From 88dd0cbc7d6e9dc40cf70699d8b89804fdbd6788 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 8 Sep 2016 21:06:50 +0200
Subject: l 2 websites: set uploadsize limit to 100m
---
 lass/2configs/websites/domsen.nix | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'lass/2configs/websites/domsen.nix')
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index d5ad38c07..f500b8261 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -132,6 +132,9 @@ in {
 extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
 sendmail_path = "${sendmail} -t -i"
 always_populate_raw_post_data = -1
+ upload_max_filesize = 100M
+ post_max_size = 100M
+ file_uploads = on
 '';
 } ''
 cat ${pkgs.php}/etc/php-recommended.ini > $out
--
cgit v1.2.3
From c298a6769dbb05ecb760049836e73c55703c23ee Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 8 Sep 2016 21:23:51 +0200
Subject: l 2 websites domsen: enable dovecot2 with pam auth
---
 lass/2configs/websites/domsen.nix | 71 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 9 deletions(-)
(limited to 'lass/2configs/websites/domsen.nix')
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index f500b8261..2f93c1f9c 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,9 +1,11 @@
 { config, pkgs, lib, ... }:
 let
+
 inherit (import { config = {}; inherit lib; })
 genid
- ;
+ genid_signed
+ ;
 inherit (import {inherit lib pkgs;})
 ssl
 servePage
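Review bot: `post_max_size = 100M` is set equal to `upload_max_filesize = 100M`, so a file right at the upload limit plus the remaining multipart fields exceeds the POST limit and the request is dropped; PHP's own ini documentation asks for post_max_size to be larger than upload_max_filesize, e.g. `post_max_size = 110M` (constructed value). The same documentation wants memory_limit above post_max_size, and the hunk inherits whatever php-recommended.ini sets, so that value is worth confirming in the base file. If a web server fronts php-fpm, its request-body limit (for nginx `client_max_body_size`, default 1m) must be raised as well, which this file does not show.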
@@ -20,6 +22,25 @@ let
 exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
 '';
+ check-password = pkgs.writeDash "check-password" ''
+ read pw
+
+ file="/home/$PAM_USER/.shadow"
+
+ #check if shadow file exists
+ test -e "$file" || exit 123
+
+ hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+ salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+ calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+ if [ "$calc_hash" == $hash ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ '';
+
 in {
 imports = [
 ./sqlBackup.nix
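Review bot: `if [ "$calc_hash" == $hash ]; then` uses `==`, which dash's `[` builtin does not accept (POSIX test only knows `=`), so under pkgs.writeDash the comparison fails with "unexpected operator" and the script never exits 0 — the pam_exec check silently falls through to the next module; it should read `if [ "$calc_hash" = "$hash" ]; then`. `read pw` and `echo "$pw"` both interpret backslash escapes in dash, so a password containing `\` is hashed from a different string than the one the user typed; use `read -r pw` and `printf '%s\n' "$pw"`. `$PAM_USER` arrives from the remote SMTP client and is spliced into the `/home/...` path without validation, and `$file` is unquoted on the head line; reject names containing `/` or starting with `.` before touching the filesystem. The sed expression also assumes a plain `$6$salt$hash` line and mis-parses a hash that carries a `rounds=` field, which deserves at least a comment.
```nix
  check-password = pkgs.writeDash "check-password" ''
    read -r pw

    # PAM_USER is chosen by the remote client; only accept a plain user name
    case "$PAM_USER" in
      ""|*/*|.*) exit 123 ;;
    esac
    file="/home/$PAM_USER/.shadow"
    # … unchanged: existence check …
    hash="$(${pkgs.coreutils}/bin/head -1 "$file")"
    # … unchanged: salt extraction …
    calc_hash="$(printf '%s\n' "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S "$salt")"
    if [ "$calc_hash" = "$hash" ]; then
    # … unchanged: exit branches …
```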
@@ -143,21 +164,53 @@ in {
 # MAIL STUFF
 # TODO: make into its own module
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Mail";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
- ];
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+ ];
+
+ security.pam.services.exim.text = ''
+ auth required pam_env.so
+ auth sufficient pam_exec.so debug expose_authtok ${check-password}
+ auth sufficient pam_unix.so likeauth nullok
+ auth required pam_deny.so
+ account required pam_unix.so
+ password required pam_cracklib.so retry=3 type=
+ password sufficient pam_unix.so nullok use_authtok md5shadow
+ password required pam_deny.so
+ session required pam_limits.so
+ session required pam_unix.so
+ '';
+ krebs.exim-smarthost = {
+ authenticators.PLAIN = ''
+ driver = plaintext
+ server_prompts = :
+ server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+ server_set_id = $auth2
+ '';
+ authenticators.LOGIN = ''
+ driver = plaintext
+ server_prompts = "Username:: : Password::"
+ server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+ server_set_id = $auth1
+ '';
 internet-aliases = [
 { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
 { from = "mail@jla-trading.com"; to = "jla-trading"; }
+ { from = "testuser@lassul.us"; to = "testuser"; }
 ];
 system-aliases = [ ];
+ ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/lassul.us/key.pem";
 };
 users.users.domsen = {
--
cgit v1.2.3
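Review bot: The PLAIN and LOGIN authenticators carry no `server_advertise_condition`, so unless krebs.exim-smarthost adds one they are offered on unencrypted sessions too and the mailbox password crosses the wire in the clear; add `server_advertise_condition = ''${if def:tls_in_cipher}` to both, using the same `''${…}` escaping the hunk already uses for server_condition. `auth sufficient pam_unix.so likeauth nullok` lets any account whose password field is empty pass SMTP AUTH with an empty password; drop `nullok` unless that is intended. The firewall rule opens 465, but nothing visible here tells exim to run TLS-on-connect on that port (`tls_on_connect_ports`), so confirm the smarthost module does that from `ssl_cert`/`ssl_key`. The enclosing attribute set starts and ends outside the hunk.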
From 88bb31e8d2ca330c14d4a6e843d7cd7b1909d815 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 11 Oct 2016 17:50:42 +0200
Subject: l 2 websites domsen: use new phpOptions
---
 lass/2configs/websites/domsen.nix | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)
(limited to 'lass/2configs/websites/domsen.nix')
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 2f93c1f9c..0723e9ab9 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -144,22 +144,13 @@ in {
 };
- #services.phpfpm.phpOptions = ''
- # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- # sendmail_path = ${sendmail} -t
- #'';
- services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
- options = ''
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- sendmail_path = "${sendmail} -t -i"
- always_populate_raw_post_data = -1
- upload_max_filesize = 100M
- post_max_size = 100M
- file_uploads = on
- '';
- } ''
- cat ${pkgs.php}/etc/php-recommended.ini > $out
- echo "$options" >> $out
+ services.phpfpm.phpOptions = ''
+ extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+ sendmail_path = ${sendmail} -t
+ always_populate_raw_post_data = -1
+ upload_max_filesize = 100M
+ post_max_size = 100M
+ file_uploads = on
 '';
 # MAIL STUFF
--
cgit v1.2.3
From 1c4bf63ed89d93fb13d98c5a0a12fc00387bbadd Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 12 Oct 2016 12:34:49 +0200
Subject: l 2 websites domsen: disable apcu
---
 lass/2configs/websites/domsen.nix | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'lass/2configs/websites/domsen.nix')
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 0723e9ab9..e05f40d97 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -143,11 +143,8 @@ in {
 };
 };
-
 services.phpfpm.phpOptions = ''
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
 sendmail_path = ${sendmail} -t
- always_populate_raw_post_data = -1
 upload_max_filesize = 100M
 post_max_size = 100M
 file_uploads = on
--
cgit v1.2.3