servo: disable email-based registration gating

2024-08-06 21:39:32 +00:00
parent 247fd3f807
commit d45ea622d1
4 changed files with 44 additions and 22 deletions
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -1,4 +1,6 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>
+# config files:
+# - /etc/postfix/main.cf

 { config, lib, pkgs, ... }:

@@ -175,23 +177,30 @@ in


  #### OUTGOING MESSAGE REWRITING:
-  services.postfix.enableHeaderChecks = true;
-  services.postfix.headerChecks = [
-    # intercept gitea registration confirmations and manually screen them
-    {
-      # headerChecks are somehow ignorant of alias rules: have to redirect to a real user
-      action = "REDIRECT colin@uninsane.org";
-      pattern = "/^Subject: Please activate your account/";
-    }
-    # intercept Matrix registration confirmations
-    {
-      action = "REDIRECT colin@uninsane.org";
-      pattern = "/^Subject:.*Validate your email/";
-    }
-    # XXX postfix only supports performing ONE action per header.
+  # - `man 5 header_checks`
+  #   - <https://www.postfix.org/header_checks.5.html>
+  # - populates `/var/lib/postfix/conf/header_checks`
+  # XXX(2024-08-06): registration gating via email matches is AWFUL:
+  # 1. bypassed if the service offers localization.
+  # 2. if i try to forward the registration request, it may match the filter again and get sent back to my inbox.
+  # 3. header checks are possibly under-used in the ecosystem, and may break postfix config.
+  # services.postfix.enableHeaderChecks = true;
+  # services.postfix.headerChecks = [
+  #   # intercept gitea registration confirmations and manually screen them
  #   {
-    #   action = "REPLACE Subject: git application: Please activate your account";
-    #   pattern = "/^Subject:.*activate your account/";
+  #     # headerChecks are somehow ignorant of alias rules: have to redirect to a real user
+  #     action = "REDIRECT colin@uninsane.org";
+  #     pattern = "/^Subject: Please activate your account/";
  #   }
-  ];
+  #   # intercept Matrix registration confirmations
+  #   {
+  #     action = "REDIRECT colin@uninsane.org";
+  #     pattern = "/^Subject:.*Validate your email/";
+  #   }
+  #   # XXX postfix only supports performing ONE action per header.
+  #   # {
+  #   #   action = "REPLACE Subject: git application: Please activate your account";
+  #   #   pattern = "/^Subject:.*activate your account/";
+  #   # }
+  # ];
 }
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -1,10 +1,14 @@
 # config options: <https://docs.gitea.io/en-us/administration/config-cheat-sheet/>
+# TODO: service shouldn't run as `git` user, but as `gitea`
 { config, pkgs, lib, ... }:

 {
  sane.persist.sys.byStore.private = [
    { user = "git"; group = "gitea"; mode = "0750"; path = "/var/lib/gitea"; method = "bind"; }
  ];
+
+  sane.programs.gitea.enableFor.user.colin = true;  # for admin, and monitoring
+
  services.gitea.enable = true;
  services.gitea.user = "git";  # default is 'gitea'
  services.gitea.database.type = "postgres";
@@ -40,14 +44,21 @@
      # timeout for email approval. 5760 = 4 days. 10080 = 7 days
      ACTIVE_CODE_LIVE_MINUTES = 10080;
      # REGISTER_EMAIL_CONFIRM = false;
-      # REGISTER_MANUAL_CONFIRM = true;
-      REGISTER_EMAIL_CONFIRM = true;
+      # REGISTER_EMAIL_CONFIRM = true;  #< override REGISTER_MANUAL_CONFIRM
+      REGISTER_MANUAL_CONFIRM = true;
      # not sure what this notifies *on*...
      ENABLE_NOTIFY_MAIL = true;
      # defaults to image-based captcha.
      # also supports recaptcha (with custom URLs) or hCaptcha.
      ENABLE_CAPTCHA = true;
      NOREPLY_ADDRESS = "noreply.anonymous.git@uninsane.org";
+      EMAIL_DOMAIN_BLOCKLIST = lib.concatStringsSep ", " [
+        "*.claychoen.top"
+        "*.gemmasmith.co.uk"
+        "*.jenniferlawrence.uk"
+        "*.sarahconnor.co.uk"
+        "*.marymarshall.co.uk"
+      ];
    };
    session = {
      COOKIE_SECURE = true;
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -30,7 +30,7 @@

    # services.matrix-synapse.enable_registration_captcha = true;
    # services.matrix-synapse.enable_registration_without_verification = true;
-    enable_registration = true;
+    # enable_registration = true;
    # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";

    # default for listeners is port = 8448, tls = true, x_forwarded = false.
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -623,6 +623,8 @@ in
      "/tmp"  # "Cannot open display:" if it can't mount /tmp 👀
    ];

+    gitea = {};
+
    gnome-calculator.buildCost = 1;
    gnome-calculator.sandbox.method = "bwrap";
    gnome-calculator.sandbox.whitelistWayland = true;