diff --git a/applications/email.nix b/applications/email.nix index 76c2117..9293279 100644 --- a/applications/email.nix +++ b/applications/email.nix @@ -1,6 +1,15 @@ { config, pkgs, lib, ...}: with lib; let cfg = config.services.skynet_email; + + # create teh new strings + create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); + + create_filter_join = (x: concatStringsSep "" x); + + # thought you could escape racket? + create_filter = (groups: create_filter_join (create_filter_array groups) ); + in { imports = [ @@ -31,7 +40,7 @@ domain = mkOption { type = types.str; - default = "ulcompsoc.ie"; + default = "skynet.ie"; description = lib.mdDoc "domaino"; }; @@ -41,6 +50,19 @@ description = lib.mdDoc "mailserver subdomain"; }; + groups = mkOption { + type = types.listOf types.str; + default = [ + # general skynet users + "skynet-users" + # C&S folsk get access + "skynet-cns" + # skynet service accounts + "skynet-service" + ]; + description = lib.mdDoc "Groups we want to allow access to the email"; + }; + ldap = { hosts = mkOption { type = types.listOf types.str; @@ -69,7 +91,6 @@ }; }; - }; config = mkIf cfg.enable { @@ -102,12 +123,8 @@ cfg.domain ]; - #hierarchySeparator = "/"; - - # 100MB max size - messageSizeLimit = 100000000; - - #localDnsResolver = false; + # 20MB max size + messageSizeLimit = 20000000; ldap = { enable = true; 
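Review bot: `create_filter` returns only the bare concatenation of `(memberOf=…)` clauses, so the `(|…)` wrapper and the empty-list behaviour live in its caller: with `cfg.groups = []` the caller ends up with `(|)`, which an RFC 4526 server treats as absolute false (nobody can authenticate) and an older server rejects as a malformed filter. Either way it fails closed, which is the right direction, but the helper should say so: `# yields "" for an empty list; the caller's (|...) then matches nobody`. The three bindings also collapse to one without changing the result, `create_filter = groups: concatStringsSep "" (map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})") groups);`, and `teh` in the first comment should read `the`.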
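Review bot: The `groups` option is `types.listOf types.str`, and each element is interpolated verbatim into the Dovecot LDAP filter built from it, so a value containing `)`, `*` or `\` changes the filter instead of naming a group. This is admin-supplied configuration rather than a user-controlled injection path, but a typo then surfaces as an opaque authentication failure at runtime instead of at evaluation; `type = types.listOf (types.strMatching "[A-Za-z0-9_-]+");` moves that to build time. Also `folsk` should read `folks` in the C&S comment.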
@@ -116,37 +133,25 @@ dn = cfg.ldap.bind_dn; passwordFile = config.age.secrets.ldap_pw.path; }; + searchBase = cfg.ldap.searchBase; searchScope = "sub"; - dovecot = { - #userAttrs = "uidNumber=uid,gidNumber=gid,skMail=mail"; - # use the set email account - #userFilter = "(&(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))(uid=%n))"; - #userFilter = "(&(objectClass=posixAccount)(uid=%u))"; userFilter = "(skMail=%u)"; - # "fix" until userAttrs is fixed - #passAttrs = ''uid=user,userPassword=password - #user_attrs = uidNumber=uid,gidNumber=gid,mail=/var/vmail/%u/%d - #''; - passFilter = "(skMail=%u)"; + # accept emails in, but only allow access to paid up members + passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))"; }; postfix = { - filter = "(skMail=%s)"; - - # these may be reversed??? - # https://gist.github.com/calbrecht/bca39174f39a74e52a6d05bf630ad495 + filter = "(|(skMail=%s)(uid=%s))"; uidAttribute = "skMail"; mailAttribute = "skMail"; }; - }; - # feckin spammers rejectRecipients = [ diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix index 4458b0b..0728d8c 100644 --- a/applications/games/minecraft.nix +++ b/applications/games/minecraft.nix @@ -64,6 +64,7 @@ # gsoc.minecraft.games.skynet.ie "gsoc.${cfg.domain.sub} CNAME ${cfg.host.name}" + "gsoc_abridged.${cfg.domain.sub} CNAME ${cfg.host.name}" ]; }; @@ -107,7 +108,7 @@ ports = [ "25565:25565/tcp" ]; expose = [ "25565" ]; command = [ - "--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002" + "--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003" ]; }; diff --git a/applications/restic.nix b/applications/restic.nix index 32cd827..ee858aa 100644 --- a/applications/restic.nix +++ b/applications/restic.nix 
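Review bot: The group gate is enforced only in `passFilter`, so it decides who may log in while `userFilter` stays open for delivery, which matches the "accept emails in" comment, but the comment should also state when the gate applies: Dovecot evaluates the passdb at authentication time, so removing a member from `skynet-users` does not terminate an IMAP session that is already open, and an empty `cfg.groups` produces `(|)`, absolute false under RFC 4526, which locks everyone out. Suggested comment above `passFilter`: `# group check applies at login only: open sessions outlive a group removal; an empty groups list locks everyone out`. `cfg.ldap.searchBase` is read here but its option declaration is not in this diff — confirm it is declared, otherwise evaluation fails. The enclosing `ldap = { … }` attrset begins before this hunk.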
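Review bot: The new CNAME owner `gsoc_abridged` contains an underscore, which DNS itself permits but RFC 1123 host names do not; some resolvers and clients refuse such names, so the record may not be usable everywhere, and the mc-router mapping below keys on the same string. `gsoc-abridged` avoids the question, e.g. `"gsoc-abridged.${cfg.domain.sub} CNAME ${cfg.host.name}"`, with the matching rename in the `--mapping` entry.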
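Review bot: The new `--mapping` value lists `gsoc.${short_domain}=mc_config:20002` twice; at best the duplicate is ignored, and depending on how the router parses repeated keys it may be rejected or shadow the earlier entry. Drop the second copy: `"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003"`. The `command` list and its enclosing container definition start before this hunk.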
@@ -39,7 +39,7 @@ { name = value.config.services.skynet_backup.host.name; value = base // { - repositoryFile = "${destination}/${value.config.services.skynet_backup.host.name}"; + repositoryFile = "/etc/skynet/restic/${value.config.services.skynet_backup.host.name}"; backupPrepareCommand = '' #!${pkgs.stdenv.shell} diff --git a/flake.lock b/flake.lock index c1003f7..1ebe789 100644 --- a/flake.lock +++ b/flake.lock @@ -280,11 +280,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1684569145, - "narHash": "sha256-Dr8KAgjiGuigTgEp7zFO08zPA5o0RxzoPad+oDtg/G0=", + "lastModified": 1688416558, + "narHash": "sha256-v9UudcBYAHssB+e6Mip+5dOClFlPwy80wJjbpUMomJk=", "owner": "mweinelt", "repo": "nixos-mailserver", - "rev": "5d13cf0550bd5b201b28f116acc5f4b19dd5d753", + "rev": "a1c985f325300fc8bca3e8dfe5a9676c10ab1055", "type": "gitlab" }, "original": { diff --git a/machines/agentjones.nix b/machines/agentjones.nix index 8a6d46f..c2e52eb 100644 --- a/machines/agentjones.nix +++ b/machines/agentjones.nix @@ -50,7 +50,7 @@ in { eno2 = { ipv4.addresses = [ { - address = "193.1.99.72"; + address = ip_pub; prefixLength = 26; } ]; @@ -60,7 +60,7 @@ in { ipv4.addresses = [ { # internal address - address = "193.1.99.125"; + address = ip_priv; prefixLength = 26; } ]; diff --git a/machines/gir.nix b/machines/gir.nix index 9886c6b..5b28030 100644 --- a/machines/gir.nix +++ b/machines/gir.nix @@ -53,5 +53,7 @@ in { # the name is used for dns name = name; }; + + domain = "ulcompsoc.ie"; }; } diff --git a/machines/hardware/RM007.nix b/machines/hardware/RM007.nix new file mode 100644 index 0000000..02ecb10 --- /dev/null +++ b/machines/hardware/RM007.nix 
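Review bot: `repositoryFile` now hard-codes `/etc/skynet/restic/<host>` where it previously derived from `${destination}`; `destination` is bound outside this hunk, so if it still names the repository location elsewhere the two can silently drift. A named binding beside it, e.g. `repo_dir = "/etc/skynet/restic";` used as `"${repo_dir}/${value.config.services.skynet_backup.host.name}"`, keeps a single source of truth. That file holds the repository URL restic is pointed at; if the URL embeds credentials its mode matters, which is not visible here. The enclosing attrset starts before this hunk.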
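Review bot: The name `ip_priv` suggests an RFC 1918 address, but the literal it replaces, `193.1.99.125`, is publicly routable and sits in the same /26 as `ip_pub` (`193.1.99.72`), so the `# internal address` comment now carries a misleading name as well. Both bindings live in the `let` above this hunk, outside the view, so their values could not be confirmed; `ip_internal`, or a comment such as `# second address on the same public /26, used as the internal side`, would remove the ambiguity. Two interfaces with addresses in one /26 also yield two connected routes for that subnet — pre-existing, but worth knowing when the names are cleaned up.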
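Review bot: `domain = "ulcompsoc.ie";` pins gir to the old domain now that the module default moves to `skynet.ie` in email.nix, but nothing records why, so a later cleanup can drop it without noticing. Add `# legacy domain: keep until ulcompsoc.ie mail/DNS is retired` above the line. The enclosing attrset begins outside this hunk, so which module this `domain` belongs to is not visible here.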
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/76CE-C65E"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/machines/neuromancer.nix b/machines/neuromancer.nix index a397ae5..fa23d4d 100644 --- a/machines/neuromancer.nix +++ b/machines/neuromancer.nix 
@@ -20,9 +20,21 @@ let in { imports = [ + ./hardware/RM007.nix ../applications/restic.nix ]; + + networking.hostName = name; + # this has to be defined for any physical servers + # vms are defined by teh vm host + networking.interfaces.eno1.ipv4.addresses = [ + { + address = ip_pub; + prefixLength = 26; + } + ]; + deployment = { targetHost = hostname; targetPort = 22; @@ -42,7 +54,9 @@ in { }; services.skynet_backup = { - normal.backups = ["/etc/skynet"]; + normal.backups = [ + #"/etc/skynet" + ]; host = {
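Review bot: The static `eno1` address has no gateway or nameservers in this hunk, and as I read the NixOS option, the `networking.useDHCP = true` inherited from RM007.nix skips interfaces that already carry a manual address, so this host only reaches its own /26 unless `networking.defaultGateway` and `networking.nameservers` are set in the part of neuromancer.nix outside this view — confirm. `ip_pub` is bound in the `let` above the hunk and not visible here. Also `teh` should read `the` in the comment.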