feat: add scana11y to ldap

fleet.nix

@@ -31,6 +31,10 @@
       username = "nb";
       key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
     }
+    {
+      username = "nb-new";
+      key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
+    }
     {
       username = "fw";
       key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtxpJAFohRtBaET9e7EE4I6UmeUT/h1ZTD1zeOHFiWB/AT71ooDT4/QukJOA3LqklDjtDQHH+qjGY50Wa8/oGTA/X3aBDPg5GAHN+U+kYO2UTC69VVjh4TTS35ijg+AdgegtMI4c0VIUMZB24tthV9KEbD20w6XnTzy2Q6PjbBrwsOeHYr9pkygJZDU65ZeKmLyR6yLaadHzXX1I7V2SwiakPEebhQaGipm540d+tAbirKCHcmiORkpd++e3dfwi25hC9bCQ7b3bdaFPAmuhhFEid4jpCt79X+l0qqpClgRLziBjYykNJDFKAljFBJA11/3ofPCuaBCDUuJVhAH044gtT3sbvJq1prd8ElZy6L1yc5YbfFgDMwi71Y2hef780NmDs5Opk9xUCKqdl1YfLyUDgdiiaZ8uhUMd2Ai9BAxJAXtcz/V41ngt3YkUVyGTZdTAODIKk44blGIkgs7JO4yam4UB1curbD0faIZnWLyS5pdFQ+FI05YVjoHXJdme8=";

hosts/mail/modules/openldap.nix

@@ -330,6 +330,42 @@ in {
         ];
       };
 
+      "olcDatabase={9}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{9}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=scana11y,dc=com";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to attrs=pgpPublicKey
+              by self write
+              by anonymous read
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+          ''
+            {2}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+
       # "cn=module{0},cn=config" = {
       #   attrs = {
       #     objectClass = "olcModuleList";

hosts/nb/modules/desktop/default.nix

@@ -65,6 +65,7 @@ in {
     pinentry
     rbw
     rofi-rbw
+    swayimg
     thunderbird
     vlc
     wl-clipboard

hosts/web-arm/configuration.nix

@@ -45,6 +45,9 @@
     ./sites/support.cloonar.dev.nix
     ./sites/stage.cloonar-technologies.at.nix
 
+    ./sites/stage.scana11y.com.nix
+    ./sites/scana11y.com.nix
+
     ./sites/cloonar.dev.nix
     ./sites/paraclub.at.nix
     ./sites/api.paraclub.at.nix

hosts/web-arm/sites/scana11y.com.nix

@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "scana11y.com";
+  dataDir = "/var/www/${domain}";
+  user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = "/var/lib/acme/acme-challenge";
+
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html$is_args$args;
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${user}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID20OFQ9ZbRC2GFH5cii7mAhyD28GBwqM+1+2b36HI4k"
+    ];
+  };
+  users.groups.${user} = {};
+}

hosts/web-arm/sites/stage.scana11y.com.nix

@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "stage.scana11y.com";
+  dataDir = "/var/www/${domain}";
+  user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = "/var/lib/acme/acme-challenge";
+
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html$is_args$args;
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${user}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIM0XUH9EUucDsvJKqwytgsTRcSsu6KmqAZ9LVgPre2"
+    ];
+  };
+  users.groups.${user} = {};
+}

iso/configuration.nix

@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
 	imports = [
+    "${impermanence}/nixos.nix"
 		<nixpkgs/nixos/modules/profiles/all-hardware.nix>
 		<nixpkgs/nixos/modules/profiles/base.nix>
 		#installer-only ./hardware-configuration.nix
@@ -50,5 +54,34 @@
 		zip
 	];
 
+  environment.persistence."/nix/persist" = {
+    hideMounts = true;
+    directories = [
+      "/home"
+    ];
+  };
+  environment.persistence."/nix/persist/system" = {
+    hideMounts = true;
+    directories = [
+      "/etc/nixos"
+      "/root/.ssh"
+      "/var/bento"
+      "/var/log"
+      "/var/lib/bluetooth"
+      "/var/lib/docker"
+      "/var/lib/flatpak"
+      "/var/lib/fprint"
+      "/var/lib/nixos"
+      "/var/lib/mysql"
+      "/etc/NetworkManager/system-connections"
+    ];
+    files = [
+      { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+    ];
+  };
+
   system.stateVersion = "23.05"; # Did you read the comment?
 }

iso/default.nix

@@ -44,10 +44,12 @@
 					wait-for mkfs.fat -F 32 -n boot /dev/disk/by-partlabel/BOOT
 
 					wait-for [ -b /dev/disk/by-partlabel/NIXOS ]
-					mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS
+					${cryptsetup}/bin/cryptsetup luksFormat --type=luks2 --label=root /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1
+					${cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-partlabel/NIXOS root --key-file=/dev/zero --keyfile-size=1
+					mkfs.btrfs -f -L nixos /dev/mapper/root
 
 					sync
-          mount /dev/disk/by-partlabel/NIXOS /mnt
+          mount /dev/mapper/root /mnt
 
           btrfs subvolume create /mnt/@
           btrfs subvolume create /mnt/@nix-store
@@ -56,14 +58,56 @@
           umount /mnt
 
 					sync
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/disk/by-partlabel/NIXOS /mnt
+          mount -t tmpfs -o size=16G,mode=755 tmpfs /mnt
+          mkdir -p /mnt/nix
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/root /mnt/nix
           mkdir -p /mnt/nix/{store,persist}
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/disk/by-partlabel/NIXOS /mnt/nix/store
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/mapper/root /mnt/nix/store
-          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/disk/by-partlabel/NIXOS /mnt/nix/persist
+          mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/mapper/root /mnt/nix/persist
+
+          mkdir -p /mnt/nix/persist/home
+
+          mkdir -p /mnt/etc/nixos
+          mkdir -p /mnt/nix/persist/system/etc/nixos
+          mount --bind /mnt/nix/persist/system/etc/nixos /mnt/etc/nixos
+          mkdir -p /mnt/root/.ssh
+          mkdir -p /mnt/nix/persist/system/root/.ssh
+          mount --bind /mnt/nix/persist/system/root/.ssh /mnt/root/.ssh
+          mkdir -p /mnt/var/bento
+          mkdir -p /mnt/nix/persist/system/var/bento
+          mount --bind /mnt/nix/persist/system/var/bento /mnt/var/bento
+          mkdir -p /mnt/var/log
+          mkdir -p /mnt/nix/persist/system/var/log
+          mount --bind /mnt/nix/persist/system/var/log /mnt/var/log
+          mkdir -p /mnt/var/lib/bluetooth
+          mkdir -p /mnt/nix/persist/system/var/lib/bluetooth
+          mount --bind /mnt/nix/persist/system/var/lib/bluetooth /mnt/var/lib/bluetooth
+          mkdir -p /mnt/var/lib/docker
+          mkdir -p /mnt/nix/persist/system/var/lib/docker
+          mount --bind /mnt/nix/persist/system/var/lib/docker /mnt/var/lib/docker
+          mkdir -p /mnt/var/lib/flatpak
+          mkdir -p /mnt/nix/persist/system/var/lib/flatpak
+          mount --bind /mnt/nix/persist/system/var/lib/flatpak /mnt/var/lib/flatpak
+          mkdir -p /mnt/var/lib/fprint
+          mkdir -p /mnt/nix/persist/system/var/lib/fprint
+          mount --bind /mnt/nix/persist/system/var/lib/fprint /mnt/var/lib/fprint
+          mkdir -p /mnt/var/lib/nixos
+          mkdir -p /mnt/nix/persist/system/var/lib/nixos
+          mount --bind /mnt/nix/persist/system/var/lib/nixos /mnt/var/lib/nixos
+          mkdir -p /mnt/var/lib/mysql
+          mkdir -p /mnt/nix/persist/system/var/lib/mysql
+          mount --bind /mnt/nix/persist/system/var/lib/mysql /mnt/var/lib/mysql
+          mkdir -p /mnt/etc/NetworkManager/system-connections
+          mkdir -p /mnt/nix/persist/system/etc/NetworkManager/system-connections
+          mount --bind /mnt/nix/persist/system/etc/NetworkManager/system-connections /mnt/etc/NetworkManager/system-connections
 
 					mkdir /mnt/boot
 					wait-for mount /dev/disk/by-label/boot /mnt/boot
 
+          mkdir -p /mnt/nix/persist/system/etc/ssh
+          ssh-keygen -t ed25519 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_ed25519_key
+          ssh-keygen -t rsa     -b 4096 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_rsa_key
+
 					install -D ${./configuration.nix} /mnt/etc/nixos/configuration.nix
 					install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix
 

iso/hardware-configuration.nix

@@ -6,9 +6,29 @@
 		fsType = "vfat";
 	};
 
-  fileSystems."/"  = {
+  fileSystems."/" = {
-    device = "/dev/disk/by-partlabel/NIXOS";
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "size=16G" "mode=755" ];
+  };
+
+	boot.initrd.luks.devices.root = {
+		device = "/dev/disk/by-label/root";
+
+		# WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
+		allowDiscards = true;
+
+		# Set your own key with:
+		# cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
+		# You can then delete the rest of this block.
+		keyFile = "/dev/zero";
+		keyFileSize = 1;
+	};
+
+  fileSystems."/nix"  = {
+    device = "/dev/mapper/root";
     fsType = "btrfs";
+    neededForBoot = true;
     options = [
       "subvol=@"
       "ssd"
@@ -19,8 +39,9 @@
   };
 
   fileSystems."/nix/store" = {
-    device = "/dev/disk/by-uuid/…";
+    device = "/dev/mapper/root";
     fsType = "btrfs";
+    neededForBoot = true;
     options = [
       "subvol=@nix-store"
       "ssd"
@@ -31,8 +52,9 @@
   };
 
   fileSystems."/nix/persist"  = {
-    device = "/dev/disk/by-partlabel/NIXOS";
+    device = "/dev/mapper/root";
     fsType = "btrfs";
+    neededForBoot = true;
     options = [
       "subvol=@nix-persist"
       "ssd"