Merge branch 'main' into '#35_add_nextcloud'
# Conflicts: # ITD_Firewall.csv
commit
422ee6b2c8
8 changed files with 163 additions and 65 deletions
|
@ -16,10 +16,110 @@ with lib; let
|
|||
# thought you could escape racket?
|
||||
create_filter = groups: create_filter_join (create_filter_array groups);
|
||||
|
||||
create_skynet_email = accounts: mailbox: (map (account: "${account}+${mailbox}@skynet.ie") accounts);
|
||||
# using +mailbox puts the mail in a seperate folder
|
||||
create_skynet_email_int = accounts: mailbox: (map (account: "${account}@skynet.ie") accounts);
|
||||
groups_to_accounts = groups: builtins.concatMap (x: config.skynet.users.${x}) groups;
|
||||
create_skynet_email_attribute = mailbox: groups: (create_skynet_email_int (groups_to_accounts groups) mailbox) ++ ["int_${mailbox}@skynet.ie"];
|
||||
create_skynet_email = mailbox: groups: {
|
||||
name = "${mailbox}@skynet.ie";
|
||||
value = create_skynet_email_attribute mailbox groups;
|
||||
};
|
||||
create_skynet_service_mailboxes = builtins.listToAttrs (map (mailbox: (create_skynet_email mailbox.account mailbox.members)) service_mailboxes);
|
||||
|
||||
create_skynet_email_admin = mailbox: (create_skynet_email config.skynet.users.admin mailbox) ++ ["${mailbox}_int@skynet.ie"];
|
||||
create_skynet_email_committee = mailbox: (create_skynet_email config.skynet.users.committee mailbox) ++ ["${mailbox}_int@skynet.ie"];
|
||||
create_config_to = concatStringsSep "\",\"" (map (mailbox: "${mailbox.account}") service_mailboxes);
|
||||
|
||||
service_mailboxes = [
|
||||
{
|
||||
account = "root";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "abuse";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "accounts";
|
||||
members = ["committee"];
|
||||
}
|
||||
{
|
||||
account = "compsoc";
|
||||
members = ["committee"];
|
||||
}
|
||||
{
|
||||
account = "contact";
|
||||
members = ["committee"];
|
||||
}
|
||||
{
|
||||
account = "dbadmin";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "dnsadm";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "hostmaster";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "intersocsrep";
|
||||
members = ["committee"];
|
||||
}
|
||||
{
|
||||
account = "mailman";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "security";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "sysadm";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "webadmin";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "pycon2023";
|
||||
members = ["committee"];
|
||||
}
|
||||
{
|
||||
account = "skynet_topdesk";
|
||||
members = ["admin"];
|
||||
}
|
||||
{
|
||||
account = "topdesk";
|
||||
members = ["admin"];
|
||||
}
|
||||
];
|
||||
|
||||
configFile =
|
||||
pkgs.writeText "basic_sieve"
|
||||
''
|
||||
require "copy";
|
||||
require "mailbox";
|
||||
require "imap4flags";
|
||||
require ["fileinto", "reject"];
|
||||
require "variables";
|
||||
require "regex";
|
||||
|
||||
# this should be close to teh last step
|
||||
if allof (
|
||||
address :localpart ["To"] ["${toString create_config_to}"],
|
||||
address :domain ["To"] "skynet.ie"
|
||||
){
|
||||
if address :matches ["To"] "*@skynet.ie" {
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto :create "''${1}.Junk";
|
||||
stop;
|
||||
} else {
|
||||
fileinto :create "''${1}";
|
||||
}
|
||||
}
|
||||
}
|
||||
'';
|
||||
in {
|
||||
imports = [
|
||||
./dns.nix
|
||||
|
@ -260,21 +360,7 @@ in {
|
|||
|
||||
lmtpSaveToDetailMailbox = "yes";
|
||||
|
||||
extraVirtualAliases = {
|
||||
"abuse@skynet.ie" = create_skynet_email_admin "abuse";
|
||||
"accounts@skynet.ie" = create_skynet_email_committee "accounts";
|
||||
"compsoc@skynet.ie" = create_skynet_email_committee "compsoc";
|
||||
"contact@skynet.ie" = create_skynet_email_committee "contact";
|
||||
"dbadmin@skynet.ie" = create_skynet_email_admin "dbadmin";
|
||||
"dnsadm@skynet.ie" = create_skynet_email_admin "dnsadm";
|
||||
"hostmaster@skynet.ie" = create_skynet_email_admin "hostmaster";
|
||||
"intersocsrep@skynet.ie" = create_skynet_email_committee "intersocsrep";
|
||||
"mailman@skynet.ie" = create_skynet_email_admin "mailman";
|
||||
"security@skynet.ie" = create_skynet_email_admin "security";
|
||||
"sysadm@skynet.ie" = create_skynet_email_admin "sysadm";
|
||||
"webadmin@skynet.ie" = create_skynet_email_admin "webadmin";
|
||||
"pycon2023@skynet.ie" = create_skynet_email_committee "pycon2023";
|
||||
};
|
||||
extraVirtualAliases = create_skynet_service_mailboxes;
|
||||
|
||||
# use the letsencrypt certs
|
||||
certificateScheme = "acme";
|
||||
|
@ -315,6 +401,10 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
services.dovecot2.sieveScripts = {
|
||||
before = configFile;
|
||||
};
|
||||
|
||||
# tune the spam filter
|
||||
/*
|
||||
services.rspamd.extraConfig = ''
|
||||
|
|
|
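Review bot: In the Sieve script of the first hunk, the localpart captured as `${1}` by `address :matches ["To"] "*@skynet.ie"` is not tied to the allowlist tested by the enclosing `allof`: with several To addresses the `:localpart` and `:domain` tests can each be satisfied by a different address, and `:matches` captures from the first address that fits `*@skynet.ie`, so `fileinto :create "${1}"` can create a folder named after a localpart that is not in `create_config_to`. Testing the captured value directly with `string :is` (the `variables` extension is already required) closes that gap and removes the duplicated header test; the rewrite is below. Separately, `toString` on `create_config_to` is a no-op since it is already a string, and `builtins.toJSON (map (m: m.account) service_mailboxes)` would yield the same Sieve string-list without the hand-quoted `"\",\""` separator. The two `create_skynet_email` bindings visible in this hunk cannot both be on the new side (Nix rejects a duplicated `let` attribute), so I am reading the `accounts: mailbox:` one and the `_admin`/`_committee` helpers as removed lines; the `let` block itself starts outside the hunk.
```nix
      # this should be close to the last step
      if address :matches ["To"] "*@skynet.ie" {
        # only file into a folder when the captured localpart is a known service mailbox
        if string :is "''${1}" ["${create_config_to}"] {
          # … unchanged: X-Spam check, fileinto :create, stop …
        }
      }
```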
@ -10,6 +10,7 @@ Gonna use a priper nixos module for this
|
|||
}:
|
||||
with lib; let
|
||||
cfg = config.services.skynet_ldap;
|
||||
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||
in {
|
||||
# these are needed for teh program in question
|
||||
imports = [
|
||||
|
@ -79,7 +80,7 @@ in {
|
|||
};
|
||||
|
||||
skynet_acme.domains = [
|
||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||
domain
|
||||
];
|
||||
|
||||
skynet_dns.records = [
|
||||
|
@ -97,7 +98,7 @@ in {
|
|||
];
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
||||
${domain} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "skynet";
|
||||
locations."/" = {
|
||||
|
@ -190,29 +191,33 @@ in {
|
|||
olcRootDN = "cn=admin,${cfg.base}";
|
||||
olcRootPW.path = config.age.secrets.ldap_pw.path;
|
||||
|
||||
#olcOverlay = "memberof";
|
||||
|
||||
olcAccess = [
|
||||
/*
|
||||
custom access rules for userPassword attributes
|
||||
*/
|
||||
'' {0}to attrs=userPassword
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
''
|
||||
{0}to attrs=userPassword
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
''
|
||||
|
||||
'' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by * read''
|
||||
''
|
||||
{1}to attrs=mail,sshPublicKey,cn,sn
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by self write
|
||||
by * read
|
||||
''
|
||||
|
||||
/*
|
||||
allow read on anything else
|
||||
*/
|
||||
'' {2}to *
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by * read''
|
||||
''
|
||||
{2}to *
|
||||
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
|
||||
by * read
|
||||
''
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
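Review bot: The `{1}` and `{2}` rules on the new side of the last hunk keep `by * read`, and `*` includes anonymous binds, so `mail`, `sshPublicKey`, `cn`, `sn` and every attribute not matched by `{0}`/`{1}` are readable without authentication; only `userPassword` is closed off. If the only unauthenticated operation the directory has to serve is the bind itself (the `{0}` rule already grants `by anonymous auth`), `by users read` in place of `by * read` on `{1}` and `{2}` limits reads to bound users; if anonymous read is intended, say so in the comment, e.g. `/* allow read on anything else, including anonymous binds */`. The `olcAccess` list is fully inside this hunk, but the enclosing `settings` attribute set begins outside it.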
@ -24,24 +24,12 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.4.1
|
|||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||
)
|
||||
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.5.1
|
||||
NAME 'skDiscord'
|
||||
DESC 'Discord username'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||
)
|
||||
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.6.1
|
||||
NAME 'skCreated'
|
||||
DESC 'When the account was created'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||
)
|
||||
#olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.7.1
|
||||
# NAME 'skEnabled'
|
||||
# DESC 'TRUE/FALSE'
|
||||
# EQUALITY booleanMatch
|
||||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||||
# )
|
||||
# https://github.com/variablenix/ldap-mail-schema/blob/master/quota.schema
|
||||
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.8.1
|
||||
NAME 'quotaEmail'
|
||||
|
@ -55,16 +43,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.9.1
|
|||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255}
|
||||
)
|
||||
olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.10.1
|
||||
NAME 'skSecure'
|
||||
DESC '1 if secure'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||||
)
|
||||
olcObjectClasses: ( 1.3.6.1.4.1.24441.1.1.1
|
||||
NAME 'skPerson'
|
||||
DESC 'skynet person'
|
||||
SUP top AUXILIARY
|
||||
MUST ( skMail $ skCreated )
|
||||
MAY ( skMemberOf $ skID $ skDiscord $ quotaEmail $ quotaDisk $ skSecure )
|
||||
MAY ( skMemberOf $ skID $ quotaEmail $ quotaDisk )
|
||||
)
|
||||
|
|
|
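Review bot: Retiring `skDiscord` and `skSecure` frees OIDs `1.3.6.1.4.1.24441.1.5.1` and `1.3.6.1.4.1.24441.1.10.1`, and nothing left in the file records that they were once assigned, so a later attribute could be given the same OID, which LDAP schema convention forbids. Keep a one-line comment in place of each removed definition, e.g. `# 1.3.6.1.4.1.24441.1.5.1 was skDiscord (retired) - do not reuse`. The `skPerson` class still declares `MUST ( skMail $ skCreated )`; from this view the 12-line deletion in the first hunk could cover either the `skCreated` type or the commented-out `skEnabled` block, so confirm the `skCreated` definition survives, since slapd refuses an objectClass whose MUST attribute is undefined.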
@ -78,6 +78,7 @@ in {
|
|||
alias = "/home/$user/public_html/";
|
||||
index = "index.html";
|
||||
extraConfig = "autoindex on;";
|
||||
tryFiles = "$uri$args $uri$args/ /index.html";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
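Review bot: `tryFiles = "$uri$args $uri$args/ /index.html";` appends the raw query string to the filesystem probe, so any request carrying a query (for example `/style.css?v=2`) fails both file checks and is answered with `/index.html`; nginx also does not normalise `$args` the way it normalises `$uri`, so the query string should not take part in choosing a file under `alias`. The usual form is `tryFiles = "$uri $uri/ /index.html";`. The `location` block that defines `$user` begins outside this hunk, so whether that variable is constrained by the enclosing match cannot be checked here.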