nixos/modules/services/web-apps/sogo.nix

   1 { config, pkgs, lib, ... }: with lib; let
   2   cfg = config.services.sogo;
   3
   4   preStart = pkgs.writeShellScriptBin "sogo-prestart" ''
   5     ${if (cfg.configReplaces != {}) then ''
   6       # Insert secrets
   7       ${concatStringsSep "\n" (mapAttrsToList (k: v: ''export ${k}="$(cat "${v}" | tr -d '\n')"'') cfg.configReplaces)}
   8
   9       ${pkgs.perl}/bin/perl -p ${concatStringsSep " " (mapAttrsToList (k: v: '' -e 's/${k}/''${ENV{"${k}"}}/g;' '') cfg.configReplaces)} /etc/sogo/sogo.conf.raw | install -m 640 -o sogo -g sogo /dev/stdin /etc/sogo/sogo.conf
  10     '' else ''
  11       install -m 640 -o sogo -g sogo /etc/sogo/sogo.conf.raw /etc/sogo/sogo.conf
  12     ''}
  13   '';
  14
  15 in {
  16   options.services.sogo = with types; {
  17     enable = mkEnableOption "SOGo groupware";
  18
  19     vhostName = mkOption {
  20       description = "Name of the nginx vhost";
  21       type = str;
  22       default = "sogo";
  23     };
  24
  25     timezone = mkOption {
  26       description = "Timezone of your SOGo instance";
  27       type = str;
  28       example = "America/Montreal";
  29     };
  30
  31     language = mkOption {
  32       description = "Language of SOGo";
  33       type = str;
  34       default = "English";
  35     };
  36
  37     ealarmsCredFile = mkOption {
  38       description = "Optional path to a credentials file for email alarms";
  39       type = nullOr str;
  40       default = null;
  41     };
  42
  43     configReplaces = mkOption {
  44       description = ''
  45         Replacement-filepath mapping for sogo.conf.
  46         Every key is replaced with the contents of the file specified as value.
  47
  48         In the example, every occurrence of LDAP_BINDPW will be replaced with the text of the
  49         specified file.
  50       '';
  51       type = attrsOf str;
  52       default = {};
  53       example = {
  54         LDAP_BINDPW = "/var/lib/secrets/sogo/ldappw";
  55       };
  56     };
  57
  58     extraConfig = mkOption {
  59       description = "Extra sogo.conf configuration lines";
  60       type = lines;
  61       default = "";
  62     };
  63   };
  64
  65   config = mkIf cfg.enable {
  66     environment.systemPackages = [ pkgs.sogo ];
  67
  68     environment.etc."sogo/sogo.conf.raw".text = ''
  69       {
  70         // Mandatory parameters
  71         SOGoTimeZone = "${cfg.timezone}";
  72         SOGoLanguage = "${cfg.language}";
  73         // Paths
  74         WOSendMail = "/run/wrappers/bin/sendmail";
  75         SOGoMailSpoolPath = "/var/lib/sogo/spool";
  76         // Enable CSRF protection
  77         SOGoXSRFValidationEnabled = YES;
  78         // Remove dates from log (jornald does that)
  79         NGLogDefaultLogEventFormatterClass = "NGLogEventFormatter";
  80         // Extra config
  81         ${cfg.extraConfig}
  82       }
  83     '';
  84
  85     systemd.services.sogo = {
  86       description = "SOGo groupware";
  87       after = [ "postgresql.service" "mysql.service" "memcached.service" "openldap.service" "dovecot2.service" ];
  88       wantedBy = [ "multi-user.target" ];
  89       restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ];
  90
  91       environment.LDAPTLS_CACERT = "/etc/ssl/certs/ca-certificates.crt";
  92
  93       serviceConfig = {
  94         Type = "forking";
  95         ExecStartPre = "+" + preStart + "/bin/sogo-prestart";
  96         ExecStart = "${pkgs.sogo}/bin/sogod -WOLogFile - -WOPidFile /run/sogo/sogo.pid";
  97
  98         ProtectSystem = "strict";
  99         ProtectHome = true;
 100         PrivateTmp = true;
 101         PrivateDevices = true;
 102         ProtectKernelTunables = true;
 103         ProtectKernelModules = true;
 104         ProtectControlGroups = true;
 105         RuntimeDirectory = "sogo";
 106         StateDirectory = "sogo/spool";
 107
 108         User = "sogo";
 109         Group = "sogo";
 110
 111         CapabilityBoundingSet = "";
 112         NoNewPrivileges = true;
 113
 114         LockPersonality = true;
 115         RestrictRealtime = true;
 116         PrivateMounts = true;
 117         PrivateUsers = true;
 118         MemoryDenyWriteExecute = true;
 119         SystemCallFilter = "@basic-io @file-system @network-io @system-service @timer";
 120         SystemCallArchitectures = "native";
 121         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 122       };
 123     };
 124
 125     systemd.services.sogo-tmpwatch = {
 126       description = "SOGo tmpwatch";
 127
 128       startAt = [ "hourly" ];
 129       script = ''
 130         SOGOSPOOL=/var/lib/sogo/spool
 131
 132         find "$SOGOSPOOL" -type f -user sogo -atime +23 -delete > /dev/null
 133         find "$SOGOSPOOL" -mindepth 1 -type d -user sogo -empty -delete > /dev/null
 134       '';
 135
 136       serviceConfig = {
 137         Type = "oneshot";
 138
 139         ProtectSystem = "strict";
 140         ProtectHome = true;
 141         PrivateTmp = true;
 142         PrivateDevices = true;
 143         ProtectKernelTunables = true;
 144         ProtectKernelModules = true;
 145         ProtectControlGroups = true;
 146         StateDirectory = "sogo/spool";
 147
 148         User = "sogo";
 149         Group = "sogo";
 150
 151         CapabilityBoundingSet = "";
 152         NoNewPrivileges = true;
 153
 154         LockPersonality = true;
 155         RestrictRealtime = true;
 156         PrivateMounts = true;
 157         PrivateUsers = true;
 158         PrivateNetwork = true;
 159         SystemCallFilter = "@basic-io @file-system @system-service";
 160         SystemCallArchitectures = "native";
 161         RestrictAddressFamilies = "";
 162       };
 163     };
 164
 165     systemd.services.sogo-ealarms = {
 166       description = "SOGo email alarms";
 167
 168       after = [ "postgresql.service" "mysqld.service" "memcached.service" "openldap.service" "dovecot2.service" "sogo.service" ];
 169       restartTriggers = [ config.environment.etc."sogo/sogo.conf.raw".source ];
 170
 171       startAt = [ "minutely" ];
 172
 173       serviceConfig = {
 174         Type = "oneshot";
 175         ExecStart = "${pkgs.sogo}/bin/sogo-ealarms-notify${optionalString (cfg.ealarmsCredFile != null) " -p ${cfg.ealarmsCredFile}"}";
 176
 177         ProtectSystem = "strict";
 178         ProtectHome = true;
 179         PrivateTmp = true;
 180         PrivateDevices = true;
 181         ProtectKernelTunables = true;
 182         ProtectKernelModules = true;
 183         ProtectControlGroups = true;
 184         StateDirectory = "sogo/spool";
 185
 186         User = "sogo";
 187         Group = "sogo";
 188
 189         CapabilityBoundingSet = "";
 190         NoNewPrivileges = true;
 191
 192         LockPersonality = true;
 193         RestrictRealtime = true;
 194         PrivateMounts = true;
 195         PrivateUsers = true;
 196         MemoryDenyWriteExecute = true;
 197         SystemCallFilter = "@basic-io @file-system @network-io @system-service";
 198         SystemCallArchitectures = "native";
 199         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 200       };
 201     };
 202
 203     # nginx vhost
 204     services.nginx.virtualHosts."${cfg.vhostName}" = {
 205       locations."/".extraConfig = ''
 206         rewrite ^ https://$server_name/SOGo;
 207         allow all;
 208       '';
 209
 210       # For iOS 7
 211       locations."/principals/".extraConfig = ''
 212         rewrite ^ https://$server_name/SOGo/dav;
 213         allow all;
 214       '';
 215
 216       locations."^~/SOGo".extraConfig = ''
 217         proxy_pass http://127.0.0.1:20000;
 218         proxy_redirect http://127.0.0.1:20000 default;
 219
 220         proxy_set_header X-Real-IP $remote_addr;
 221         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 222         proxy_set_header Host $host;
 223         proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 224         proxy_set_header x-webobjects-remote-host 127.0.0.1;
 225         proxy_set_header x-webobjects-server-port $server_port;
 226         proxy_set_header x-webobjects-server-name $server_name;
 227         proxy_set_header x-webobjects-server-url $scheme://$host;
 228         proxy_connect_timeout 90;
 229         proxy_send_timeout 90;
 230         proxy_read_timeout 90;
 231         proxy_buffer_size 64k;
 232         proxy_buffers 8 64k;
 233         proxy_busy_buffers_size 64k;
 234         proxy_temp_file_write_size 64k;
 235         client_max_body_size 50m;
 236         client_body_buffer_size 128k;
 237         break;
 238       '';
 239
 240       locations."/SOGo.woa/WebServerResources/".extraConfig = ''
 241         alias ${pkgs.sogo}/lib/GNUstep/SOGo/WebServerResources/;
 242         allow all;
 243       '';
 244
 245       locations."/SOGo/WebServerResources/".extraConfig = ''
 246         alias ${pkgs.sogo}/lib/GNUstep/SOGo/WebServerResources/;
 247         allow all;
 248       '';
 249
 250       locations."~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$".extraConfig = ''
 251         alias ${pkgs.sogo}/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
 252       '';
 253
 254       locations."~ ^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\\.(jpg|png|gif|css|js)$".extraConfig = ''
 255         alias ${pkgs.sogo}/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
 256       '';
 257     };
 258
 259     # User and group
 260     users.groups.sogo = {};
 261     users.users.sogo = {
 262       group = "sogo";
 263       isSystemUser = true;
 264       description = "SOGo service user";
 265     };
 266   };
 267 }