servo: disable email-based registration gating

This commit is contained in:
2024-08-06 21:39:32 +00:00
parent 247fd3f807
commit d45ea622d1
4 changed files with 44 additions and 22 deletions

View File

@@ -1,4 +1,6 @@
# postfix config options: <https://www.postfix.org/postconf.5.html>
# config files:
# - /etc/postfix/main.cf
{ config, lib, pkgs, ... }:
@@ -175,23 +177,30 @@ in
#### OUTGOING MESSAGE REWRITING:
services.postfix.enableHeaderChecks = true;
services.postfix.headerChecks = [
# intercept gitea registration confirmations and manually screen them
{
# headerChecks are somehow ignorant of alias rules: have to redirect to a real user
action = "REDIRECT colin@uninsane.org";
pattern = "/^Subject: Please activate your account/";
}
# intercept Matrix registration confirmations
{
action = "REDIRECT colin@uninsane.org";
pattern = "/^Subject:.*Validate your email/";
}
# XXX postfix only supports performing ONE action per header.
# {
# action = "REPLACE Subject: git application: Please activate your account";
# pattern = "/^Subject:.*activate your account/";
# }
];
# - `man 5 header_checks`
# - <https://www.postfix.org/header_checks.5.html>
# - populates `/var/lib/postfix/conf/header_checks`
# XXX(2024-08-06): registration gating via email matches is AWFUL:
# 1. bypassed if the service offers localization.
# 2. if i try to forward the registration request, it may match the filter again and get sent back to my inbox.
# 3. header checks are possibly under-used in the ecosystem, and may break postfix config.
# services.postfix.enableHeaderChecks = true;
# services.postfix.headerChecks = [
# # intercept gitea registration confirmations and manually screen them
# {
# # headerChecks are somehow ignorant of alias rules: have to redirect to a real user
# action = "REDIRECT colin@uninsane.org";
# pattern = "/^Subject: Please activate your account/";
# }
# # intercept Matrix registration confirmations
# {
# action = "REDIRECT colin@uninsane.org";
# pattern = "/^Subject:.*Validate your email/";
# }
# # XXX postfix only supports performing ONE action per header.
# # {
# # action = "REPLACE Subject: git application: Please activate your account";
# # pattern = "/^Subject:.*activate your account/";
# # }
# ];
}

View File

@@ -1,10 +1,14 @@
# config options: <https://docs.gitea.io/en-us/administration/config-cheat-sheet/>
# TODO: service shouldn't run as `git` user, but as `gitea`
{ config, pkgs, lib, ... }:
{
sane.persist.sys.byStore.private = [
{ user = "git"; group = "gitea"; mode = "0750"; path = "/var/lib/gitea"; method = "bind"; }
];
sane.programs.gitea.enableFor.user.colin = true; # for admin, and monitoring
services.gitea.enable = true;
services.gitea.user = "git"; # default is 'gitea'
services.gitea.database.type = "postgres";
@@ -40,14 +44,21 @@
# timeout for email approval. 5760 = 4 days. 10080 = 7 days
ACTIVE_CODE_LIVE_MINUTES = 10080;
# REGISTER_EMAIL_CONFIRM = false;
# REGISTER_MANUAL_CONFIRM = true;
REGISTER_EMAIL_CONFIRM = true;
# REGISTER_EMAIL_CONFIRM = true; #< override REGISTER_MANUAL_CONFIRM
REGISTER_MANUAL_CONFIRM = true;
# not sure what this notifies *on*...
ENABLE_NOTIFY_MAIL = true;
# defaults to image-based captcha.
# also supports recaptcha (with custom URLs) or hCaptcha.
ENABLE_CAPTCHA = true;
NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
EMAIL_DOMAIN_BLOCKLIST = lib.concatStringsSep ", " [
"*.claychoen.top"
"*.gemmasmith.co.uk"
"*.jenniferlawrence.uk"
"*.sarahconnor.co.uk"
"*.marymarshall.co.uk"
];
};
session = {
COOKIE_SECURE = true;

View File

@@ -30,7 +30,7 @@
# services.matrix-synapse.enable_registration_captcha = true;
# services.matrix-synapse.enable_registration_without_verification = true;
enable_registration = true;
# enable_registration = true;
# services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
# default for listeners is port = 8448, tls = true, x_forwarded = false.

View File

@@ -623,6 +623,8 @@ in
"/tmp" # "Cannot open display:" if it can't mount /tmp 👀
];
gitea = {};
gnome-calculator.buildCost = 1;
gnome-calculator.sandbox.method = "bwrap";
gnome-calculator.sandbox.whitelistWayland = true;