makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions 1 Packages Projects Releases Wiki Activity

l 2 websites domsen: enable dovecot2 with pam auth

Browse source
This commit is contained in:
lassulus 2016-09-08 21:23:51 +02:00
parent 88dd0cbc7d
commit c298a6769d
1 changed files with 62 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
lass/2configs/websites/domsen.nix
View file

@ -1,9 +1,11 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
genid genid
; genid_signed
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
ssl ssl
servePage servePage
@ -20,6 +22,25 @@ let
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
''; '';
check-password = pkgs.writeDash "check-password" ''
read pw
file="/home/$PAM_USER/.shadow"
#check if shadow file exists
test -e "$file" || exit 123
hash="$(${pkgs.coreutils}/bin/head -1 $file)"
salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
if [ "$calc_hash" == $hash ]; then
exit 0
else
exit 1
fi
'';
in { in {
imports = [ imports = [
./sqlBackup.nix ./sqlBackup.nix
@ -143,21 +164,53 @@ in {
# MAIL STUFF # MAIL STUFF
# TODO: make into its own module # TODO: make into its own module
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
mailLocation = "maildir:~/Mail"; mailLocation = "maildir:~/Mail";
}; sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
krebs.iptables.tables.filter.INPUT.rules = [ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
{ predicate = "-p tcp --dport pop3"; target = "ACCEPT"; } };
{ predicate = "-p tcp --dport imap"; target = "ACCEPT"; } krebs.iptables.tables.filter.INPUT.rules = [
]; { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
];
security.pam.services.exim.text = ''
auth required pam_env.so
auth sufficient pam_exec.so debug expose_authtok ${check-password}
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
'';
krebs.exim-smarthost = { krebs.exim-smarthost = {
authenticators.PLAIN = ''
driver = plaintext
server_prompts = :
server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
server_set_id = $auth2
'';
authenticators.LOGIN = ''
driver = plaintext
server_prompts = "Username:: : Password::"
server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
server_set_id = $auth1
'';
internet-aliases = [ internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; } { from = "mail@jla-trading.com"; to = "jla-trading"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
]; ];
system-aliases = [ system-aliases = [
]; ];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
}; };
users.users.domsen = { users.users.domsen = {