services/filehost: Init.

config/services/filehost.nix

@@ -0,0 +1,189 @@
+{ config, lib, pkgs, tf, ... }: with lib; let
+  toKeyValue = generators.toKeyValue {
+    mkKeyValue = generators.mkKeyValueDefault {} " = ";
+  };
+  installerReplacement = pkgs.writeShellScriptBin "installer_replacement" ''
+       set -exu
+        if [[ ! -f "/var/lib/xbackbone/state/installed" ]]; then
+          mkdir -p /var/lib/xbackbone/files
+          mkdir -p /var/lib/xbackbone/www
+          mkdir -p /var/lib/xbackbone/state
+          cp -Lr ${pkgs.xbackbone}/* /var/lib/xbackbone/www
+          cp ${config.secrets.files.xbackbone-config.path} /var/lib/xbackbone/www/config.php
+          chmod -R 0770 /var/lib/xbackbone/www
+          chown -R xbackbone:nginx /var/lib/xbackbone/www
+          touch /var/lib/xbackbone/state/installed
+        fi
+  '';
+in {
+  kw.secrets.variables.xbackbone-ldap = {
+    path = "secrets/xbackbone";
+    field = "password";
+  };
+
+  secrets.files.xbackbone-config = {
+    text = ''
+<?php
+return [
+	'base_url' => 'https://files.kittywit.ch', // no trailing slash
+	'storage' => [
+		'driver' => 'local',
+		'path' => '/var/lib/xbackbone/files',
+	],
+	'db' => [
+		'connection' => 'sqlite', // current support for sqlite and mysql
+		'dsn' => '/var/lib/xbackbone/xbackbone.db', // if sqlite should be an absolute path
+		'username' => null, // username and password not needed for sqlite
+		'password' => null,
+        ],
+        'ldap' => [
+            'enabled' => true, // enable it
+            'schema' => 'ldaps', // use 'ldap' or 'ldaps' Default is 'ldap'
+            'host' => 'auth.kittywit.ch', // set the ldap host
+            'port' => 636, // ldap port
+            'base_domain' => 'ou=users,dc=kittywit,dc=ch', // the base_dn string
+            'search_filter' => '(&(|(uid=????)(mail=????))(objectClass=inetOrgPerson))', // ???? is replaced with user provided username
+            'rdn_attribute' => 'uid=', // the attribute to use as username
+            'service_account_dn' => 'cn=xbackbone,ou=services,dc=kittywit,dc=ch', // LDAP Service Account Full DN
+            'service_account_password' => "${tf.variables.xbackbone-ldap.ref}",
+        ]
+];
+  '';
+    owner = "xbackbone";
+    group = "xbackbone";
+    mode = "0440";
+  };
+
+  systemd.tmpfiles.rules = [
+    "v /var/lib/xbackbone 0770 xbackbone nginx"
+    "v /var/lib/xbackbone/files 0770 xbackbone nginx"
+  ];
+
+  users.users.xbackbone = {
+    isSystemUser = true;
+    group = "xbackbone";
+    home = "/var/lib/xbackbone";
+  };
+
+  users.groups.xbackbone.members = [
+    "xbackbone"
+    config.services.nginx.user
+  ];
+
+  systemd.services.xbackbone = {
+    after = [ "network.target" ];
+    wantedBy = [ "phpfpm-xbackbone.service" ];
+    script = "${installerReplacement}/bin/installer_replacement";
+    serviceConfig = {
+      User = "xbackbone";
+      Group = "nginx";
+      Type = "oneshot";
+      StateDirectory = "xbackbone";
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "files.${config.network.dns.domain}" = {
+      root = "/var/lib/xbackbone/www";
+      locations = {
+        "/" = {
+          extraConfig = ''
+            try_files $uri $uri/ /index.php?$query_string;
+          '';
+        };
+          "~ \\.php$" = {
+            extraConfig = ''
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              fastcgi_pass    unix:${config.services.phpfpm.pools.xbackbone.socket};
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_index   index.php;
+              fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+              fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+            '';
+          };
+        };
+        extraConfig = ''
+client_max_body_size 512M;
+index index.php index.html index.htm;
+error_page 404 /index.php;
+
+location /app {
+  return 403;
+}
+
+location /bin {
+  return 403;
+}
+
+location /bootstrap {
+  return 403;
+}
+
+location /resources {
+  return 403;
+}
+
+location /storage {
+  return 403;
+}
+
+location /vendor {
+  return 403;
+}
+
+location /logs {
+  return 403;
+}
+
+location CHANGELOG.md {
+  return 403;
+}
+        '';
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  services.phpfpm = {
+    pools.xbackbone = {
+      user = "xbackbone";
+      group = "nginx";
+      phpEnv = {
+        PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
+      };
+      settings = {
+        "pm" = "dynamic";
+        "pm.max_children" = "32";
+        "pm.start_servers" = "2";
+        "pm.min_spare_servers" = "2";
+        "pm.max_spare_servers" = "4";
+        "pm.max_requests" = "500";
+        "listen.owner" = "xbackbone";
+        "listen.group" = "xbackbone";
+      };
+      phpPackage = pkgs.php80.buildEnv {
+        extraConfig = toKeyValue {
+          upload_max_filesize = "512M";
+          post_max_size = "512M";
+          memory_limit = "512M";
+        };
+        extensions = { enabled, all }: (
+          with all;
+          enabled ++ [
+            sqlite3
+            intl
+            zip
+            ldap
+            gd
+          ]
+        );
+      };
+    };
+  };
+
+  deploy.tf.dns.records.services_filehost = {
+    inherit (config.network.dns) zone;
+    domain = "files";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+}

config/services/openldap/default.nix

@@ -59,20 +59,27 @@
               ''{0}to attrs=userPassword
                 by anonymous auth
                 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+                  by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
                 by self write
                 by * none''
                 ''{1}to dn.subtree="dc=kittywit,dc=ch"
                   by dn.exact="cn=root,dc=kittywit,dc=ch" manage
-                  by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read''
+                  by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
+                  by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+                  by dn.subtree="ou=users,dc=kittywit,dc=ch" read
+                ''
               ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch"
                    by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+                    by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
                    by dn.subtree="ou=users,dc=kittywit,dc=ch" read
+                   by dn.subtree="ou=services,dc=kittywit,dc=ch" read
                      by * none''
               ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
                    by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
                    by dn.subtree="ou=services,dc=kittywit,dc=ch" read
                      by * none''
-              ''{4}to * by * read''
+              ''{4}to attrs=mail by self read''
+              ''{5}to * by * read''
             ];
           };
         };

config/services/tt-rss.nix

@@ -63,7 +63,7 @@
       define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
       define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
       // ??? will be replaced with the entered username(escaped) at login
-      define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(mail=???))');
+      define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???))');
       // Optional configuration
       define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
       // Enable Debug Logging

nix/sources.json

@@ -89,10 +89,10 @@
         "homepage": null,
         "owner": "kittywitch",
         "repo": "nixexprs",
-        "rev": "2a5bc583c5d93448345e5bba0134ef2ac4eafb2e",
-        "sha256": "0yqlrf2yv3bsbvrdq6ijk4gpwpmmbg59q76xzk2f47xaahwaqxwq",
+        "rev": "2d97bec12deba01402b7189be5116b13b5b5e793",
+        "sha256": "05fngks2g2vgmwlw7amydxmv2zwf2rgzc7xnvf9h1crm99nndzd0",
         "type": "tarball",
-        "url": "https://github.com/kittywitch/nixexprs/archive/2a5bc583c5d93448345e5bba0134ef2ac4eafb2e.tar.gz",
+        "url": "https://github.com/kittywitch/nixexprs/archive/2d97bec12deba01402b7189be5116b13b5b5e793.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "niv": {

overlays/exprs

@@ -1 +1 @@
-Subproject commit 2a5bc583c5d93448345e5bba0134ef2ac4eafb2e
+Subproject commit 2d97bec12deba01402b7189be5116b13b5b5e793