Some kind of broken state

voc · Dec 25, 2024 · 92876cc · 92876cc
1 parent c40e56d
commit 92876cc
Show file tree

Hide file tree

Showing 7 changed files with 172 additions and 20 deletions.
diff --git a/nixos/hosts/mail/mail.nix b/nixos/hosts/mail/mail.nix
@@ -3,6 +3,11 @@
 let
   OWNER_EMAIL = "[email protected]";  # Change this!
   MAILMAN_HOST = "lists.c3voc.de";    # Change this!
+
+  # Znuny handled addresses
+  ticketSystemAddresses = [
+    "znuny"
+  ];
 in {
   imports = [ inputs.nixos-mailserver.nixosModule ];
 
@@ -41,21 +46,19 @@ in {
       "muenchen" = "[email protected]";
       "studios" = "[email protected]";
       "voc" = "[email protected]";
-    };
+    } // (lib.genAttrs ticketSystemAddresses (addr: "${addr}@tickets.c3voc.de"));
 
     # whitelist SPF checks from mng (for now)
     policydSPFExtraConfig = ''
       HELO_Whitelist = mng.c3voc.de
-      skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,185.106.84.49,2001:67c:20a0:e::179
+      skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,185.106.84.49,2001:67c:20a0:e::179,185.106.84.19,2001:67c:20a0:e::19
     '';
-
-    loginAccounts."[email protected]" = {
-      hashedPassword = "$2b$05$KSWvSJXyURjzQjXfSIzPTeDTZ0lXjj2.z.t6QT8lL32q4UBwZQAQ6";
-    };
   };
 
   sops.secrets.aliases = {};
 
+  services.opendkim.domains = lib.mkAfter ",tickets.c3voc.de";
+
   services.postfix = {
     mapFiles.virtual_cm = config.sops.secrets.aliases.path;
     relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
@@ -68,6 +71,10 @@ in {
     networks = [ 
       "127.0.0.1/32"
       "[::1]/128"
+
+      # tickets.c3voc.de
+      "185.106.84.19/32"
+      "[2001:67c:20a0:e::19]/128"
     ];
   };
 

diff --git a/nixos/hosts/sso/authentik.nix b/nixos/hosts/sso/authentik.nix
@@ -17,6 +17,8 @@
     };
   };
 
+  networking.firewall.allowedTCPPorts = [ 9000 ];
+
   services.nginx.virtualHosts."sso.c3voc.de".locations."/outpost.goauthentik.io" = {
     recommendedProxySettings = false;
     extraConfig = ''

diff --git a/nixos/hosts/tickets/authentik.nix b/nixos/hosts/tickets/authentik.nix
@@ -0,0 +1,19 @@
+{ config, inputs, ... }:
+
+{
+
+  imports = [
+    inputs.authentik-nix.nixosModules.default
+  ];
+
+  config = {
+    sops.secrets."authentik-token" = {};
+    sops.templates."authentik.env".content = ''
+      AUTHENTIK_HOST=https://sso.c3voc.de
+      AUTHENTIK_TOKEN=${config.sops.placeholder."authentik-token"}
+    '';
+
+    services.authentik-ldap.enable = true;
+    services.authentik-ldap.environmentFile = config.sops.templates."authentik.env".path;
+  };
+}
diff --git a/nixos/hosts/tickets/default.nix b/nixos/hosts/tickets/default.nix
@@ -8,12 +8,14 @@ in
   imports = [
     "${modulesPath}/virtualisation/proxmox-image.nix"
 
+    ./authentik.nix
+    ./mail.nix
     ./znuny.nix
   ];
   config = {
     system.stateVersion = "23.11"; # do not touch
 
-    sops.secrets."znuny_mail_password".owner = "znuny";
+    sops.secrets."ldap-bind-password".owner = "znuny";
 
     networking.useDHCP = false;
     networking.interfaces.eth0.ipv4.addresses = [{
@@ -45,18 +47,103 @@ in
 
       $Self->{Organization} = 'c3voc';
 
-      $Self->{'SendmailModule'} = 'Kernel::System::Email::SMTPTLS';
+      $Self->{'SendmailNotificationEnvelopeFrom'} = '[email protected]';
+
+      $Self->{'SendmailModule'} = 'Kernel::System::Email::SMTP';
       $Self->{'SendmailModule::Host'} = 'mail.c3voc.de';
-      $Self->{'SendmailModule::Port'} = '565';
-      $Self->{'SendmailModule::AuthUser'} = 'znuny';
-      use File::Slurper 'read_text';
-      $Self->{'SendmailModule::AuthPassword'} = read_text('${config.sops.secrets."znuny_mail_password".path}');
+      $Self->{'SendmailModule::Port'} = '25';
+      $Self->{'SendmailModule::AuthUser'} = "";
+      $Self->{'SendmailModule::AuthPassword'} = "";
+
+      $Self->{CheckMXRecord} = 0;
+
+      $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
+      $Self->{LogoutURL} = 'https://sso.c3voc.de/';
+
+      $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
+      $Self->{'AuthSyncModule::LDAP::Host'} = 'localhost';
+      $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=znuny,dc=c3voc,dc=de';
+      $Self->{'AuthSyncModule::LDAP::UID'} = 'cn';
+      $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
+      $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=voc,ou=groups,dc=znuny,dc=c3voc,dc=de';
+      $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=znuny-ldap-bind,ou=users,dc=znuny,dc=c3voc,dc=de';
+      use File::Slurper;
+      $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = File::Slurper::read_text('${config.sops.secrets."ldap-bind-password".path}');
+      $Self->{'AuthSyncModule::LDAP::Params'} = {
+          port    => 3389,
+      };
+      $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
+      $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
+      $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
+          'users',
+      ];
+      $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
+          UserFirstname => ['givenName', 'cn', '_'],
+          UserLastname  => ['sn', '_'],
+          UserEmail     => 'mail',
+      };
+      $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
+          # ldap group
+          'cn=znuny-admin,ou=groups,dc=znuny,dc=c3voc,dc=de' => {
+              # otrs group
+              'admin' => {
+                  rw => 1,
+                  ro => 1,
+              },
+          },
+          'cn=voc,ou=groups,dc=znuny,dc=c3voc,dc=de' => {
+              'users' => {
+                  rw => 1,
+                  ro => 1,
+              },
+          },
+          'cn=znuny-test-queue,ou=groups,dc=znuny,dc=c3voc,dc=de' => {
+              'znuny-queue' => {
+                  rw => 1,
+                  ro => 1,
+              },
+          },
+      };
+      $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
+      };
+
+
     '';
 
     services.nginx.enable = true;
-    services.nginx.virtualHosts."tickets.c3voc.de" = {
-      forceSSL = true;
-      enableACME = true;
-    } // config.services.znuny.nginxVirtualHostConfig;
+    services.nginx.virtualHosts."tickets.c3voc.de" = mkMerge [
+      {
+        forceSSL = true;
+        enableACME = true;
+        locations."/outpost.goauthentik.io" = {
+          proxyPass = "https://sso.c3voc.de/outpost.goauthentik.io";
+          extraConfig = ''
+            proxy_set_header        Host $host;
+            proxy_set_header        X-Origin-URI $request_uri;
+            proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+            add_header              Set-Cookie $auth_cookie;
+            auth_request_set        $auth_cookie $upstream_http_set_cookie;
+            proxy_pass_request_body off;
+            proxy_set_header        Content-Length "";
+          '';
+        };
+        locations."~ ^/znuny/(.*\\.pl)(/.*)?$".extraConfig = mkBefore ''
+          auth_request     /outpost.goauthentik.io/auth/nginx;
+          auth_request_set $auth_cookie $upstream_http_set_cookie;
+          error_page       401 = @goauthentik_proxy_signin;
+          add_header       Set-Cookie $auth_cookie;
+
+          auth_request_set $authentik_username $upstream_http_x_authentik_username;
+
+          fastcgi_param REMOTE_USER $authentik_username;
+        '';
+        locations."@goauthentik_proxy_signin".extraConfig = ''
+          internal;
+          add_header Set-Cookie $auth_cookie;
+          return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+        '';
+      }
+      config.services.znuny.nginxVirtualHostConfig
+    ];
   };
 }
diff --git a/nixos/hosts/tickets/mail.nix b/nixos/hosts/tickets/mail.nix
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+
+{
+  config = {
+    networking.nftables.extraInput = lib.mkAfter ''
+      ip saddr 185.106.84.29/32 tcp dport 25 accept
+      ip6 saddr 2001:67c:20a0:e::29/128 tcp dport 25 accept
+    '';
+
+    services.postfix.enable = true;
+    services.postfix.domain = "tickets.c3voc.de";
+    services.postfix.destination = [ "tickets.c3voc.de" ];
+    services.postfix.transport = ''
+      tickets.c3voc.de otrs-delivery
+    '';
+    services.postfix.masterConfig."otrs-delivery".type = "unix";
+    services.postfix.masterConfig."otrs-delivery".privileged = true;
+    services.postfix.masterConfig."otrs-delivery".chroot = false;
+    services.postfix.masterConfig."otrs-delivery".maxproc = 10;
+    services.postfix.masterConfig."otrs-delivery".command = "pipe";
+    services.postfix.masterConfig."otrs-delivery".args = [
+      "flags=Rq"
+      "user=${config.services.znuny.user}"
+      "null_sender="
+      "argv=${config.services.znuny.pkg}/bin/znuny.Console.pl Maint::PostMaster::Read --untrusted --quiet"
+    ];
+  };
+}
diff --git a/nixos/hosts/tickets/secrets.yaml b/nixos/hosts/tickets/secrets.yaml
@@ -1,4 +1,5 @@
-znuny_mail_password: ENC[AES256_GCM,data:QdOmah7eqq8L155k1Hn7vmeYouXMZJPD9ruYkaH4yVw=,iv:thuDkijzvN61wCsNl/h4DJWf+jPj37B3Nth3no2J/yw=,tag:MWAiD/MWjkkooy51MCFmrQ==,type:str]
+authentik-token: ENC[AES256_GCM,data:FDtUliAaq8nDO7+7xceCtMS0EZscmtVhS4fHuLiRt5g02EaGLolQIZXSkIIJdp1PHZ1YWwuNj0RQMsUY,iv:FYUKoVw/8E4U5C0CNb2gvdETXyFbD77dfbCpb5R8wvg=,tag:qFQ3Zmg9bFscX3iGl6m92Q==,type:str]
+ldap-bind-password: ENC[AES256_GCM,data:oHGxg14P+VU34qkCdPPAPSRzrDcM3S7hlFnuv3q7yKc=,iv:f4xlm5Mszc0iHJAFdZitMaAk5677ZVe7YdlEkr6OWbY=,tag:UjrnI5158g+4Zb2dlF/Ggw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -41,8 +42,8 @@ sops:
             US9NUEZYSjNKMi9VdkU2ckpWdm9oNVkK6Vospcd2YXmq33rY4bCIC1I9TRq49lSJ
             Vsdl5vVf5kWoUtLQywy2AgvzSUS8l4O3bKiFo7cCBYhTKwVEqA7BFw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-28T19:07:15Z"
-    mac: ENC[AES256_GCM,data:VDsnXCmlX0TgW1kYmkR9nHw2kyQe+MeHCWDxYKKnDqUbYu7p4FfczdgY9Xp+nJLij4OYQhED7nz633ZLYNRnSMFZTOMTC50qlWdIJNqchfZbjSgb6fpQ88SCy5wesHIL7hhnYV20+4n6w6XPLmtmkUZQd23TEykaz3V09Spi5u8=,iv:2Dk4ex2grWoJpGYJhK1drv/749Z4o2vbjdFgcsR5sb0=,tag:PNoxZpW8Z62HPWl0CcsbyQ==,type:str]
+    lastmodified: "2024-11-10T12:17:29Z"
+    mac: ENC[AES256_GCM,data:UdAM+yDzrwRo5ekQEx/yvW6CSf8iTaPzYA4jRSqMDhwTRVVBekHVOggq19ZLrTaYX0JtcCCOK3X74bw5CyxSxPGNW9pl1LyFuzB2q9Of/GggjO8u1hyZBargYbz+0WJuEsFIZw3Q1AE/qVlYbn2VolDMAmdins5hT1zCNEjf7JM=,iv:OVlLRg6x6175P81TGWdll/o5I2hBlwJvouH6HqJnsGk=,tag:IHEX6JGfa8cGSWsV62qbIQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/nixos/hosts/tickets/znuny.nix b/nixos/hosts/tickets/znuny.nix
@@ -118,6 +118,10 @@ in
 {
   options.services.znuny = {
     enable = mkEnableOption "Enable Znuny web-based ticketing system";
+    pkg = mkOption {
+      type = types.path;
+      default = pkg;
+    };
     unixSocket = mkOption {
       type = types.str;
       default = "/run/znuny.sock";
@@ -218,12 +222,16 @@ in
     ];
 
     services.fcgiwrap.instances."znuny".socket.user = "nginx";
-    services.fcgiwrap.instances."znuny".socket.group = "nignx";
+    services.fcgiwrap.instances."znuny".socket.group = cfg.group;
     services.fcgiwrap.instances."znuny".socket.type = "unix";
     services.fcgiwrap.instances."znuny".socket.address = cfg.unixSocket;
     services.fcgiwrap.instances."znuny".process.user = cfg.user;
     services.fcgiwrap.instances."znuny".process.group = cfg.group;
     services.fcgiwrap.instances."znuny".process.prefork = cfg.prefork;
+    systemd.sockets."fcgiwrap-znuny" = {
+      requires = [ "nginx.service" ];
+      after = [ "nginx.service" ];
+    };
 
     systemd.services."znuny-daemon" = {
       path = [ pkgs.postgresql ];