l 2 websites domsen: enable dovecot2 with pam auth

2016-09-08 21:23:51 +02:00 · 2016-09-08 21:23:51 +02:00 · c298a6769d
commit c298a6769d
parent 88dd0cbc7d
1 changed files with 62 additions and 9 deletions
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -1,9 +1,11 @@
 { config, pkgs, lib, ... }:

 let
+
  inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
    genid
-    ;
+    genid_signed
+  ;
  inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
    ssl
    servePage
@ -20,6 +22,25 @@ let
    exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
  '';

+  check-password = pkgs.writeDash "check-password" ''
+    read pw
+
+    file="/home/$PAM_USER/.shadow"
+
+    #check if shadow file exists
+    test -e "$file" || exit 123
+
+    hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+    salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+    calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+    if [ "$calc_hash" == $hash ]; then
+      exit 0
+    else
+      exit 1
+    fi
+  '';
+
 in {
  imports = [
    ./sqlBackup.nix
@ -143,21 +164,53 @@ in {

  # MAIL STUFF
  # TODO: make into its own module
-    services.dovecot2 = {
-      enable = true;
-      mailLocation = "maildir:~/Mail";
-    };
-    krebs.iptables.tables.filter.INPUT.rules = [
-      { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
-      { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
-    ];
+  services.dovecot2 = {
+    enable = true;
+    mailLocation = "maildir:~/Mail";
+    sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
+    sslServerKey = "/var/lib/acme/lassul.us/key.pem";
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+  ];
+
+  security.pam.services.exim.text = ''
+    auth        required      pam_env.so
+    auth        sufficient    pam_exec.so debug expose_authtok ${check-password}
+    auth        sufficient    pam_unix.so likeauth nullok
+    auth        required      pam_deny.so
+    account     required      pam_unix.so
+    password    required      pam_cracklib.so retry=3 type=
+    password    sufficient    pam_unix.so nullok use_authtok md5shadow
+    password    required      pam_deny.so
+    session     required      pam_limits.so
+    session     required      pam_unix.so
+  '';
+
  krebs.exim-smarthost = {
+    authenticators.PLAIN = ''
+      driver = plaintext
+      server_prompts = :
+      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+      server_set_id = $auth2
+    '';
+    authenticators.LOGIN = ''
+      driver = plaintext
+      server_prompts = "Username:: : Password::"
+      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+      server_set_id = $auth1
+    '';
    internet-aliases = [
      { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
      { from = "mail@jla-trading.com"; to = "jla-trading"; }
+      { from = "testuser@lassul.us"; to = "testuser"; }
    ];
    system-aliases = [
    ];
+    ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+    ssl_key = "/var/lib/acme/lassul.us/key.pem";
  };

  users.users.domsen = {