From 336d26ff3b0e2072fb1fa5879f3108a3b238ecf4 Mon Sep 17 00:00:00 2001
From: Bereich Administration Rechentechnik
Date: Fri, 24 Jan 2025 16:51:13 +0100
Subject: [PATCH] work in progrss, dovecot ldap not working

---
 configuration.nix | 82 ++++++++++++++++++-----------
 flake.lock | 104 ++++++++++++++++++++++++++++++++++++-
 flake.nix | 8 +-
 hardware-configuration.nix | 9 +---
 4 files changed, 161 insertions(+), 42 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index d593a86..cb4d232 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -20,11 +20,11 @@
 networking.hostName = "authentik";
 networking.interfaces.ens18.ipv4.addresses = [
 {
- address = "10.0.0.3";
+ address = "141.56.51.18";
 prefixLength = 24;
 }
 ];
- networking.defaultGateway.address = "10.0.0.1";
+ networking.defaultGateway.address = "141.56.51.254";
 networking.nameservers = [ "141.56.1.1" "141.56.1.2" ];
 time.timeZone = "Europe/Berlin";
@@ -36,9 +36,15 @@
 useXkbConfig = true; # use xkb.options in tty.
 };
+ users.groups.authentik = { };
+ users.users.authentik = {
+ isSystemUser = true;
+ extraGroups = [ "docker" ];
+ group = "authentik";
+ };
 users.users.administration = {
 isNormalUser = true;
- extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
 packages = with pkgs; [ ];
 };
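Review bot: In the second hunk the new `authentik` service account gets `extraGroups = [ "docker" ]` and `administration` gets `[ "wheel" "docker" ]`; membership in the docker group gives full control of the Docker daemon, which is root-equivalent on the host, so the service account effectively receives unrestricted root without going through sudo. Nothing in this commit shows what the account needs Docker for, so if it genuinely has to drive the daemon the line should say so, e.g. `extraGroups = [ "docker" ]; # grants root-equivalent access via the Docker socket; required because <reason>`, and otherwise it should be dropped. For `administration`, which is already in `wheel`, the docker group adds a second root path that leaves no sudo log entry, so it is worth leaving out unless the password prompt is the actual obstacle. It is not visible here whether the authentik-nix module already declares a user named `authentik`; if it does, this block merges with that definition and the `group`/`isSystemUser` values should be checked against it.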
@@ -68,37 +74,53 @@
 disable_startup_analytics = true;
 avatars = "initials";
 };
+
+ nginx = {
+ enable = true;
+ enableACME = true;
+ host = "auth.htw.stura-dresden.de";
+ };
+ };
+ services.dovecot2 = {
+ extraConfig = ''
+ auth_verbose = yes
+ auth_debug = yes
+ auth_debug_passwords = yes
+ '';
+ };
- # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [ 389 9000 ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
+ services.nginx.virtualHosts."auth.htw.stura-dresden.de".locations."/".extraConfig = ''
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ mailserver = {
+ enable = true;
+ fqdn = "mail.htw.stura-dresden.de";
+ domains = [ "htw.stura-dresden.de" ];
+ ldap = {
+ enable = true;
+ bind = {
+ dn = "cn=dovecot,ou=users,dc=auth,dc=htw,dc=stura-dresden,dc=de";
+ passwordFile = "/var/lib/dovecot_ldap_passwd";
+ };
+ dovecot = { };
+ searchBase = "dc=auth,dc=htw,dc=stura-dresden,dc=de";
+ searchScope = "sub";
+ uris = [
+ "ldap://localhost:389"
+ ];
+ };
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- # system.copySystemConfiguration = true;
+ certificateScheme = "acme-nginx";
+ };
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
- # to actually do that.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.11"; # Did you read the comment?
+ virtualisation.docker.enable = true;
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "cert@stura.htw-dresden.de";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 389 9000 ];
+
+ system.stateVersion = "24.11";
 }
diff --git a/flake.lock b/flake.lock
index a50958f..9a388c6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -42,6 +42,22 @@
 "type": "github"
 }
 },
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -58,6 +74,22 @@
 "type": "github"
 }
 },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
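Review bot: `auth_debug_passwords = yes` in `services.dovecot2.extraConfig` makes Dovecot write the clear-text password of every failed login attempt to the journal, so as soon as real users hit this server their passwords land in the system logs. The commit message shows this is LDAP troubleshooting, which is fine, but it must not survive into a deployed configuration; reduce the block to `auth_verbose = yes` and `auth_debug = yes` (or remove it once LDAP works) and mark what is left with `# TEMPORARY: LDAP debugging, remove before go-live` so it is not forgotten. Separately, the first hunk moves the host from 10.0.0.3 to the public address 141.56.51.18 while `networking.firewall.allowedTCPPorts = [ 80 443 389 9000 ]` keeps 389 and 9000 open; the only LDAP consumer visible here is the local mailserver (`uris = [ "ldap://localhost:389" ]`), so plain LDAP on 389 probably need not be reachable from outside at all, and 9000 only if something bypasses the nginx proxy in front of authentik. The empty `dovecot = { };` under `mailserver.ldap` has no effect and can be dropped or filled in.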
@@ -97,6 +129,27 @@
 "type": "github"
 }
 },
+ "mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "flake-compat": "flake-compat_2",
+ "nixpkgs": "nixpkgs_2",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1712828206,
+ "narHash": "sha256-9b+73fDYFVMph6q0jYONHyq45OCc77/6rri+EPbyFoQ=",
+ "owner": "GoldsteinE",
+ "repo": "simple-nixos-mailserver",
+ "rev": "a9f6b3097f6121d7bcb4170043fc5e641f8a35f9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "GoldsteinE",
+ "repo": "simple-nixos-mailserver",
+ "type": "github"
+ }
+ },
 "napalm": {
 "inputs": {
 "flake-utils": [
@@ -174,6 +227,21 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1709703039,
+ "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1737469691,
 "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
@@ -223,7 +291,8 @@
 "root": {
 "inputs": {
 "authentik": "authentik",
- "nixpkgs": "nixpkgs_2"
+ "mailserver": "mailserver",
+ "nixpkgs": "nixpkgs_3"
 }
 },
 "systems": {
@@ -241,6 +310,21 @@
 "type": "github"
 }
 },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "treefmt-nix": {
 "inputs": {
 "nixpkgs": [
@@ -262,6 +346,24 @@
 "repo": "treefmt-nix",
 "type": "github"
 }
+ },
+ "utils": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1709126324,
+ "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 08aaa39..04c71ea 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,10 +13,11 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 authentik = {
 url = "github:nix-community/authentik-nix";
- };
+ };
+ mailserver.url = "github:GoldsteinE/simple-nixos-mailserver";
 };
- outputs = { self, nixpkgs, authentik }: {
+ outputs = { self, nixpkgs, authentik, mailserver }: {
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
 nixosConfigurations = {
@@ -24,7 +25,8 @@
 system = "x86_64-linux";
 modules = [
 ./configuration.nix
- authentik.nixosModules.default
+ authentik.nixosModules.default
+ mailserver.nixosModules.mailserver
 ];
 };
 };
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
index b640750..ebaac35 100644
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -16,18 +16,11 @@
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/ca98acfb-7698-4bc2-a7a0-f24fc0fc3c46";
+ device = "/dev/sda1";
 fsType = "ext4";
 };
 swapDevices = [ ];
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
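Review bot: The new `mailserver` input in flake.nix does not follow the system nixpkgs, which is why flake.lock gains a second complete nixpkgs entry (`nixpkgs_2`, nixos-unstable from March 2024) that is locked and fetched purely for the mailserver flake alongside the January 2025 one the system uses. Declaring the input as `mailserver = { url = "github:GoldsteinE/simple-nixos-mailserver"; inputs.nixpkgs.follows = "nixpkgs"; };` removes the duplicate and leaves a single nixpkgs to track. The URL also points at a personal fork rather than the project's own GitLab repository (the lock file still fetches its `blobs` input from the `simple-nixos-mailserver` group there); if the fork is intentional, a short comment on that line saying why would save the next maintainer from guessing whether to switch back. The `- };` / `+ };` change just above it looks like a whitespace-only edit and could be left out to keep the diff focused.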
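Review bot: `fileSystems."/".device` in hardware-configuration.nix switches from the `/dev/disk/by-uuid/...` path to `/dev/sda1`; kernel block-device names are assigned at probe time and can shift when a disk, controller or virtual bus changes, which would leave the root filesystem unmountable at boot, whereas the UUID path is stable across such changes. If the old UUID simply no longer matches (this looks like the system was moved to a different disk), the right fix is the new filesystem's UUID, `device = "/dev/disk/by-uuid/<UUID-OF-NEW-ROOT-FS>";` as reported by `blkid /dev/sda1`. Note also that this file is normally the output of `nixos-generate-config`, so both the device change and the removal of `networking.useDHCP = lib.mkDefault true;` will be undone the next time it is regenerated; dropping the DHCP default is harmless given the static address in configuration.nix, but the device edit is the one that would silently come back wrong.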