From 480d5b4fcec921cc64dda3c01036b44a6e821b82 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Sat, 18 Sep 2021 03:31:54 +0100
Subject: [PATCH] services/filehost: Init.

---
 config/services/filehost.nix | 189 +++++++++++++++++++++++++++
 config/services/openldap/default.nix | 11 +-
 config/services/tt-rss.nix | 2 +-
 nix/sources.json | 6 +-
 overlays/exprs | 2 +-
 5 files changed, 203 insertions(+), 7 deletions(-)
 create mode 100644 config/services/filehost.nix

diff --git a/config/services/filehost.nix b/config/services/filehost.nix
new file mode 100644
index 00000000..f1bc07a3
--- /dev/null
+++ b/config/services/filehost.nix
@@ -0,0 +1,189 @@ +{ config, lib, pkgs, tf, ... }: with lib; let + toKeyValue = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault {} " = "; + }; + installerReplacement = pkgs.writeShellScriptBin "installer_replacement" '' + set -exu + if [[ ! -f "/var/lib/xbackbone/state/installed" ]]; then + mkdir -p /var/lib/xbackbone/files + mkdir -p /var/lib/xbackbone/www + mkdir -p /var/lib/xbackbone/state + cp -Lr ${pkgs.xbackbone}/* /var/lib/xbackbone/www + cp ${config.secrets.files.xbackbone-config.path} /var/lib/xbackbone/www/config.php + chmod -R 0770 /var/lib/xbackbone/www + chown -R xbackbone:nginx /var/lib/xbackbone/www + touch /var/lib/xbackbone/state/installed + fi + ''; +in { + kw.secrets.variables.xbackbone-ldap = { + path = "secrets/xbackbone"; + field = "password"; + }; + + secrets.files.xbackbone-config = { + text = '' + 'https://files.kittywit.ch', // no trailing slash + 'storage' => [ + 'driver' => 'local', + 'path' => '/var/lib/xbackbone/files', + ], + 'db' => [ + 'connection' => 'sqlite', // current support for sqlite and mysql + 'dsn' => '/var/lib/xbackbone/xbackbone.db', // if sqlite should be an absolute path + 'username' => null, // username and password not needed for sqlite + 'password' => null, + ], + 'ldap' => [ + 'enabled' => true, // enable it + 'schema' => 'ldaps', // use 'ldap' or 'ldaps' Default is 'ldap' + 'host' => 'auth.kittywit.ch', // set the ldap host + 'port' => 636, // ldap port + 'base_domain' => 'ou=users,dc=kittywit,dc=ch', // the base_dn string + 'search_filter' => '(&(|(uid=????)(mail=????))(objectClass=inetOrgPerson))', // ???? 
is replaced with user provided username + 'rdn_attribute' => 'uid=', // the attribute to use as username + 'service_account_dn' => 'cn=xbackbone,ou=services,dc=kittywit,dc=ch', // LDAP Service Account Full DN + 'service_account_password' => "${tf.variables.xbackbone-ldap.ref}", + ] +]; + ''; + owner = "xbackbone"; + group = "xbackbone"; + mode = "0440"; + }; + + systemd.tmpfiles.rules = [ + "v /var/lib/xbackbone 0770 xbackbone nginx" + "v /var/lib/xbackbone/files 0770 xbackbone nginx" + ]; + + users.users.xbackbone = { + isSystemUser = true; + group = "xbackbone"; + home = "/var/lib/xbackbone"; + }; + + users.groups.xbackbone.members = [ + "xbackbone" + config.services.nginx.user + ]; + + systemd.services.xbackbone = { + after = [ "network.target" ]; + wantedBy = [ "phpfpm-xbackbone.service" ]; + script = "${installerReplacement}/bin/installer_replacement"; + serviceConfig = { + User = "xbackbone"; + Group = "nginx"; + Type = "oneshot"; + StateDirectory = "xbackbone"; + }; + }; + + services.nginx.virtualHosts = { + "files.${config.network.dns.domain}" = { + root = "/var/lib/xbackbone/www"; + locations = { + "/" = { + extraConfig = '' + try_files $uri $uri/ /index.php?$query_string; + ''; + }; + "~ \\.php$" = { + extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_pass unix:${config.services.phpfpm.pools.xbackbone.socket}; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + ''; + }; + }; + extraConfig = '' +client_max_body_size 512M; +index index.php index.html index.htm; +error_page 404 /index.php; + +location /app { + return 403; +} + +location /bin { + return 403; +} + +location /bootstrap { + return 403; +} + +location /resources { + return 403; +} + +location /storage { + return 403; +} + +location /vendor { + return 403; +} + +location /logs { + return 403; +} + +location CHANGELOG.md { + return 403; +} 
+ ''; + enableACME = true; + forceSSL = true; + }; + }; + + services.phpfpm = { + pools.xbackbone = { + user = "xbackbone"; + group = "nginx"; + phpEnv = { + PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; + }; + settings = { + "pm" = "dynamic"; + "pm.max_children" = "32"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "2"; + "pm.max_spare_servers" = "4"; + "pm.max_requests" = "500"; + "listen.owner" = "xbackbone"; + "listen.group" = "xbackbone"; + }; + phpPackage = pkgs.php80.buildEnv { + extraConfig = toKeyValue { + upload_max_filesize = "512M"; + post_max_size = "512M"; + memory_limit = "512M"; + }; + extensions = { enabled, all }: ( + with all; + enabled ++ [ + sqlite3 + intl + zip + ldap + gd + ] + ); + }; + }; + }; + + deploy.tf.dns.records.services_filehost = { + inherit (config.network.dns) zone; + domain = "files"; + cname = { inherit (config.network.addresses.public) target; }; + }; +} diff --git a/config/services/openldap/default.nix b/config/services/openldap/default.nix index 57026046..f4a87484 100644 --- a/config/services/openldap/default.nix +++ b/config/services/openldap/default.nix 
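Review bot: The `return 403` prefix locations in the vhost's extraConfig (`location /app`, `/bin`, `/bootstrap`, `/resources`, `/storage`, `/vendor`, `/logs`) are not final: nginx still evaluates regex locations after picking the longest prefix match, so a request for a `.php` path beneath one of those prefixes falls through to the `~ \.php$` block and is handed to PHP-FPM instead of being denied. Adding the `^~` modifier, e.g. `location ^~ /vendor { return 403; }`, makes the prefix match terminal, and `location CHANGELOG.md` matches nothing because request URIs start with `/`, so it should read `location = /CHANGELOG.md { return 403; }`. Separately, `installer_replacement` copies `${pkgs.xbackbone}` into `/var/lib/xbackbone/www` only while the `installed` marker is absent, so later package updates (including security fixes) never reach the served copy, and the trailing `chmod -R 0770` leaves the entire web root, `config.php` with the LDAP service-account password included, group-writable by `nginx`. Consider refreshing the `www` copy on every start (or serving from the store) and limiting writable paths to `files`, `state`, the sqlite db and whatever the app actually writes under the web root (the `location /logs` block suggests `logs/`).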
@@ -59,20 +59,27 @@ ''{0}to attrs=userPassword by anonymous auth by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read + by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read by self write by * none'' ''{1}to dn.subtree="dc=kittywit,dc=ch" by dn.exact="cn=root,dc=kittywit,dc=ch" manage - by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read'' + by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read + by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read + by dn.subtree="ou=users,dc=kittywit,dc=ch" read + '' ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch" by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read + by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read by dn.subtree="ou=users,dc=kittywit,dc=ch" read + by dn.subtree="ou=services,dc=kittywit,dc=ch" read by * none'' ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch" by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read by dn.subtree="ou=services,dc=kittywit,dc=ch" read by * none'' - ''{4}to * by * read'' + ''{4}to attrs=mail by self read'' + ''{5}to * by * read'' ]; }; }; diff --git a/config/services/tt-rss.nix b/config/services/tt-rss.nix index 57787b0b..0182faba 100644 --- a/config/services/tt-rss.nix +++ b/config/services/tt-rss.nix @@ -63,7 +63,7 @@ define('LDAP_AUTH_LOGIN_ATTRIB', 'mail'); define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); // ??? will be replaced with the entered username(escaped) at login - define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(mail=???))'); + define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???))'); // Optional configuration define('LDAP_AUTH_LOG_ATTEMPTS', TRUE); // Enable Debug Logging diff --git a/nix/sources.json b/nix/sources.json index ebdfd6e6..9a57e174 100644 --- a/nix/sources.json +++ b/nix/sources.json 
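Review bot: The `by dn.subtree="ou=users,dc=kittywit,dc=ch" read` clause added to rule `{1}` (`to dn.subtree="dc=kittywit,dc=ch"`) gives every account under `ou=users` read access to every entry and attribute in the whole tree, `ou=services` included, which is wider than the per-OU rules below it suggest. If I read olcAccess first-match semantics right, `{1}` already matches every entry under the base (only `userPassword` is caught earlier by `{0}`), so the new `{4}to attrs=mail by self read` is never reached for those entries and the restriction it expresses has no effect; attribute-scoped rules need to precede the subtree-wide one to matter, bearing in mind the xbackbone service account then still needs `search` on `mail` for its `(mail=????)` filter. The `read` on `attrs=userPassword` granted to `cn=xbackbone` in `{0}` also looks broader than necessary: if XBackBone binds as the user after the service-account search, `auth` (already granted to `anonymous` on the same line) suffices and the hash never needs to be readable. The enclosing `access` list begins before the hunk.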
@@ -89,10 +89,10 @@ "homepage": null, "owner": "kittywitch", "repo": "nixexprs", - "rev": "2a5bc583c5d93448345e5bba0134ef2ac4eafb2e", - "sha256": "0yqlrf2yv3bsbvrdq6ijk4gpwpmmbg59q76xzk2f47xaahwaqxwq", + "rev": "2d97bec12deba01402b7189be5116b13b5b5e793", + "sha256": "05fngks2g2vgmwlw7amydxmv2zwf2rgzc7xnvf9h1crm99nndzd0", "type": "tarball", - "url": "https://github.com/kittywitch/nixexprs/archive/2a5bc583c5d93448345e5bba0134ef2ac4eafb2e.tar.gz", + "url": "https://github.com/kittywitch/nixexprs/archive/2d97bec12deba01402b7189be5116b13b5b5e793.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "niv": { diff --git a/overlays/exprs b/overlays/exprs index 2a5bc583..2d97bec1 160000 --- a/overlays/exprs +++ b/overlays/exprs @@ -1 +1 @@ -Subproject commit 2a5bc583c5d93448345e5bba0134ef2ac4eafb2e +Subproject commit 2d97bec12deba01402b7189be5116b13b5b5e793