| author | Alejandro Soto <alejandro@34project.org> | 2024-07-14 17:53:13 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-15 09:34:00 -0600 |
| commit | 02abf4ed0131237c25e0a10db50fa4c41a902a50 (patch) | |
| tree | 20904894fc0952806e341cdaff5941e81b3ce51c /env | |
| parent | 08e746700341dda3e3bdf704332fc3c07053d3e7 (diff) | |
sys: final merge of dmz, hv into sys
Diffstat (limited to 'env')
| -rw-r--r-- | env/acme/default.nix | 48 | ||||
| -rw-r--r-- | env/acme/domains.nix | 12 | ||||
| -rw-r--r-- | env/default.nix | 8 | ||||
| -rw-r--r-- | env/dhe.nix | 6 | ||||
| -rw-r--r-- | env/users/default.nix | 143 | ||||
| -rw-r--r-- | env/users/mailbox.nix | 241 | ||||
| -rw-r--r-- | env/users/users.nix | 1 | ||||
| -rw-r--r-- | env/users/virtual.nix | 1 |
8 files changed, 0 insertions, 460 deletions
diff --git a/env/acme/default.nix b/env/acme/default.nix
deleted file mode 100644
index 9b3db80..0000000
--- a/env/acme/default.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, lib, ... }:
-with lib; let
- cfg = config.local;
-in
-{
- options.local = with types; {
- domains = mkOption {
- type = attrsOf (attrsOf str);
- };
-
- certs = mapAttrs
- (_: _: {
- enable = mkEnableOption "TLS cert for ${name}";
- })
- cfg.domains;
- };
-
- config = {
- security.acme = {
- acceptTerms = true;
-
- defaults = {
- email = "security@${config.networking.domain}";
- renewInterval = "weekly";
-
- webroot =
- if config.security.acme.defaults.dnsProvider == null
- then "/var/lib/acme/acme-challenge"
- else null;
- };
-
- certs =
- let
- domainSort = sort (a: b: splitString "." a < splitString "." b);
-
- certConfig = domains: {
- domain = domains.main;
- extraDomainNames = domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
- };
- in
- mapAttrs'
- (_: value: nameValuePair value.main (certConfig value))
- (filterAttrs (name: _: cfg.certs.${name}.enable) cfg.domains);
- };
-
- local.domains = import ./domains.nix;
- };
-}
diff --git a/env/acme/domains.nix b/env/acme/domains.nix
deleted file mode 100644
index 0412391..0000000
--- a/env/acme/domains.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- host = {
- main = "34project.org";
- www = "www.34project.org";
- mail = "mail.34project.org";
- };
-
- smtp.main = "smtp.34project.org";
- imap.main = "imap.34project.org";
-
- git.main = "git.cluster451.org";
-}
diff --git a/env/default.nix b/env/default.nix
deleted file mode 100644
index d9b85ab..0000000
--- a/env/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ lib, ... }:
-with lib; {
- imports = [
- ./acme
- ./dhe.nix
- ./users
- ];
-}
diff --git a/env/dhe.nix b/env/dhe.nix
deleted file mode 100644
index 7a95f2d..0000000
--- a/env/dhe.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }: {
- config.security.dhparams = {
- enable = true;
- defaultBitSize = 2048;
- };
-}
diff --git a/env/users/default.nix b/env/users/default.nix
deleted file mode 100644
index 0e77e0d..0000000
--- a/env/users/default.nix
+++ /dev/null
@@ -1,143 +0,0 @@
-{ config, lib, ... }:
-with lib; let
- cfg = config.local;
- inherit (config.networking) domain;
-in
-{
- imports = [
- ./mailbox.nix
- ];
-
- options.local = with types; let
- mailOption = mkOption {
- default = { };
-
- type = submodule {
- options.certs = mkOption {
- type = listOf str;
- default = [ ];
- };
- };
- };
- in
- {
- sysadmin = mkOption {
- type = str;
- };
-
- users = mkOption {
- default = { };
-
- type = attrsOf (submodule ({ config, ... }: {
- options = {
- uid = mkOption {
- type = int;
- };
-
- gid = mkOption {
- type = int;
- };
-
- gecos = mkOption {
- type = str;
- default = "";
- };
-
- sysadmin = mkOption {
- type = bool;
- default = false;
- };
-
- groups = mkOption {
- type = listOf str;
- default = [ ];
- };
-
- allowLogin = mkOption {
- type = bool;
- default = true;
- };
-
- hardAliases = mkOption {
- type = listOf str;
- default = [ ];
- };
-
- mail = mailOption;
- };
-
- config.groups = mkBefore (optional config.sysadmin "wheel");
- }));
- };
-
- virtual = mkOption {
- default = { };
-
- type = attrsOf (submodule ({ name, ... 
}: {
- options = {
- aliases = mkOption {
- type = attrsOf (listOf str);
- default = { };
- };
-
- rules = mkOption {
- default = [ ];
-
- type = listOf (submodule {
- options = {
- pattern = mkOption {
- type = str;
- };
-
- targets = mkOption {
- type = listOf str;
- };
- };
- });
- };
-
- users = mkOption {
- default = { };
-
- type = attrsOf (submodule {
- options.mail = mailOption;
- });
- };
- };
-
- config.aliases =
- let
- sysadmin = mkDefault [ "sysadmin@${name}" ];
- in
- {
- abuse = sysadmin;
- security = sysadmin;
- webmaster = sysadmin;
- hostmaster = sysadmin;
- postmaster = sysadmin;
-
- sysadmin = mkDefault [ "sysadmin@${domain}" ];
- };
- }));
- };
- };
-
- config.local = mkMerge [
- {
- users = import ./users.nix;
- virtual = import ./virtual.nix;
-
- sysadmin =
- (findSingle
- (user: user.value.sysadmin)
- (throw "no user is declared as sysadmin")
- (throw "more than one user is declared as sysadmin")
- (mapAttrsToList nameValuePair cfg.users)
- ).name;
- }
-
- {
- virtual.${domain}.aliases.sysadmin = [ cfg.sysadmin ];
- }
- ];
-}
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix
deleted file mode 100644
index eaec5fc..0000000
--- a/env/users/mailbox.nix
+++ /dev/null
@@ -1,241 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib; let
- cfg = config.local;
-in
-{
- options.local.mailHost = with types; {
- enable = mkEnableOption "mailbox host service";
-
- security.acme.defaults.dnsProvider = "gandiv5";
-
- mdaListen = mkOption {
- type = str;
- };
-
- saslPort = mkOption {
- type = port;
- };
-
- lmtpPort = mkOption {
- type = port;
- };
- };
-
- config =
- let
- imapHostname = cfg.domains.imap.main;
- in
- mkIf cfg.mailHost.enable {
- services.dovecot2 =
- let
- cert = config.security.acme.certs.${imapHostname}.directory;
- in
- {
- enable = true;
- enablePAM = false;
- enableLmtp = true;
-
- sslServerKey = "${cert}/key.pem";
- sslServerCert = "${cert}/fullchain.pem";
-
- modules = [ pkgs.dovecot_pigeonhole ];
-
- mailUser = "vmail";
- mailGroup = "vmail";
- mailLocation = "maildir:~/mail";
- mailPlugins.perProtocol.lmtp.enable = [ "sieve" ];
-
- extraConfig =
- let
- inherit (config.networking) domain;
-
- # https://dovecot.org/list/dovecot/2019-March/115250.html
- # Otra solución posible (https://serverfault.com/a/1062274/980378):
- # auth_username_format = %{if;%d;eq;${domain};%Ln;%Lu}
- localEntry = canonical: username: ''
- ${username}:::::::user=${canonical} nopassword userdb_user=${canonical}
- '';
-
- localMailboxes =
- pkgs.writeText "local-mailboxes"
- (concatStrings
- (flatten (mapAttrsToList
- (canonical: user:
- map (localEntry canonical) ([ canonical ] ++ user.hardAliases))
- cfg.users)));
-
- localCerts =
- flatten (mapAttrsToList
- (canonical: user:
- let
- certNames = {
- inherit canonical;
- logins = [ canonical ] ++ user.hardAliases;
- };
- in
- map (flip nameValuePair certNames) user.mail.certs)
- cfg.users);
-
- vmailCerts =
- flatten (flatten (mapAttrsToList
- (domain: virtual: mapAttrsToList
- (username: user:
- let
- address = "${username}@${domain}";
-
- certNames = {
- canonical = address;
- logins = [ address ];
- };
- in
- map (flip nameValuePair certNames) user.mail.certs)
- virtual.users)
- 
cfg.virtual));
-
- certLogins =
- pkgs.writeText "cert-logins"
- (concatStrings (flatten (mapAttrsToList
- (uuid: names: map
- (addr: ''
- ${uuid}.mail-client@nodomain,${addr}:::::::user=${names.canonical}
- '')
- names.logins)
- (listToAttrs (localCerts ++ vmailCerts)))));
-
- vmailPath = "/var/lib/vmail/%{if;%d;ne;;%Ld;${domain}}";
- in
- ''
- auth_mechanisms = plain login external
-
- #TODO: automatizar implantación de archivo de CA
-
- # Orden de concatenación de mail-fullchain-crl.crt:
- # - Issuing CA cert
- # - Issuing CA CRL
- # - Intermediate CA cert
- # - Intermediate CA CRL
- # - Root CA cert
- # - Root CA CRL
- ssl_ca = </var/trust/ca/mail-fullchain-crl.crt
- ssl_require_crl = yes
- ssl_verify_client_cert = yes
-
- # Esto descarta @domain.tld de locales explícitos, pero lo exige para los demás.
- # Implicación: locales implícitos sin dominio fallan en autenticar
- auth_username_format = %{if;%Ld;eq;${domain};%Ln;%{if;%d;ne;;%Lu;%Ln@nodomain}}
- auth_ssl_username_from_cert = yes
-
- # TODO: los defaults de nixpkgs dejan los sockets bajo
- # /run/dovecot2 con demasiados permisos rwx, arreglar
-
- service auth {
- inet_listener mta-sasl {
- port = ${toString cfg.mailHost.saslPort}
- address = ${cfg.mailHost.mdaListen}
- }
- }
-
- service lmtp {
- inet_listener mta-lmtp {
- port = ${toString cfg.mailHost.lmtpPort}
- address = ${cfg.mailHost.mdaListen}
- }
- }
-
- # FIXME: Esta cadena de passdbs hace que 'doveadm user lookup'
- # falle para usuarios locales, pero todo lo demás sirve. Parece
- # ser debido a que pam no puede enumerar. 
-
- passdb {
- driver = static
- args = nopassword
-
- master = yes
- mechanisms = external
-
- result_success = continue-fail
- result_failure = return-fail
- result_internalfail = return-fail
- }
-
- passdb {
- driver = passwd-file
- args = scheme=PLAIN username_format=%{master_user},%Lu ${certLogins}
-
- mechanisms = external
- override_fields = nopassword
-
- result_failure = return-fail
- result_internalfail = return-fail
- }
-
- passdb {
- driver = passwd-file
- args = username_format=%Ln ${vmailPath}/passwd
- }
-
- passdb {
- driver = passwd-file
- args = scheme=PLAIN ${localMailboxes}
-
- # Esta es una forma de determinar si se encontró el usuario en
- # el passwd-file por medio de nopassword sin realmente
- # autenticarlo. Cuidado con result_success, porque si eso se
- # configura mal se permite inicio de sesión con cualquier
- # contraseña (!!!).
- result_success = continue
- result_failure = return-fail
- result_internalfail = return-fail
-
- username_filter = !*@*
- }
-
- passdb {
- driver = pam
- args = dovecot2
- username_filter = !*@*
- #TODO: algo como 'override_fields = allow_nets=...'
- }
-
- userdb {
- driver = passwd-file
- args = username_format=%Ln ${vmailPath}/passwd
- override_fields = uid=vmail gid=vmail home=${vmailPath}/home/%Ln
- }
-
- userdb {
- driver = passwd-file
- args = ${localMailboxes}
-
- result_success = continue-ok
- result_internalfail = return-fail
- skip = found
- }
-
- userdb {
- driver = passwd
- args = blocking=no
- skip = notfound
- }
- '';
- };
-
- security = {
- # Necesario debido a 'enablePAM = false'
- pam.services.dovecot2 = { };
-
- acme.certs.${imapHostname} = {
- inherit (config.services.dovecot2) group;
- };
- };
-
- users = {
- users.${config.services.dovecot2.mailUser}.uid = 995;
- groups.${config.services.dovecot2.mailGroup}.gid = 993;
- };
-
- networking.firewall.allowedTCPPorts = [ 143 993 ];
-
- local.certs.imap.enable = true;
- };
-}
diff --git a/env/users/users.nix b/env/users/users.nix
deleted file mode 100644
index 1bb3788..0000000
--- a/env/users/users.nix
+++ /dev/null
@@ -1 +0,0 @@
-# This file has been lustrated.
diff --git a/env/users/virtual.nix b/env/users/virtual.nix
deleted file mode 100644
index 1bb3788..0000000
--- a/env/users/virtual.nix
+++ /dev/null
@@ -1 +0,0 @@
-# This file has been lustrated. |
