diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-26 13:58:07 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-26 13:58:07 +0200 |
commit | fc6cf6169868e60c189e4b243330c3717ff159f3 (patch) | |
tree | 3f6dea9c1420e23756257b5abea27ec9ed92d58a /hosts | |
parent | 84f2affd66a0ff3947b91a30308cb8e6a8ff7594 (diff) | |
download | nixos-fc6cf6169868e60c189e4b243330c3717ff159f3.tar nixos-fc6cf6169868e60c189e4b243330c3717ff159f3.tar.gz nixos-fc6cf6169868e60c189e4b243330c3717ff159f3.tar.bz2 nixos-fc6cf6169868e60c189e4b243330c3717ff159f3.tar.xz nixos-fc6cf6169868e60c189e4b243330c3717ff159f3.zip |
...
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/sif/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 13 | ||||
-rw-r--r-- | hosts/surtr/email/spm/default.nix | 24 | ||||
-rw-r--r-- | hosts/surtr/email/spm/lib/Data/CaseInsensitive/Instances.hs | 19 | ||||
-rw-r--r-- | hosts/surtr/email/spm/lib/Data/UUID/Instances.hs | 18 | ||||
-rw-r--r-- | hosts/surtr/email/spm/lib/Spm.hs | 5 | ||||
-rw-r--r-- | hosts/surtr/email/spm/lib/Spm/Api.hs | 40 | ||||
-rw-r--r-- | hosts/surtr/email/spm/package.yaml | 92 | ||||
-rw-r--r-- | hosts/surtr/email/spm/provision/Spm/Provision.hs | 46 | ||||
-rw-r--r-- | hosts/surtr/email/spm/server/Crypto/JOSE/JWK/Instances.hs | 9 | ||||
-rw-r--r-- | hosts/surtr/email/spm/server/Data/CaseInsensitive/Instances.hs | 30 | ||||
-rw-r--r-- | hosts/surtr/email/spm/server/Data/UUID/Instances.hs | 31 | ||||
-rw-r--r-- | hosts/surtr/email/spm/server/Spm/Server.hs | 194 | ||||
-rw-r--r-- | hosts/surtr/email/spm/server/Spm/Server/Database.hs | 72 | ||||
-rw-r--r-- | hosts/surtr/email/spm/spm.nix | 28 |
15 files changed, 11 insertions, 614 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index a1220005..a79cfaa7 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
@@ -31,8 +31,8 @@ in { | |||
31 | nvm0 = { device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; bypassWorkqueues = true; }; | 31 | nvm0 = { device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; bypassWorkqueues = true; }; |
32 | nvm1 = { device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; bypassWorkqueues = true; }; | 32 | nvm1 = { device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; bypassWorkqueues = true; }; |
33 | }; | 33 | }; |
34 | availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; | 34 | availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; |
35 | kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ]; | 35 | kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; |
36 | }; | 36 | }; |
37 | 37 | ||
38 | blacklistedKernelModules = [ "nouveau" ]; | 38 | blacklistedKernelModules = [ "nouveau" ]; |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 947aa328..b952070b 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -21,8 +21,6 @@ let | |||
21 | }; | 21 | }; |
22 | 22 | ||
23 | spmDomains = ["bouncy.email"]; | 23 | spmDomains = ["bouncy.email"]; |
24 | |||
25 | spm = pkgs.callPackage ./spm {}; | ||
26 | in { | 24 | in { |
27 | config = { | 25 | config = { |
28 | nixpkgs.overlays = [ | 26 | nixpkgs.overlays = [ |
@@ -118,7 +116,14 @@ in { | |||
118 | "reject_unverified_recipient" | 116 | "reject_unverified_recipient" |
119 | ]; | 117 | ]; |
120 | unverified_recipient_reject_code = "550"; | 118 | unverified_recipient_reject_code = "550"; |
121 | unverified_recipient_reject_reason = "Recipient address rejected: undeliverable address"; | 119 | unverified_recipient_reject_reason = "Recipient address lookup failed"; |
120 | address_verify_map = "internal:address_verify_map"; | ||
121 | address_verify_positive_expire_time = "1h"; | ||
122 | address_verify_positive_refresh_time = "15m"; | ||
123 | address_verify_negative_expire_time = "15s"; | ||
124 | address_verify_negative_refresh_time = "5s"; | ||
125 | address_verify_cache_cleanup_interval = "5s"; | ||
126 | address_verify_poll_delay = "1s"; | ||
122 | 127 | ||
123 | smtpd_relay_restrictions = [ | 128 | smtpd_relay_restrictions = [ |
124 | "permit_mynetworks" | 129 | "permit_mynetworks" |
@@ -643,7 +648,7 @@ in { | |||
643 | systemd.services.spm = { | 648 | systemd.services.spm = { |
644 | serviceConfig = { | 649 | serviceConfig = { |
645 | Type = "notify"; | 650 | Type = "notify"; |
646 | ExecStart = "${spm}/bin/spm-server"; | 651 | ExecStart = "${pkgs.spm}/bin/spm-server"; |
647 | User = "spm"; | 652 | User = "spm"; |
648 | Group = "spm"; | 653 | Group = "spm"; |
649 | 654 | ||
diff --git a/hosts/surtr/email/spm/default.nix b/hosts/surtr/email/spm/default.nix deleted file mode 100644 index 75f99d8d..00000000 --- a/hosts/surtr/email/spm/default.nix +++ /dev/null | |||
@@ -1,24 +0,0 @@ | |||
1 | { haskell, fetchFromGitHub }: | ||
2 | |||
3 | let | ||
4 | # defaultPackages = (import ./stackage.nix {}); | ||
5 | # haskellPackages = defaultPackages // argumentPackages; | ||
6 | # haskellPackages = argumentPackages; | ||
7 | haskellPackages = haskell.packages.ghc922.override { | ||
8 | overrides = self: super: { | ||
9 | warp-systemd = haskell.lib.doJailbreak (super.warp-systemd.overrideAttrs (oldAttrs: { meta = oldAttrs.meta // { broken = false; }; })); | ||
10 | servant-server = super.servant-server.overrideAttrs (oldAttrs: { | ||
11 | patches = []; | ||
12 | }); | ||
13 | hpack = super.hpack.overrideAttrs (oldAttrs: rec { | ||
14 | version = "0.35.0"; | ||
15 | src = fetchFromGitHub { | ||
16 | owner = "sol"; | ||
17 | repo = "hpack"; | ||
18 | rev = "0.35.0"; | ||
19 | hash = "sha256-DMxCHwz9x2e4kSOIk1/qeW3aDFHw88LNW+4vXxDV9EI="; | ||
20 | }; | ||
21 | }); | ||
22 | }; | ||
23 | }; | ||
24 | in haskellPackages.callPackage ./spm.nix {} | ||
diff --git a/hosts/surtr/email/spm/lib/Data/CaseInsensitive/Instances.hs b/hosts/surtr/email/spm/lib/Data/CaseInsensitive/Instances.hs deleted file mode 100644 index 56cba98a..00000000 --- a/hosts/surtr/email/spm/lib/Data/CaseInsensitive/Instances.hs +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | {-# OPTIONS_GHC -fno-warn-orphans #-} | ||
2 | |||
3 | module Data.CaseInsensitive.Instances () where | ||
4 | |||
5 | import Prelude | ||
6 | |||
7 | import Data.CaseInsensitive (CI) | ||
8 | import qualified Data.CaseInsensitive as CI | ||
9 | |||
10 | import Servant.API.ContentTypes | ||
11 | |||
12 | import Data.Aeson | ||
13 | |||
14 | |||
15 | instance MimeRender PlainText a => MimeRender PlainText (CI a) where | ||
16 | mimeRender p = mimeRender p . CI.original | ||
17 | |||
18 | instance ToJSON a => ToJSON (CI a) where | ||
19 | toJSON = toJSON . CI.original | ||
diff --git a/hosts/surtr/email/spm/lib/Data/UUID/Instances.hs b/hosts/surtr/email/spm/lib/Data/UUID/Instances.hs deleted file mode 100644 index 335937d8..00000000 --- a/hosts/surtr/email/spm/lib/Data/UUID/Instances.hs +++ /dev/null | |||
@@ -1,18 +0,0 @@ | |||
1 | {-# OPTIONS_GHC -fno-warn-orphans #-} | ||
2 | |||
3 | module Data.UUID.Instances () where | ||
4 | |||
5 | import Prelude | ||
6 | import Data.UUID (UUID) | ||
7 | import qualified Data.UUID as UUID | ||
8 | import Servant.API.ContentTypes | ||
9 | |||
10 | |||
11 | instance MimeRender PlainText UUID where | ||
12 | mimeRender p = mimeRender p . UUID.toText | ||
13 | |||
14 | instance MimeRender JSON UUID where | ||
15 | mimeRender p = mimeRender p . UUID.toText | ||
16 | |||
17 | instance MimeRender OctetStream UUID where | ||
18 | mimeRender p = mimeRender p . UUID.toByteString | ||
diff --git a/hosts/surtr/email/spm/lib/Spm.hs b/hosts/surtr/email/spm/lib/Spm.hs deleted file mode 100644 index c7f7dfe5..00000000 --- a/hosts/surtr/email/spm/lib/Spm.hs +++ /dev/null | |||
@@ -1,5 +0,0 @@ | |||
1 | module Spm | ||
2 | ( module Spm.Api | ||
3 | ) where | ||
4 | |||
5 | import Spm.Api | ||
diff --git a/hosts/surtr/email/spm/lib/Spm/Api.hs b/hosts/surtr/email/spm/lib/Spm/Api.hs deleted file mode 100644 index d9644222..00000000 --- a/hosts/surtr/email/spm/lib/Spm/Api.hs +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | {-# LANGUAGE TemplateHaskell #-} | ||
2 | |||
3 | module Spm.Api | ||
4 | ( SpmMailbox | ||
5 | , SpmApi, spmApi | ||
6 | ) where | ||
7 | |||
8 | import Prelude | ||
9 | |||
10 | import Servant.API | ||
11 | |||
12 | import Data.Proxy (Proxy(..)) | ||
13 | |||
14 | import Data.Text (Text) | ||
15 | |||
16 | import GHC.Generics (Generic) | ||
17 | import Type.Reflection (Typeable) | ||
18 | |||
19 | import Control.Lens.TH | ||
20 | |||
21 | import Data.CaseInsensitive (CI) | ||
22 | import Data.CaseInsensitive.Instances () | ||
23 | |||
24 | import Crypto.JOSE.JWK (JWKSet) | ||
25 | |||
26 | import Data.UUID (UUID) | ||
27 | import Data.UUID.Instances () | ||
28 | |||
29 | |||
30 | newtype SpmMailbox = SpmMailbox { unSpmMailbox :: CI Text } | ||
31 | deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
32 | deriving newtype (MimeRender JSON, MimeRender PlainText) | ||
33 | makeWrapped ''SpmMailbox | ||
34 | |||
35 | type SpmApi = "whoami" :> Get '[PlainText, JSON] SpmMailbox | ||
36 | :<|> ".well-known" :> "jwks.json" :> Get '[JSON] JWKSet | ||
37 | :<|> "instance-id" :> Get '[PlainText, JSON, OctetStream] UUID | ||
38 | |||
39 | spmApi :: Proxy SpmApi | ||
40 | spmApi = Proxy | ||
diff --git a/hosts/surtr/email/spm/package.yaml b/hosts/surtr/email/spm/package.yaml deleted file mode 100644 index 4859e38c..00000000 --- a/hosts/surtr/email/spm/package.yaml +++ /dev/null | |||
@@ -1,92 +0,0 @@ | |||
1 | name: spm | ||
2 | version: 0.1.0 | ||
3 | |||
4 | default-extensions: | ||
5 | - NoImplicitPrelude | ||
6 | - DerivingStrategies | ||
7 | - DeriveAnyClass | ||
8 | - DataKinds | ||
9 | - RecordWildCards | ||
10 | - TypeFamilies | ||
11 | - LambdaCase | ||
12 | other-extensions: | ||
13 | - OverloadedStrings | ||
14 | - TemplateHaskell | ||
15 | - QuasiQuotes | ||
16 | - UndecidableInstances | ||
17 | language: GHC2021 | ||
18 | license: AGPL-3.0-or-later | ||
19 | ghc-options: | ||
20 | - -Wall | ||
21 | - -Wmissing-home-modules | ||
22 | - -Wredundant-constraints | ||
23 | - -Widentities | ||
24 | - -Wincomplete-uni-patterns | ||
25 | - -Werror | ||
26 | - -fwarn-tabs | ||
27 | - -j -O | ||
28 | |||
29 | library: | ||
30 | dependencies: | ||
31 | - base | ||
32 | - servant | ||
33 | - text | ||
34 | - lens | ||
35 | - case-insensitive | ||
36 | - aeson | ||
37 | - jose | ||
38 | - uuid | ||
39 | source-dirs: | ||
40 | - lib | ||
41 | |||
42 | executables: | ||
43 | spm-server: | ||
44 | dependencies: | ||
45 | - spm | ||
46 | - base | ||
47 | - servant-server | ||
48 | - warp-systemd | ||
49 | - warp | ||
50 | - attoparsec | ||
51 | - text | ||
52 | - bytestring | ||
53 | - wai | ||
54 | - wai-extra | ||
55 | - lens | ||
56 | - case-insensitive | ||
57 | - http-types | ||
58 | - persistent | ||
59 | - persistent-postgresql | ||
60 | - uuid | ||
61 | - path-pieces | ||
62 | - transformers | ||
63 | - mtl | ||
64 | - resource-pool | ||
65 | - monad-logger | ||
66 | - mmorph | ||
67 | - unliftio-core | ||
68 | - http-api-data | ||
69 | - exceptions | ||
70 | - aeson | ||
71 | - filepath | ||
72 | - jose | ||
73 | |||
74 | source-dirs: | ||
75 | - server | ||
76 | |||
77 | main: Spm.Server | ||
78 | spm-provision: | ||
79 | dependencies: | ||
80 | - base | ||
81 | - jose | ||
82 | - uuid | ||
83 | - optparse-applicative | ||
84 | - text | ||
85 | - aeson | ||
86 | - bytestring | ||
87 | - lens | ||
88 | |||
89 | source-dirs: | ||
90 | - provision | ||
91 | |||
92 | main: Spm.Provision | ||
diff --git a/hosts/surtr/email/spm/provision/Spm/Provision.hs b/hosts/surtr/email/spm/provision/Spm/Provision.hs deleted file mode 100644 index ff18baa0..00000000 --- a/hosts/surtr/email/spm/provision/Spm/Provision.hs +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | module Spm.Provision | ||
2 | ( main | ||
3 | ) where | ||
4 | |||
5 | import Prelude | ||
6 | import Options.Applicative | ||
7 | import Control.Monad | ||
8 | |||
9 | import qualified Data.Text.IO as Text | ||
10 | |||
11 | import qualified Data.UUID as UUID | ||
12 | import qualified Data.UUID.V4 as UUID | ||
13 | |||
14 | import Crypto.JOSE.JWK | ||
15 | |||
16 | import qualified Data.ByteString.Lazy.Char8 as CLBS | ||
17 | import qualified Data.Aeson as JSON | ||
18 | |||
19 | import Control.Lens | ||
20 | |||
21 | |||
22 | data Command | ||
23 | = InstanceId | ||
24 | | JwkSet | ||
25 | deriving stock (Eq, Ord, Read, Show) | ||
26 | |||
27 | cmdInstanceId :: IO () | ||
28 | cmdInstanceId = Text.putStrLn . UUID.toText =<< UUID.nextRandom | ||
29 | |||
30 | cmdJwkSet :: IO () | ||
31 | cmdJwkSet = do | ||
32 | k' <- genJWK (OKPGenParam Ed25519) | ||
33 | kid <- UUID.nextRandom | ||
34 | let k = k' & jwkKid ?~ UUID.toText kid | ||
35 | & jwkUse ?~ Sig | ||
36 | & jwkKeyOps ?~ [Sign, Verify] | ||
37 | CLBS.putStrLn . JSON.encode . JWKSet $ pure k | ||
38 | |||
39 | opts :: Parser (IO ()) | ||
40 | opts = subparser $ | ||
41 | command "instance-id" (info (pure cmdInstanceId) idm) | ||
42 | <> command "jwk-set" (info (pure cmdJwkSet) idm) | ||
43 | |||
44 | |||
45 | main :: IO () | ||
46 | main = join $ execParser (info opts idm) | ||
diff --git a/hosts/surtr/email/spm/server/Crypto/JOSE/JWK/Instances.hs b/hosts/surtr/email/spm/server/Crypto/JOSE/JWK/Instances.hs deleted file mode 100644 index 44a5cfe0..00000000 --- a/hosts/surtr/email/spm/server/Crypto/JOSE/JWK/Instances.hs +++ /dev/null | |||
@@ -1,9 +0,0 @@ | |||
1 | {-# LANGUAGE TemplateHaskell #-} | ||
2 | {-# OPTIONS_GHC -fno-warn-orphans #-} | ||
3 | |||
4 | module Crypto.JOSE.JWK.Instances () where | ||
5 | |||
6 | import Control.Lens.TH | ||
7 | import Crypto.JOSE.JWK | ||
8 | |||
9 | makeWrapped ''JWKSet | ||
diff --git a/hosts/surtr/email/spm/server/Data/CaseInsensitive/Instances.hs b/hosts/surtr/email/spm/server/Data/CaseInsensitive/Instances.hs deleted file mode 100644 index 1f3f7a11..00000000 --- a/hosts/surtr/email/spm/server/Data/CaseInsensitive/Instances.hs +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | {-# OPTIONS_GHC -fno-warn-orphans #-} | ||
2 | {-# LANGUAGE OverloadedStrings #-} | ||
3 | |||
4 | module Data.CaseInsensitive.Instances () where | ||
5 | |||
6 | import Prelude | ||
7 | import Database.Persist | ||
8 | import Database.Persist.Sql | ||
9 | |||
10 | import Data.CaseInsensitive (CI) | ||
11 | import qualified Data.CaseInsensitive as CI | ||
12 | |||
13 | import Data.Text (Text) | ||
14 | import qualified Data.Text as Text | ||
15 | import qualified Data.Text.Encoding as Text | ||
16 | |||
17 | import Control.Exception | ||
18 | |||
19 | |||
20 | instance PersistField (CI Text) where | ||
21 | toPersistValue = PersistLiteralEscaped . Text.encodeUtf8 . CI.original | ||
22 | fromPersistValue = \case | ||
23 | PersistText t -> Right $ CI.mk t | ||
24 | PersistLiteralEscaped bs -> case Text.decodeUtf8' bs of | ||
25 | Right t -> Right $ CI.mk t | ||
26 | Left err -> Left $ "Could not decode PersistLiteral as UTF-8: " <> Text.pack (displayException err) | ||
27 | o -> Left $ "Expected PersistText or PersistLiteral but got ‘" <> Text.pack (show o) <> "’" | ||
28 | |||
29 | instance PersistFieldSql (CI Text) where | ||
30 | sqlType _ = SqlOther "citext" | ||
diff --git a/hosts/surtr/email/spm/server/Data/UUID/Instances.hs b/hosts/surtr/email/spm/server/Data/UUID/Instances.hs deleted file mode 100644 index b2268c96..00000000 --- a/hosts/surtr/email/spm/server/Data/UUID/Instances.hs +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | {-# OPTIONS_GHC -fno-warn-orphans #-} | ||
2 | {-# LANGUAGE OverloadedStrings #-} | ||
3 | |||
4 | module Data.UUID.Instances () where | ||
5 | |||
6 | import Prelude | ||
7 | import Database.Persist | ||
8 | import Database.Persist.Sql | ||
9 | import Data.UUID (UUID) | ||
10 | import qualified Data.UUID as UUID | ||
11 | |||
12 | import qualified Data.ByteString.Char8 as CBS | ||
13 | import qualified Data.Text as Text | ||
14 | |||
15 | import Web.PathPieces | ||
16 | |||
17 | |||
18 | instance PersistField UUID where | ||
19 | toPersistValue = PersistLiteralEscaped . CBS.pack . UUID.toString | ||
20 | fromPersistValue (PersistLiteralEscaped uuidB8) = | ||
21 | case UUID.fromString $ CBS.unpack uuidB8 of | ||
22 | Just uuid -> Right uuid | ||
23 | Nothing -> Left "Invalid UUID" | ||
24 | fromPersistValue v = Left $ "Expected PersistLiteral but got ‘" <> Text.pack (show v) <> "’" | ||
25 | |||
26 | instance PersistFieldSql UUID where | ||
27 | sqlType _ = SqlOther "uuid" | ||
28 | |||
29 | instance PathPiece UUID where | ||
30 | toPathPiece = Text.pack . UUID.toString | ||
31 | fromPathPiece = UUID.fromString . Text.unpack | ||
diff --git a/hosts/surtr/email/spm/server/Spm/Server.hs b/hosts/surtr/email/spm/server/Spm/Server.hs deleted file mode 100644 index 7690f51a..00000000 --- a/hosts/surtr/email/spm/server/Spm/Server.hs +++ /dev/null | |||
@@ -1,194 +0,0 @@ | |||
1 | {-# LANGUAGE OverloadedStrings, TemplateHaskell #-} | ||
2 | |||
3 | module Spm.Server | ||
4 | ( main | ||
5 | ) where | ||
6 | |||
7 | import Prelude | ||
8 | import Spm.Api | ||
9 | import Servant | ||
10 | import Servant.Server.Experimental.Auth | ||
11 | |||
12 | import Network.Wai | ||
13 | import Network.Wai.Handler.Warp | ||
14 | import Network.Wai.Handler.Warp.Systemd | ||
15 | import Network.Wai.Middleware.RequestLogger | ||
16 | |||
17 | import Network.HTTP.Types | ||
18 | |||
19 | import Data.Text (Text) | ||
20 | import qualified Data.Text as Text | ||
21 | import qualified Data.Text.Encoding as Text | ||
22 | import Data.Attoparsec.Text | ||
23 | |||
24 | import qualified Data.ByteString.Lazy as LBS | ||
25 | |||
26 | import GHC.Generics (Generic) | ||
27 | import Type.Reflection (Typeable) | ||
28 | |||
29 | import Control.Applicative | ||
30 | import Control.Monad | ||
31 | import Control.Arrow | ||
32 | import Control.Monad.IO.Class | ||
33 | import Control.Monad.IO.Unlift | ||
34 | |||
35 | import Control.Lens hiding (Context) | ||
36 | |||
37 | import qualified Data.CaseInsensitive as CI | ||
38 | |||
39 | import System.IO | ||
40 | |||
41 | import Spm.Server.Database | ||
42 | |||
43 | import Database.Persist | ||
44 | import Database.Persist.Postgresql | ||
45 | import Data.Pool | ||
46 | |||
47 | import Control.Monad.Trans.Reader (ReaderT, runReaderT) | ||
48 | |||
49 | import Control.Monad.Logger | ||
50 | |||
51 | import Control.Monad.Morph | ||
52 | |||
53 | import System.Environment | ||
54 | |||
55 | import Control.Monad.Catch (Exception, MonadThrow(..)) | ||
56 | |||
57 | import Data.UUID (UUID) | ||
58 | import qualified Data.UUID as UUID | ||
59 | |||
60 | import qualified Data.Aeson as JSON | ||
61 | |||
62 | import System.FilePath ((</>), isRelative) | ||
63 | |||
64 | import Crypto.JOSE.JWK hiding (Context) | ||
65 | import Crypto.JOSE.JWK.Instances () | ||
66 | |||
67 | import Data.Maybe | ||
68 | |||
69 | |||
70 | hSslClientVerify, hSslClientSDn :: HeaderName | ||
71 | hSslClientVerify = "SSL-Client-Verify" | ||
72 | hSslClientSDn = "SSL-Client-S-DN" | ||
73 | |||
74 | |||
75 | data SSLClientVerify | ||
76 | = SSLClientVerifySuccess | ||
77 | | SSLClientVerifyOther Text | ||
78 | deriving (Eq, Ord, Read, Show, Generic, Typeable) | ||
79 | instance FromHttpApiData SSLClientVerify where | ||
80 | parseUrlPiece = (left Text.pack .) . parseOnly $ p <* endOfInput | ||
81 | where | ||
82 | p :: Parser SSLClientVerify | ||
83 | p = (SSLClientVerifySuccess <$ asciiCI "success") | ||
84 | <|> (SSLClientVerifyOther <$> takeText) | ||
85 | |||
86 | type instance AuthServerData (AuthProtect "spm_mailbox") = MailMailbox | ||
87 | |||
88 | type SpmServerApi = Header' '[Required, Strict] "SPM-Domain" MailDomain | ||
89 | :> AuthProtect "spm_mailbox" | ||
90 | :> SpmApi | ||
91 | |||
92 | spmServerApi :: Proxy SpmServerApi | ||
93 | spmServerApi = Proxy | ||
94 | |||
95 | |||
96 | requestMailMailbox :: Request -> Either Text MailMailbox | ||
97 | requestMailMailbox req = do | ||
98 | clientVerify <- getHeader hSslClientVerify | ||
99 | clientSDN <- getHeader hSslClientSDn | ||
100 | |||
101 | case clientVerify of | ||
102 | SSLClientVerifySuccess -> return () | ||
103 | o@(SSLClientVerifyOther _) -> Left $ "Expected “SSLClientVerifySuccess”, but got “" <> Text.pack (show o) <> "”" | ||
104 | spmMailbox <- left Text.pack $ parseOnly (asciiCI "CN=" *> (CI.mk <$> takeText) <* endOfInput) clientSDN | ||
105 | |||
106 | return $ _Wrapped # spmMailbox | ||
107 | where | ||
108 | getHeader :: forall a. FromHttpApiData a => HeaderName -> Either Text a | ||
109 | getHeader hdrName = parseHeader <=< maybeToEither ("Missing “" <> Text.decodeUtf8 (CI.original hdrName) <> "”") . lookup hdrName $ requestHeaders req | ||
110 | |||
111 | maybeToEither e = maybe (Left e) Right | ||
112 | |||
113 | mailboxAuthHandler :: AuthHandler Request MailMailbox | ||
114 | mailboxAuthHandler = mkAuthHandler handler | ||
115 | where | ||
116 | throw401 msg = throwError $ err401 { errBody = LBS.fromStrict $ Text.encodeUtf8 msg } | ||
117 | handler = either throw401 return . requestMailMailbox | ||
118 | |||
119 | mkSpmRequestLogger :: MonadIO m => m Middleware | ||
120 | mkSpmRequestLogger = liftIO $ mkRequestLogger loggerSettings | ||
121 | where | ||
122 | loggerSettings = defaultRequestLoggerSettings | ||
123 | { destination = Handle stderr | ||
124 | , outputFormat = ApacheWithSettings $ defaultApacheSettings | ||
125 | & setApacheUserGetter (preview (_Right . _Wrapped . to (Text.encodeUtf8. CI.original)) . requestMailMailbox) | ||
126 | & setApacheIPAddrSource FromFallback | ||
127 | } | ||
128 | |||
129 | data ServerCtx = ServerCtx | ||
130 | { _sctxSqlPool :: Pool SqlBackend | ||
131 | , _sctxInstanceId :: UUID | ||
132 | , _sctxJwkSet :: JWKSet | ||
133 | } deriving (Generic, Typeable) | ||
134 | makeLenses ''ServerCtx | ||
135 | |||
136 | type Handler' = ReaderT ServerCtx (LoggingT Handler) | ||
137 | type Server' api = ServerT api Handler' | ||
138 | |||
139 | data ServerCtxError | ||
140 | = ServerCtxNoInstanceId | ServerCtxInvalidInstanceId | ||
141 | | ServerCtxJwkSetCredentialFileNotRelative | ||
142 | | ServerCtxNoCredentialsDirectory | ||
143 | | ServerCtxJwkSetDecodeError String | ||
144 | | ServerCtxJwkSetEmpty | ||
145 | deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
146 | deriving anyclass (Exception) | ||
147 | |||
148 | mkSpmApp :: (MonadUnliftIO m, MonadThrow m) => m Application | ||
149 | mkSpmApp = do | ||
150 | requestLogger <- mkSpmRequestLogger | ||
151 | |||
152 | connStr <- liftIO $ maybe mempty (Text.encodeUtf8 . Text.pack) <$> lookupEnv "PGCONNSTR" | ||
153 | _sctxInstanceId <- maybe (throwM ServerCtxInvalidInstanceId) return . UUID.fromString =<< maybe (throwM ServerCtxNoInstanceId) return =<< liftIO (lookupEnv "SPM_INSTANCE") | ||
154 | jwksetCredentialFile <- liftIO $ fromMaybe "spm-keys.json" <$> lookupEnv "SPM_KEYS_CREDENTIAL" | ||
155 | unless (isRelative jwksetCredentialFile) $ throwM ServerCtxJwkSetCredentialFileNotRelative | ||
156 | credentialsDir <- maybe (throwM ServerCtxNoCredentialsDirectory) return =<< liftIO (lookupEnv "CREDENTIALS_DIRECTORY") | ||
157 | _sctxJwkSet@(JWKSet jwks) <- either (throwM . ServerCtxJwkSetDecodeError) return =<< liftIO (JSON.eitherDecodeFileStrict' $ credentialsDir </> jwksetCredentialFile) | ||
158 | when (null jwks) $ throwM ServerCtxJwkSetEmpty | ||
159 | |||
160 | runStderrLoggingT . withPostgresqlPool connStr 1 $ \_sctxSqlPool -> do | ||
161 | let | ||
162 | spmServerContext :: Context (AuthHandler Request MailMailbox ': '[]) | ||
163 | spmServerContext = mailboxAuthHandler :. EmptyContext | ||
164 | |||
165 | spmServer' = spmServer | ||
166 | |||
167 | logger <- askLoggerIO | ||
168 | return $ serveWithContextT spmServerApi spmServerContext ((runReaderT ?? ServerCtx{..}) . hoist (runLoggingT ?? logger)) spmServer' | ||
169 | & requestLogger | ||
170 | |||
171 | spmSql :: ReaderT SqlBackend Handler' a -> Handler' a | ||
172 | spmSql act = do | ||
173 | sqlPool <- view sctxSqlPool | ||
174 | withResource sqlPool $ runReaderT act | ||
175 | |||
176 | spmServer :: MailDomain -> MailMailbox -> Server' SpmApi | ||
177 | spmServer _dom mbox = whoami | ||
178 | :<|> jwkSet | ||
179 | :<|> instanceId | ||
180 | where | ||
181 | whoami = do | ||
182 | Entity _ Mailbox{mailboxIdent} <- maybe (throwError err404) return <=< spmSql . getBy $ UniqueMailbox mbox | ||
183 | return $ mailboxIdent ^. _Wrapped . re _Wrapped | ||
184 | |||
185 | jwkSet = views sctxJwkSet $ over _Wrapped (^.. folded . asPublicKey . _Just) | ||
186 | |||
187 | instanceId = view sctxInstanceId | ||
188 | |||
189 | main :: IO () | ||
190 | main = runSystemdWarp systemdSettings warpSettings =<< mkSpmApp | ||
191 | where | ||
192 | systemdSettings = defaultSystemdSettings | ||
193 | & requireSocketActivation .~ True | ||
194 | warpSettings = defaultSettings | ||
diff --git a/hosts/surtr/email/spm/server/Spm/Server/Database.hs b/hosts/surtr/email/spm/server/Spm/Server/Database.hs deleted file mode 100644 index 09b4c67b..00000000 --- a/hosts/surtr/email/spm/server/Spm/Server/Database.hs +++ /dev/null | |||
@@ -1,72 +0,0 @@ | |||
1 | {-# LANGUAGE OverloadedStrings, TemplateHaskell, QuasiQuotes, UndecidableInstances #-} | ||
2 | |||
3 | module Spm.Server.Database | ||
4 | ( MailMailbox, MailLocal, MailExtension, MailDomain | ||
5 | , Mailbox(..), MailboxMapping(..) | ||
6 | , Unique(..) | ||
7 | ) where | ||
8 | |||
9 | import Prelude | ||
10 | |||
11 | import Database.Persist | ||
12 | import Database.Persist.Sql | ||
13 | import Database.Persist.TH | ||
14 | |||
15 | import GHC.Generics (Generic) | ||
16 | import Type.Reflection (Typeable) | ||
17 | |||
18 | import Data.Text (Text) | ||
19 | |||
20 | import Data.CaseInsensitive (CI) | ||
21 | import qualified Data.CaseInsensitive as CI | ||
22 | import Data.CaseInsensitive.Instances () | ||
23 | |||
24 | import Data.UUID (UUID) | ||
25 | import Data.UUID.Instances () | ||
26 | |||
27 | import Data.Int (Int64) | ||
28 | |||
29 | import Control.Lens | ||
30 | |||
31 | import Web.HttpApiData | ||
32 | |||
33 | |||
34 | newtype MailMailbox = MailMailbox | ||
35 | { unMailMailbox :: CI Text | ||
36 | } deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
37 | deriving newtype (PersistField, PersistFieldSql) | ||
38 | makeWrapped ''MailMailbox | ||
39 | newtype MailLocal = MailLocal | ||
40 | { unMailLocal :: CI Text | ||
41 | } deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
42 | deriving newtype (PersistField, PersistFieldSql) | ||
43 | makeWrapped ''MailLocal | ||
44 | newtype MailExtension = MailExtension | ||
45 | { unMailExtension :: CI Text | ||
46 | } deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
47 | deriving newtype (PersistField, PersistFieldSql) | ||
48 | makeWrapped ''MailExtension | ||
49 | newtype MailDomain = MailDomain | ||
50 | { unMailDomain :: CI Text | ||
51 | } deriving stock (Eq, Ord, Read, Show, Generic, Typeable) | ||
52 | deriving newtype (PersistField, PersistFieldSql) | ||
53 | makeWrapped ''MailDomain | ||
54 | |||
55 | instance FromHttpApiData MailDomain where | ||
56 | parseUrlPiece = fmap (review _Wrapped . CI.mk) . parseUrlPiece | ||
57 | |||
58 | |||
59 | share [mkPersist sqlSettings] [persistLowerCase| | ||
60 | Mailbox | ||
61 | Id UUID sqltype=uuid default=gen_random_uuid() | ||
62 | ident MailMailbox sql=mailbox | ||
63 | quota Int64 Maybe sql=quota_bytes MigrationOnly | ||
64 | UniqueMailbox ident | ||
65 | deriving Show | ||
66 | MailboxMapping | ||
67 | Id UUID sqltype=uuid default=gen_random_uuid() | ||
68 | local MailLocal Maybe | ||
69 | extension MailExtension Maybe | ||
70 | domain MailDomain | ||
71 | mailbox MailboxId | ||
72 | |] | ||
diff --git a/hosts/surtr/email/spm/spm.nix b/hosts/surtr/email/spm/spm.nix deleted file mode 100644 index ba7a5f0b..00000000 --- a/hosts/surtr/email/spm/spm.nix +++ /dev/null | |||
@@ -1,28 +0,0 @@ | |||
1 | { mkDerivation, aeson, attoparsec, base, bytestring | ||
2 | , case-insensitive, exceptions, filepath, hpack, http-api-data | ||
3 | , http-types, jose, lens, lib, mmorph, monad-logger, mtl | ||
4 | , optparse-applicative, path-pieces, persistent | ||
5 | , persistent-postgresql, resource-pool, servant, servant-server | ||
6 | , text, transformers, unliftio-core, uuid, wai, wai-extra, warp | ||
7 | , warp-systemd | ||
8 | }: | ||
9 | mkDerivation { | ||
10 | pname = "spm"; | ||
11 | version = "0.1.0"; | ||
12 | src = ./.; | ||
13 | isLibrary = true; | ||
14 | isExecutable = true; | ||
15 | libraryHaskellDepends = [ | ||
16 | aeson base case-insensitive jose lens servant text | ||
17 | ]; | ||
18 | libraryToolDepends = [ hpack ]; | ||
19 | executableHaskellDepends = [ | ||
20 | aeson attoparsec base bytestring case-insensitive exceptions | ||
21 | filepath http-api-data http-types jose lens mmorph monad-logger mtl | ||
22 | optparse-applicative path-pieces persistent persistent-postgresql | ||
23 | resource-pool servant-server text transformers unliftio-core uuid | ||
24 | wai wai-extra warp warp-systemd | ||
25 | ]; | ||
26 | prePatch = "hpack"; | ||
27 | license = lib.licenses.agpl3Plus; | ||
28 | } | ||