From 6fcc8c450fbd0386adf9461955359ad882278f42 Mon Sep 17 00:00:00 2001 From: rndusr Date: Sat, 20 Jan 2024 11:00:03 -0600 Subject: [PATCH 1/4] add a mail sync thing for gmail --- README.md | 6 ++- boxes/netbox/default.nix | 14 ++++++- builds/gmail_mail_bridge.nix | 19 ++++++++++ builds/gmail_mail_bridge/.gitignore | 1 + builds/gmail_mail_bridge/README | 10 +++++ builds/gmail_mail_bridge/default.nix | 20 ++++++++++ .../gmail_mail_bridge/__init__.py | 37 +++++++++++++++++++ builds/gmail_mail_bridge/shell.nix | 12 ++++++ builds/gmail_mail_bridge/sync.gas | 23 ++++++++++++ flake.lock | 6 +-- 10 files changed, 142 insertions(+), 6 deletions(-) create mode 100644 builds/gmail_mail_bridge.nix create mode 100644 builds/gmail_mail_bridge/.gitignore create mode 100644 builds/gmail_mail_bridge/README create mode 100644 builds/gmail_mail_bridge/default.nix create mode 100644 builds/gmail_mail_bridge/gmail_mail_bridge/__init__.py create mode 100644 builds/gmail_mail_bridge/shell.nix create mode 100644 builds/gmail_mail_bridge/sync.gas diff --git a/README.md b/README.md index 07a6835..df68e69 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,9 @@ installation `sudo nixos-rebuild --flake .#your-flake-name-here switch` -if you're trying to install `virtbox`, then use the `--impure` flag: +if you're trying to install `netbox`, then use the `--impure` flag: -`sudo nixos-rebuild --flake .#virtbox switch --impure` +`sudo nixos-rebuild --flake .#netbox switch --impure` for alternate installations on non-NixOS hosts, a Makefile will be made available @@ -28,6 +28,8 @@ things to do - integrate `disko` and `sops-nix` into the setup - switch from gitea to cgit - establish backup infrastructure for `netbox` +- move gmail-mail-bridge into mail-sync repo + * (perhaps figure out how to produce a flake for it) license ------- diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix index ce56bad..1e015c7 100644 --- a/boxes/netbox/default.nix +++ b/boxes/netbox/default.nix 
@@ -113,6 +113,7 @@ in { [ ./hardware-configuration.nix ../../modules/bootstrap.nix + ../../builds/gmail_mail_bridge.nix ]; networking.networkmanager.enable = true; @@ -136,6 +137,8 @@ in { neovim ]; + services.gmail_mail_bridge.enable = true; + system.copySystemConfiguration = true; system.stateVersion = "23.05"; # don't change this, lol boot.loader.grub.enable = true; @@ -412,7 +415,16 @@ in { services.nginx.virtualHosts."mail.beepboop.systems" = { forceSSL = true; enableACME = true; - globalRedirect = "cube.beepboop.systems"; + locations."/bridge-submit" = { + extraConfig = '' + proxy_pass http://localhost:8041; + ''; + }; + locations."/" = { + extraConfig = '' + return 301 https://cube.beepboop.systems; + ''; + }; }; networking.firewall = { diff --git a/builds/gmail_mail_bridge.nix b/builds/gmail_mail_bridge.nix new file mode 100644 index 0000000..a81985c --- /dev/null +++ b/builds/gmail_mail_bridge.nix @@ -0,0 +1,19 @@ +{ lib, pkgs, config, ... }: +let + cfg = config.services.gmail_mail_bridge; + appEnv = pkgs.python3.withPackages (p: with p; [ waitress (callPackage ./gmail_mail_bridge/default.nix {}) ]); +in { + options.services.gmail_mail_bridge = { + enable = lib.mkEnableOption "Enable the gmail_mail_bridge"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.gmail_mail_bridge = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${appEnv}/bin/waitress-serve --port=8041 gmail_mail_bridge:app"; + StandardOutput = "journal"; + }; + }; + }; +} diff --git a/builds/gmail_mail_bridge/.gitignore b/builds/gmail_mail_bridge/.gitignore new file mode 100644 index 0000000..aaca2e2 --- /dev/null +++ b/builds/gmail_mail_bridge/.gitignore @@ -0,0 +1 @@ +__pycache_/ diff --git a/builds/gmail_mail_bridge/README b/builds/gmail_mail_bridge/README new file mode 100644 index 0000000..eae7b1c --- /dev/null +++ b/builds/gmail_mail_bridge/README 
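Review bot: The hand-written `return 301 https://cube.beepboop.systems;` in `locations."/"` drops the request path, whereas the `globalRedirect` it replaces appends `$request_uri` in the NixOS nginx module; if the old behaviour was wanted, write `return 301 https://cube.beepboop.systems$request_uri;`. The new `/bridge-submit` location forwards to the bridge with no client headers, so `proxy_set_header X-Real-IP $remote_addr;` would let the app log who actually submitted. The virtual host block and the surrounding `in {` set continue outside this hunk.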
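Review bot: `waitress-serve --port=8041` binds every interface (waitress defaults the host to 0.0.0.0) although nginx only needs it on loopback; `--listen=127.0.0.1:8041` keeps the bridge unreachable except through the TLS vhost even if the firewall is later opened. The unit sets no `User` or `DynamicUser`, so the Flask app and its SMTP submission run as root; `DynamicUser = true;` in `serviceConfig` is sufficient as far as the hunk shows, since the app writes nothing to disk. `after = [ "network.target" ];` next to `wantedBy` avoids the first start racing network bring-up.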
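Review bot: The pattern `__pycache_/` has a single trailing underscore, so it never matches Python's `__pycache__/` directories and compiled bytecode will end up committed. It should read `__pycache__/`.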
@@ -0,0 +1,10 @@
+synchronize email from gmail accounts whose OAuth access is heavily restricted
+
+background
+----------
+
+my school district disabled external OAuth access to email, which is not cool. this script gets around this and creates a bridge so you can recieve emails from your school email.
+
+do note that this is heavily unpolished and most definately insecure. there are some hardcoded credentials (which you can change, it just takes a little technical know-how)
+
+have fun!
diff --git a/builds/gmail_mail_bridge/default.nix b/builds/gmail_mail_bridge/default.nix
new file mode 100644
index 0000000..bde908a
--- /dev/null
+++ b/builds/gmail_mail_bridge/default.nix
@@ -0,0 +1,20 @@
+{ pkgs, pythonPackages ? (import {}).python3Packages }:
+pythonPackages.buildPythonPackage {
+  name = "gmail_mail_bridge";
+  src = ./gmail_mail_bridge;
+
+  propagatedBuildInputs = [ pythonPackages.flask pkgs.system-sendmail ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/${pythonPackages.python.sitePackages}
+    cp -r . $out/${pythonPackages.python.sitePackages}/gmail_mail_bridge
+
+    runHook postInstall
+  '';
+
+  shellHook = "export FLASK_APP=gmail_mail_bridge";
+
+  format = "other";
+}
diff --git a/builds/gmail_mail_bridge/gmail_mail_bridge/__init__.py b/builds/gmail_mail_bridge/gmail_mail_bridge/__init__.py
new file mode 100644
index 0000000..e6a7241
--- /dev/null
+++ b/builds/gmail_mail_bridge/gmail_mail_bridge/__init__.py
@@ -0,0 +1,37 @@
+from flask import Flask
+from flask import request
+from flask import redirect
+from flask import abort
+
+import logging
+
+import smtplib
+import email
+
+from subprocess import Popen, PIPE, STDOUT
+
+pre_shared_secret = "amongus sussy imposter"
+to = "ryan@beepboop.systems"
+
+app = Flask(__name__)
+
+def handle_post(request):
+    msg = email.message_from_string(request.form["payload"])
+    del msg["To"]
+    msg["To"] = to
+    if not msg["From"]:
+        msg["From"] = "unknown-sender@mail.beepboop.systems"
+
+    s = smtplib.SMTP('localhost')
+    s.send_message(msg)
+    s.quit()
+
+@app.route("/bridge-submit", methods = ["GET", "POST"])
+def testing():
+    if request.method == 'POST':
+        data = request.form
+        if data['auth'] == pre_shared_secret:
+            handle_post(request)
+    else:
+        return 'you didn\'t use post'
+    return "default answer"
diff --git a/builds/gmail_mail_bridge/shell.nix b/builds/gmail_mail_bridge/shell.nix
new file mode 100644
index 0000000..abd9f69
--- /dev/null
+++ b/builds/gmail_mail_bridge/shell.nix
@@ -0,0 +1,12 @@
+{ pkgs ? import (fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-23.11") {} }:
+
+pkgs.mkShell {
+  packages = [
+    (pkgs.python3.withPackages (ps: [
+      ps.flask
+    ]))
+
+    pkgs.curl
+    pkgs.jq
+  ];
+}
diff --git a/builds/gmail_mail_bridge/sync.gas b/builds/gmail_mail_bridge/sync.gas
new file mode 100644
index 0000000..0df9d17
--- /dev/null
+++ b/builds/gmail_mail_bridge/sync.gas
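Review bot: A POST carrying the wrong secret receives the same 200 `default answer` as an accepted one, because the `else:` in `testing` belongs to the method check rather than to the `data['auth']` comparison, so the Apps Script caller cannot distinguish rejection from success. Reject with `abort(403)` (imported but unused), compare with `hmac.compare_digest` instead of `==` (needs `import hmac` in the import block), and read the field with `request.form.get('auth', '')` so a missing field is a 403 rather than a 400 traceback. `handle_post` leaves the SMTP session open when `send_message` raises; `with smtplib.SMTP('localhost') as s:` closes it on every path. The secret itself is committed in source and duplicated in `sync.gas`; the systemd unit should hand it in through an environment variable or a file rather than the module body. `redirect`, `logging` and the `subprocess` names are imported and never used.
```python
def handle_post(request):
    # … unchanged: parse payload, rewrite To, default From …
    # The context manager quits the session even when send_message raises.
    with smtplib.SMTP('localhost') as s:
        s.send_message(msg)

@app.route("/bridge-submit", methods = ["GET", "POST"])
def testing():
    if request.method != 'POST':
        return 'you didn\'t use post'
    # Constant-time comparison; an absent field is a plain 403, not a 400 traceback.
    supplied = request.form.get('auth', '')
    if not hmac.compare_digest(supplied.encode(), pre_shared_secret.encode()):
        abort(403)
    handle_post(request)
    return "default answer"
```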
@@ -0,0 +1,23 @@
+// google-side synchronization
+// add a minute-wise trigger for mail synchronization
+// go to the sidebar, select triggers, add a new one, configure it
+// to run syncMail every minute
+
+function syncMail() {
+  var threads = GmailApp.search("label:need_processing");
+  var label = GmailApp.getUserLabelByName("need_processing");
+  for (var thread of threads) {
+    for (var message of GmailApp.getMessagesForThread(thread)) {
+      var formData = {
+        auth: 'amongus sussy imposter',
+        payload: message.getRawContent(),
+      };
+      var options = {
+        'method' : 'POST',
+        'payload' : formData
+      };
+      var resp = UrlFetchApp.fetch('https://mail.beepboop.systems/bridge-submit', options);
+    }
+    thread.removeLabel(label);
+  }
+}
diff --git a/flake.lock b/flake.lock
index a513034..ca92b72 100644
--- a/flake.lock
+++ b/flake.lock
@@ -209,12 +209,12 @@
 },
 "locked": {
 "lastModified": 1,
-      "narHash": "sha256-wGl3ZnqjhpAEpTkzgjWxgsbmGX9c7TPCM4I0okuOYFE=",
-      "path": "/nix/store/2fjha7mwjnlsmd4s3y7a3lfk3lq3w87z-source/builds",
+      "narHash": "sha256-laeQplEc8BPopbQGvBMcjkf3eP8WTjQsHGTOlmQ2eK4=",
+      "path": "/nix/store/yyh8xblrdvii3cdw9rzyvf8fpyra3ias-source/builds",
 "type": "path"
 },
 "original": {
-      "path": "/nix/store/2fjha7mwjnlsmd4s3y7a3lfk3lq3w87z-source/builds",
+      "path": "/nix/store/yyh8xblrdvii3cdw9rzyvf8fpyra3ias-source/builds",
 "type": "path"
 }
 },
From 6b861b77b8f8fb3a516550668f42e7559b32e3a8 Mon Sep 17 00:00:00 2001 From: randomuser Date: Sun, 21 Jan 2024 12:07:54 -0600 Subject: [PATCH 2/4] some changes, added remote key
---
boxes/mainsail/default.nix | 47 ++++++++++----- boxes/mainsail/hardware-configuration.nix | 21 +++---- boxes/mainsail/home.nix | 9 --- boxes/mainsail/server.nix | 70 ----------------------- flake.lock | 4 +- flake.nix | 7 --- 6 files changed, 45 insertions(+), 113 deletions(-) delete mode 100644 boxes/mainsail/home.nix delete mode 100644 boxes/mainsail/server.nix
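Review bot: `thread.removeLabel(label)` runs no matter what `/bridge-submit` answered, and `resp` is never inspected, so a message the bridge refused or failed to relay is removed from `need_processing` and never retried. Check `resp.getResponseCode()` before dropping the label and set `muteHttpExceptions` so a non-2xx reply is reported instead of aborting the loop; this only pays off once the server answers non-200 for a rejected secret, which the `__init__.py` in this commit does not yet do. The secret is also a string literal here; `PropertiesService.getScriptProperties().getProperty(...)` keeps it out of the script source.
```javascript
    var allSent = true;
    for (var message of GmailApp.getMessagesForThread(thread)) {
      // … unchanged: formData …
      var options = {
        'method' : 'POST',
        'payload' : formData,
        'muteHttpExceptions' : true
      };
      var resp = UrlFetchApp.fetch('https://mail.beepboop.systems/bridge-submit', options);
      if (resp.getResponseCode() !== 200) {
        allSent = false;
        console.error('bridge-submit returned HTTP ' + resp.getResponseCode());
      }
    }
    // Keep the label so the next trigger run retries the thread.
    if (allSent) {
      thread.removeLabel(label);
    }
```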
diff --git a/boxes/mainsail/default.nix b/boxes/mainsail/default.nix index e492f9b..d17b946 100644 --- a/boxes/mainsail/default.nix +++ b/boxes/mainsail/default.nix @@ -2,11 +2,8 @@ { imports = [ ./hardware-configuration.nix - ./server.nix ../../modules/bootstrap.nix ../../modules/common.nix - ../../modules/x11.nix - ../../modules/discord.nix ]; boot.loader.grub.enable = true; @@ -26,20 +23,40 @@ "; environment.systemPackages = with pkgs; [ - vscodium-fhs - libreoffice + neovim + git + curl + ]; - anki-bin - ytfzf - kdenlive - libreoffice - i3 - gcc - gnumake + services.home-assistant = { + enable = true; + extraComponents = [ + # Components required to complete the onboarding + "netgear" + "hue" + "nest" + "esphome" + "met" + "radio_browser" + ]; + config = { + # Includes dependencies for a basic setup + # https://www.home-assistant.io/integrations/default_config/ + default_config = {}; + }; + openFirewall = true; + }; - scrcpy - thunderbird - mepo + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + + users.users.usr.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" ]; system.stateVersion = "23.11"; diff --git a/boxes/mainsail/hardware-configuration.nix b/boxes/mainsail/hardware-configuration.nix index c2a86c1..9bc31a8 100644 --- a/boxes/mainsail/hardware-configuration.nix +++ b/boxes/mainsail/hardware-configuration.nix 
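Review bot: `PasswordAuthentication = false` on its own does not stop password logins on NixOS, because sshd's keyboard-interactive (PAM) method stays enabled by default; add `KbdInteractiveAuthentication = false;` beside it in `services.openssh.settings`. With the single `ssh-ed25519` key in `users.users.usr.openssh.authorizedKeys.keys` that leaves key-only access, which appears to be the intent. `services.home-assistant.openFirewall = true` exposes its web port on every interface, acceptable on a trusted LAN but worth noting next to the new SSH hardening. The enclosing attribute set starts in the first hunk and the remainder of the file is outside this diff.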
@@ -5,27 +5,28 @@ { imports = - [ (modulesPath + "/profiles/qemu-guest.nix") + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "ums_realtek" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/7b70ab88-296c-4737-90b2-267cb2432dc1"; + { device = "/dev/disk/by-uuid/948aeaf8-cb7e-4f85-ae3e-1bc6a25ec156"; fsType = "ext4"; }; - swapDevices = [ ]; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/617cb1ae-a788-429a-b0d4-63d46d8a4e1b"; + fsType = "ext4"; + }; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + swapDevices = + [ { device = "/dev/disk/by-uuid/d82ae76c-68f4-4e70-9162-5dab5f84375b"; } + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/boxes/mainsail/home.nix b/boxes/mainsail/home.nix deleted file mode 100644 index 144dd0e..0000000 --- a/boxes/mainsail/home.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, inputs, config, pkgs, home, ... }: - -{ - imports = [ - ../../home/x11.nix - ]; - - home.stateVersion = "23.11"; -} diff --git a/boxes/mainsail/server.nix b/boxes/mainsail/server.nix deleted file mode 100644 index 7503d58..0000000 --- a/boxes/mainsail/server.nix +++ /dev/null 
@@ -1,70 +0,0 @@
-{ lib, config, pkgs, ...}:
-{
-  services.paperless = {
-    enable = true;
-    passwordFile = "/etc/paperless-password";
-    port = 3004;
-    address = "localhost";
-    extraConfig = {
-      PAPERLESS_URL = "https://paperless.beepboop.systems";
-    };
-  };
-
-  services.calibre-web.enable = true;
-  services.calibre-web.listen.port = 8080;
-
-  powerManagement.enable = false;
-
-  programs.adb.enable = true;
-  users.users.usr.extraGroups = ["adbusers"];
-
-  services.openssh = {
-    enable = true;
-    ports = [2222];
-  };
-
-<<<<<<< Updated upstream
-  services.radicale = {
-    enable = true;
-    settings = {
-      auth = {
-        type = "htpasswd";
-        htpasswd_filename = "radicale-passwd";
-        htpasswd_encryption = "plain";
-      };
-    };
-  };
-
-=======
->>>>>>> Stashed changes
-  systemd.targets.sleep.enable = false;
-  systemd.targets.suspend.enable = false;
-  systemd.targets.hibernate.enable = false;
-  systemd.targets.hybrid-sleep.enable = false;
-
-  systemd.services.paperless-web-bridge = {
-    script = ''
-      ${pkgs.openssh}/bin/ssh -v -NR 3004:localhost:3004 -oExitOnForwardFailure=yes -p 55555 useracc@beepboop.systems
-    '';
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" "ankisyncd.service" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      StartLimitBurst = 10000;
-      RestartSec = "0s";
-    };
-  };
-
-  systemd.services.internal-ssh-bridge = {
-    script = ''
-      ${pkgs.openssh}/bin/ssh -v -NR 2222:localhost:2222 -oExitOnForwardFailure=yes -p 55555 useracc@beepboop.systems
-    '';
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" "ankisyncd.service" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      StartLimitBurst = 10000;
-      RestartSec = "0s";
-    };
-  };
-}
diff --git a/flake.lock b/flake.lock
index 572223e..5c25f72 100644
--- a/flake.lock
+++ b/flake.lock
@@ -210,11 +210,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=", - "path": "/nix/store/vsn2v6zr402x5cf1w340ifbp2xb07jcg-source/builds", + "path": "/nix/store/0ygfgmnw546l628g3a6gdnk9h7hh1pv0-source/builds", "type": "path" }, "original": { - "path": "/nix/store/vsn2v6zr402x5cf1w340ifbp2xb07jcg-source/builds", + "path": "/nix/store/0ygfgmnw546l628g3a6gdnk9h7hh1pv0-source/builds", "type": "path" } }, diff --git a/flake.nix b/flake.nix index 06e0817..2a1dfcb 100644 --- a/flake.nix +++ b/flake.nix @@ -82,13 +82,6 @@ specialArgs = { inherit inputs; }; modules = [ ./boxes/mainsail - - home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.extraSpecialArgs = { inherit inputs; }; - home-manager.users.usr = import ./boxes/mainsail/home.nix; - } ]; }; }; From 1e56e048a08d74e6d83c773ba91e26f3a524b778 Mon Sep 17 00:00:00 2001 From: rndusr Date: Sun, 21 Jan 2024 12:14:04 -0600 Subject: [PATCH 3/4] add stuff --- boxes/netbox/default.nix | 23 ++++++++++++++++++----- flake.lock | 4 ++-- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix index 1e015c7..2d112d5 100644 --- a/boxes/netbox/default.nix +++ b/boxes/netbox/default.nix @@ -229,12 +229,10 @@ in { ''; }; - users.users.useracc = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - }; - users.users.ryan = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" + ]; isNormalUser = true; extraGroups = [ "wheel" "docker" ]; }; 
@@ -322,6 +320,21 @@ in { return 301 https://mail.beepboop.systems; ''; }; + locations."~ \\.git" = { + extraConfig = '' + client_max_body_size 0; + + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; + fastcgi_param GIT_HTTP_EXPORT_ALL ""; + fastcgi_param GIT_PROJECT_ROOT /var/lib/git; + fastcgi_param PATH_INFO $uri; + + # Forward REMOTE_USER as we want to know when we are authenticated + fastcgi_param REMOTE_USER $remote_user; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + ''; + }; locations."/" = { extraConfig = '' include ${pkgs.nginx}/conf/fastcgi_params; diff --git a/flake.lock b/flake.lock index 5c25f72..4f1b849 100644 --- a/flake.lock +++ b/flake.lock @@ -210,11 +210,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=", - "path": "/nix/store/0ygfgmnw546l628g3a6gdnk9h7hh1pv0-source/builds", + "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds", "type": "path" }, "original": { - "path": "/nix/store/0ygfgmnw546l628g3a6gdnk9h7hh1pv0-source/builds", + "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds", "type": "path" } }, From a852816503b580d03fb3d996ddb4732385822c5d Mon Sep 17 00:00:00 2001 From: rndusr Date: Sun, 21 Jan 2024 12:40:51 -0600 Subject: [PATCH 4/4] lock the stuff down --- boxes/netbox/default.nix | 20 +++++++++++++++++++- flake.lock | 4 ++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix index 2d112d5..e21f423 100644 --- a/boxes/netbox/default.nix +++ b/boxes/netbox/default.nix @@ -144,6 +144,23 @@ in { boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; + services.sslh = { + enable = true; + settings.protocols = [ + { + host = "localhost"; + name = "ssh"; + port = "55555"; + service = "ssh"; + } + { + host = "localhost"; + name = "tls"; + port = "442"; + } + ]; + }; + # cgit users = { groups.git = { }; 
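Review bot: `fastcgi_param GIT_HTTP_EXPORT_ALL "";` makes git-http-backend serve every repository under `/var/lib/git` regardless of a `git-daemon-export-ok` marker, and nothing in this location sets `auth_basic`, so `$remote_user` is empty and every repository is anonymously clonable while pushes are refused by the backend's default. The comment about forwarding `REMOTE_USER` suggests authenticated access is intended; either add `auth_basic`/`auth_basic_user_file` to this location or drop `GIT_HTTP_EXPORT_ALL` and mark only the public repositories — if the vhost enables auth elsewhere, that is outside the hunk. The `~ \\.git` regex also matches `.git` anywhere in the URI (a path like `/x.github.png` would be routed to the backend); anchoring it as `~ \\.git(/|$)` narrows that. `client_max_body_size 0;` removes the body limit entirely for this location, which is fine for pushes only once they are authenticated.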
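Review bot: Once sslh fronts the listener, nginx (on `localhost:442`) and sshd (on `localhost:55555`) see every connection coming from 127.0.0.1, so `$remote_addr` in access logs and any IP-based rate limiting or banning lose the real client unless sslh's transparent mode is configured, which needs the accompanying routing setup. The `ssh` entry assumes sshd listens on 55555; that setting is not in this hunk, so it is worth confirming, since after the firewall change in this commit 443 is the only way in. A short comment above `services.sslh`, e.g. `# 443 is sslh: SSH goes to 55555, TLS to nginx on 442`, would save the next reader from tracing the port numbers across the file. The surrounding `in {` set continues outside the hunk.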
@@ -279,6 +296,7 @@ in { services.nginx.enable = true; services.nginx.clientMaxBodySize = "100m"; + services.nginx.defaultSSLListenPort = 442; services.nginx.virtualHosts."beepboop.systems" = { forceSSL = true; @@ -442,6 +460,6 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = [ 5232 55555 22 80 443 ]; + allowedTCPPorts = [ 80 443 ]; }; } diff --git a/flake.lock b/flake.lock index 4f1b849..d53acea 100644 --- a/flake.lock +++ b/flake.lock @@ -210,11 +210,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=", - "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds", + "path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds", "type": "path" }, "original": { - "path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds", + "path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds", "type": "path" } },