lyes/nixfiles
1
0
Fork 0
Code Issues Pull requests 1 Activity Actions

Compare commits

base: lyes:e2946c9fb7a956e35c0c8edab86db51413264e24
Branches Tags
lyes:main
lyes:mail-ldap
..
compare: lyes:7aa35d9249d2aebd89200e341db71562b3655ecf
Branches Tags
lyes:main
lyes:mail-ldap

2 commits
e2946c9fb7 ... 7aa35d9249

Author SHA1 Message Date
Lyes Saadi
7aa35d9249
Revert "Adding cospend to nextcloud" 
This reverts commit e2946c9fb7.
 2026-02-15 03:42:13 +01:00
Lyes Saadi
b6352c36c1
First attempt at ldap for mail 2026-02-15 03:41:52 +01:00
11 changed files with 162 additions and 218 deletions
Download patch file Download diff file Expand all files Collapse all files

76
flake.lock generated
View file

@ -10,11 +10,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1770165109, "lastModified": 1762618334,
"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +47,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770681688, "lastModified": 1769889994,
"narHash": "sha256-bGVEgZMxmw9N+IKp5nG+2nyKFezdPWYDxyxXkYW+d2M=", "narHash": "sha256-uEn3WcpPHe3sMJMgIJ0XW3f4/+TRzZpNgv4vu5/gjmA=",
"owner": "9001", "owner": "9001",
"repo": "copyparty", "repo": "copyparty",
"rev": "e5d0a0572da507acfe774e0f86ad541f5daab97f", "rev": "9b436eb52e5cfe7a0a8e59dd9f1a37351f3a2abd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -89,11 +89,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1770019181, "lastModified": 1766051518,
"narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=", "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171", "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -141,15 +141,15 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1767039857, "lastModified": 1761588595,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "NixOS", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"type": "github" "type": "github"
} }
@ -182,11 +182,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769939035, "lastModified": 1763988335,
"narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "a8ca480175326551d6c4121498316261cbb5b260", "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -245,11 +245,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770654520, "lastModified": 1769978395,
"narHash": "sha256-mg5WZMIPGsFu9MxSrUcuJUPMbfMsF77el5yb/7rc10k=", "narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "6c4fdbe1ad198fac36c320fd45c5957324a80b8e", "rev": "984708c34d3495a518e6ab6b8633469bbca2f77a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -288,11 +288,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1770659507, "lastModified": 1766321686,
"narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=", "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "781e833633ebc0873d251772a74e4400a73f5d78", "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -335,11 +335,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1770631810, "lastModified": 1769302137,
"narHash": "sha256-b7iK/x+zOXbjhRqa+XBlYla4zFvPZyU5Ln2HJkiSnzc=", "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2889685785848de940375bf7fea5e7c5a3c8d502", "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -383,11 +383,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1770562336, "lastModified": 1769789167,
"narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d6c71932130818840fc8fe9509cf50be8c64634f", "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -399,11 +399,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1770650459, "lastModified": 1764374374,
"narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=", "narHash": "sha256-naS7hg/D1yLKSZoENx9gvsPLFiNEOTcqamJSu0OEvCA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378", "rev": "6a49303095abc094ee77dc243a9e351b642e8e75",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -415,11 +415,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1770562336, "lastModified": 1769789167,
"narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d6c71932130818840fc8fe9509cf50be8c64634f", "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -533,11 +533,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1770707140, "lastModified": 1769922110,
"narHash": "sha256-3ZRA2+o5p1+FKWx988WbwB1SQ2Mz5aL95zxhL5iD+O0=", "narHash": "sha256-/0Cl75Yy4mQOWNfr2ZR5aYZlFc2geH7NUkwiwiKUNhg=",
"owner": "0xc000022070", "owner": "0xc000022070",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"rev": "db14437f8667f7f09784e2a4e73c105bdc1c7023", "rev": "dc3cb779f0fae72b3ebffd60a2272095f8848eda",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
hosts/zora/default.nix
View file

@ -13,6 +13,7 @@
./users.nix ./users.nix
../../users/lyes ../../users/lyes
../../users/lyes/server
../../modules ../../modules
../../modules/server ../../modules/server

2
hosts/zora/reverse-proxy.nix
View file

@ -3,7 +3,7 @@
{ {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "security@lyes.eu"; defaults.email = "root.security@lyes.eu";
}; };
services.nginx = { services.nginx = {

12
modules/server/baba/default.nix
View file

@ -15,12 +15,12 @@
extraAppsEnable = true; extraAppsEnable = true;
extraApps = { extraApps = {
inherit (config.services.nextcloud.package.packages.apps) mail calendar contacts cospend user_oidc notes richdocuments tasks news dav_push repod gpoddersync phonetrack music; inherit (config.services.nextcloud.package.packages.apps) mail calendar contacts user_oidc notes richdocuments tasks news dav_push repod phonetrack music;
# gpoddersync = pkgs.fetchNextcloudApp { gpoddersync = pkgs.fetchNextcloudApp {
# hash = "sha256-EQVs1fe0ierjqFZ5+KVc1Yj67zrwjLBAzY5A+QsC7AU="; hash = "sha256-EQVs1fe0ierjqFZ5+KVc1Yj67zrwjLBAzY5A+QsC7AU=";
# url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.13.2r/gpoddersync.tar.gz"; url = "https://github.com/thrillfall/nextcloud-gpodder/releases/download/3.13.2r/gpoddersync.tar.gz";
# license = "agpl3Only"; license = "agpl3Only";
# }; };
}; };
config = { config = {

2
modules/server/link/default.nix
View file

@ -14,7 +14,7 @@ in
# package = pkgs.kanidmWithSecretProvisioning_1_7; # package = pkgs.kanidmWithSecretProvisioning_1_7;
enableServer = true; enableServer = true;
serverSettings = { server.settings = {
bindaddress = "127.0.0.1:${port}"; bindaddress = "127.0.0.1:${port}";
ldapbindaddress = "0.0.0.0:636"; ldapbindaddress = "0.0.0.0:636";
domain = hostname; domain = hostname;

264
modules/server/taf/default.nix
View file

@ -1,5 +1,20 @@
{ config, ... }: { config, lib, ... }:
let
alias = ''
@lyes.eu lyes
lyes@mail.lyes.eu lyes
abuse@taf.lyes.eu lyes
abuse@mail.lyes.eu lyes
abuse@minish.fr lyes
abuse@minish.link lyes
postmaster@taf.lyes.eu lyes
postmaster@mail.lyes.eu lyes
postmaster@minish.fr lyes
postmaster@minish.link lyes
'';
aliasFile = lib.toFile "alias" alias;
in
{ {
mailserver = { mailserver = {
enable = true; enable = true;
@ -7,7 +22,10 @@
fqdn = "taf.lyes.eu"; fqdn = "taf.lyes.eu";
domains = [ domains = [
"lyes.eu" "lyes.eu"
"taf.lyes.eu"
"mail.lyes.eu" "mail.lyes.eu"
"minish.fr"
"minish.link"
]; ];
localDnsResolver = false; localDnsResolver = false;
@ -15,175 +33,85 @@
# debug.all = true; # debug.all = true;
# ldap = { ldap = {
# enable = true; enable = true;
# uris = [ "ldaps://auth.lyes.eu:636" ]; uris = [ "ldaps://auth.lyes.eu:636" ];
# searchBase = "dc=auth,dc=lyes,dc=eu"; searchBase = "dc=auth,dc=lyes,dc=eu";
# searchScope = "sub"; searchScope = "sub";
# bind = { bind = {
# # dn = "dn=token,dc=auth,dc=lyes,dc=eu"; # dn = "dn=token,dc=auth,dc=lyes,dc=eu";
# dn = "dn=token"; dn = "dn=token";
# passwordFile = config.age.secrets.taf-token.path; passwordFile = config.age.secrets.taf-token.path;
# }; };
# dovecot = { dovecot = {
# userFilter = "(name=%u)"; userFilter = "(&(memberof=taf_users)(mail=%u))";
# passFilter = "(name=%u)"; passFilter = "(&(memberof=taf_users)(mail=%u))";
# }; };
# postfix = { postfix = {
# filter = "(name=%s)"; filter = "(&(memberof=taf_users)(mail=%s))";
# mailAttribute = "mail"; mailAttribute = "mail";
# uidAttribute = "name"; uidAttribute = "name";
# };
# };
loginAccounts = {
"lyes@mail.lyes.eu" = {
hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path;
aliases = [
"@lyes.eu"
];
quota = "1T";
sieveScript = ''
require ["include", "fileinto", "mailbox", "copy", "regex", "variables", "imap4flags"];
include :personal "hiddensieve";
# lyes.eu filters
if address :is :domain "X-Original-To" "lyes.eu" {
# If the mail comes from my crans mailbox
if address :is :localpart "X-Original-To" "crans" {
# Aurore Support
if header :contains "List-Id" "<support.aurore.lists.crans.org>" {
fileinto :create "Crans.aurore.support";
}
# Mailman moderation request
elsif address :matches :all "To" "*-owner@lists.crans.org" {
fileinto :create "Crans.moderation";
}
# Crans Bureau
elsif anyof (
header :contains "List-Id" "<bureau.lists.crans.org>",
header :contains "List-Id" "<achats-crans.lists.crans.org>",
header :contains "List-Id" "<tresorerie.lists.crans.org>"
) {
fileinto :create "Crans.crans.bureau";
}
# Crans CA
elsif header :contains "List-Id" "<ca.lists.crans.org>" {
fileinto :create "Crans.crans.ca";
}
# Crans Root Postmaster
elsif address :is :all "To" "postmaster@crans.org" {
addflag "\\Seen";
fileinto :create "Crans.crans.root.postmaster";
}
# Crans Root Mailer
elsif address :is :all "From" "MAILER-DAEMON@crans.org" {
fileinto :create "Crans.crans.root.mailer";
}
# Crans Nounou
elsif anyof (
header :contains "List-Id" "<nounou.lists.crans.org>",
header :contains "List-Id" "<apprenti-es.lists.crans.org>",
address :is :all "To" "contact@crans.org",
address :is :all "From" "contact@crans.org"
) {
fileinto :create "Crans.crans.nounou";
}
# Crans Root
elsif anyof (
address :is :all "To" "root@crans.org",
address :is :all "From" "root@crans.org",
address :is :all "From" "www-data@crans.org"
) {
fileinto :create "Crans.crans.root";
}
# Crans Gitlab
elsif address :is :all "From" "gitlab@crans.org" {
fileinto :create "Crans.crans.gitlab";
}
# Crans Wiki
elsif address :is :all "From" "wiki@crans.org" {
fileinto :create "Crans.crans.wiki";
}
# Aurore CA
elsif header :contains "List-Id" "<ca.aurore.lists.crans.org>" {
fileinto :create "Crans.aurore.ca";
}
# BDL
elsif anyof (
header :contains "List-Id" "<bdl-bureau.lists.crans.org>",
header :contains "List-Id" "<bdl.lists.crans.org>"
) {
fileinto :create "Crans.asso.bdl";
}
# Med
elsif anyof (
header :contains "List-Id" "<med-bureau.lists.crans.org>",
header :contains "List-Id" "<med.lists.crans.org>"
) {
fileinto :create "Crans.asso.med";
}
# NL BDE
elsif header :contains "List-Id" "<evenements.lists.crans.org>" {
fileinto :create "Crans.asso.nl.bde";
}
# NL BDA
elsif header :contains "List-Id" "<evenement.bda.lists.crans.org>" {
fileinto :create "Crans.asso.nl.bda";
}
# Any other associative mail
elsif anyof (
header :contains "List-Id" "<la5emeparallele-bureau.lists.crans.org>",
header :contains "List-Id" "<la5emeparallele.lists.crans.org>",
header :matches "List-Id" "<*.lists.crans.org>"
) {
fileinto :create "Crans.asso";
}
# Otherwise it's for the generic mailbox
else {
fileinto :create "Crans";
}
}
# Otherwise it's for my different accounts
# It's automatically sorted using the localpart
elsif address :localpart :regex "X-Original-To" "^(([a-zA-Z]+\\.)*([a-zA-Z]+))(-([a-zA-Z0-9_.\\-]*))?''$" {
set :lower "sub_folder" "''${1}";
set "mbox_candidate" "INBOX.''${sub_folder}";
fileinto :create "''${mbox_candidate}";
}
# Other unknown origin
else {
fileinto :create "INBOX.other";
}
}
# It's destined to my main inbox
elsif address :is "X-Original-To" "lyes@mail.lyes.eu" {
fileinto :create "INBOX";
}
# Other unknown origin
else {
fileinto :create "INBOX.other";
}
'';
}; };
}; };
# fullTextSearch = {
# enable = true;
# autoIndex = true;
# enforced = "body";
# };
# loginAccounts = {
# "lyes@mail.lyes.eu" = {
# # hashedPasswordFile = config.age.secrets.lyes-mail-passwd.path;
# # aliases = [
# # "@lyes.eu"
# # ];
# # quota = "1T";
# };
# };
# extraVirtualAliases = { # extraVirtualAliases = {
# "@lyes.eu" = "lyes@mail.lyes.eu"; # "@lyes.eu" = "lyes";
# "abuse@mail.lyes.eu" = "lyes";
# # "abuse@minish.fr" = "lyes";
# # "abuse@minish.link" = "lyes";
# "postmaster@mail.lyes.eu" = "lyes";
# # "postmaster@minish.fr" = "lyes";
# # "postmaster@minish.link" = "lyes";
# }; # };
x509.useACMEHost = config.mailserver.fqdn; x509.useACMEHost = config.mailserver.fqdn;
}; };
services.postfix = {
mapFiles."valias" = lib.mkForce aliasFile;
mapFiles."vaccounts" = lib.mkForce aliasFile;
virtual = lib.mkForce alias;
settings = {
main = {
# local_recipient_maps = "";
# virtual_alias_maps = lib.mkForce "ldap:/run/postfix/ldap-virtual-mailbox-map.cf";
maximal_queue_lifetime = "31d";
relay_domains = [
"skaven.org"
"agreg.info"
];
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
];
};
};
};
# services.dovecot2.extraConfig = '' # services.dovecot2.extraConfig = ''
# userdb { # userdb {
# driver = ldap # driver = ldap
@ -200,7 +128,10 @@
# } # }
# ''; # '';
services.dovecot2.sieve.extensions = [ "imap4flags" ]; services.dovecot2 = {
# enableQuota = lib.mkForce false;
sieve.extensions = [ "imap4flags" ];
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
@ -217,21 +148,12 @@
age.secrets = { age.secrets = {
taf-token = { taf-token = {
owner = "postfix";
file = ../../../secrets/zora/services/taf-token.age; file = ../../../secrets/zora/services/taf-token.age;
}; };
lyes-mail-passwd = { # lyes-mail-passwd = {
owner = "postfix"; # owner = "postfix";
file = ../../../secrets/lyes/mail-passwd.age; # file = ../../../secrets/lyes/mail-passwd.age;
}; # };
lyes-hidden-sieve = {
file = ../../../secrets/lyes/hidden-sieve.age;
path = "/var/sieve/lyes@mail.lyes.eu/scripts/hiddensieve.sieve";
owner = "virtualMail";
group = "virtualMail";
mode = "660";
};
}; };
} }

2
secrets.nix
View file

@ -8,7 +8,7 @@ in
{ {
# Lyes # Lyes
"secrets/lyes/mail-passwd.age".publicKeys = [ lyes zora ]; "secrets/lyes/mail-passwd.age".publicKeys = [ lyes zora ];
"secrets/lyes/hidden-sieve.age".publicKeys = [ lyes zora ]; "secrets/lyes/sieve.age".publicKeys = [ lyes zora ];
# Zora # Zora
"secrets/zora/services/kanidm-admin-password.age".publicKeys = all; "secrets/zora/services/kanidm-admin-password.age".publicKeys = all;

BIN
secrets/lyes/hidden-sieve.age
View file

Binary file not shown.

BIN
secrets/lyes/sieve.age Normal file
View file

Binary file not shown.

8
users/lyes/server/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports =
[
./sieve.nix
];
}

13
users/lyes/server/sieve.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
age.secrets = {
lyes-sieve = {
file = ../../../secrets/lyes/sieve.age;
path = "/var/sieve/lyes@taf.lyes.eu/default.sieve";
owner = "virtualMail";
group = "virtualMail";
mode = "660";
};
};
}