WIP: feat/automated-account-deletion #174
|
@ -7,6 +7,7 @@
|
|||
|
||||
./networking.nix
|
||||
./wireguard.nix
|
||||
./email.nix
|
||||
#./backups.nix
|
||||
];
|
||||
}
|
||||
|
|
45
hosts/metronom/email.nix
Normal file
45
hosts/metronom/email.nix
Normal file
|
@ -0,0 +1,45 @@
|
|||
{ config, flake, ... }: {
|
||||
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
|
||||
age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
|
||||
age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
|
||||
age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
|
||||
age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
|
||||
age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
|
||||
age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
|
||||
|
||||
mailserver = {
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
|
||||
loginAccounts = {
|
||||
"admins@${config.pub-solar-os.networking.domain}" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-admins.path;
|
||||
};
|
||||
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
|
||||
};
|
||||
|
||||
"hensoko@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
|
||||
quota = "2G";
|
||||
};
|
||||
"teutat3s@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
|
||||
quota = "2G";
|
||||
};
|
||||
"bot@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-bot.path;
|
||||
quota = "2G";
|
||||
aliases = [ "hackernews-bot@pub.solar" ];
|
||||
};
|
||||
"crew@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-crew.path;
|
||||
quota = "2G";
|
||||
aliases = [ "moderation@pub.solar" ];
|
||||
};
|
||||
"erpnext@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-erpnext.path;
|
||||
quota = "2G";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
{ flake, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./backups.nix
|
||||
./apps/nginx.nix
|
||||
|
||||
./apps/collabora.nix
|
||||
./apps/coturn.nix
|
||||
./apps/forgejo.nix
|
||||
./apps/keycloak.nix
|
||||
./apps/mailman.nix
|
||||
./apps/mastodon.nix
|
||||
./apps/mediawiki.nix
|
||||
./apps/nextcloud.nix
|
||||
./apps/nginx-mastodon.nix
|
||||
./apps/nginx-mastodon-files.nix
|
||||
./apps/nginx-prometheus-exporters.nix
|
||||
./apps/nginx-website.nix
|
||||
./apps/nginx-website-miom.nix
|
||||
./apps/opensearch.nix
|
||||
./apps/owncast.nix
|
||||
./apps/postgresql.nix
|
||||
./apps/prometheus-exporters.nix
|
||||
./apps/promtail.nix
|
||||
./apps/searx.nix
|
||||
./apps/tmate.nix
|
||||
|
||||
./apps/matrix/irc.nix
|
||||
./apps/matrix/mautrix-telegram.nix
|
||||
./apps/matrix/synapse.nix
|
||||
./apps/nginx-matrix.nix
|
||||
];
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
|
||||
networking.useDHCP = true;
|
||||
networking.interfaces."enp35s0".ipv4.addresses = [
|
||||
{
|
||||
address = "10.0.0.1";
|
||||
prefixLength = 26;
|
||||
}
|
||||
];
|
||||
networking.interfaces."enp35s0".ipv6.addresses = [
|
||||
{
|
||||
address = "2a01:4f8:172:1c25::1";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
}
|
|
@ -1,62 +1,28 @@
|
|||
{ config, flake, ... }:
|
||||
|
||||
{
|
||||
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
|
||||
age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
|
||||
age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
|
||||
age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
|
||||
age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
|
||||
age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
|
||||
age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
|
||||
|
||||
{ config, ... }: {
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.pub.solar";
|
||||
domains = [ "pub.solar" ];
|
||||
fqdn = "mail.${config.pub-solar-os.networking.domain}";
|
||||
domains = [ config.pub-solar-os.networking.domain ];
|
||||
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
|
||||
loginAccounts = {
|
||||
"hensoko@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
|
||||
quota = "2G";
|
||||
};
|
||||
"teutat3s@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
|
||||
quota = "2G";
|
||||
};
|
||||
"admins@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-admins.path;
|
||||
"admins@${config.pub-solar-os.networking.domain}" = {
|
||||
quota = "2G";
|
||||
aliases = [
|
||||
"abuse@pub.solar"
|
||||
"alerts@pub.solar"
|
||||
"forgejo@pub.solar"
|
||||
"keycloak@pub.solar"
|
||||
"mastodon-notifications@pub.solar"
|
||||
"matrix@pub.solar"
|
||||
"postmaster@pub.solar"
|
||||
"nextcloud@pub.solar"
|
||||
"no-reply@pub.solar"
|
||||
"security@pub.solar"
|
||||
"abuse@${config.pub-solar-os.networking.domain}"
|
||||
"alerts@${config.pub-solar-os.networking.domain}"
|
||||
"forgejo@${config.pub-solar-os.networking.domain}"
|
||||
"keycloak@${config.pub-solar-os.networking.domain}"
|
||||
"mastodon-notifications@${config.pub-solar-os.networking.domain}"
|
||||
"matrix@${config.pub-solar-os.networking.domain}"
|
||||
"postmaster@${config.pub-solar-os.networking.domain}"
|
||||
"nextcloud@${config.pub-solar-os.networking.domain}"
|
||||
"no-reply@${config.pub-solar-os.networking.domain}"
|
||||
"security@${config.pub-solar-os.networking.domain}"
|
||||
];
|
||||
};
|
||||
"bot@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-bot.path;
|
||||
quota = "2G";
|
||||
aliases = [ "hackernews-bot@pub.solar" ];
|
||||
};
|
||||
"crew@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-crew.path;
|
||||
quota = "2G";
|
||||
aliases = [ "moderation@pub.solar" ];
|
||||
};
|
||||
"erpnext@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-erpnext.path;
|
||||
quota = "2G";
|
||||
};
|
||||
"hakkonaut@pub.solar" = {
|
||||
hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
|
||||
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
|
||||
quota = "2G";
|
||||
};
|
||||
};
|
||||
|
@ -66,5 +32,5 @@
|
|||
certificateScheme = "acme-nginx";
|
||||
};
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "security@pub.solar";
|
||||
security.acme.defaults.email = "security@${config.pub-solar-os.networking.domain}";
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
self,
|
||||
system,
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
|
@ -20,21 +21,10 @@ in
|
|||
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
|
||||
|
||||
nodes = {
|
||||
acme-server = {
|
||||
imports = [
|
||||
self.nixosModules.home-manager
|
||||
self.nixosModules.core
|
||||
./support/ca.nix
|
||||
];
|
||||
};
|
||||
|
||||
client = {
|
||||
imports = [
|
||||
self.nixosModules.home-manager
|
||||
self.nixosModules.core
|
||||
./support/client.nix
|
||||
];
|
||||
};
|
||||
dns-server.imports = [ ./support/dns-server.nix ];
|
||||
acme-server.imports = [ ./support/acme-server.nix ];
|
||||
mail-server.imports = [ ./support/mail-server.nix ];
|
||||
client.imports = [ ./support/client.nix ];
|
||||
|
||||
nachtigall = {
|
||||
imports = [
|
||||
|
@ -57,63 +47,30 @@ in
|
|||
database-password-file = "/tmp/dbf";
|
||||
};
|
||||
services.keycloak.database.createLocally = true;
|
||||
|
||||
networking.interfaces.eth0.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.3";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
services.keycloak.initialAdminPassword = "password";
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
{ ... }: ''
|
||||
testScript = { ... }: ''
|
||||
def puppeteer_run(cmd):
|
||||
client.succeed(f'puppeteer-run \'{cmd}\' ')
|
||||
|
||||
start_all()
|
||||
|
||||
acme_server.wait_for_unit("system.slice")
|
||||
mail_server.wait_for_unit("dovecot2.service")
|
||||
mail_server.wait_for_unit("postfix.service")
|
||||
nachtigall.wait_for_unit("system.slice")
|
||||
nachtigall.succeed("ping 127.0.0.1 -c 2")
|
||||
nachtigall.wait_for_unit("nginx.service")
|
||||
|
||||
nachtigall.systemctl("stop keycloak.service")
|
||||
nachtigall.wait_until_succeeds("if (($(ps aux | grep 'Dkc.home.dir=/run/keycloak' | grep -v grep | wc -l) == 0)); then true; else false; fi")
|
||||
nachtigall.succeed("${pkgs.keycloak}/bin/kc.sh --verbose import --optimized --file=${realm-export}")
|
||||
nachtigall.systemctl("start keycloak.service")
|
||||
nachtigall.sleep(30)
|
||||
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
|
||||
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
|
||||
nachtigall.succeed("${pkgs.keycloak}/bin/kcadm.sh create realms -f ${realm-export} --server http://localhost:8080 --realm master --user admin --password password --no-config")
|
||||
|
||||
client.wait_for_unit("system.slice")
|
||||
client.wait_for_file("/tmp/puppeteer.sock")
|
||||
|
||||
puppeteer_run('page.goto("https://auth.test.pub.solar/admin/master/console")')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("admin-initial")
|
||||
puppeteer_run('page.locator("[name=username]").fill("admin")')
|
||||
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("admin-password")
|
||||
puppeteer_run('page.locator("[name=password]").fill("password")')
|
||||
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("admin-login")
|
||||
puppeteer_run('page.locator("::-p-text(Realm settings)").click()')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("admin-theme")
|
||||
puppeteer_run('page.locator("::-p-text(Themes)").click()')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
puppeteer_run('page.locator("#kc-login-theme").click()')
|
||||
client.screenshot("admin-theme-changed")
|
||||
puppeteer_run('page.locator("li button::-p-text(pub.solar)").click()')
|
||||
puppeteer_run('page.locator("::-p-text(Save)").click()')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("admin-theme-saved")
|
||||
|
||||
|
||||
|
||||
puppeteer_run('page.goto("https://auth.test.pub.solar")')
|
||||
puppeteer_run('page.waitForNetworkIdle()')
|
||||
client.screenshot("initial")
|
||||
|
|
|
@ -1,21 +1,19 @@
|
|||
{
|
||||
flake,
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ ./global.nix ];
|
||||
imports = [
|
||||
flake.self.nixosModules.home-manager
|
||||
flake.self.nixosModules.core
|
||||
./global.nix
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ];
|
||||
|
||||
networking.interfaces.eth0.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.1";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
|
||||
services.step-ca =
|
||||
let
|
||||
certificates = pkgs.stdenv.mkDerivation {
|
|
@ -1,4 +1,5 @@
|
|||
{
|
||||
flake,
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
|
@ -9,7 +10,11 @@ let
|
|||
puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { });
|
||||
in
|
||||
{
|
||||
imports = [ ./global.nix ];
|
||||
imports = [
|
||||
flake.self.nixosModules.home-manager
|
||||
flake.self.nixosModules.core
|
||||
./global.nix
|
||||
];
|
||||
|
||||
security.polkit.enable = true;
|
||||
|
||||
|
@ -41,11 +46,4 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.interfaces.eth0.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.2";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|
70
tests/support/dns-server.nix
Normal file
70
tests/support/dns-server.nix
Normal file
|
@ -0,0 +1,70 @@
|
|||
{
|
||||
config,
|
||||
flake,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
flake.self.nixosModules.home-manager
|
||||
flake.self.nixosModules.core
|
||||
./global.nix
|
||||
];
|
||||
|
||||
networking.nameservers = lib.mkForce [
|
||||
"193.110.81.0" #dns0.eu
|
||||
"2a0f:fc80::" #dns0.eu
|
||||
"185.253.5.0" #dns0.eu
|
||||
"2a0f:fc81::" #dns0.eu
|
||||
];
|
||||
|
||||
services.resolved.enable = lib.mkForce false;
|
||||
|
||||
networking.firewall.allowedUDPPorts = [53];
|
||||
networking.firewall.allowedTCPPorts = [53];
|
||||
|
||||
networking.interfaces.eth1.ipv4.addresses = [
|
||||
{
|
||||
address = "192.168.1.254";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
interface = [
|
||||
"192.168.1.254"
|
||||
];
|
||||
access-control = [
|
||||
"0.0.0.0/0 allow"
|
||||
];
|
||||
local-zone = [
|
||||
"\"pub.solar\" transparent"
|
||||
];
|
||||
local-data = [
|
||||
"\"mail.${config.pub-solar-os.networking.domain}. 10800 IN CNAME mail-server\""
|
||||
"\"ca.${config.pub-solar-os.networking.domain}. 10800 IN CNAME acme-server\""
|
||||
"\"${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
|
||||
"\"www.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
|
||||
"\"auth.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
|
||||
];
|
||||
|
||||
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
|
||||
};
|
||||
|
||||
forward-zone = [
|
||||
{
|
||||
name = ".";
|
||||
forward-addr = [
|
||||
"193.110.81.0#dns0.eu"
|
||||
"2a0f:fc80::#dns0.eu"
|
||||
"185.253.5.0#dns0.eu"
|
||||
"2a0f:fc81::#dns0.eu"
|
||||
];
|
||||
forward-tls-upstream = "yes";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -23,28 +23,13 @@
|
|||
|
||||
security.pam.services.sshd.allowNullPassword = true;
|
||||
|
||||
virtualisation.forwardPorts =
|
||||
let
|
||||
address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
|
||||
lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3;
|
||||
in
|
||||
[
|
||||
{
|
||||
from = "host";
|
||||
host.port = 2000 + (lib.strings.toInt lastAddressPart);
|
||||
guest.port = 22;
|
||||
}
|
||||
];
|
||||
services.resolved.extraConfig = lib.mkForce ''
|
||||
DNS=192.168.1.254
|
||||
Domains=~.
|
||||
'';
|
||||
|
||||
networking.interfaces.eth0.useDHCP = false;
|
||||
|
||||
networking.hosts = {
|
||||
"192.168.1.1" = [ "ca.${config.pub-solar-os.networking.domain}" ];
|
||||
"192.168.1.2" = [ "client.${config.pub-solar-os.networking.domain}" ];
|
||||
"192.168.1.3" = [
|
||||
"${config.pub-solar-os.networking.domain}"
|
||||
"www.${config.pub-solar-os.networking.domain}"
|
||||
"auth.${config.pub-solar-os.networking.domain}"
|
||||
environment.systemPackages = [
|
||||
pkgs.dig
|
||||
];
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
1. Export realm settings from keycloak, you'll get a file called `realm-export.json`.
|
||||
2. Install dependencies for this package: `npm ci`
|
||||
3. Clean the exported file: `npm start $downloadedExportJSON > realm-export.json
|
||||
3. Clean the exported file: `node src/index.mjs $downloadedExportJSON > realm-export.json
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "8cd6ddbb-d0d3-40ff-9f1e-efdfce05fa6e",
|
||||
"realm": "test.test.pub.solar",
|
||||
"realm": "test.pub.solar",
|
||||
"notBefore": 0,
|
||||
"defaultSignatureAlgorithm": "RS256",
|
||||
"revokeRefreshToken": false,
|
||||
|
@ -57,7 +57,7 @@
|
|||
},
|
||||
{
|
||||
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
|
||||
"name": "default-roles-test.test.pub.solar",
|
||||
"name": "default-roles-test.pub.solar",
|
||||
"description": "${role_default-roles}",
|
||||
"composite": true,
|
||||
"composites": {
|
||||
|
@ -434,7 +434,7 @@
|
|||
"groups": [],
|
||||
"defaultRole": {
|
||||
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
|
||||
"name": "default-roles-test.test.pub.solar",
|
||||
"name": "default-roles-test.pub.solar",
|
||||
"description": "${role_default-roles}",
|
||||
"composite": true,
|
||||
"clientRole": false,
|
||||
|
@ -494,7 +494,7 @@
|
|||
"disableableCredentialTypes": [],
|
||||
"requiredActions": [],
|
||||
"realmRoles": [
|
||||
"default-roles-test.test.pub.solar"
|
||||
"default-roles-test.pub.solar"
|
||||
],
|
||||
"clientRoles": {
|
||||
"realm-management": [
|
||||
|
@ -533,7 +533,7 @@
|
|||
"disableableCredentialTypes": [],
|
||||
"requiredActions": [],
|
||||
"realmRoles": [
|
||||
"default-roles-test.test.pub.solar"
|
||||
"default-roles-test.pub.solar"
|
||||
],
|
||||
"clientRoles": {
|
||||
"matrix": [
|
||||
|
@ -571,13 +571,13 @@
|
|||
"description": "",
|
||||
"rootUrl": "${authBaseUrl}",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "/realms/test.test.pub.solar/account/",
|
||||
"baseUrl": "/realms/test.pub.solar/account/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"/realms/test.test.pub.solar/account/*"
|
||||
"/realms/test.pub.solar/account/*"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
|
@ -628,13 +628,13 @@
|
|||
"description": "",
|
||||
"rootUrl": "${authBaseUrl}",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "/realms/test.test.pub.solar/account/",
|
||||
"baseUrl": "/realms/test.pub.solar/account/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"/realms/test.test.pub.solar/account/*"
|
||||
"/realms/test.pub.solar/account/*"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
|
@ -829,19 +829,19 @@
|
|||
"clientId": "gitea",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "https://git.test.test.pub.solar",
|
||||
"adminUrl": "https://git.test.test.pub.solar",
|
||||
"baseUrl": "https://git.test.test.pub.solar",
|
||||
"rootUrl": "https://git.test.pub.solar",
|
||||
"adminUrl": "https://git.test.pub.solar",
|
||||
"baseUrl": "https://git.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://git.test.test.pub.solar/*"
|
||||
"https://git.test.pub.solar/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://git.test.test.pub.solar"
|
||||
"https://git.test.pub.solar"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -889,9 +889,9 @@
|
|||
"id": "b016fab5-bced-404a-93ba-c084d360701f",
|
||||
"clientId": "grafana",
|
||||
"name": "",
|
||||
"description": "https://grafana.test.test.pub.solar",
|
||||
"rootUrl": "https://grafana.test.test.pub.solar",
|
||||
"adminUrl": "https://grafana.test.test.pub.solar",
|
||||
"description": "https://grafana.test.pub.solar",
|
||||
"rootUrl": "https://grafana.test.pub.solar",
|
||||
"adminUrl": "https://grafana.test.pub.solar",
|
||||
"baseUrl": "/login/generic_oauth",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
|
@ -899,10 +899,10 @@
|
|||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://grafana.test.test.pub.solar/login/generic_oauth"
|
||||
"https://grafana.test.pub.solar/login/generic_oauth"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://grafana.test.test.pub.solar"
|
||||
"https://grafana.test.pub.solar"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -945,9 +945,9 @@
|
|||
"clientId": "mastodon",
|
||||
"name": "mastodon",
|
||||
"description": "",
|
||||
"rootUrl": "https://mastodon.test.test.pub.solar",
|
||||
"rootUrl": "https://mastodon.test.pub.solar",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "https://mastodon.test.test.pub.solar",
|
||||
"baseUrl": "https://mastodon.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
|
@ -955,10 +955,10 @@
|
|||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"",
|
||||
"https://mastodon.test.test.pub.solar/auth/auth/openid_connect/callback"
|
||||
"https://mastodon.test.pub.solar/auth/auth/openid_connect/callback"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://mastodon.test.test.pub.solar/auth/openid_connect/callback"
|
||||
"https://mastodon.test.pub.solar/auth/openid_connect/callback"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -1006,17 +1006,17 @@
|
|||
"clientId": "matrix",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "https://chat.test.test.pub.solar",
|
||||
"rootUrl": "https://chat.test.pub.solar",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "https://chat.test.test.pub.solar",
|
||||
"baseUrl": "https://chat.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback",
|
||||
"https://matrix.test.test.test.pub.solar/_synapse/client/oidc/callback"
|
||||
"https://matrix.test.pub.solar/_synapse/client/oidc/callback",
|
||||
"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback"
|
||||
],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
|
@ -1038,7 +1038,7 @@
|
|||
"tls-client-certificate-bound-access-tokens": "false",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"backchannel.logout.url": "https://chat.test.test.pub.solar/_synapse/client/oidc/backchannel_logout",
|
||||
"backchannel.logout.url": "https://chat.test.pub.solar/_synapse/client/oidc/backchannel_logout",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"acr.loa.map": "{}",
|
||||
"require.pushed.authorization.requests": "false",
|
||||
|
@ -1111,9 +1111,9 @@
|
|||
"clientId": "matrix-authentication-service",
|
||||
"name": "",
|
||||
"description": "Used for our hosted https://github.com/matrix-org/matrix-authentication-service",
|
||||
"rootUrl": "https://matrix.test.test.pub.solar/",
|
||||
"adminUrl": "https://matrix.test.test.pub.solar/",
|
||||
"baseUrl": "https://matrix.test.test.pub.solar/",
|
||||
"rootUrl": "https://matrix.test.pub.solar/",
|
||||
"adminUrl": "https://matrix.test.pub.solar/",
|
||||
"baseUrl": "https://matrix.test.pub.solar/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
|
@ -1166,19 +1166,19 @@
|
|||
"clientId": "mediawiki",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "https://wiki.test.test.pub.solar",
|
||||
"adminUrl": "https://wiki.test.test.pub.solar",
|
||||
"baseUrl": "https://wiki.test.test.pub.solar",
|
||||
"rootUrl": "https://wiki.test.pub.solar",
|
||||
"adminUrl": "https://wiki.test.pub.solar",
|
||||
"baseUrl": "https://wiki.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://wiki.test.test.pub.solar/*"
|
||||
"https://wiki.test.pub.solar/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://wiki.test.test.pub.solar"
|
||||
"https://wiki.test.pub.solar"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -1221,19 +1221,19 @@
|
|||
"clientId": "nextcloud",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "https://cloud.test.test.pub.solar",
|
||||
"adminUrl": "https://cloud.test.test.pub.solar",
|
||||
"baseUrl": "https://cloud.test.test.pub.solar",
|
||||
"rootUrl": "https://cloud.test.pub.solar",
|
||||
"adminUrl": "https://cloud.test.pub.solar",
|
||||
"baseUrl": "https://cloud.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://cloud.test.test.pub.solar/apps/user_oidc/code"
|
||||
"https://cloud.test.pub.solar/apps/user_oidc/code"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://cloud.test.test.pub.solar"
|
||||
"https://cloud.test.pub.solar"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -1247,14 +1247,14 @@
|
|||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"client.secret.creation.time": 1724762383467,
|
||||
"post.logout.redirect.uris": "https://cloud.test.test.pub.solar##https://cloud.test.test.pub.solar/##https://cloud.test.test.pub.solar/*",
|
||||
"post.logout.redirect.uris": "https://cloud.test.pub.solar##https://cloud.test.pub.solar/##https://cloud.test.pub.solar/*",
|
||||
"oauth2.device.authorization.grant.enabled": "false",
|
||||
"backchannel.logout.revoke.offline.tokens": "false",
|
||||
"use.refresh.tokens": "true",
|
||||
"tls-client-certificate-bound-access-tokens": "false",
|
||||
"oidc.ciba.grant.enabled": "false",
|
||||
"backchannel.logout.session.required": "true",
|
||||
"backchannel.logout.url": "https://cloud.test.test.pub.solar/apps/user_oidc/backchannel-logout/test.test.pub.solar%20ID",
|
||||
"backchannel.logout.url": "https://cloud.test.pub.solar/apps/user_oidc/backchannel-logout/test.pub.solar%20ID",
|
||||
"client_credentials.use_refresh_token": "false",
|
||||
"require.pushed.authorization.requests": "false",
|
||||
"acr.loa.map": "{}",
|
||||
|
@ -1283,16 +1283,16 @@
|
|||
"clientId": "openbikesensor-portal",
|
||||
"name": "",
|
||||
"description": "",
|
||||
"rootUrl": "https://obs-portal.test.test.pub.solar",
|
||||
"rootUrl": "https://obs-portal.test.pub.solar",
|
||||
"adminUrl": "",
|
||||
"baseUrl": "https://obs-portal.test.test.pub.solar",
|
||||
"baseUrl": "https://obs-portal.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://obs-portal.test.test.pub.solar/*"
|
||||
"https://obs-portal.test.pub.solar/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"+"
|
||||
|
@ -1382,13 +1382,13 @@
|
|||
"clientId": "security-admin-console",
|
||||
"name": "${client_security-admin-console}",
|
||||
"rootUrl": "${authAdminUrl}",
|
||||
"baseUrl": "/admin/test.test.pub.solar/console/",
|
||||
"baseUrl": "/admin/test.pub.solar/console/",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"redirectUris": [
|
||||
"/admin/test.test.pub.solar/console/*"
|
||||
"/admin/test.pub.solar/console/*"
|
||||
],
|
||||
"webOrigins": [
|
||||
"+"
|
||||
|
@ -1498,19 +1498,19 @@
|
|||
"clientId": "tt-rss",
|
||||
"name": "tt-rss",
|
||||
"description": "",
|
||||
"rootUrl": "https://rss.test.test.pub.solar",
|
||||
"adminUrl": "https://rss.test.test.pub.solar",
|
||||
"baseUrl": "https://rss.test.test.pub.solar",
|
||||
"rootUrl": "https://rss.test.pub.solar",
|
||||
"adminUrl": "https://rss.test.pub.solar",
|
||||
"baseUrl": "https://rss.test.pub.solar",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"alwaysDisplayInConsole": false,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "secret",
|
||||
"redirectUris": [
|
||||
"https://rss.test.test.pub.solar"
|
||||
"https://rss.test.pub.solar"
|
||||
],
|
||||
"webOrigins": [
|
||||
"https://rss.test.test.pub.solar"
|
||||
"https://rss.test.pub.solar"
|
||||
],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
|
@ -2095,23 +2095,23 @@
|
|||
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
|
||||
},
|
||||
"smtpServer": {
|
||||
"password": "**********",
|
||||
"replyToDisplayName": "test.test.pub.solar Support",
|
||||
"password": "password",
|
||||
"replyToDisplayName": "test.pub.solar Support",
|
||||
"starttls": "false",
|
||||
"auth": "true",
|
||||
"port": "465",
|
||||
"replyTo": "admins@test.test.pub.solar",
|
||||
"host": "mail.test.test.pub.solar",
|
||||
"from": "keycloak@test.test.pub.solar",
|
||||
"fromDisplayName": "test.test.pub.solar ID",
|
||||
"replyTo": "admins@test.pub.solar",
|
||||
"host": "mail.test.pub.solar",
|
||||
"from": "keycloak@test.pub.solar",
|
||||
"fromDisplayName": "test.pub.solar ID",
|
||||
"envelopeFrom": "",
|
||||
"ssl": "true",
|
||||
"user": "admins@test.test.pub.solar"
|
||||
"user": "admins@test.pub.solar"
|
||||
},
|
||||
"loginTheme": "test.test.pub.solar",
|
||||
"accountTheme": "test.test.pub.solar",
|
||||
"adminTheme": "test.test.pub.solar",
|
||||
"emailTheme": "test.test.pub.solar",
|
||||
"loginTheme": "pub.solar",
|
||||
"accountTheme": "pub.solar",
|
||||
"adminTheme": "pub.solar",
|
||||
"emailTheme": "pub.solar",
|
||||
"eventsEnabled": false,
|
||||
"eventsListeners": [
|
||||
"jboss-logging"
|
||||
|
|
|
@ -60,11 +60,23 @@ const changeIds = (node) => {
|
|||
return node;
|
||||
};
|
||||
|
||||
const setExtra = (data) => ({
|
||||
...data,
|
||||
loginTheme: "pub.solar",
|
||||
accountTheme: "pub.solar",
|
||||
adminTheme: "pub.solar",
|
||||
emailTheme: "pub.solar",
|
||||
smtpServer: {
|
||||
...data.smtpServer,
|
||||
password: "password",
|
||||
},
|
||||
});
|
||||
|
||||
(async () => {
|
||||
const fileContents = await readFile(filePath, { encoding: 'utf8' });
|
||||
const data = JSON.parse(renameDomain(fileContents));
|
||||
|
||||
const newData = changeIds(cleanClients(data));
|
||||
const newData = setExtra(changeIds(cleanClients(data)));
|
||||
|
||||
console.log(JSON.stringify(newData, null, 2));
|
||||
})();
|
||||
|
|
27
tests/support/mail-server.nix
Normal file
27
tests/support/mail-server.nix
Normal file
|
@ -0,0 +1,27 @@
|
|||
{
|
||||
config,
|
||||
flake,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
flake.self.nixosModules.home-manager
|
||||
flake.self.nixosModules.core
|
||||
flake.self.nixosModules.mail
|
||||
flake.inputs.simple-nixos-mailserver.nixosModule
|
||||
./global.nix
|
||||
];
|
||||
|
||||
# password is password
|
||||
systemd.tmpfiles.rules = [ "f /tmp/emailpw 1777 root root 10d $2b$11$NV75HGZzMcIwrnVUZKXtxexX9DN52HayDW4eKrD1A8O3uIPnCquQ2" ];
|
||||
|
||||
mailserver = {
|
||||
loginAccounts = {
|
||||
"admins@${config.pub-solar-os.networking.domain}" = {
|
||||
hashedPasswordFile = "/tmp/emailpw";
|
||||
};
|
||||
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
|
||||
hashedPasswordFile = "/tmp/emailpw";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -14,13 +14,7 @@
|
|||
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
|
||||
|
||||
nodes = {
|
||||
acme-server = {
|
||||
imports = [
|
||||
self.nixosModules.home-manager
|
||||
self.nixosModules.core
|
||||
./support/ca.nix
|
||||
];
|
||||
};
|
||||
acme-server.imports = [ ./support/acme-server.nix ];
|
||||
|
||||
nachtigall = {
|
||||
imports = [
|
||||
|
|
Loading…
Reference in a new issue