diff options
Diffstat (limited to 'lass/2configs/websites')
-rw-r--r-- | lass/2configs/websites/domsen.nix | 90 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 3 |
2 files changed, 68 insertions, 25 deletions
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index d5ad38c07..e05f40d97 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -1,9 +1,11 @@ { config, pkgs, lib, ... }: let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) genid - ; + genid_signed + ; inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) ssl servePage @@ -20,6 +22,25 @@ let exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" ''; + check-password = pkgs.writeDash "check-password" '' + read pw + + file="/home/$PAM_USER/.shadow" + + #check if shadow file exists + test -e "$file" || exit 123 + + hash="$(${pkgs.coreutils}/bin/head -1 $file)" + salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')" + + calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)" + if [ "$calc_hash" == $hash ]; then + exit 0 + else + exit 1 + fi + ''; + in { imports = [ ./sqlBackup.nix @@ -122,39 +143,62 @@ in { }; }; - - #services.phpfpm.phpOptions = '' - # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - # sendmail_path = ${sendmail} -t - #''; - services.phpfpm.phpIni = pkgs.runCommand "php.ini" { - options = '' - extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - sendmail_path = "${sendmail} -t -i" - always_populate_raw_post_data = -1 - ''; - } '' - cat ${pkgs.php}/etc/php-recommended.ini > $out - echo "$options" >> $out + services.phpfpm.phpOptions = '' + sendmail_path = ${sendmail} -t + upload_max_filesize = 100M + post_max_size = 100M + file_uploads = on ''; # MAIL STUFF # TODO: make into its own module - services.dovecot2 = { - enable = true; - mailLocation = "maildir:~/Mail"; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; } - { predicate = "-p tcp --dport imap"; target = "ACCEPT"; } - ]; + services.dovecot2 = { + enable = true; + mailLocation = "maildir:~/Mail"; + sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem"; + sslServerKey = "/var/lib/acme/lassul.us/key.pem"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } + { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } + ]; + + security.pam.services.exim.text = '' + auth required pam_env.so + auth sufficient pam_exec.so debug expose_authtok ${check-password} + auth sufficient pam_unix.so likeauth nullok + auth required pam_deny.so + account required pam_unix.so + password required pam_cracklib.so retry=3 type= + password sufficient pam_unix.so nullok use_authtok md5shadow + password required pam_deny.so + session required pam_limits.so + session required pam_unix.so + ''; + krebs.exim-smarthost = { + authenticators.PLAIN = '' + driver = plaintext + server_prompts = : + server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" + server_set_id = $auth2 + ''; + authenticators.LOGIN = '' + driver = plaintext + server_prompts = "Username:: : Password::" + server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" + server_set_id = $auth1 + ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } + { from = "testuser@lassul.us"; to = "testuser"; } ]; system-aliases = [ ]; + ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/lassul.us/key.pem"; }; users.users.domsen = { diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 330d8ba86..23f417195 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -167,7 +167,6 @@ rec { pm.max_spare_servers = 3 listen.owner = nginx listen.group = nginx - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes @@ -188,6 +187,7 @@ rec { error_log /tmp/nginx_err.log; error_page 404 /404.html; error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; ''; locations = [ (nameValuePair "/" '' @@ -219,7 +219,6 @@ rec { pm.max_spare_servers = 3 listen.owner = nginx listen.group = nginx - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes |