WIP: feat/automated-account-deletion #174

Draft
b12f wants to merge 23 commits from feat/automated-account-deletion into main
14 changed files with 269 additions and 269 deletions
Showing only changes of commit 760d6e3458 - Show all commits


@ -7,6 +7,7 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./email.nix
#./backups.nix #./backups.nix
]; ];
} }

hosts/metronom/email.nix Normal file

@ -0,0 +1,45 @@
{ config, flake, ... }: {
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
mailserver = {
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
loginAccounts = {
"admins@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = config.age.secrets.mail-admins.path;
};
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
};
"hensoko@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
quota = "2G";
};
"teutat3s@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
quota = "2G";
};
"bot@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-bot.path;
quota = "2G";
aliases = [ "hackernews-bot@pub.solar" ];
};
"crew@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-crew.path;
quota = "2G";
aliases = [ "moderation@pub.solar" ];
};
"erpnext@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-erpnext.path;
quota = "2G";
};
};
};
}
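Review bot: The login accounts in this new host file mix two domain sources: `admins@` and `hakkonaut@` are templated on `config.pub-solar-os.networking.domain`, while hensoko, teutat3s, bot, crew, erpnext and the `hackernews-bot@`/`moderation@` aliases are pinned to the literal `pub.solar`. In the modules mail file hunk (`@ -1,62 +1,28 @@`) the server's `domains` list is now `[ config.pub-solar-os.networking.domain ]`, so on any host where that option is not exactly `pub.solar` these five mailboxes would belong to a domain the server does not serve, and even with the default the file reads inconsistently. Either template every address, e.g. `"hensoko@${config.pub-solar-os.networking.domain}" = {`, or add a comment above `loginAccounts` stating that these mailboxes are intentionally fixed to the production domain.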


@ -1,53 +0,0 @@
{ flake, lib, ... }:
{
imports = [
./backups.nix
./apps/nginx.nix
./apps/collabora.nix
./apps/coturn.nix
./apps/forgejo.nix
./apps/keycloak.nix
./apps/mailman.nix
./apps/mastodon.nix
./apps/mediawiki.nix
./apps/nextcloud.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix
./apps/nginx-prometheus-exporters.nix
./apps/nginx-website.nix
./apps/nginx-website-miom.nix
./apps/opensearch.nix
./apps/owncast.nix
./apps/postgresql.nix
./apps/prometheus-exporters.nix
./apps/promtail.nix
./apps/searx.nix
./apps/tmate.nix
./apps/matrix/irc.nix
./apps/matrix/mautrix-telegram.nix
./apps/matrix/synapse.nix
./apps/nginx-matrix.nix
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
security.acme.preliminarySelfsigned = true;
networking.useDHCP = true;
networking.interfaces."enp35s0".ipv4.addresses = [
{
address = "10.0.0.1";
prefixLength = 26;
}
];
networking.interfaces."enp35s0".ipv6.addresses = [
{
address = "2a01:4f8:172:1c25::1";
prefixLength = 64;
}
];
}


@ -1,62 +1,28 @@
{ config, flake, ... }: { config, ... }: {
{
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.pub.solar"; fqdn = "mail.${config.pub-solar-os.networking.domain}";
domains = [ "pub.solar" ]; domains = [ config.pub-solar-os.networking.domain ];
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt' # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
loginAccounts = { loginAccounts = {
"hensoko@pub.solar" = { "admins@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
quota = "2G";
};
"teutat3s@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
quota = "2G";
};
"admins@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-admins.path;
quota = "2G"; quota = "2G";
aliases = [ aliases = [
"abuse@pub.solar" "abuse@${config.pub-solar-os.networking.domain}"
"alerts@pub.solar" "alerts@${config.pub-solar-os.networking.domain}"
"forgejo@pub.solar" "forgejo@${config.pub-solar-os.networking.domain}"
"keycloak@pub.solar" "keycloak@${config.pub-solar-os.networking.domain}"
"mastodon-notifications@pub.solar" "mastodon-notifications@${config.pub-solar-os.networking.domain}"
"matrix@pub.solar" "matrix@${config.pub-solar-os.networking.domain}"
"postmaster@pub.solar" "postmaster@${config.pub-solar-os.networking.domain}"
"nextcloud@pub.solar" "nextcloud@${config.pub-solar-os.networking.domain}"
"no-reply@pub.solar" "no-reply@${config.pub-solar-os.networking.domain}"
"security@pub.solar" "security@${config.pub-solar-os.networking.domain}"
]; ];
}; };
"bot@pub.solar" = { "hakkonaut@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = config.age.secrets.mail-bot.path;
quota = "2G";
aliases = [ "hackernews-bot@pub.solar" ];
};
"crew@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-crew.path;
quota = "2G";
aliases = [ "moderation@pub.solar" ];
};
"erpnext@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-erpnext.path;
quota = "2G";
};
"hakkonaut@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
quota = "2G"; quota = "2G";
}; };
}; };
@ -66,5 +32,5 @@
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "security@pub.solar"; security.acme.defaults.email = "security@${config.pub-solar-os.networking.domain}";
} }


@ -1,5 +1,6 @@
{ {
self, self,
system,
pkgs, pkgs,
lib, lib,
config, config,
@ -20,21 +21,10 @@ in
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
nodes = { nodes = {
acme-server = { dns-server.imports = [ ./support/dns-server.nix ];
imports = [ acme-server.imports = [ ./support/acme-server.nix ];
self.nixosModules.home-manager mail-server.imports = [ ./support/mail-server.nix ];
self.nixosModules.core client.imports = [ ./support/client.nix ];
./support/ca.nix
];
};
client = {
imports = [
self.nixosModules.home-manager
self.nixosModules.core
./support/client.nix
];
};
nachtigall = { nachtigall = {
imports = [ imports = [
@ -57,63 +47,30 @@ in
database-password-file = "/tmp/dbf"; database-password-file = "/tmp/dbf";
}; };
services.keycloak.database.createLocally = true; services.keycloak.database.createLocally = true;
services.keycloak.initialAdminPassword = "password";
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.3";
prefixLength = 32;
}
];
}; };
}; };
testScript = testScript = { ... }: ''
{ ... }: ''
def puppeteer_run(cmd): def puppeteer_run(cmd):
client.succeed(f'puppeteer-run \'{cmd}\' ') client.succeed(f'puppeteer-run \'{cmd}\' ')
start_all() start_all()
acme_server.wait_for_unit("system.slice")
mail_server.wait_for_unit("dovecot2.service")
mail_server.wait_for_unit("postfix.service")
nachtigall.wait_for_unit("system.slice") nachtigall.wait_for_unit("system.slice")
nachtigall.succeed("ping 127.0.0.1 -c 2") nachtigall.succeed("ping 127.0.0.1 -c 2")
nachtigall.wait_for_unit("nginx.service") nachtigall.wait_for_unit("nginx.service")
nachtigall.systemctl("stop keycloak.service")
nachtigall.wait_until_succeeds("if (($(ps aux | grep 'Dkc.home.dir=/run/keycloak' | grep -v grep | wc -l) == 0)); then true; else false; fi")
nachtigall.succeed("${pkgs.keycloak}/bin/kc.sh --verbose import --optimized --file=${realm-export}")
nachtigall.systemctl("start keycloak.service")
nachtigall.sleep(30)
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/") nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/") nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
nachtigall.succeed("${pkgs.keycloak}/bin/kcadm.sh create realms -f ${realm-export} --server http://localhost:8080 --realm master --user admin --password password --no-config")
client.wait_for_unit("system.slice") client.wait_for_unit("system.slice")
client.wait_for_file("/tmp/puppeteer.sock") client.wait_for_file("/tmp/puppeteer.sock")
puppeteer_run('page.goto("https://auth.test.pub.solar/admin/master/console")')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-initial")
puppeteer_run('page.locator("[name=username]").fill("admin")')
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-password")
puppeteer_run('page.locator("[name=password]").fill("password")')
puppeteer_run('page.locator("::-p-text(Sign In)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-login")
puppeteer_run('page.locator("::-p-text(Realm settings)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-theme")
puppeteer_run('page.locator("::-p-text(Themes)").click()')
puppeteer_run('page.waitForNetworkIdle()')
puppeteer_run('page.locator("#kc-login-theme").click()')
client.screenshot("admin-theme-changed")
puppeteer_run('page.locator("li button::-p-text(pub.solar)").click()')
puppeteer_run('page.locator("::-p-text(Save)").click()')
puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("admin-theme-saved")
puppeteer_run('page.goto("https://auth.test.pub.solar")') puppeteer_run('page.goto("https://auth.test.pub.solar")')
puppeteer_run('page.waitForNetworkIdle()') puppeteer_run('page.waitForNetworkIdle()')
client.screenshot("initial") client.screenshot("initial")
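Review bot: The test script never waits for the new `dns-server` node: after `start_all()` it waits on `acme_server` and `mail_server` units, yet name resolution on every other node now goes through 192.168.1.254 (the resolved `DNS=` setting in support/global.nix), so the first `curl https://auth.test.pub.solar/` and the ACME issuance race unbound's startup and only pass if `wait_until_succeeds` retries long enough. Add `dns_server.wait_for_unit("unbound.service")` directly after `start_all()`, before the other waits. The rendered hunk does not make clear which single-printed lines are added and which removed, so I cannot tell whether the `initialAdminPassword = "password"` and `kcadm.sh ... --password password` lines survive on the new side; if they do, a short comment that this is a throwaway test credential would help the next reader.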


@ -1,21 +1,19 @@
{ {
flake,
pkgs, pkgs,
lib, lib,
config, config,
... ...
}: }:
{ {
imports = [ ./global.nix ]; imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ]; systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ];
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.1";
prefixLength = 32;
}
];
services.step-ca = services.step-ca =
let let
certificates = pkgs.stdenv.mkDerivation { certificates = pkgs.stdenv.mkDerivation {


@ -1,4 +1,5 @@
{ {
flake,
pkgs, pkgs,
lib, lib,
config, config,
@ -9,7 +10,11 @@ let
puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { }); puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { });
in in
{ {
imports = [ ./global.nix ]; imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
security.polkit.enable = true; security.polkit.enable = true;
@ -41,11 +46,4 @@ in
}; };
}; };
}; };
networking.interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.2";
prefixLength = 32;
}
];
} }


@ -0,0 +1,70 @@
{
config,
flake,
lib,
...
}: {
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
./global.nix
];
networking.nameservers = lib.mkForce [
"193.110.81.0" #dns0.eu
"2a0f:fc80::" #dns0.eu
"185.253.5.0" #dns0.eu
"2a0f:fc81::" #dns0.eu
];
services.resolved.enable = lib.mkForce false;
networking.firewall.allowedUDPPorts = [53];
networking.firewall.allowedTCPPorts = [53];
networking.interfaces.eth1.ipv4.addresses = [
{
address = "192.168.1.254";
prefixLength = 32;
}
];
services.unbound = {
enable = true;
settings = {
server = {
interface = [
"192.168.1.254"
];
access-control = [
"0.0.0.0/0 allow"
];
local-zone = [
"\"pub.solar\" transparent"
];
local-data = [
"\"mail.${config.pub-solar-os.networking.domain}. 10800 IN CNAME mail-server\""
"\"ca.${config.pub-solar-os.networking.domain}. 10800 IN CNAME acme-server\""
"\"${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
"\"www.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
"\"auth.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\""
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
forward-zone = [
{
name = ".";
forward-addr = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
forward-tls-upstream = "yes";
}
];
};
};
}
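Review bot: The `local-data` entries answer `mail.`, `ca.`, `www.`, `auth.` and the apex with CNAMEs whose targets are bare node names (`mail-server`, `acme-server`, `nachtigall`), but nothing in this file gives unbound an A/AAAA record for those names; unbound does not read /etc/hosts, so it would chase the CNAME through the `forward-zone` to dns0.eu, which the test VMs presumably cannot reach, and clients would receive a CNAME with no address. Adding `local-data` A entries for the bare node names (or answering the service names with A records directly) keeps resolution inside the VM. Two smaller points: `local-zone` is hard-coded to `"pub.solar"` while every `local-data` entry is templated on `config.pub-solar-os.networking.domain`, and `access-control = [ "0.0.0.0/0 allow" ]` makes this an open resolver, which is acceptable only because the node sits on the isolated test VLAN — a comment such as `# open recursion is fine here: only reachable on the NixOS test VLAN` would make that explicit.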


@ -23,28 +23,13 @@
security.pam.services.sshd.allowNullPassword = true; security.pam.services.sshd.allowNullPassword = true;
virtualisation.forwardPorts = services.resolved.extraConfig = lib.mkForce ''
let DNS=192.168.1.254
address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address; Domains=~.
lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3; '';
in
[
{
from = "host";
host.port = 2000 + (lib.strings.toInt lastAddressPart);
guest.port = 22;
}
];
networking.interfaces.eth0.useDHCP = false; environment.systemPackages = [
pkgs.dig
networking.hosts = { ];
"192.168.1.1" = [ "ca.${config.pub-solar-os.networking.domain}" ];
"192.168.1.2" = [ "client.${config.pub-solar-os.networking.domain}" ];
"192.168.1.3" = [
"${config.pub-solar-os.networking.domain}"
"www.${config.pub-solar-os.networking.domain}"
"auth.${config.pub-solar-os.networking.domain}"
];
};
} }
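Review bot: The resolver address `192.168.1.254` is now written here in `services.resolved.extraConfig` and twice more in support/dns-server.nix (the eth1 address and unbound's `interface`), with nothing tying the three together. At minimum add `# must match the eth1 address of the dns-server node (support/dns-server.nix)` above the `DNS=` line; better, define the address once in this shared file and have dns-server.nix reference it. With the old `networking.hosts` block gone, every node also depends on the dns-server being up before anything else resolves, which the test scripts should account for.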


@ -2,4 +2,4 @@
1. Export realm settings from keycloak, you'll get a file called `realm-export.json`. 1. Export realm settings from keycloak, you'll get a file called `realm-export.json`.
2. Install dependencies for this package: `npm ci` 2. Install dependencies for this package: `npm ci`
3. Clean the exported file: `npm start $downloadedExportJSON > realm-export.json 3. Clean the exported file: `node src/index.mjs $downloadedExportJSON > realm-export.json


@ -1,6 +1,6 @@
{ {
"id": "8cd6ddbb-d0d3-40ff-9f1e-efdfce05fa6e", "id": "8cd6ddbb-d0d3-40ff-9f1e-efdfce05fa6e",
"realm": "test.test.pub.solar", "realm": "test.pub.solar",
"notBefore": 0, "notBefore": 0,
"defaultSignatureAlgorithm": "RS256", "defaultSignatureAlgorithm": "RS256",
"revokeRefreshToken": false, "revokeRefreshToken": false,
@ -57,7 +57,7 @@
}, },
{ {
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934", "id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
"name": "default-roles-test.test.pub.solar", "name": "default-roles-test.pub.solar",
"description": "${role_default-roles}", "description": "${role_default-roles}",
"composite": true, "composite": true,
"composites": { "composites": {
@ -434,7 +434,7 @@
"groups": [], "groups": [],
"defaultRole": { "defaultRole": {
"id": "2e271b49-ed2b-4dc0-a578-47e7571a2934", "id": "2e271b49-ed2b-4dc0-a578-47e7571a2934",
"name": "default-roles-test.test.pub.solar", "name": "default-roles-test.pub.solar",
"description": "${role_default-roles}", "description": "${role_default-roles}",
"composite": true, "composite": true,
"clientRole": false, "clientRole": false,
@ -494,7 +494,7 @@
"disableableCredentialTypes": [], "disableableCredentialTypes": [],
"requiredActions": [], "requiredActions": [],
"realmRoles": [ "realmRoles": [
"default-roles-test.test.pub.solar" "default-roles-test.pub.solar"
], ],
"clientRoles": { "clientRoles": {
"realm-management": [ "realm-management": [
@ -533,7 +533,7 @@
"disableableCredentialTypes": [], "disableableCredentialTypes": [],
"requiredActions": [], "requiredActions": [],
"realmRoles": [ "realmRoles": [
"default-roles-test.test.pub.solar" "default-roles-test.pub.solar"
], ],
"clientRoles": { "clientRoles": {
"matrix": [ "matrix": [
@ -571,13 +571,13 @@
"description": "", "description": "",
"rootUrl": "${authBaseUrl}", "rootUrl": "${authBaseUrl}",
"adminUrl": "", "adminUrl": "",
"baseUrl": "/realms/test.test.pub.solar/account/", "baseUrl": "/realms/test.pub.solar/account/",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"redirectUris": [ "redirectUris": [
"/realms/test.test.pub.solar/account/*" "/realms/test.pub.solar/account/*"
], ],
"webOrigins": [], "webOrigins": [],
"notBefore": 0, "notBefore": 0,
@ -628,13 +628,13 @@
"description": "", "description": "",
"rootUrl": "${authBaseUrl}", "rootUrl": "${authBaseUrl}",
"adminUrl": "", "adminUrl": "",
"baseUrl": "/realms/test.test.pub.solar/account/", "baseUrl": "/realms/test.pub.solar/account/",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"redirectUris": [ "redirectUris": [
"/realms/test.test.pub.solar/account/*" "/realms/test.pub.solar/account/*"
], ],
"webOrigins": [], "webOrigins": [],
"notBefore": 0, "notBefore": 0,
@ -829,19 +829,19 @@
"clientId": "gitea", "clientId": "gitea",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "https://git.test.test.pub.solar", "rootUrl": "https://git.test.pub.solar",
"adminUrl": "https://git.test.test.pub.solar", "adminUrl": "https://git.test.pub.solar",
"baseUrl": "https://git.test.test.pub.solar", "baseUrl": "https://git.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://git.test.test.pub.solar/*" "https://git.test.pub.solar/*"
], ],
"webOrigins": [ "webOrigins": [
"https://git.test.test.pub.solar" "https://git.test.pub.solar"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -889,9 +889,9 @@
"id": "b016fab5-bced-404a-93ba-c084d360701f", "id": "b016fab5-bced-404a-93ba-c084d360701f",
"clientId": "grafana", "clientId": "grafana",
"name": "", "name": "",
"description": "https://grafana.test.test.pub.solar", "description": "https://grafana.test.pub.solar",
"rootUrl": "https://grafana.test.test.pub.solar", "rootUrl": "https://grafana.test.pub.solar",
"adminUrl": "https://grafana.test.test.pub.solar", "adminUrl": "https://grafana.test.pub.solar",
"baseUrl": "/login/generic_oauth", "baseUrl": "/login/generic_oauth",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
@ -899,10 +899,10 @@
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://grafana.test.test.pub.solar/login/generic_oauth" "https://grafana.test.pub.solar/login/generic_oauth"
], ],
"webOrigins": [ "webOrigins": [
"https://grafana.test.test.pub.solar" "https://grafana.test.pub.solar"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -945,9 +945,9 @@
"clientId": "mastodon", "clientId": "mastodon",
"name": "mastodon", "name": "mastodon",
"description": "", "description": "",
"rootUrl": "https://mastodon.test.test.pub.solar", "rootUrl": "https://mastodon.test.pub.solar",
"adminUrl": "", "adminUrl": "",
"baseUrl": "https://mastodon.test.test.pub.solar", "baseUrl": "https://mastodon.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
@ -955,10 +955,10 @@
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"", "",
"https://mastodon.test.test.pub.solar/auth/auth/openid_connect/callback" "https://mastodon.test.pub.solar/auth/auth/openid_connect/callback"
], ],
"webOrigins": [ "webOrigins": [
"https://mastodon.test.test.pub.solar/auth/openid_connect/callback" "https://mastodon.test.pub.solar/auth/openid_connect/callback"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -1006,17 +1006,17 @@
"clientId": "matrix", "clientId": "matrix",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "https://chat.test.test.pub.solar", "rootUrl": "https://chat.test.pub.solar",
"adminUrl": "", "adminUrl": "",
"baseUrl": "https://chat.test.test.pub.solar", "baseUrl": "https://chat.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback", "https://matrix.test.pub.solar/_synapse/client/oidc/callback",
"https://matrix.test.test.test.pub.solar/_synapse/client/oidc/callback" "https://matrix.test.test.pub.solar/_synapse/client/oidc/callback"
], ],
"webOrigins": [], "webOrigins": [],
"notBefore": 0, "notBefore": 0,
@ -1038,7 +1038,7 @@
"tls-client-certificate-bound-access-tokens": "false", "tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false", "oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true", "backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://chat.test.test.pub.solar/_synapse/client/oidc/backchannel_logout", "backchannel.logout.url": "https://chat.test.pub.solar/_synapse/client/oidc/backchannel_logout",
"client_credentials.use_refresh_token": "false", "client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}", "acr.loa.map": "{}",
"require.pushed.authorization.requests": "false", "require.pushed.authorization.requests": "false",
@ -1111,9 +1111,9 @@
"clientId": "matrix-authentication-service", "clientId": "matrix-authentication-service",
"name": "", "name": "",
"description": "Used for our hosted https://github.com/matrix-org/matrix-authentication-service", "description": "Used for our hosted https://github.com/matrix-org/matrix-authentication-service",
"rootUrl": "https://matrix.test.test.pub.solar/", "rootUrl": "https://matrix.test.pub.solar/",
"adminUrl": "https://matrix.test.test.pub.solar/", "adminUrl": "https://matrix.test.pub.solar/",
"baseUrl": "https://matrix.test.test.pub.solar/", "baseUrl": "https://matrix.test.pub.solar/",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
@ -1166,19 +1166,19 @@
"clientId": "mediawiki", "clientId": "mediawiki",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "https://wiki.test.test.pub.solar", "rootUrl": "https://wiki.test.pub.solar",
"adminUrl": "https://wiki.test.test.pub.solar", "adminUrl": "https://wiki.test.pub.solar",
"baseUrl": "https://wiki.test.test.pub.solar", "baseUrl": "https://wiki.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://wiki.test.test.pub.solar/*" "https://wiki.test.pub.solar/*"
], ],
"webOrigins": [ "webOrigins": [
"https://wiki.test.test.pub.solar" "https://wiki.test.pub.solar"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -1221,19 +1221,19 @@
"clientId": "nextcloud", "clientId": "nextcloud",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "https://cloud.test.test.pub.solar", "rootUrl": "https://cloud.test.pub.solar",
"adminUrl": "https://cloud.test.test.pub.solar", "adminUrl": "https://cloud.test.pub.solar",
"baseUrl": "https://cloud.test.test.pub.solar", "baseUrl": "https://cloud.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://cloud.test.test.pub.solar/apps/user_oidc/code" "https://cloud.test.pub.solar/apps/user_oidc/code"
], ],
"webOrigins": [ "webOrigins": [
"https://cloud.test.test.pub.solar" "https://cloud.test.pub.solar"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -1247,14 +1247,14 @@
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": { "attributes": {
"client.secret.creation.time": 1724762383467, "client.secret.creation.time": 1724762383467,
"post.logout.redirect.uris": "https://cloud.test.test.pub.solar##https://cloud.test.test.pub.solar/##https://cloud.test.test.pub.solar/*", "post.logout.redirect.uris": "https://cloud.test.pub.solar##https://cloud.test.pub.solar/##https://cloud.test.pub.solar/*",
"oauth2.device.authorization.grant.enabled": "false", "oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false", "backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true", "use.refresh.tokens": "true",
"tls-client-certificate-bound-access-tokens": "false", "tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false", "oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true", "backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://cloud.test.test.pub.solar/apps/user_oidc/backchannel-logout/test.test.pub.solar%20ID", "backchannel.logout.url": "https://cloud.test.pub.solar/apps/user_oidc/backchannel-logout/test.pub.solar%20ID",
"client_credentials.use_refresh_token": "false", "client_credentials.use_refresh_token": "false",
"require.pushed.authorization.requests": "false", "require.pushed.authorization.requests": "false",
"acr.loa.map": "{}", "acr.loa.map": "{}",
@ -1283,16 +1283,16 @@
"clientId": "openbikesensor-portal", "clientId": "openbikesensor-portal",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "https://obs-portal.test.test.pub.solar", "rootUrl": "https://obs-portal.test.pub.solar",
"adminUrl": "", "adminUrl": "",
"baseUrl": "https://obs-portal.test.test.pub.solar", "baseUrl": "https://obs-portal.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://obs-portal.test.test.pub.solar/*" "https://obs-portal.test.pub.solar/*"
], ],
"webOrigins": [ "webOrigins": [
"+" "+"
@ -1382,13 +1382,13 @@
"clientId": "security-admin-console", "clientId": "security-admin-console",
"name": "${client_security-admin-console}", "name": "${client_security-admin-console}",
"rootUrl": "${authAdminUrl}", "rootUrl": "${authAdminUrl}",
"baseUrl": "/admin/test.test.pub.solar/console/", "baseUrl": "/admin/test.pub.solar/console/",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"redirectUris": [ "redirectUris": [
"/admin/test.test.pub.solar/console/*" "/admin/test.pub.solar/console/*"
], ],
"webOrigins": [ "webOrigins": [
"+" "+"
@ -1498,19 +1498,19 @@
"clientId": "tt-rss", "clientId": "tt-rss",
"name": "tt-rss", "name": "tt-rss",
"description": "", "description": "",
"rootUrl": "https://rss.test.test.pub.solar", "rootUrl": "https://rss.test.pub.solar",
"adminUrl": "https://rss.test.test.pub.solar", "adminUrl": "https://rss.test.pub.solar",
"baseUrl": "https://rss.test.test.pub.solar", "baseUrl": "https://rss.test.pub.solar",
"surrogateAuthRequired": false, "surrogateAuthRequired": false,
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "secret", "secret": "secret",
"redirectUris": [ "redirectUris": [
"https://rss.test.test.pub.solar" "https://rss.test.pub.solar"
], ],
"webOrigins": [ "webOrigins": [
"https://rss.test.test.pub.solar" "https://rss.test.pub.solar"
], ],
"notBefore": 0, "notBefore": 0,
"bearerOnly": false, "bearerOnly": false,
@ -2095,23 +2095,23 @@
"strictTransportSecurity": "max-age=31536000; includeSubDomains" "strictTransportSecurity": "max-age=31536000; includeSubDomains"
}, },
"smtpServer": { "smtpServer": {
"password": "**********", "password": "password",
"replyToDisplayName": "test.test.pub.solar Support", "replyToDisplayName": "test.pub.solar Support",
"starttls": "false", "starttls": "false",
"auth": "true", "auth": "true",
"port": "465", "port": "465",
"replyTo": "admins@test.test.pub.solar", "replyTo": "admins@test.pub.solar",
"host": "mail.test.test.pub.solar", "host": "mail.test.pub.solar",
"from": "keycloak@test.test.pub.solar", "from": "keycloak@test.pub.solar",
"fromDisplayName": "test.test.pub.solar ID", "fromDisplayName": "test.pub.solar ID",
"envelopeFrom": "", "envelopeFrom": "",
"ssl": "true", "ssl": "true",
"user": "admins@test.test.pub.solar" "user": "admins@test.pub.solar"
}, },
"loginTheme": "test.test.pub.solar", "loginTheme": "pub.solar",
"accountTheme": "test.test.pub.solar", "accountTheme": "pub.solar",
"adminTheme": "test.test.pub.solar", "adminTheme": "pub.solar",
"emailTheme": "test.test.pub.solar", "emailTheme": "pub.solar",
"eventsEnabled": false, "eventsEnabled": false,
"eventsListeners": [ "eventsListeners": [
"jboss-logging" "jboss-logging"


@ -60,11 +60,23 @@ const changeIds = (node) => {
return node; return node;
}; };
const setExtra = (data) => ({
...data,
loginTheme: "pub.solar",
accountTheme: "pub.solar",
adminTheme: "pub.solar",
emailTheme: "pub.solar",
smtpServer: {
...data.smtpServer,
password: "password",
},
});
(async () => { (async () => {
const fileContents = await readFile(filePath, { encoding: 'utf8' }); const fileContents = await readFile(filePath, { encoding: 'utf8' });
const data = JSON.parse(renameDomain(fileContents)); const data = JSON.parse(renameDomain(fileContents));
const newData = changeIds(cleanClients(data)); const newData = setExtra(changeIds(cleanClients(data)));
console.log(JSON.stringify(newData, null, 2)); console.log(JSON.stringify(newData, null, 2));
})(); })();
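Review bot: `setExtra` rewrites the four theme names to `pub.solar` and replaces `smtpServer.password` (redacted to `**********` in a Keycloak export) with the literal `password` without saying why, so a reader of the cleaned fixture cannot tell these are test-only values rather than production settings. A comment above the function along the lines of `// Pin values the VM test depends on: the themes, and a known SMTP password (matching the test mail-server's bcrypt hash) in place of the redacted one from the export.` would carry that. As a style point, the hard-coded strings could be lifted to named constants next to `filePath` so the theme name and test password are changed in one place.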


@ -0,0 +1,27 @@
{
config,
flake,
...
}: {
imports = [
flake.self.nixosModules.home-manager
flake.self.nixosModules.core
flake.self.nixosModules.mail
flake.inputs.simple-nixos-mailserver.nixosModule
./global.nix
];
# password is password
systemd.tmpfiles.rules = [ "f /tmp/emailpw 1777 root root 10d $2b$11$NV75HGZzMcIwrnVUZKXtxexX9DN52HayDW4eKrD1A8O3uIPnCquQ2" ];
mailserver = {
loginAccounts = {
"admins@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = "/tmp/emailpw";
};
"hakkonaut@${config.pub-solar-os.networking.domain}" = {
hashedPasswordFile = "/tmp/emailpw";
};
};
};
}
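Review bot: The tmpfiles rule creates `/tmp/emailpw`, the bcrypt hash shared by both login accounts, with mode `1777`; the sticky bit has no meaning on a regular file and world-writable lets any process in the VM replace the hash. `0644` is enough for a file that is only read (or `0600` if only root reads it — depends on how the mail module consumes `hashedPasswordFile`); the same `1777` pattern appears for `/tmp/step-ca-intermediate-pw` in support/acme-server.nix. This is harmless in a throwaway test VM, but support files tend to get copied, and `# password is password` could be more precise: `# bcrypt hash of the literal "password" (mkpasswd -m bcrypt), shared by both test mailboxes`.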


@ -14,13 +14,7 @@
node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
nodes = { nodes = {
acme-server = { acme-server.imports = [ ./support/acme-server.nix ];
imports = [
self.nixosModules.home-manager
self.nixosModules.core
./support/ca.nix
];
};
nachtigall = { nachtigall = {
imports = [ imports = [