WIP: feat/automated-account-deletion #174

Draft
b12f wants to merge 23 commits from feat/automated-account-deletion into main
14 changed files with 269 additions and 269 deletions


@ -7,6 +7,7 @@
./networking.nix
./wireguard.nix
./email.nix
#./backups.nix
];
}

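--- a/hosts/metronom/email.nix
+++ b/hosts/metronom/email.nix
@@ -0,0 +1,45 @@
+{ config, flake, ... }: {
+age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
+age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
+age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
+age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
+age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
+age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
+age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
+mailserver = {
+# A list of all login accounts. To create the password hashes, use
+# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
+loginAccounts = {
+"admins@${config.pub-solar-os.networking.domain}" = {
+hashedPasswordFile = config.age.secrets.mail-admins.path;
+};
+"hakkonaut@${config.pub-solar-os.networking.domain}" = {
+hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
+};
+"hensoko@pub.solar" = {
+hashedPasswordFile = config.age.secrets.mail-hensoko.path;
+quota = "2G";
+};
+"teutat3s@pub.solar" = {
+hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
+quota = "2G";
+};
+"bot@pub.solar" = {
+hashedPasswordFile = config.age.secrets.mail-bot.path;
+quota = "2G";
+aliases = [ "hackernews-bot@pub.solar" ];
+};
+"crew@pub.solar" = {
+hashedPasswordFile = config.age.secrets.mail-crew.path;
+quota = "2G";
+aliases = [ "moderation@pub.solar" ];
+};
+"erpnext@pub.solar" = {
+hashedPasswordFile = config.age.secrets.mail-erpnext.path;
+quota = "2G";
+};
+};
+};
+}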
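Review bot: The five personal and service accounts (`hensoko@pub.solar`, `teutat3s@pub.solar`, `bot@pub.solar`, `crew@pub.solar`, `erpnext@pub.solar`) and their aliases are keyed on the literal domain, while `admins@` and `hakkonaut@` use `${config.pub-solar-os.networking.domain}`; the shared mail module in this PR serves only `domains = [ config.pub-solar-os.networking.domain ]`, so on any host where that option is not exactly `pub.solar` these five mailboxes are declared for a domain the server does not accept. Use the option for all seven keys and the alias lists, e.g. `"hensoko@${config.pub-solar-os.networking.domain}" = {`. The two option-based entries also set no `quota` while the others set `2G`; if the shared module's definition is meant to supply it, a comment such as `# quota and aliases for these two come from modules/mail` would stop the next reader from adding a duplicate.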


@ -1,53 +0,0 @@
{ flake, lib, ... }:
{
imports = [
./backups.nix
./apps/nginx.nix
./apps/collabora.nix
./apps/coturn.nix
./apps/forgejo.nix
./apps/keycloak.nix
./apps/mailman.nix
./apps/mastodon.nix
./apps/mediawiki.nix
./apps/nextcloud.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix
./apps/nginx-prometheus-exporters.nix
./apps/nginx-website.nix
./apps/nginx-website-miom.nix
./apps/opensearch.nix
./apps/owncast.nix
./apps/postgresql.nix
./apps/prometheus-exporters.nix
./apps/promtail.nix
./apps/searx.nix
./apps/tmate.nix
./apps/matrix/irc.nix
./apps/matrix/mautrix-telegram.nix
./apps/matrix/synapse.nix
./apps/nginx-matrix.nix
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
security.acme.preliminarySelfsigned = true;
networking.useDHCP = true;
networking.interfaces."enp35s0".ipv4.addresses = [
{
address = "10.0.0.1";
prefixLength = 26;
}
];
networking.interfaces."enp35s0".ipv6.addresses = [
{
address = "2a01:4f8:172:1c25::1";
prefixLength = 64;
}
];
}


@ -1,62 +1,28 @@
{ config, flake, ... }:
{
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
{ config, ... }: {
mailserver = {
enable = true;
fqdn = "mail.pub.solar";
domains = [ "pub.solar" ];
fqdn = "mail.${config.pub-solar-os.networking.domain}";
domains = [ config.pub-solar-os.networking.domain ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
loginAccounts = {
"hensoko@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
quota = "2G";
};
"teutat3s@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
quota = "2G";
};
"admins@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-admins.path;
"admins@${config.pub-solar-os.networking.domain}" = {
quota = "2G";
aliases = [
"abuse@pub.solar"
"alerts@pub.solar"
"forgejo@pub.solar"
"keycloak@pub.solar"
"mastodon-notifications@pub.solar"
"matrix@pub.solar"
"postmaster@pub.solar"
"nextcloud@pub.solar"
"no-reply@pub.solar"
"security@pub.solar"
"abuse@${config.pub-solar-os.networking.domain}"
"alerts@${config.pub-solar-os.networking.domain}"
"forgejo@${config.pub-solar-os.networking.domain}"
"keycloak@${config.pub-solar-os.networking.domain}"
"mastodon-notifications@${config.pub-solar-os.networking.domain}"
"matrix@${config.pub-solar-os.networking.domain}"
"postmaster@${config.pub-solar-os.networking.domain}"
"nextcloud@${config.pub-solar-os.networking.domain}"
"no-reply@${config.pub-solar-os.networking.domain}"
"security@${config.pub-solar-os.networking.domain}"
];
};
"bot@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-bot.path;
quota = "2G";
aliases = [ "hackernews-bot@pub.solar" ];
};
"crew@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-crew.path;
quota = "2G";
aliases = [ "moderation@pub.solar" ];
};
"erpnext@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-erpnext.path;
quota = "2G";
};
"hakkonaut@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
quota = "2G";
};
};
@ -66,5 +32,5 @@
certificateScheme = "acme-nginx";
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "security@pub.solar";
security.acme.defaults.email = "security@${config.pub-solar-os.networking.domain}";
}
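Review bot: The `admins@` and `hakkonaut@` entries in the shared module now carry only `quota`/`aliases` and no `hashedPasswordFile`, so every host importing this module must supply the credential itself (metronom's email.nix and the test's mail-server.nix do in this PR). A host that imports the module without doing so ends up with either an evaluation error or an account with no usable credential, depending on how simple-nixos-mailserver treats a missing hash — worth pinning down with an assertion, or at least a comment above `loginAccounts`: `# hashedPasswordFile for these accounts is provided per host (hosts/*/email.nix); this module only declares quota and aliases`. The ACME contact `security@${config.pub-solar-os.networking.domain}` now follows the option too, which is fine as long as that mailbox exists on every domain the option takes.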


@ -1,5 +1,6 @@
{
self,
system,
pkgs,
lib,
config,
@ -20,21 +21,10 @@ in
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
nodes = {
acme-server = {
imports = [
self.nixosModules.home-manager
self.nixosModules.core
./support/ca.nix
];
};
client = {
imports = [
self.nixosModules.home-manager
self.nixosModules.core
./support/client.nix
];
};
dns-server.imports = [ ./support/dns-server.nix ];
acme-server.imports = [ ./support/acme-server.nix ];
mail-server.imports = [ ./support/mail-server.nix ];
client.imports = [ ./support/client.nix ];
nachtigall = {
imports = [
@ -57,63 +47,30 @@ in
database-password-file = "/tmp/dbf";
};
services.keycloak.database.createLocally = true;
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.3";
prefixLength = 32;
}
];
services.keycloak.initialAdminPassword = "password";
};
};
testScript =
{ ... }: ''
testScript = { ... }: ''
def puppeteer_run(cmd):
client.succeed(f'puppeteer-run \'{cmd}\' ')
start_all()
acme_server.wait_for_unit("system.slice")
mail_server.wait_for_unit("dovecot2.service")
mail_server.wait_for_unit("postfix.service")
nachtigall.wait_for_unit("system.slice")
nachtigall.succeed("ping 127.0.0.1 -c 2")
nachtigall.wait_for_unit("nginx.service")
nachtigall.systemctl("stop keycloak.service")
nachtigall.wait_until_succeeds("if (($(ps aux | grep 'Dkc.home.dir=/run/keycloak' | grep -v grep | wc -l) == 0)); then true; else false; fi")
nachtigall.succeed("${pkgs.keycloak}/bin/kc.sh --verbose import --optimized --file=${realm-export}")
nachtigall.systemctl("start keycloak.service")
nachtigall.sleep(30)
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
nachtigall.succeed("${pkgs.keycloak}/bin/kcadm.sh create realms -f ${realm-export} --server http://localhost:8080 --realm master --user admin --password password --no-config")
client.wait_for_unit("system.slice")
client.wait_for_file("/tmp/puppeteer.sock")
puppeteer_run('page.goto("https://auth.test.pub.solar/admin/master/console")')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-initial")
puppeteer_run('page.locator("[name=username]").fill("admin")')
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-password")
puppeteer_run('page.locator("[name=password]").fill("password")')
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-login")
puppeteer_run('page.locator("::-p-text(Realm settings)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-theme")
puppeteer_run('page.locator("::-p-text(Themes)").click()')
puppeteer_run('page.waitForNetworkIdle()')
puppeteer_run('page.locator("#kc-login-theme").click()')
client.screenshot("admin-theme-changed")
puppeteer_run('page.locator("li button::-p-text(pub.solar)").click()')
puppeteer_run('page.locator("::-p-text(Save)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-theme-saved")
puppeteer_run('page.goto("https://auth.test.pub.solar")')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("initial")
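Review bot: The new `kcadm.sh create realms ... --user admin --password password` call runs right after `wait_until_succeeds("curl http://127.0.0.1:8080/")` and `curl https://auth.test.pub.solar/`, but without `-f` curl exits 0 on any HTTP status, so both waits are satisfied by an nginx 502/503 while Keycloak is still starting and the realm import races startup; the `sleep(30)` just before them looks like a workaround for exactly that. Use `nachtigall.wait_until_succeeds("curl -fsS http://127.0.0.1:8080/realms/master")` and the same `-fsS` for the public URL, then drop the sleep. Passing the admin password on the command line is acceptable only because it is the test fixture `initialAdminPassword = "password"`; the `testScript` string continues past the end of this hunk.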


@ -1,21 +1,19 @@
{
flake,
pkgs,
lib,
config,
...
}:
{
imports = [ ./global.nix ];
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ];
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.1";
prefixLength = 32;
}
];
services.step-ca =
let
certificates = pkgs.stdenv.mkDerivation {


@ -1,4 +1,5 @@
{
flake,
pkgs,
lib,
config,
@ -9,7 +10,11 @@ let
puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { });
in
{
imports = [ ./global.nix ];
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
security.polkit.enable = true;
@ -41,11 +46,4 @@ in
};
};
};
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.2";
prefixLength = 32;
}
];
}


@ -0,0 +1,70 @@
{
config,
flake,
lib,
...
}: {
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
networking.nameservers = lib.mkForce [
"193.110.81.0" #dns0.eu
"2a0f:fc80::" #dns0.eu
"185.253.5.0" #dns0.eu
"2a0f:fc81::" #dns0.eu
];
services.resolved.enable = lib.mkForce false;
networking.firewall.allowedUDPPorts = [53];
networking.firewall.allowedTCPPorts = [53];
networking.interfaces.eth1.ipv4.addresses = [
{
address = "192.168.1.254";
prefixLength = 32;
}
];
services.unbound = {
enable = true;
settings = {
server = {
interface = [
"192.168.1.254"
];
access-control = [
"0.0.0.0/0 allow"
];
local-zone = [
"\"pub.solar\" transparent"
];
local-data = [
"\"mail.${config.pub-solar-os.networking.domain}. 10800 IN CNAME mail-server\""
"\"ca.${config.pub-solar-os.networking.domain}. 10800 IN CNAME acme-server\""
"\"${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
"\"www.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
"\"auth.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
forward-zone = [
{
name = ".";
forward-addr = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
forward-tls-upstream = "yes";
}
];
};
};
}
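Review bot: The `local-data` CNAME targets `mail-server`, `acme-server` and `nachtigall` are bare test-node hostnames; unbound resolves a CNAME target through DNS (here the `forward-zone` to dns0.eu), not through the node's `/etc/hosts`, so a client asking for `mail.<domain>` most likely receives the CNAME and then NXDOMAIN or a timeout for the target, and inside the NixOS test sandbox the upstream forwarders are not reachable in any case. Either publish A records pointing at the addresses the test driver assigns, or add matching entries such as `"\"mail-server. 10800 IN A 192.168.1.X\""` next to the CNAMEs. `access-control = [ "0.0.0.0/0 allow" ]` makes this an open recursive resolver, which is tolerable only because the test VLAN is isolated — say so in a comment so the block is not copied into a host config — and `local-zone` still hard-codes `"pub.solar"` while `local-data` uses the domain option.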


@ -23,28 +23,13 @@
security.pam.services.sshd.allowNullPassword = true;
virtualisation.forwardPorts =
let
address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3;
in
[
{
from = "host";
host.port = 2000 + (lib.strings.toInt lastAddressPart);
guest.port = 22;
}
];
services.resolved.extraConfig = lib.mkForce ''
DNS=192.168.1.254
Domains=~.
'';
networking.interfaces.eth0.useDHCP = false;
networking.hosts = {
"192.168.1.1" = [ "ca.${config.pub-solar-os.networking.domain}" ];
"192.168.1.2" = [ "client.${config.pub-solar-os.networking.domain}" ];
"192.168.1.3" = [
"${config.pub-solar-os.networking.domain}"
"www.${config.pub-solar-os.networking.domain}"
"auth.${config.pub-solar-os.networking.domain}"
environment.systemPackages = [
pkgs.dig
];
};
}
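Review bot: `DNS=192.168.1.254` in `services.resolved.extraConfig` hard-codes the dns-server node's eth1 address, which support/dns-server.nix also spells out literally for `networking.interfaces.eth1` and unbound's `interface`; keep it in one place (a small shared constant both files import) so the two cannot drift. Because dns-server.nix imports global.nix as well, this resolved override only stays inert there through that module's `services.resolved.enable = lib.mkForce false` — a one-line comment here, `# dns-server.nix disables resolved and runs unbound on this address instead`, would make the dependency visible. `Domains=~.` deliberately routes every lookup to the test resolver, which is the intent for the fixture and worth stating next to it.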


@ -2,4 +2,4 @@
1. Export realm settings from keycloak, you'll get a file called `realm-export.json`.
2. Install dependencies for this package: `npm ci`
3. Clean the exported file: `npm start $downloadedExportJSON > realm-export.json
3. Clean the exported file: `node src/index.mjs $downloadedExportJSON > realm-export.json


@ -1,6 +1,6 @@
{
"id": "8cd6ddbb-d0d3-40ff-9f1e-efdfce05fa6e",
"realm": "test.test.pub.solar",
"realm": "test.pub.solar",
"notBefore": 0,
"defaultSignatureAlgorithm": "RS256",
"revokeRefreshToken": false,
@ -57,7 +57,7 @@
},
{
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
"name": "default-roles-test.test.pub.solar",
"name": "default-roles-test.pub.solar",
"description": "${role_default-roles}",
"composite": true,
"composites": {
@ -434,7 +434,7 @@
"groups": [],
"defaultRole": {
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
"name": "default-roles-test.test.pub.solar",
"name": "default-roles-test.pub.solar",
"description": "${role_default-roles}",
"composite": true,
"clientRole": false,
@ -494,7 +494,7 @@
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"default-roles-test.test.pub.solar"
"default-roles-test.pub.solar"
],
"clientRoles": {
"realm-management": [
@ -533,7 +533,7 @@
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"default-roles-test.test.pub.solar"
"default-roles-test.pub.solar"
],
"clientRoles": {
"matrix": [
@ -571,13 +571,13 @@
"description": "",
"rootUrl": "${authBaseUrl}",
"adminUrl": "",
"baseUrl": "/realms/test.test.pub.solar/account/",
"baseUrl": "/realms/test.pub.solar/account/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"/realms/test.test.pub.solar/account/*"
"/realms/test.pub.solar/account/*"
],
"webOrigins": [],
"notBefore": 0,
@ -628,13 +628,13 @@
"description": "",
"rootUrl": "${authBaseUrl}",
"adminUrl": "",
"baseUrl": "/realms/test.test.pub.solar/account/",
"baseUrl": "/realms/test.pub.solar/account/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"/realms/test.test.pub.solar/account/*"
"/realms/test.pub.solar/account/*"
],
"webOrigins": [],
"notBefore": 0,
@ -829,19 +829,19 @@
"clientId": "gitea",
"name": "",
"description": "",
"rootUrl": "https://git.test.test.pub.solar",
"adminUrl": "https://git.test.test.pub.solar",
"baseUrl": "https://git.test.test.pub.solar",
"rootUrl": "https://git.test.pub.solar",
"adminUrl": "https://git.test.pub.solar",
"baseUrl": "https://git.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://git.test.test.pub.solar/*"
"https://git.test.pub.solar/*"
],
"webOrigins": [
"https://git.test.test.pub.solar"
"https://git.test.pub.solar"
],
"notBefore": 0,
"bearerOnly": false,
@ -889,9 +889,9 @@
"id": "b016fab5-bced-404a-93ba-c084d360701f",
"clientId": "grafana",
"name": "",
"description": "https://grafana.test.test.pub.solar",
"rootUrl": "https://grafana.test.test.pub.solar",
"adminUrl": "https://grafana.test.test.pub.solar",
"description": "https://grafana.test.pub.solar",
"rootUrl": "https://grafana.test.pub.solar",
"adminUrl": "https://grafana.test.pub.solar",
"baseUrl": "/login/generic_oauth",
"surrogateAuthRequired": false,
"enabled": true,
@ -899,10 +899,10 @@
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://grafana.test.test.pub.solar/login/generic_oauth"
"https://grafana.test.pub.solar/login/generic_oauth"
],
"webOrigins": [
"https://grafana.test.test.pub.solar"
"https://grafana.test.pub.solar"
],
"notBefore": 0,
"bearerOnly": false,
@ -945,9 +945,9 @@
"clientId": "mastodon",
"name": "mastodon",
"description": "",
"rootUrl": "https://mastodon.test.test.pub.solar",
"rootUrl": "https://mastodon.test.pub.solar",
"adminUrl": "",
"baseUrl": "https://mastodon.test.test.pub.solar",
"baseUrl": "https://mastodon.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
@ -955,10 +955,10 @@
"secret": "secret",
"redirectUris": [
"",
"https://mastodon.test.test.pub.solar/auth/auth/openid_connect/callback"
"https://mastodon.test.pub.solar/auth/auth/openid_connect/callback"
],
"webOrigins": [
"https://mastodon.test.test.pub.solar/auth/openid_connect/callback"
"https://mastodon.test.pub.solar/auth/openid_connect/callback"
],
"notBefore": 0,
"bearerOnly": false,
@ -1006,17 +1006,17 @@
"clientId": "matrix",
"name": "",
"description": "",
"rootUrl": "https://chat.test.test.pub.solar",
"rootUrl": "https://chat.test.pub.solar",
"adminUrl": "",
"baseUrl": "https://chat.test.test.pub.solar",
"baseUrl": "https://chat.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback",
"https://matrix.test.test.test.pub.solar/_synapse/client/oidc/callback"
"https://matrix.test.pub.solar/_synapse/client/oidc/callback",
"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback"
],
"webOrigins": [],
"notBefore": 0,
@ -1038,7 +1038,7 @@
"tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://chat.test.test.pub.solar/_synapse/client/oidc/backchannel_logout",
"backchannel.logout.url": "https://chat.test.pub.solar/_synapse/client/oidc/backchannel_logout",
"client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
@ -1111,9 +1111,9 @@
"clientId": "matrix-authentication-service",
"name": "",
"description": "Used for our hosted https://github.com/matrix-org/matrix-authentication-service",
"rootUrl": "https://matrix.test.test.pub.solar/",
"adminUrl": "https://matrix.test.test.pub.solar/",
"baseUrl": "https://matrix.test.test.pub.solar/",
"rootUrl": "https://matrix.test.pub.solar/",
"adminUrl": "https://matrix.test.pub.solar/",
"baseUrl": "https://matrix.test.pub.solar/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
@ -1166,19 +1166,19 @@
"clientId": "mediawiki",
"name": "",
"description": "",
"rootUrl": "https://wiki.test.test.pub.solar",
"adminUrl": "https://wiki.test.test.pub.solar",
"baseUrl": "https://wiki.test.test.pub.solar",
"rootUrl": "https://wiki.test.pub.solar",
"adminUrl": "https://wiki.test.pub.solar",
"baseUrl": "https://wiki.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://wiki.test.test.pub.solar/*"
"https://wiki.test.pub.solar/*"
],
"webOrigins": [
"https://wiki.test.test.pub.solar"
"https://wiki.test.pub.solar"
],
"notBefore": 0,
"bearerOnly": false,
@ -1221,19 +1221,19 @@
"clientId": "nextcloud",
"name": "",
"description": "",
"rootUrl": "https://cloud.test.test.pub.solar",
"adminUrl": "https://cloud.test.test.pub.solar",
"baseUrl": "https://cloud.test.test.pub.solar",
"rootUrl": "https://cloud.test.pub.solar",
"adminUrl": "https://cloud.test.pub.solar",
"baseUrl": "https://cloud.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://cloud.test.test.pub.solar/apps/user_oidc/code"
"https://cloud.test.pub.solar/apps/user_oidc/code"
],
"webOrigins": [
"https://cloud.test.test.pub.solar"
"https://cloud.test.pub.solar"
],
"notBefore": 0,
"bearerOnly": false,
@ -1247,14 +1247,14 @@
"protocol": "openid-connect",
"attributes": {
"client.secret.creation.time": 1724762383467,
"post.logout.redirect.uris": "https://cloud.test.test.pub.solar##https://cloud.test.test.pub.solar/##https://cloud.test.test.pub.solar/*",
"post.logout.redirect.uris": "https://cloud.test.pub.solar##https://cloud.test.pub.solar/##https://cloud.test.pub.solar/*",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://cloud.test.test.pub.solar/apps/user_oidc/backchannel-logout/test.test.pub.solar%20ID",
"backchannel.logout.url": "https://cloud.test.pub.solar/apps/user_oidc/backchannel-logout/test.pub.solar%20ID",
"client_credentials.use_refresh_token": "false",
"require.pushed.authorization.requests": "false",
"acr.loa.map": "{}",
@ -1283,16 +1283,16 @@
"clientId": "openbikesensor-portal",
"name": "",
"description": "",
"rootUrl": "https://obs-portal.test.test.pub.solar",
"rootUrl": "https://obs-portal.test.pub.solar",
"adminUrl": "",
"baseUrl": "https://obs-portal.test.test.pub.solar",
"baseUrl": "https://obs-portal.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://obs-portal.test.test.pub.solar/*"
"https://obs-portal.test.pub.solar/*"
],
"webOrigins": [
"+"
@ -1382,13 +1382,13 @@
"clientId": "security-admin-console",
"name": "${client_security-admin-console}",
"rootUrl": "${authAdminUrl}",
"baseUrl": "/admin/test.test.pub.solar/console/",
"baseUrl": "/admin/test.pub.solar/console/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"/admin/test.test.pub.solar/console/*"
"/admin/test.pub.solar/console/*"
],
"webOrigins": [
"+"
@ -1498,19 +1498,19 @@
"clientId": "tt-rss",
"name": "tt-rss",
"description": "",
"rootUrl": "https://rss.test.test.pub.solar",
"adminUrl": "https://rss.test.test.pub.solar",
"baseUrl": "https://rss.test.test.pub.solar",
"rootUrl": "https://rss.test.pub.solar",
"adminUrl": "https://rss.test.pub.solar",
"baseUrl": "https://rss.test.pub.solar",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "secret",
"redirectUris": [
"https://rss.test.test.pub.solar"
"https://rss.test.pub.solar"
],
"webOrigins": [
"https://rss.test.test.pub.solar"
"https://rss.test.pub.solar"
],
"notBefore": 0,
"bearerOnly": false,
@ -2095,23 +2095,23 @@
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
"smtpServer": {
"password": "**********",
"replyToDisplayName": "test.test.pub.solar Support",
"password": "password",
"replyToDisplayName": "test.pub.solar Support",
"starttls": "false",
"auth": "true",
"port": "465",
"replyTo": "admins@test.test.pub.solar",
"host": "mail.test.test.pub.solar",
"from": "keycloak@test.test.pub.solar",
"fromDisplayName": "test.test.pub.solar ID",
"replyTo": "admins@test.pub.solar",
"host": "mail.test.pub.solar",
"from": "keycloak@test.pub.solar",
"fromDisplayName": "test.pub.solar ID",
"envelopeFrom": "",
"ssl": "true",
"user": "admins@test.test.pub.solar"
"user": "admins@test.pub.solar"
},
"loginTheme": "test.test.pub.solar",
"accountTheme": "test.test.pub.solar",
"adminTheme": "test.test.pub.solar",
"emailTheme": "test.test.pub.solar",
"loginTheme": "pub.solar",
"accountTheme": "pub.solar",
"adminTheme": "pub.solar",
"emailTheme": "pub.solar",
"eventsEnabled": false,
"eventsListeners": [
"jboss-logging"


@ -60,11 +60,23 @@ const changeIds = (node) => {
return node;
};
const setExtra = (data) => ({
...data,
loginTheme: "pub.solar",
accountTheme: "pub.solar",
adminTheme: "pub.solar",
emailTheme: "pub.solar",
smtpServer: {
...data.smtpServer,
password: "password",
},
});
(async () => {
const fileContents = await readFile(filePath, { encoding: 'utf8' });
const data = JSON.parse(renameDomain(fileContents));
const newData = changeIds(cleanClients(data));
const newData = setExtra(changeIds(cleanClients(data)));
console.log(JSON.stringify(newData, null, 2));
})();
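Review bot: `setExtra` writes the literal `password: "password"` into `smtpServer` with no hint of what it has to agree with; the test mail server authenticates against a bcrypt hash of that same string (its tmpfiles rule is annotated `# password is password`), so a change on either side breaks SMTP in the Keycloak test without any obvious error. Add `// SMTP password for the test fixture only; must verify against the bcrypt hash in tests/support/mail-server.nix` above `smtpServer`. The four theme overrides deserve a line as well, e.g. `// test realm uses the shared pub.solar theme, not the realm-named one`. `cleanClients` and `renameDomain` are defined outside this hunk and remain the only thing keeping real client secrets out of the committed export; this addition relies on them.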


@ -0,0 +1,27 @@
{
config,
flake,
...
}: {
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
flake.self.nixosModules.mail
flake.inputs.simple-nixos-mailserver.nixosModule
./global.nix
];
# password is password
systemd.tmpfiles.rules = [ "f /tmp/emailpw 1777 root root 10d $2b$11$NV75HGZzMcIwrnVUZKXtxexX9DN52HayDW4eKrD1A8O3uIPnCquQ2" ];
mailserver = {
loginAccounts = {
"admins@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = "/tmp/emailpw";
};
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = "/tmp/emailpw";
};
};
};
}
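Review bot: The tmpfiles rule `f /tmp/emailpw 1777 root root 10d <hash>` creates a world-writable file (the sticky bit has no effect on a regular file), so any process in the VM can replace the bcrypt hash before the mail server reads it; a test fixture does not need that, and `0400 root root` documents the intent without changing the test. `# password is password` is also the only link to the Keycloak realm export's `smtpServer.password`, so make it explicit: `# bcrypt of "password"; must match smtpServer.password in the keycloak test's realm-export.json`. Both accounts sharing one credential file is fine here but worth a word so it is not read as a production layout.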


@ -14,13 +14,7 @@
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
nodes = {
acme-server = {
imports = [
self.nixosModules.home-manager
self.nixosModules.core
./support/ca.nix
];
};
acme-server.imports = [ ./support/acme-server.nix ];
nachtigall = {
imports = [