Merge branch 'main' into '#35_add_nextcloud'

# Conflicts:
#   ITD_Firewall.csv
This commit is contained in:
silver 2023-10-25 18:43:45 +00:00
commit 422ee6b2c8
8 changed files with 163 additions and 65 deletions

View file

@ -16,10 +16,110 @@ with lib; let
# thought you could escape racket?
create_filter = groups: create_filter_join (create_filter_array groups);
create_skynet_email = accounts: mailbox: (map (account: "${account}+${mailbox}@skynet.ie") accounts);
# using +mailbox puts the mail in a seperate folder
create_skynet_email_int = accounts: mailbox: (map (account: "${account}@skynet.ie") accounts);
groups_to_accounts = groups: builtins.concatMap (x: config.skynet.users.${x}) groups;
create_skynet_email_attribute = mailbox: groups: (create_skynet_email_int (groups_to_accounts groups) mailbox) ++ ["int_${mailbox}@skynet.ie"];
create_skynet_email = mailbox: groups: {
name = "${mailbox}@skynet.ie";
value = create_skynet_email_attribute mailbox groups;
};
create_skynet_service_mailboxes = builtins.listToAttrs (map (mailbox: (create_skynet_email mailbox.account mailbox.members)) service_mailboxes);
create_skynet_email_admin = mailbox: (create_skynet_email config.skynet.users.admin mailbox) ++ ["${mailbox}_int@skynet.ie"];
create_skynet_email_committee = mailbox: (create_skynet_email config.skynet.users.committee mailbox) ++ ["${mailbox}_int@skynet.ie"];
create_config_to = concatStringsSep "\",\"" (map (mailbox: "${mailbox.account}") service_mailboxes);
service_mailboxes = [
{
account = "root";
members = ["admin"];
}
{
account = "abuse";
members = ["admin"];
}
{
account = "accounts";
members = ["committee"];
}
{
account = "compsoc";
members = ["committee"];
}
{
account = "contact";
members = ["committee"];
}
{
account = "dbadmin";
members = ["admin"];
}
{
account = "dnsadm";
members = ["admin"];
}
{
account = "hostmaster";
members = ["admin"];
}
{
account = "intersocsrep";
members = ["committee"];
}
{
account = "mailman";
members = ["admin"];
}
{
account = "security";
members = ["admin"];
}
{
account = "sysadm";
members = ["admin"];
}
{
account = "webadmin";
members = ["admin"];
}
{
account = "pycon2023";
members = ["committee"];
}
{
account = "skynet_topdesk";
members = ["admin"];
}
{
account = "topdesk";
members = ["admin"];
}
];
configFile =
pkgs.writeText "basic_sieve"
''
require "copy";
require "mailbox";
require "imap4flags";
require ["fileinto", "reject"];
require "variables";
require "regex";
# this should be close to teh last step
if allof (
address :localpart ["To"] ["${toString create_config_to}"],
address :domain ["To"] "skynet.ie"
){
if address :matches ["To"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
}
}
}
'';
in {
imports = [
./dns.nix
@ -260,21 +360,7 @@ in {
lmtpSaveToDetailMailbox = "yes";
extraVirtualAliases = {
"abuse@skynet.ie" = create_skynet_email_admin "abuse";
"accounts@skynet.ie" = create_skynet_email_committee "accounts";
"compsoc@skynet.ie" = create_skynet_email_committee "compsoc";
"contact@skynet.ie" = create_skynet_email_committee "contact";
"dbadmin@skynet.ie" = create_skynet_email_admin "dbadmin";
"dnsadm@skynet.ie" = create_skynet_email_admin "dnsadm";
"hostmaster@skynet.ie" = create_skynet_email_admin "hostmaster";
"intersocsrep@skynet.ie" = create_skynet_email_committee "intersocsrep";
"mailman@skynet.ie" = create_skynet_email_admin "mailman";
"security@skynet.ie" = create_skynet_email_admin "security";
"sysadm@skynet.ie" = create_skynet_email_admin "sysadm";
"webadmin@skynet.ie" = create_skynet_email_admin "webadmin";
"pycon2023@skynet.ie" = create_skynet_email_committee "pycon2023";
};
extraVirtualAliases = create_skynet_service_mailboxes;
# use the letsencrypt certs
certificateScheme = "acme";
@ -315,6 +401,10 @@ in {
];
};
services.dovecot2.sieveScripts = {
before = configFile;
};
# tune the spam filter
/*
services.rspamd.extraConfig = ''

View file

@ -10,6 +10,7 @@ Gonna use a priper nixos module for this
}:
with lib; let
cfg = config.services.skynet_ldap;
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
# these are needed for teh program in question
imports = [
@ -79,7 +80,7 @@ in {
};
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
domain
];
skynet_dns.records = [
@ -97,7 +98,7 @@ in {
];
services.nginx.virtualHosts = {
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
${domain} = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
@ -190,29 +191,33 @@ in {
olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof";
olcAccess = [
/*
custom access rules for userPassword attributes
*/
'' {0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none''
''
{0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none
''
'' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read''
''
{1}to attrs=mail,sshPublicKey,cn,sn
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read
''
/*
allow read on anything else
*/
'' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
''
{2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read
''
];
};

View file

@ -24,24 +24,12 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.4.1
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.5.1
NAME 'skDiscord'
DESC 'Discord username'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.6.1
NAME 'skCreated'
DESC 'When the account was created'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
#olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.7.1
# NAME 'skEnabled'
# DESC 'TRUE/FALSE'
# EQUALITY booleanMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
# )
# https://github.com/variablenix/ldap-mail-schema/blob/master/quota.schema
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.8.1
NAME 'quotaEmail'
@ -55,16 +43,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.9.1
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255}
)
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.10.1
NAME 'skSecure'
DESC '1 if secure'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
olcObjectClasses: ( 1.3.6.1.4.1.24441.1.1.1
NAME 'skPerson'
DESC 'skynet person'
SUP top AUXILIARY
MUST ( skMail $ skCreated )
MAY ( skMemberOf $ skID $ skDiscord $ quotaEmail $ quotaDisk $ skSecure )
MAY ( skMemberOf $ skID $ quotaEmail $ quotaDisk )
)

View file

@ -78,6 +78,7 @@ in {
alias = "/home/$user/public_html/";
index = "index.html";
extraConfig = "autoindex on;";
tryFiles = "$uri$args $uri$args/ /index.html";
};
};
};