From c49a077711a7bcba5febbb5fe37648e739e2faf7 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 15 Jul 2023 21:20:45 +0200
Subject: [PATCH] feat(webserver): switch to caddy, add authelia, lldap, switch hedgedoc to LDAP auth
---
 .sops.yaml | 8 +-
 nix/devShells.nix | 2 +
 nix/os/containers/mailserver_secrets.yaml | 5 +-
 nix/os/containers/webserver.nix | 210 +++++++++++++++++-----
 nix/os/containers/webserver_secrets.yaml | 12 +-
 secrets/servers/dyndns.yaml | 5 +-
 6 files changed, 192 insertions(+), 50 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 8f66ba8..00c147f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -40,4 +40,10 @@ creation_rules:
 - pgp:
 - *steveej
 age:
- - *sj-vps-htz0
\ No newline at end of file
+ - *sj-vps-htz0
+ - path_regex: ^secrets/holochain-infra/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *srv0-dmz0
\ No newline at end of file
diff --git a/nix/devShells.nix b/nix/devShells.nix
index d896815..e43a970 100644
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@@ -64,6 +64,8 @@ pkgs.stdenv.mkDerivation {
 fwupd
 ntfy
+
+ hedgedoc-cli
 ]);
 # Set Environment Variables
diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml
index fc19f84..fea5388 100644
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
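Review bot: The added `path_regex: ^secrets/holochain-infra/.+$` creation rule grants the `*srv0-dmz0` age recipient decryption rights over a secrets tree that has nothing to do with the webserver, Authelia or LLDAP change named in the subject; a key-distribution change like this is easier to audit as its own commit. The `*srv0-dmz0` alias must be declared in the `keys:` section of `.sops.yaml`, which lies outside this hunk, so that is worth confirming — an undefined YAML alias is a parse error rather than a silently empty key group.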
@@ -1,6 +1,7 @@
 email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str]
 email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
 email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
+email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str]
 dovecotSslServerCert: ENC[AES256_GCM,data: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,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str]
 dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
 sops:
@@ -18,8 +19,8 @@ sops:
 bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
 T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-09T17:29:20Z"
- mac: ENC[AES256_GCM,data:EUW7B78IB2vRGOwPM4bRoz7kYO9xHGMepF0aCOUVBFL0JCmzZyP9/bWWHYVR2SrQ29P8YgvpF32gWPEdidPReW59QRU1IXpMxnZ20Xoa+8y8H2Pj5w9cs+km6jXtphTcxDdZhQVJfXVyQH6qNb9Ypc9myhVypA2Dp/GLQ8SokoY=,iv:PDhP1TGvSS73RhkjsM2Zc0cGT8o06QVsxwO6tPKFzuQ=,tag:cy6fi3BHIN0c/c2sLVVmhg==,type:str]
+ lastmodified: "2023-07-15T13:47:19Z"
+ mac: ENC[AES256_GCM,data:lx3SsJTnHwDyHhAEL6gPAgOZbOGTCHLTrPUzp9CAeo76Bf+gvlKaWd/8Jxy7vV80hLQ/2T5o04Gs8oEBVAi5iKmE1r4xrLtEFVS/yflvK+G0rigZ/2BCr5MneTO39Krpj+ruU2Lnb4TSKfas9qkqEuYQZ4BiP+OyB27mM+WQ4t0=,iv:HJ+jlaSVocCIf27bnRZQfkaM8DHYopoblbKvopLxZp0=,tag:0qfclbAAHY5JZ70//SPEIA==,type:str]
 pgp:
 - created_at: "2023-07-02T20:30:30Z"
 enc: |-
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index 0ae87c4..c5d4fa5 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -27,56 +27,49 @@
 domain = "www.stefanjunker.de";
 };
- security.acme = {
- acceptTerms = true;
- certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
- preliminarySelfsigned = true;
-
- # can be used for debugging
- # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- };
-
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 sops.secrets.hedgedoc_environment_file = {
 sopsFile = ./webserver_secrets.yaml;
 owner = config.users.users.hedgedoc.name;
 };
- services.nginx.enable = true;
- services.nginx.recommendedProxySettings = true;
- services.nginx.virtualHosts."www.stefanjunker.de" = {
- default = true;
- addSSL = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = httpPort;
- ssl = false;
- }
- {
- addr = "0.0.0.0";
- port = httpsPort;
- ssl = true;
- }
- ];
+ services.caddy = {
+ enable = true;
+ virtualHosts."${config.services.ddclientovh.domain}" = {
+ extraConfig = let
+ port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
+ path = "${config.services.authelia.instances.default.settings.server.path}";
+ in ''
+ redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain}
- root = "/var/www/stefanjunker.de/htdocs";
+ respond "Hi!"
+ '';
+ };
- enableACME = true;
+ virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = {
+ extraConfig = ''
+ reverse_proxy http://[::1]:3000
+ '';
+ };
- locations."/hedgedoc/" = {proxyPass = "http://[::1]:3000/";};
+ virtualHosts."authelia.${config.services.ddclientovh.domain}" = {
+ extraConfig = ''
+ reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
+ '';
+ };
- locations."/hedgedoc/socket.io/" = {
- proxyPass = "http://[::1]:3000/socket.io/";
- proxyWebsockets = true;
+ virtualHosts."lldap.${config.services.ddclientovh.domain}" = {
+ extraConfig = ''
+ reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
+ '';
+ };
 };
 };
 services.hedgedoc = {
 enable = true;
 settings = {
- domain = "www.stefanjunker.de";
- urlPath = "hedgedoc";
+ domain = "hedgedoc.${config.services.ddclientovh.domain}";
+ urlPath = "";
 protocolUseSSL = true;
 db = {
 dialect = "sqlite";
@@ -88,13 +81,18 @@
 allowGravatar = false;
 allowFreeURL = false;
 defaultPermission = "private";
- allowEmailRegister = false;
- # these are set via the `environmentFile`
- dropbox = {
- appKey = "$DROPBOX_APPKEY";
- clientID = "$DROPBOX_CLIENTID";
- clientSecret = "$DROPBOX_CLIENTSECRET";
+ allowEmailRegister = false;
+ email = false;
+
+ ldap = {
+ url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
+ bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
+ # these are set via the `environmentFile`
+ bindCredentials = "$LDAP_ADMIN_PASSWORD";
+ searchBase = "ou=people,dc=stefanjunker,dc=de";
+ searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
+ useridField = "uid";
 };
 uploadsPath = "/var/lib/hedgedoc/uploads";
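Review bot: The `let port = ...; path = ...;` bindings in the `extraConfig` of the `${config.services.ddclientovh.domain}` vhost are never used in the `''...''` body, which contains only `redir` and `respond`, and `path` dereferences `settings.server.path`, which this same commit leaves commented out in the Authelia instance; either use them or drop the two bindings so evaluation does not depend on an option that may be unset. From a security standpoint the new `hedgedoc.*`, `authelia.*` and `lldap.*` vhosts are bare `reverse_proxy` blocks, so nothing is gated by the Authelia instance this commit deploys and the LLDAP administration UI is reachable by anyone who can reach Caddy; at least the `lldap` vhost should sit behind Caddy's `forward_auth` to Authelia or be limited to trusted clients. If the `domain = "www.stefanjunker.de";` context line at the top of the hunk is `services.ddclientovh.domain`, the new hosts become `hedgedoc.www.stefanjunker.de` and so on, which looks unintended and is worth confirming. The enclosing container definition starts before this hunk.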
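Review bot: `bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"` combined with `bindCredentials = "$LDAP_ADMIN_PASSWORD"` makes HedgeDoc bind to LLDAP as the directory administrator, so the HedgeDoc environment file now carries the LLDAP admin password and a compromise of the HedgeDoc process yields full write access to the directory. The `searchFilter` lookup only needs read access; a dedicated bind account placed in LLDAP's `lldap_strict_readonly` group, e.g. `bindDn = "uid=hedgedoc-bind,ou=people,dc=stefanjunker,dc=de";` with its own variable such as `bindCredentials = "$LDAP_HEDGEDOC_BIND_PASSWORD";` (names constructed), keeps the admin credential out of the HedgeDoc unit. The `# these are set via the `environmentFile`` comment now covers a single variable, so it could name it directly, `# $LDAP_ADMIN_PASSWORD comes from environmentFile`. The hunk's trailing context appears truncated in this rendering, so the lines after `uploadsPath` were not reviewed.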
@@ -102,6 +100,125 @@
 environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
 };
+
+ sops.secrets.authelia_storageEncryptionKey = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.authelia-default.name;
+ };
+
+ sops.secrets.authelia_jwtSecret = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.authelia-default.name;
+ };
+
+ services.authelia.instances.default = let
+ baseDir = "/var/lib/authelia-default";
+ in {
+ enable = true;
+ secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
+ secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
+ settings = {
+ theme = "auto";
+ default_2fa_method = "totp";
+ log.level = "debug";
+
+ server = {
+ disable_healthcheck = true;
+ host = "127.0.0.1";
+ port = 9091;
+ # path = "authelia";
+ };
+
+ storage = {
+ local.path = "${baseDir}/authelia.sqlite";
+ };
+
+ authentication_backend = {
+ file.path = "${baseDir}/first_factor.yaml";
+ file.search.email = true;
+ file.search.case_insensitive = false;
+ };
+
+ access_control = {
+ default_policy = "one_factor";
+ };
+
+ session.domain = "stefanjunker.de";
+
+ notifier = {
+ disable_startup_check = true;
+ filesystem.filename = "${baseDir}/notification.txt";
+ };
+ };
+ };
+
+ users.groups.lldap = {};
+ users.users.lldap = {
+ isSystemUser = true;
+ group = "lldap";
+ };
+
+ sops.secrets.lldap_jwtSecret = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ sops.secrets.lldap_adminPassword = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ sops.secrets.lldap_environmentFile = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ services.lldap = {
+ enable = true;
+ environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
+ LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
+ };
+ environmentFile = config.sops.secrets.lldap_environmentFile.path;
+
+ settings = {
+ verbose = false;
+
+ ldap_base_dn = "dc=stefanjunker,dc=de";
+ http_url = "https://lldap.${config.services.ddclientovh.domain}";
+
+ ## Options to configure SMTP parameters, to send password reset emails.
+ ## To set these options from environment variables, use the following format
+ ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+ smtp_options = {
+ ## Whether to enabled password reset via email, from LLDAP.
+ enable_password_reset = true;
+ ## The SMTP server.
+ # server = "ssl0.ovh.net";
+ server = "smtp.gmail.com";
+ ## The SMTP port.
+ # port = 465;
+ port = 587;
+ ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+ # smtp_encryption = "TLS";
+ smtp_encryption = "STARTTLS";
+ ## The SMTP user, usually your email address.
+ # user = "..."
+ ## The SMTP password.
+ #password="password"
+ ## The header field, optional: how the sender appears in the email. The first
+ ## is a free-form name, followed by an email between <>.
+ # from = "Postmaster ";
+ ## Same for reply-to, optional.
+ };
+
+ # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
+ };
+ };
+
+ systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
+ systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
+ systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
 };
 inherit autoStart;
@@ -125,9 +242,20 @@
 hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
 isReadOnly = false;
 };
+
+ "/var/lib/authelia-default" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default";
+ isReadOnly = false;
+ };
+
+ "/var/lib/lldap" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
+ isReadOnly = false;
+ };
 };
- extraFlags = ["--resolv-conf=bind-host"];
+ # extraFlags = ["--resolv-conf=bind-host"];
+ # networking.useHostResolvConf = true;
 privateNetwork = true;
 forwardPorts = [
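Review bot: The Authelia instance ships with `log.level = "debug"`, `server.disable_healthcheck = true`, `notifier.disable_startup_check = true` and a `notifier.filesystem` target, which are development settings: debug logging is far more verbose than a production identity service needs, and the filesystem notifier writes the one-time identity-verification and password-reset messages it would otherwise e-mail into `/var/lib/authelia-default/notification.txt`, so whoever can read that bind-mounted directory can complete those flows. For the deployed instance set `log.level = "info";` and either configure an `smtp` notifier or mark the filesystem notifier with a comment as temporary. It is also worth noting that `authentication_backend.file.path` points Authelia at a static users file although this same commit introduces LLDAP and moves HedgeDoc onto it; an `authentication_backend.ldap` block against `127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}` would keep a single source of identity. Nothing in the commit creates `first_factor.yaml`, so the instance presumably relies on a manually provisioned file in the volume — confirm and document that.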
diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml
index 9f8e118..1d6bceb 100644
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@@ -1,4 +1,10 @@
-hedgedoc_environment_file: ENC[AES256_GCM,data:yPR7lnSssSTc3lvN4fSI5UXIfZHL8bMS0lcHC61aBz2ozjkSOTVUgYOD5XJbijfMCW9UWKLvItboo/nd8iLb3S+/DX4XZfAq8Bt+ootKsneIj9rJgw7bH3HYQnzmtWoFjoXSmLM=,iv:CVbXTlAafaXpo5G6F5CtJiq2LDa/48972kRnGOmhDJI=,tag:FaoL/8SdspZWXbATXPOazg==,type:str]
+hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str]
+#ENC[AES256_GCM,data:3eEhIiTdW/55tBCzjoVPCONvNIQJHzWDhqUn11YH+jW1ZKTeh+uW7koqNtnI9RrwUfxTbDL7RQJqwbRtWRBc+AjK7/QYYWKVmmI8x/HWNwozskKa0A==,iv:sjTA04ZQvqUc6j2xB1FchJjdjP07P8VyZHCHKjNQ3tg=,tag:IhQVkleEqnTq6Kw8PA2mVg==,type:comment]
+authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str]
+authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str]
+lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str]
+lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str]
+lldap_environmentFile: ENC[AES256_GCM,data:Abm54WGZLuzSp9y41scQgGWjHkN4osmCUBjQF/+YvI6xWWhyg6kSl34Q0NfyVnE4Xz9Gw4bLEcIAqodiKw+pQdy8ZL+wUxOKdWLeWqs2BzNDFrx4UxnJFKr3mzPTyI7ZlU/s70BgmskbB5H9TCtE6VayvPgFNlzubMRAplD7Ow2Z+GQ1cYBOIj7ACzUvEGKus74lxTdZwIvVxYubm7dBlFtkyAUfJ+WNG22dgAHK32fyk3bicvW3YykexA68adDT8XTUm9eV9iZAvbTafjB1acjSRt21sfn7kfiTbXOpy5UaKU9xRix/33bx3uxET1kJH0U7gnqcr7ndF4hwv5/+zECPctxfCY3r+g==,iv:vbWQoc263u+RJTzHEn1EugZtlbqZcqVvbAqVaDriy1k=,tag:MzijifxaX7hRaUUVvOmFqA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -14,8 +20,8 @@ sops:
 eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
 KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-09T17:55:21Z"
- mac: ENC[AES256_GCM,data:RIJuExrlGxcMMY2oofqyC9tZxqi/Tnt548cfrVe6UZ7HthlkaU/XkzGH/tw7kk28iiV5fbDRycg3xuOsh30BuHwVzguEdOH5RU8GivAOxRbEr1vxdCUs6x5Zs7PcQktRXXIv6rjJ70uVIO34f15oVE8Ag5nlUHc3lZLabCWs7Ag=,iv:lVD903ph9Mx/wbwsPIcqJi9yfgmX97XNgGB7F6N7xOE=,tag:IhdYpIgV4UzVRtwUs4wf+Q==,type:str]
+ lastmodified: "2023-07-15T19:10:51Z"
+ mac: ENC[AES256_GCM,data:gxrb24cwDc9Mp/pEWktrTJFfkLY1yHsA7hLMUu1jQHmhBU7g3dYjvn4Ep4QVk0X8GjqL6CYL2j8PfX5WR5+PnwoQpbG52xwknBx5wRMMu5Z10QTAJTPjAzhwuO3Vr0SAAb8BRyyGBNsg8mr/xfQGrLY6u5MFICpRFNYh8XAWdDY=,iv:xqjRcYJVbeV+469dRldqF3fOrWogBiGvq+iL4dizvhk=,tag:QfVcROIxuv2E5eg0qaaQcw==,type:str]
 pgp:
 - created_at: "2023-07-09T17:51:27Z"
 enc: |-
diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml
index 63b3def..ad8635f 100644
--- a/secrets/servers/dyndns.yaml
+++ b/secrets/servers/dyndns.yaml
@@ -1,6 +1,5 @@
 dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str]
 dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str]
-dyndns_container-backup.svc.stefanjunker.de: ENC[AES256_GCM,data:eVRz5btXqtFwLfud,iv:D7QmO003/xgDytsU4a3dBuY2zalIHq/4+CwMkLwLVRA=,tag:fd4NZ/fOkBW1keMgqXkroA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -25,8 +24,8 @@ sops:
 Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO
 DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-01T21:10:42Z"
- mac: ENC[AES256_GCM,data:8peJxGulSe3XROk0uwjUeRJA3bY7LoR1xQB+D+NUCVFOjIqy8ROu9ZC+IAVxgDL0Y6jpO8Ob06qQ3yvGA1lgnLnDBQ9NeKLKI5KDBcY4mNChS3C5DsB7WlPZMrlp4u9dp+wbVnba6CFiSqCEvp1+D1gi6Da/QVdN/EY55Vv8l0s=,iv:GNxJf/cfA9NrhbEwzHTm/UH+jIMWBSSDF58eQjm4xd8=,tag:+WhthtHSUNzan+p9RNBD2Q==,type:str]
+ lastmodified: "2023-07-14T20:50:30Z"
+ mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
 pgp:
 - created_at: "2023-07-01T21:42:42Z"
 enc: |-