From 2df501fe19203f0b31769444477947f2bfc5f512 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Fri, 17 Sep 2021 20:37:26 +0100
Subject: [PATCH] services/{vikunja,tt-rss}: init, mail: services ldap, gitea: oauth
---
 config/hosts/daiyousei.nix | 2 +
 config/services/gitea/default.nix | 6 +-
 config/services/mail/dovecot.nix | 28 +++++++
 config/services/mail/postfix.nix | 17 +++-
 config/services/openldap/default.nix | 6 +-
 config/services/openldap/services.ldif | 5 ++
 config/services/tt-rss.nix | 80 ++++++++++++++++++
 config/services/vaultwarden/default.nix | 2 +-
 config/services/vikunja/default.nix | 105 ++++++++++++++++++++++++
 9 files changed, 247 insertions(+), 4 deletions(-)
 create mode 100644 config/services/openldap/services.ldif
 create mode 100644 config/services/tt-rss.nix
 create mode 100644 config/services/vikunja/default.nix
diff --git a/config/hosts/daiyousei.nix b/config/hosts/daiyousei.nix
index fd3d5b06..7aba4ad4 100644
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@@ -5,6 +5,8 @@
 profiles.network
 services.nginx
 services.keycloak
+ services.vikunja
+ services.tt-rss
 services.roundcube
 services.openldap
 services.mail
diff --git a/config/services/gitea/default.nix b/config/services/gitea/default.nix
index 83bb64b3..bc5b2ff3 100644
--- a/config/services/gitea/default.nix
+++ b/config/services/gitea/default.nix
@@ -42,10 +42,14 @@
 settings = {
 security = { DISABLE_GIT_HOOKS = false; };
 api = { ENABLE_SWAGGER = true; };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
 mailer = {
 ENABLED = true;
 SUBJECT = "%(APP_NAME)s";
- HOST = "kyouko.kittywit.ch:465";
+ HOST = "daiyousei.kittywit.ch:465";
 USER = "gitea@kittywit.ch";
 #SEND_AS_PLAIN_TEXT = true;
 USE_SENDMAIL = false;
diff --git a/config/services/mail/dovecot.nix b/config/services/mail/dovecot.nix
index f8b878d6..6e501283 100644
--- a/config/services/mail/dovecot.nix
+++ b/config/services/mail/dovecot.nix
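Review bot: `ENABLE_OPENID_SIGNUP = true` lets anyone with an account at any OpenID provider self-register on this Gitea, because the new `[openid]` block whitelists no providers; as far as I recall Gitea's `[openid]` section is also the legacy OpenID 2.0 login, not the OAuth2/OIDC source the subject line ("gitea: oauth") suggests, which is added as an authentication source for the Keycloak realm in the admin UI rather than here. If OpenID 2.0 sign-in is really wanted, pin it to the home IdP with `WHITELISTED_URIS = auth.kittywit.ch` and consider `ENABLE_OPENID_SIGNUP = false` so only existing accounts can link; otherwise drop the block. The `settings` attribute set continues outside the hunk.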
@@ -19,6 +19,25 @@ let
 scope = subtree
 default_pass_scheme = SSHA
 '';
+ ldapConfig-services = pkgs.writeText "dovecot-ldap.conf" ''
+ uris = ldaps://auth.kittywit.ch:636
+ dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch
+ dnpass = "@ldap-password@"
+ auth_bind = no
+ ldap_version = 3
+ base = ou=services,dc=kittywit,dc=ch
+ user_filter = (&(objectClass=mailAccount)(mail=%u))
+ user_attrs = \
+ quota=quota_rule=*:bytes=%$, \
+ =home=/var/vmail/%d/%n/, \
+ =mail=maildir:/var/vmail/%d/%n/Maildir
+ pass_attrs = mail=user,userPassword=password
+ pass_filter = (&(objectClass=mailAccount)(mail=%u))
+ iterate_attrs = =user=%{ldap:mail}
+ iterate_filter = (objectClass=mailAccount)
+ scope = subtree
+ default_pass_scheme = SSHA
+ '';
 in {
 security.acme.certs.dovecot_domains = {
@@ -100,10 +119,18 @@ in
 args = /run/dovecot2/ldap.conf
 driver = ldap
 }
+ userdb {
+ args = /run/dovecot2/ldap-services.conf
+ driver = ldap
+ }
 passdb {
 args = /run/dovecot2/ldap.conf
 driver = ldap
 }
+ passdb {
+ args = /run/dovecot2/ldap-services.conf
+ driver = ldap
+ }
 service imap-login {
 client_limit = 1000
@@ -168,6 +195,7 @@ in
 systemd.services.dovecot2.preStart = ''
 sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig} > /run/dovecot2/ldap.conf
+ sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig-services} > /run/dovecot2/ldap-services.conf
 '';
 networking.firewall.allowedTCPPorts = [
diff --git a/config/services/mail/postfix.nix b/config/services/mail/postfix.nix
index 4bc7abed..1cf2564d 100644
--- a/config/services/mail/postfix.nix
+++ b/config/services/mail/postfix.nix
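Review bot: The services passdb/userdb builds the mailbox path from the same `/var/vmail/%d/%n/` template as the users config, so an entry under `ou=services` whose `mail` attribute equals a human account's address would authenticate through the second passdb and land in that person's Maildir; nothing in this hunk keeps the two subtrees from overlapping, and whether the directory enforces uniqueness of `mail` across OUs is not visible here. If service mailboxes are meant to stay separate, give them their own root, e.g. `=home=/var/vmail/services/%d/%n/,` and `=mail=maildir:/var/vmail/services/%d/%n/Maildir`, or guarantee the uniqueness on the LDAP side. Note also that `auth_bind = no` together with `userPassword=password` means `cn=dovecot` reads the SSHA hashes for this subtree itself, which is what the ACL change elsewhere in this commit has to allow. The `let` block this config sits in starts before the hunk.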
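Review bot: The added `sed` line splices the bind password into a sed replacement unescaped, so a secret containing `!`, `&` or `\` either breaks the expression or is silently rewritten (`&` expands to the matched `@ldap-password@`), and the mistake only shows up later as a failed LDAP bind; the line above has the same weakness, but the commit now repeats it. Read the secret into a shell variable once and escape those three characters with bash `${var//…/…}` substitutions (spelled `''${` inside the Nix string) before both sed calls, or render the file with a tool that does literal replacement. `/run/dovecot2/ldap-services.conf` holds the bind password, so the preStart's umask or an explicit `chmod 600` must keep it private — that is not visible in this hunk. The enclosing attribute set continues outside the hunk.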
@@ -56,6 +56,21 @@ in {
 group = "postfix";
 };
+ accountsmap-services-ldap = {
+ text = ''
+ server_host = ${ldaps}
+ search_base = ou=services,dc=kittywit,dc=ch
+ query_filter = (&(objectClass=mailAccount)(mail=%s))
+ result_attribute = mail
+ version = 3
+ bind = yes
+ bind_dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch
+ bind_pw = ${tf.variables.postfix-ldap-password.ref}
+ '';
+ owner = "postfix";
+ group = "postfix";
+ };
+
 aliases-ldap = {
 text = ''
 server_host = ${ldaps}
@@ -104,7 +119,7 @@ in {
 mailbox_transport = lmtp:unix:private/dovecot-lmtp
 masquerade_domains = ldap:${config.secrets.files.domains-ldap.path}
 virtual_mailbox_domains = ldap:${config.secrets.files.domains-ldap.path}
- virtual_alias_maps = ldap:${config.secrets.files.accountsmap-ldap.path},ldap:${config.secrets.files.aliases-ldap.path},regexp:/var/lib/postfix/conf/virtual-regex
+ virtual_alias_maps = ldap:${config.secrets.files.accountsmap-ldap.path},ldap:${config.secrets.files.accountsmap-services-ldap.path},ldap:${config.secrets.files.aliases-ldap.path},regexp:/var/lib/postfix/conf/virtual-regex
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/run/rspamd/rspamd-milter.sock
 non_smtpd_milters = unix:/run/opendkim/opendkim.sock
diff --git a/config/services/openldap/default.nix b/config/services/openldap/default.nix
index ed049d0d..57026046 100644
--- a/config/services/openldap/default.nix
+++ b/config/services/openldap/default.nix
@@ -68,7 +68,11 @@
 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
 by dn.subtree="ou=users,dc=kittywit,dc=ch" read
 by * none''
- ''{3}to * by * read''
+ ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
+ by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+ by dn.subtree="ou=services,dc=kittywit,dc=ch" read
+ by * none''
+ ''{4}to * by * read''
 ];
 };
 };
diff --git a/config/services/openldap/services.ldif b/config/services/openldap/services.ldif
new file mode 100644
index 00000000..40997d8f
--- /dev/null
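Review bot: The new map binds as `cn=dovecot,dc=mail,dc=kittywit,dc=ch` (with a secret named `postfix-ldap-password`), so Postfix reuses the Dovecot service identity — the one identity the ACL added in this commit lets read the whole `ou=services` subtree, `userPassword` included unless an earlier rule restricts it, while a recipient-validation lookup only ever needs `mail` and `objectClass`. Give Postfix its own account with read on those attributes and use it here, `bind_dn = cn=postfix,dc=mail,dc=kittywit,dc=ch`, so a leak of the Postfix credential does not expose password hashes; if the existing `accountsmap-ldap` (outside the hunk) binds the same way, the same change applies there. The `secrets.files` set continues outside the hunk.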
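Review bot: `by dn.subtree="ou=services,dc=kittywit,dc=ch" read` grants every service account read on every other service entry, all attributes included, so `userPassword` hashes of sibling services are readable by any of them unless one of rules `{0}`–`{2}` (only the tail of `{2}` is in the hunk) already matches `attrs=userPassword` first. A service account only needs its own entry, so `by self read` is the least-privilege form of that line; if cross-service enumeration is really wanted, put an explicit `to dn.subtree="ou=services,dc=kittywit,dc=ch" attrs=userPassword by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read by self write by anonymous auth by * none` rule ahead of it (drop `self write` if rotation is managed centrally). `cn=dovecot` does need the hash, since the Dovecot config in this commit verifies SSHA itself with `auth_bind = no`. The `olcAccess` list starts before the hunk.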
+++ b/config/services/openldap/services.ldif
@@ -0,0 +1,5 @@
+dn: ou=services,dc=kittywit,dc=ch
+objectClass: top
+objectClass: organizationalUnit
+description: kittywitch
+ou: services
diff --git a/config/services/tt-rss.nix b/config/services/tt-rss.nix
new file mode 100644
index 00000000..57787b0b
--- /dev/null
+++ b/config/services/tt-rss.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, lib, tf, ... }: with lib; {
+ kw.secrets.variables = mapListToAttrs
+ (field:
+ nameValuePair "ttrss-${field}" {
+ path = "secrets/ttrss";
+ inherit field;
+ }) [ "password" "ldap" ];
+
+ secrets.files = {
+ ttrss-ldap-password = {
+ text = tf.variables.ttrss-ldap.ref;
+ owner = "tt_rss";
+ group = "tt_rss";
+ };
+ };
+ secrets.files = {
+ ttrss-db-password = {
+ text = tf.variables.ttrss-password.ref;
+ owner = "tt_rss";
+ group = "tt_rss";
+ };
+ };
+
+ deploy.tf.dns.records.services_ttrss = {
+ inherit (config.network.dns) zone;
+ domain = "rss";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ services.tt-rss = {
+ enable = true;
+ virtualHost = "rss.kittywit.ch";
+ selfUrlPath = "https://rss.kittywit.ch";
+
+ pluginPackages = [
+ pkgs.tt-rss-plugin-auth-ldap
+ ];
+ themePackages = [
+ pkgs.tt-rss-theme-feedly
+ ];
+ plugins = [
+ "auth_internal"
+ "auth_ldap"
+ "note"
+ "updater"
+ "api_feedreader"
+ ];
+
+ database = {
+ createLocally = true;
+ type = "pgsql";
+ host = "/run/postgresql";
+ };
+
+ extraConfig = ''
+ putenv('LDAP_DB_PASS=' . file_get_contents("${config.secrets.files.ttrss-db-password.path}"));
+ define('LDAP_AUTH_SERVER_URI', 'ldap://127.0.0.1:389/');
+ define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
+ define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', FALSE); // Allows untrusted certificate
+ define('LDAP_AUTH_BINDDN', 'cn=root,dc=kittywit,dc=ch');
+ define('LDAP_AUTH_BINDPW', file_get_contents('${config.secrets.files.ttrss-ldap-password.path}'));
+ define('LDAP_AUTH_BASEDN', 'ou=users,dc=kittywit,dc=ch');
+ define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
+ define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
+ // ???
will be replaced with the entered username(escaped) at login
+ define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(mail=???))');
+ // Optional configuration
+ define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
+ // Enable Debug Logging
+ define('LDAP_AUTH_DEBUG', TRUE);
+ '';
+ };
+
+ services.nginx = {
+ virtualHosts."rss.kittywit.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+}
diff --git a/config/services/vaultwarden/default.nix b/config/services/vaultwarden/default.nix
index cc87d4d7..951cfa59 100644
--- a/config/services/vaultwarden/default.nix
+++ b/config/services/vaultwarden/default.nix
@@ -10,7 +10,7 @@
 secrets.files.vaultwarden-env = {
 text = ''
 ADMIN_TOKEN=${tf.variables.vaultwarden-password.ref}
- SMTP_HOST=kyouko.kittywit.ch
+ SMTP_HOST=daiyousei.kittywit.ch
 SMTP_FROM=vaultwarden@kittywit.ch
 SMTP_FROM_NAME=Vaultwarden
 SMTP_PORT=465
diff --git a/config/services/vikunja/default.nix b/config/services/vikunja/default.nix
new file mode 100644
index 00000000..9cced937
--- /dev/null
+++ b/config/services/vikunja/default.nix
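Review bot: `LDAP_AUTH_BINDDN` is `cn=root,dc=kittywit,dc=ch`, which by its name is the directory's rootdn, so the PHP front-end holds a credential that bypasses every ACL this commit tightens — one bug in the web app hands an attacker read/write over the whole DIT, not just `ou=users`. Bind with a dedicated read-only account instead, e.g. `define('LDAP_AUTH_BINDDN', 'cn=ttrss,dc=mail,dc=kittywit,dc=ch');` granted read on `ou=users` the way `cn=dovecot` is, and wrap both `file_get_contents()` calls in `trim()` so a trailing newline in the secret file does not turn into a failed bind. `LDAP_AUTH_DEBUG = TRUE` and `LDAP_AUTH_LOG_ATTEMPTS = TRUE` also ship enabled, so the plugin will log every login attempt with the entered identifier into the tt-rss log; turn debug off once the setup works. Style: `secrets.files` is declared twice as separate attribute sets — the module system merges them, but a single set holding both entries reads more clearly.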
@@ -0,0 +1,105 @@
+{ config, pkgs, lib, tf, ... }: with lib;
+
+let
+ settings = {
+ database = {
+ inherit (config.services.vikunja.database) type host user database path;
+ };
+ service = {
+ frontendurl = "${config.services.vikunja.frontendScheme}://${config.services.vikunja.frontendHostname}/";
+ JWTSecret = tf.variables.vikunja-jwt.ref;
+ timezone = "Europe/London";
+ };
+ mailer = {
+ enabled = true;
+ host = "daiyousei.kittywit.ch";
+ port = 465;
+ forcessl = true;
+ username = "vikunja@kittywit.ch";
+ password = tf.variables.vikunja-email.ref;
+ fromemail = "vikunja@kittywit.ch";
+ };
+ files = {
+ basepath = "/var/lib/vikunja/files";
+ };
+ log.http = "off";
+ auth = {
+ local = {
+ enabled = false;
+ };
+ openid = {
+ enabled = true;
+ providers = [{
+ name = "keycloak";
+ authurl = "https://auth.kittywit.ch/auth/realms/kittywitch";
+ clientid = "vikunja";
+ clientsecret = tf.variables.vikunja-secret.ref;
+ }];
+ };
+ };
+ };
+in {
+
+ kw.secrets.variables = (mapListToAttrs
+ (field:
+ nameValuePair "vikunja-${field}" {
+ path = "secrets/vikunja";
+ inherit field;
+ }) [ "secret" "email" "jwt" ]);
+
+ secrets.files.vikunja-config = {
+ text = builtins.toJSON settings;
+ owner = "vikunja";
+ group = "vikunja";
+ };
+
+ deploy.tf.dns.records.services_vikunja = {
+ inherit (config.network.dns) zone;
+ domain = "todo";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ environment.etc."vikunja/config.yaml".source = mkForce config.secrets.files.vikunja-config.path;
+
+ services.vikunja = {
+ enable = true;
+ frontendScheme = "https";
+ frontendHostname = "todo.${config.network.dns.domain}";
+ database = {
+ type = "postgres";
+ user = "vikunja";
+ database = "vikunja";
+ host = "/run/postgresql";
+ };
+ };
+ services.nginx.virtualHosts."${config.services.vikunja.frontendHostname}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "vikunja" ];
+ ensureUsers = [
+ { name = "vikunja";
ensurePermissions = { "DATABASE vikunja" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+
+ systemd.services.vikunja-api = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "vikunja";
+ Group = "vikunja";
+ };
+ };
+
+ users.users.vikunja = {
+ description = "Vikunja Service";
+ createHome = false;
+ group = "vikunja";
+ isSystemUser = true;
+ };
+
+ users.groups.vikunja = {};
+}
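Review bot: Forcing `DynamicUser = false` on `vikunja-api` so it can run as the static `vikunja` user that owns the config secret also throws away the sandboxing that `DynamicUser=yes` implies — `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC` and `NoNewPrivileges` — so the unit now runs with plain defaults unless the upstream module sets them on its own (not visible here). Either restore those directives explicitly next to `User`/`Group`, with `ReadWritePaths` for the `/var/lib/vikunja/files` basepath the config declares, or keep `DynamicUser` and pass the rendered config through `LoadCredential=` instead of an `/etc` symlink to a user-owned file. Separately, `log.http = "off"` disables the API access log, which is the first thing you reach for during an incident; consider leaving it on. The fence holds the restored hardening.

```nix
      # … unchanged: DynamicUser/User settings above …
      Group = "vikunja";
      # DynamicUser=yes implied these; restore them now that it is forced off.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      RemoveIPC = true;
      ReadWritePaths = [ "/var/lib/vikunja" ];
```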