services/{vikunja,tt-rss}: init, mail: services ldap, gitea: oauth

2026-02-09 12:29:19 -08:00 · 2021-09-17 20:37:26 +01:00 · 2021-09-17 20:37:26 +01:00 · 2df501fe19
commit 2df501fe19
parent 57a3bd8986
9 changed files with 247 additions and 4 deletions
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@ -5,6 +5,8 @@
    profiles.network
    services.nginx
    services.keycloak
+    services.vikunja
+    services.tt-rss
    services.roundcube
    services.openldap
    services.mail
--- a/config/services/gitea/default.nix
+++ b/config/services/gitea/default.nix
@ -42,10 +42,14 @@
    settings = {
      security = { DISABLE_GIT_HOOKS = false; };
      api = { ENABLE_SWAGGER = true; };
+      openid = {
+        ENABLE_OPENID_SIGNIN = true;
+        ENABLE_OPENID_SIGNUP = true;
+      };
      mailer = {
        ENABLED = true;
        SUBJECT = "%(APP_NAME)s";
-        HOST = "kyouko.kittywit.ch:465";
+        HOST = "daiyousei.kittywit.ch:465";
        USER = "gitea@kittywit.ch";
        #SEND_AS_PLAIN_TEXT = true;
        USE_SENDMAIL = false;
--- a/config/services/mail/dovecot.nix
+++ b/config/services/mail/dovecot.nix
@ -19,6 +19,25 @@ let
    scope = subtree
    default_pass_scheme = SSHA
  '';
+  ldapConfig-services = pkgs.writeText "dovecot-ldap.conf" ''
+    uris = ldaps://auth.kittywit.ch:636
+    dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch
+    dnpass = "@ldap-password@"
+    auth_bind = no
+    ldap_version = 3
+    base = ou=services,dc=kittywit,dc=ch
+    user_filter = (&(objectClass=mailAccount)(mail=%u))
+    user_attrs = \
+      quota=quota_rule=*:bytes=%$, \
+      =home=/var/vmail/%d/%n/, \
+      =mail=maildir:/var/vmail/%d/%n/Maildir
+    pass_attrs = mail=user,userPassword=password
+    pass_filter = (&(objectClass=mailAccount)(mail=%u))
+    iterate_attrs = =user=%{ldap:mail}
+    iterate_filter = (objectClass=mailAccount)
+    scope = subtree
+    default_pass_scheme = SSHA
+  '';
 in
 {
  security.acme.certs.dovecot_domains = {
@ -100,10 +119,18 @@ in
        args = /run/dovecot2/ldap.conf
        driver = ldap
      }
+      userdb {
+        args = /run/dovecot2/ldap-services.conf
+        driver = ldap
+      }
      passdb {
        args = /run/dovecot2/ldap.conf
        driver = ldap
      }
+      passdb {
+        args = /run/dovecot2/ldap-services.conf
+        driver = ldap
+      }

      service imap-login {
        client_limit = 1000
@ -168,6 +195,7 @@ in

  systemd.services.dovecot2.preStart = ''
    sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig} > /run/dovecot2/ldap.conf
+    sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig-services} > /run/dovecot2/ldap-services.conf
  '';

  networking.firewall.allowedTCPPorts = [
--- a/config/services/mail/postfix.nix
+++ b/config/services/mail/postfix.nix
@ -56,6 +56,21 @@ in {
      group = "postfix";
    };

+    accountsmap-services-ldap = {
+      text = ''
+        server_host = ${ldaps}
+        search_base = ou=services,dc=kittywit,dc=ch
+        query_filter = (&(objectClass=mailAccount)(mail=%s))
+        result_attribute = mail
+        version = 3
+        bind = yes
+        bind_dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch
+        bind_pw = ${tf.variables.postfix-ldap-password.ref}
+      '';
+      owner = "postfix";
+      group = "postfix";
+    };
+
    aliases-ldap = {
      text = ''
        server_host = ${ldaps}
@ -104,7 +119,7 @@ in {
      mailbox_transport = lmtp:unix:private/dovecot-lmtp
      masquerade_domains = ldap:${config.secrets.files.domains-ldap.path}
      virtual_mailbox_domains = ldap:${config.secrets.files.domains-ldap.path}
-      virtual_alias_maps = ldap:${config.secrets.files.accountsmap-ldap.path},ldap:${config.secrets.files.aliases-ldap.path},regexp:/var/lib/postfix/conf/virtual-regex
+      virtual_alias_maps = ldap:${config.secrets.files.accountsmap-ldap.path},ldap:${config.secrets.files.accountsmap-services-ldap.path},ldap:${config.secrets.files.aliases-ldap.path},regexp:/var/lib/postfix/conf/virtual-regex
      virtual_transport = lmtp:unix:private/dovecot-lmtp
      smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/run/rspamd/rspamd-milter.sock
      non_smtpd_milters = unix:/run/opendkim/opendkim.sock
--- a/config/services/openldap/default.nix
+++ b/config/services/openldap/default.nix
@ -68,7 +68,11 @@
                   by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
                   by dn.subtree="ou=users,dc=kittywit,dc=ch" read
                     by * none''
-              ''{3}to * by * read''
+              ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
+                   by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+                   by dn.subtree="ou=services,dc=kittywit,dc=ch" read
+                     by * none''
+              ''{4}to * by * read''
            ];
          };
        };
--- a/config/services/openldap/services.ldif
+++ b/config/services/openldap/services.ldif
@ -0,0 +1,5 @@
+dn: ou=services,dc=kittywit,dc=ch
+objectClass: top
+objectClass: organizationalUnit
+description: kittywitch
+ou: services
--- a/config/services/tt-rss.nix
+++ b/config/services/tt-rss.nix
@ -0,0 +1,80 @@
+{ config, pkgs, lib, tf, ... }: with lib; {
+  kw.secrets.variables = mapListToAttrs
+    (field:
+      nameValuePair "ttrss-${field}" {
+        path = "secrets/ttrss";
+        inherit field;
+      }) [ "password" "ldap" ];
+
+  secrets.files = {
+    ttrss-ldap-password = {
+      text = tf.variables.ttrss-ldap.ref;
+      owner = "tt_rss";
+      group = "tt_rss";
+    };
+  };
+  secrets.files = {
+    ttrss-db-password = {
+      text = tf.variables.ttrss-password.ref;
+      owner = "tt_rss";
+      group = "tt_rss";
+    };
+  };
+
+  deploy.tf.dns.records.services_ttrss = {
+    inherit (config.network.dns) zone;
+    domain = "rss";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  services.tt-rss = {
+    enable = true;
+    virtualHost = "rss.kittywit.ch";
+    selfUrlPath = "https://rss.kittywit.ch";
+
+    pluginPackages = [
+      pkgs.tt-rss-plugin-auth-ldap
+    ];
+    themePackages = [
+      pkgs.tt-rss-theme-feedly
+    ];
+    plugins = [
+      "auth_internal"
+      "auth_ldap"
+      "note"
+      "updater"
+      "api_feedreader"
+    ];
+
+    database = {
+      createLocally = true;
+      type = "pgsql";
+      host = "/run/postgresql";
+    };
+
+    extraConfig = ''
+      putenv('LDAP_DB_PASS=' . file_get_contents("${config.secrets.files.ttrss-db-password.path}"));
+      define('LDAP_AUTH_SERVER_URI', 'ldap://127.0.0.1:389/');
+      define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
+      define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', FALSE); // Allows untrusted certificate
+      define('LDAP_AUTH_BINDDN', 'cn=root,dc=kittywit,dc=ch');
+      define('LDAP_AUTH_BINDPW', file_get_contents('${config.secrets.files.ttrss-ldap-password.path}'));
+      define('LDAP_AUTH_BASEDN', 'ou=users,dc=kittywit,dc=ch');
+      define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
+      define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
+      // ??? will be replaced with the entered username(escaped) at login
+      define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(mail=???))');
+      // Optional configuration
+      define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
+      // Enable Debug Logging
+      define('LDAP_AUTH_DEBUG', TRUE);
+    '';
+  };
+
+  services.nginx = {
+    virtualHosts."rss.kittywit.ch" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}
--- a/config/services/vaultwarden/default.nix
+++ b/config/services/vaultwarden/default.nix
@ -10,7 +10,7 @@
  secrets.files.vaultwarden-env = {
    text = ''
      ADMIN_TOKEN=${tf.variables.vaultwarden-password.ref}
-      SMTP_HOST=kyouko.kittywit.ch
+      SMTP_HOST=daiyousei.kittywit.ch
      SMTP_FROM=vaultwarden@kittywit.ch
      SMTP_FROM_NAME=Vaultwarden
      SMTP_PORT=465
--- a/config/services/vikunja/default.nix
+++ b/config/services/vikunja/default.nix
@ -0,0 +1,105 @@
+{ config, pkgs, lib, tf, ... }: with lib;
+
+let
+  settings = {
+    database = {
+      inherit (config.services.vikunja.database) type host user database path;
+    };
+    service = {
+      frontendurl = "${config.services.vikunja.frontendScheme}://${config.services.vikunja.frontendHostname}/";
+      JWTSecret = tf.variables.vikunja-jwt.ref;
+      timezone = "Europe/London";
+    };
+    mailer = {
+      enabled = true;
+      host = "daiyousei.kittywit.ch";
+      port = 465;
+      forcessl = true;
+      username = "vikunja@kittywit.ch";
+      password = tf.variables.vikunja-email.ref;
+      fromemail = "vikunja@kittywit.ch";
+    };
+    files = {
+        basepath = "/var/lib/vikunja/files";
+    };
+    log.http = "off";
+    auth = {
+      local = {
+        enabled = false;
+      };
+      openid = {
+        enabled = true;
+        providers = [{
+          name = "keycloak";
+          authurl = "https://auth.kittywit.ch/auth/realms/kittywitch";
+          clientid = "vikunja";
+          clientsecret = tf.variables.vikunja-secret.ref;
+        }];
+      };
+    };
+  };
+in {
+
+  kw.secrets.variables = (mapListToAttrs
+    (field:
+      nameValuePair "vikunja-${field}" {
+        path = "secrets/vikunja";
+        inherit field;
+      }) [ "secret" "email" "jwt" ]);
+
+  secrets.files.vikunja-config = {
+    text = builtins.toJSON settings;
+    owner = "vikunja";
+    group = "vikunja";
+  };
+
+  deploy.tf.dns.records.services_vikunja = {
+    inherit (config.network.dns) zone;
+    domain = "todo";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  environment.etc."vikunja/config.yaml".source = mkForce config.secrets.files.vikunja-config.path;
+
+  services.vikunja = {
+    enable = true;
+    frontendScheme = "https";
+    frontendHostname = "todo.${config.network.dns.domain}";
+    database = {
+      type = "postgres";
+      user = "vikunja";
+      database = "vikunja";
+      host = "/run/postgresql";
+    };
+  };
+  services.nginx.virtualHosts."${config.services.vikunja.frontendHostname}" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "vikunja" ];
+    ensureUsers = [
+      { name = "vikunja";
+        ensurePermissions = { "DATABASE vikunja" = "ALL PRIVILEGES"; };
+      }
+    ];
+  };
+
+  systemd.services.vikunja-api = {
+    serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      User = "vikunja";
+      Group = "vikunja";
+    };
+  };
+
+  users.users.vikunja = {
+    description = "Vikunja Service";
+    createHome = false;
+    group = "vikunja";
+    isSystemUser = true;
+  };
+
+  users.groups.vikunja = {};
+}