Merge branch 'main' into '#35_add_nextcloud'

# Conflicts: # ITD_Firewall.csv
2023-10-25 18:43:45 +00:00 · 2023-10-25 18:43:45 +00:00 · 422ee6b2c8
commit 422ee6b2c8
parent 211050fc27 2dcae4df6d
8 changed files with 163 additions and 65 deletions
--- a/applications/email.nix
+++ b/applications/email.nix
@ -16,10 +16,110 @@ with lib; let
  # thought you could escape racket?
  create_filter = groups: create_filter_join (create_filter_array groups);

-  create_skynet_email = accounts: mailbox: (map (account: "${account}+${mailbox}@skynet.ie") accounts);
+  # using +mailbox puts the mail in a seperate folder
+  create_skynet_email_int = accounts: mailbox: (map (account: "${account}@skynet.ie") accounts);
+  groups_to_accounts = groups: builtins.concatMap (x: config.skynet.users.${x}) groups;
+  create_skynet_email_attribute = mailbox: groups: (create_skynet_email_int (groups_to_accounts groups) mailbox) ++ ["int_${mailbox}@skynet.ie"];
+  create_skynet_email = mailbox: groups: {
+    name = "${mailbox}@skynet.ie";
+    value = create_skynet_email_attribute mailbox groups;
+  };
+  create_skynet_service_mailboxes = builtins.listToAttrs (map (mailbox: (create_skynet_email mailbox.account mailbox.members)) service_mailboxes);

-  create_skynet_email_admin = mailbox: (create_skynet_email config.skynet.users.admin mailbox) ++ ["${mailbox}_int@skynet.ie"];
-  create_skynet_email_committee = mailbox: (create_skynet_email config.skynet.users.committee mailbox) ++ ["${mailbox}_int@skynet.ie"];
+  create_config_to = concatStringsSep "\",\"" (map (mailbox: "${mailbox.account}") service_mailboxes);
+
+  service_mailboxes = [
+    {
+      account = "root";
+      members = ["admin"];
+    }
+    {
+      account = "abuse";
+      members = ["admin"];
+    }
+    {
+      account = "accounts";
+      members = ["committee"];
+    }
+    {
+      account = "compsoc";
+      members = ["committee"];
+    }
+    {
+      account = "contact";
+      members = ["committee"];
+    }
+    {
+      account = "dbadmin";
+      members = ["admin"];
+    }
+    {
+      account = "dnsadm";
+      members = ["admin"];
+    }
+    {
+      account = "hostmaster";
+      members = ["admin"];
+    }
+    {
+      account = "intersocsrep";
+      members = ["committee"];
+    }
+    {
+      account = "mailman";
+      members = ["admin"];
+    }
+    {
+      account = "security";
+      members = ["admin"];
+    }
+    {
+      account = "sysadm";
+      members = ["admin"];
+    }
+    {
+      account = "webadmin";
+      members = ["admin"];
+    }
+    {
+      account = "pycon2023";
+      members = ["committee"];
+    }
+    {
+      account = "skynet_topdesk";
+      members = ["admin"];
+    }
+    {
+      account = "topdesk";
+      members = ["admin"];
+    }
+  ];
+
+  configFile =
+    pkgs.writeText "basic_sieve"
+    ''
+      require "copy";
+      require "mailbox";
+      require "imap4flags";
+      require ["fileinto", "reject"];
+      require "variables";
+      require "regex";
+
+      # this should be close to teh last step
+      if allof (
+          address  :localpart ["To"] ["${toString create_config_to}"],
+          address  :domain ["To"] "skynet.ie"
+          ){
+          if address :matches ["To"] "*@skynet.ie" {
+            if header :is "X-Spam" "Yes" {
+              fileinto :create "''${1}.Junk";
+              stop;
+            } else {
+              fileinto :create "''${1}";
+            }
+          }
+      }
+    '';
 in {
  imports = [
    ./dns.nix
@ -260,21 +360,7 @@ in {

      lmtpSaveToDetailMailbox = "yes";

-      extraVirtualAliases = {
-        "abuse@skynet.ie" = create_skynet_email_admin "abuse";
-        "accounts@skynet.ie" = create_skynet_email_committee "accounts";
-        "compsoc@skynet.ie" = create_skynet_email_committee "compsoc";
-        "contact@skynet.ie" = create_skynet_email_committee "contact";
-        "dbadmin@skynet.ie" = create_skynet_email_admin "dbadmin";
-        "dnsadm@skynet.ie" = create_skynet_email_admin "dnsadm";
-        "hostmaster@skynet.ie" = create_skynet_email_admin "hostmaster";
-        "intersocsrep@skynet.ie" = create_skynet_email_committee "intersocsrep";
-        "mailman@skynet.ie" = create_skynet_email_admin "mailman";
-        "security@skynet.ie" = create_skynet_email_admin "security";
-        "sysadm@skynet.ie" = create_skynet_email_admin "sysadm";
-        "webadmin@skynet.ie" = create_skynet_email_admin "webadmin";
-        "pycon2023@skynet.ie" = create_skynet_email_committee "pycon2023";
-      };
+      extraVirtualAliases = create_skynet_service_mailboxes;

      # use the letsencrypt certs
      certificateScheme = "acme";
@ -315,6 +401,10 @@ in {
      ];
    };

+    services.dovecot2.sieveScripts = {
+      before = configFile;
+    };
+
    # tune the spam filter
    /*
    services.rspamd.extraConfig = ''
--- a/applications/ldap/server.nix
+++ b/applications/ldap/server.nix
@ -10,6 +10,7 @@ Gonna use a priper nixos module for this
 }:
 with lib; let
  cfg = config.services.skynet_ldap;
+  domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
 in {
  # these are needed for teh program in question
  imports = [
@ -79,7 +80,7 @@ in {
    };

    skynet_acme.domains = [
-      "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+      domain
    ];

    skynet_dns.records = [
@ -97,7 +98,7 @@ in {
    ];

    services.nginx.virtualHosts = {
-      "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
+      ${domain} = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/" = {
@ -190,29 +191,33 @@ in {
              olcRootDN = "cn=admin,${cfg.base}";
              olcRootPW.path = config.age.secrets.ldap_pw.path;

-              #olcOverlay =  "memberof";
-
              olcAccess = [
                /*
                custom access rules for userPassword attributes
                */
-                ''                  {0}to attrs=userPassword
-                                      by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
-                                      by self write
-                                      by anonymous auth
-                                      by * none''
+                ''
+                  {0}to attrs=userPassword
+                    by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
+                    by self write
+                    by anonymous auth
+                    by * none
+                ''

-                ''                  {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
-                                      by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
-                                      by self write
-                                      by * read''
+                ''
+                  {1}to attrs=mail,sshPublicKey,cn,sn
+                    by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
+                    by self write
+                    by * read
+                ''

                /*
                allow read on anything else
                */
-                ''                  {2}to *
-                                      by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
-                                      by * read''
+                ''
+                  {2}to *
+                    by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
+                    by * read
+                ''
              ];
            };

--- a/applications/ldap/skMemberOf.ldif
+++ b/applications/ldap/skMemberOf.ldif
@ -24,24 +24,12 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.4.1
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
-olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.5.1
-    NAME 'skDiscord'
-    DESC 'Discord username'
-    EQUALITY caseIgnoreMatch
-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
-  )
 olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.6.1
    NAME 'skCreated'
    DESC 'When the account was created'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
-#olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.7.1
-#    NAME 'skEnabled'
-#    DESC 'TRUE/FALSE'
-#    EQUALITY booleanMatch
-#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
-#  )
 # https://github.com/variablenix/ldap-mail-schema/blob/master/quota.schema
 olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.8.1
    NAME 'quotaEmail'
@ -55,16 +43,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.9.1
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255}
  )
-olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.10.1
-    NAME 'skSecure'
-    DESC '1 if secure'
-    EQUALITY caseIgnoreMatch
-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
-  )
 olcObjectClasses: ( 1.3.6.1.4.1.24441.1.1.1
    NAME 'skPerson'
    DESC 'skynet person'
    SUP top AUXILIARY
    MUST ( skMail $ skCreated )
-    MAY ( skMemberOf $ skID $ skDiscord $ quotaEmail $ quotaDisk $ skSecure )
+    MAY ( skMemberOf $ skID $ quotaEmail $ quotaDisk )
  )
--- a/applications/skynet_users.nix
+++ b/applications/skynet_users.nix
@ -78,6 +78,7 @@ in {
          alias = "/home/$user/public_html/";
          index = "index.html";
          extraConfig = "autoindex on;";
+          tryFiles = "$uri$args $uri$args/ /index.html";
        };
      };
    };