summaryrefslogtreecommitdiffstats
path: root/lass/2configs/websites/domsen.nix
diff options
context:
space:
mode:
Diffstat (limited to 'lass/2configs/websites/domsen.nix')
-rw-r--r--lass/2configs/websites/domsen.nix71
1 files changed, 62 insertions, 9 deletions
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index f500b8261..2f93c1f9c 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,9 +1,11 @@
{ config, pkgs, lib, ... }:
let
+
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid
- ;
+ genid_signed
+ ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl
servePage
@@ -20,6 +22,25 @@ let
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
+ check-password = pkgs.writeDash "check-password" ''
+ read pw
+
+ file="/home/$PAM_USER/.shadow"
+
+ #check if shadow file exists
+ test -e "$file" || exit 123
+
+ hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+ salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+ calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+ if [ "$calc_hash" == $hash ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ '';
+
in {
imports = [
./sqlBackup.nix
@@ -143,21 +164,53 @@ in {
# MAIL STUFF
# TODO: make into its own module
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Mail";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
- ];
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+ ];
+
+ security.pam.services.exim.text = ''
+ auth required pam_env.so
+ auth sufficient pam_exec.so debug expose_authtok ${check-password}
+ auth sufficient pam_unix.so likeauth nullok
+ auth required pam_deny.so
+ account required pam_unix.so
+ password required pam_cracklib.so retry=3 type=
+ password sufficient pam_unix.so nullok use_authtok md5shadow
+ password required pam_deny.so
+ session required pam_limits.so
+ session required pam_unix.so
+ '';
+
krebs.exim-smarthost = {
+ authenticators.PLAIN = ''
+ driver = plaintext
+ server_prompts = :
+ server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+ server_set_id = $auth2
+ '';
+ authenticators.LOGIN = ''
+ driver = plaintext
+ server_prompts = "Username:: : Password::"
+ server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+ server_set_id = $auth1
+ '';
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
+ { from = "testuser@lassul.us"; to = "testuser"; }
];
system-aliases = [
];
+ ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
users.users.domsen = {