summaryrefslogtreecommitdiffstats
path: root/lass/2configs/websites
diff options
context:
space:
mode:
Diffstat (limited to 'lass/2configs/websites')
-rw-r--r--lass/2configs/websites/domsen.nix90
-rw-r--r--lass/2configs/websites/util.nix3
2 files changed, 68 insertions, 25 deletions
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index d5ad38c07..e05f40d97 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,9 +1,11 @@
{ config, pkgs, lib, ... }:
let
+
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid
- ;
+ genid_signed
+ ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl
servePage
@@ -20,6 +22,25 @@ let
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
+ check-password = pkgs.writeDash "check-password" ''
+ read pw
+
+ file="/home/$PAM_USER/.shadow"
+
+ #check if shadow file exists
+ test -e "$file" || exit 123
+
+ hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+ salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+ calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+ if [ "$calc_hash" == $hash ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ '';
+
in {
imports = [
./sqlBackup.nix
@@ -122,39 +143,62 @@ in {
};
};
-
- #services.phpfpm.phpOptions = ''
- # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- # sendmail_path = ${sendmail} -t
- #'';
- services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
- options = ''
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- sendmail_path = "${sendmail} -t -i"
- always_populate_raw_post_data = -1
- '';
- } ''
- cat ${pkgs.php}/etc/php-recommended.ini > $out
- echo "$options" >> $out
+ services.phpfpm.phpOptions = ''
+ sendmail_path = ${sendmail} -t
+ upload_max_filesize = 100M
+ post_max_size = 100M
+ file_uploads = on
'';
# MAIL STUFF
# TODO: make into its own module
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Mail";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
- ];
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+ ];
+
+ security.pam.services.exim.text = ''
+ auth required pam_env.so
+ auth sufficient pam_exec.so debug expose_authtok ${check-password}
+ auth sufficient pam_unix.so likeauth nullok
+ auth required pam_deny.so
+ account required pam_unix.so
+ password required pam_cracklib.so retry=3 type=
+ password sufficient pam_unix.so nullok use_authtok md5shadow
+ password required pam_deny.so
+ session required pam_limits.so
+ session required pam_unix.so
+ '';
+
krebs.exim-smarthost = {
+ authenticators.PLAIN = ''
+ driver = plaintext
+ server_prompts = :
+ server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+ server_set_id = $auth2
+ '';
+ authenticators.LOGIN = ''
+ driver = plaintext
+ server_prompts = "Username:: : Password::"
+ server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+ server_set_id = $auth1
+ '';
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
+ { from = "testuser@lassul.us"; to = "testuser"; }
];
system-aliases = [
];
+ ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
users.users.domsen = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 330d8ba86..23f417195 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -167,7 +167,6 @@ rec {
pm.max_spare_servers = 3
listen.owner = nginx
listen.group = nginx
- # errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
@@ -188,6 +187,7 @@ rec {
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
+ client_max_body_size 100m;
'';
locations = [
(nameValuePair "/" ''
@@ -219,7 +219,6 @@ rec {
pm.max_spare_servers = 3
listen.owner = nginx
listen.group = nginx
- # errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes