Develop Reference

dovecot deliver does not use same user-id for auto-indexing in FTS as it does for IMAP searches

Using dovecot 2.3.7.2 with solr 8.11.2 when I do:
doveadm search -u user mailbox INBOX subject "something"
I get multiple mail ID's.
When I start a manual IMAP session and login as that user, select INBOX, and try the command:
. search subject "something"
It returns zero mail ID's; this is consistent across all searches using IMAP - no results returned, no matter what I search for in IMAP.
Further investigation shows that the SOLR search via doveadm is using just the 'username', whereas the IMAP search is using the full email address (and finding nothing).
Worse, with auto-update of the FTS turned on, the user-id used when updating as mail arrives is the domain-less user-id.
Is there a way to change this behaviour, or at least make it consistent?
The dovecot -n command returns:
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-125-generic x86_64 Ubuntu 20.04.5 LTS
# Hostname: WITHELD
mail_location = maildir:~/Mail
mail_plugins = " fts fts_solr virtual"
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
location = virtual:~/Mail/virtual
prefix = virtual.
separator = .
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
mailbox virtual.All {
comment = All my messages
special_use = \All
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
passdb {
driver = pam
}
plugin {
fts = solr
fts_autoindex = yes
fts_enforced = yes
fts_solr = url=http://localhost:8983/solr/dovecot/
sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3 sieve"
service imap {
vsz_limit = 4 G
}
service index-worker {
vsz_limit = 2 G
}
service indexer-worker {
vsz_limit = 2 G
}
service lmtp {
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
}
ssl_cert = </etc/letsencrypt/live/WITHELD/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = " fts fts_solr virtual sieve"
postmaster_address = WITHELD
}
protocol lda {
mail_plugins = " fts fts_solr virtual sieve"
}
protocol imap {
mail_max_userip_connections = 40
}

Azure Terraform Web App private Endpoint virtual network

I am trying to automate the deployment of an azure virtual network and azure web app.
During the deployment of those resources, everything went just fine and no errors. So I wanted to try to activate the private endpoint on the web app. This is my configuration on terraform.
resource "azurerm_virtual_network" "demo-vnet" {
name = "virtual-network-test"
address_space = ["10.100.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.rg-testing-env.name
}
resource "azurerm_subnet" "front_end" {
name = "Front_End-Subnet"
address_prefixes = ["10.100.5.0/28"]
virtual_network_name = azurerm_virtual_network.demo-vnet.name
resource_group_name = azurerm_resource_group.rg-testing-env.name
delegation {
name = "testing-frontend"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
And on the web app itself, I set this configuration
resource "azurerm_app_service_virtual_network_swift_connection" "web-app-vnet" {
app_service_id = azurerm_app_service.app-test.example.id
subnet_id = azurerm_subnet.front_end.id
}
NOTE: On my first deployment, the swift failed because I had not delegation on the virtual network, so I had to add the delegation on the subnet to be able to run terraform.
After setting in place all the configuration, I run my terraform, everything run just smoothly, no errors.
After the completion, I checked my web app Private Endpoint and that was just off.
Can please anyone explain me what am I doing wrong here?. I thought that the swift connection was the block of code to activate the Private endpoint but apparently I am missing something else.
Just to confirm my logic workflow, I tried to do the manual steps in the portal. But surprisingly I was not able because I have the delegation on the subnet, as you can see.
Thank you so much for any help and/or explanation you can offer to solve this issue

I have used the below code to test the creation of VNET and Web app with private endpoint.
provider "azurerm" {
features{}
}
data "azurerm_resource_group" "rg" {
name = "ansumantest"
}
# Virtual Network
resource "azurerm_virtual_network" "vnet" {
name = "ansumanapp-vnet"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
address_space = ["10.4.0.0/16"]
}
# Subnets for App Service instances
resource "azurerm_subnet" "appserv" {
name = "frontend-app"
resource_group_name = data.azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.4.1.0/24"]
enforce_private_link_endpoint_network_policies = true
}
# App Service Plan
resource "azurerm_app_service_plan" "frontend" {
name = "ansuman-frontend-asp"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
kind = "Linux"
reserved = true
sku {
tier = "Premium"
size = "P1V2"
}
}
# App Service
resource "azurerm_app_service" "frontend" {
name = "ansuman-frontend-app"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
app_service_plan_id = azurerm_app_service_plan.frontend.id
}
#private endpoint
resource "azurerm_private_endpoint" "example" {
name = "${azurerm_app_service.frontend.name}-endpoint"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.appserv.id
private_service_connection {
name = "${azurerm_app_service.frontend.name}-privateconnection"
private_connection_resource_id = azurerm_app_service.frontend.id
subresource_names = ["sites"]
is_manual_connection = false
}
}
# private DNS
resource "azurerm_private_dns_zone" "example" {
name = "privatelink.azurewebsites.net"
resource_group_name = data.azurerm_resource_group.rg.name
}
#private DNS Link
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "${azurerm_app_service.frontend.name}-dnslink"
resource_group_name = data.azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.vnet.id
registration_enabled = false
}
Requirements:
As you can see from the above code the Private Endpoint , Private DNS and Private DNS Link block are required for creating the private endpoint and enabling it for the app service.
The App service Plan needs to have Premium Plan for having Private
endpoint.
The Subnet to be used by Private Endpoint should have
enforce_private_link_endpoint_network_policies = true set other
wise it will error giving message as subnet has private endpoint network policies enabled , it should be disabled to be used by Private endpoint.
DNS zone name should only be privatelink.azurewebsites.net as you are creating a private endpoint for webapp.
Outputs:

How to copy a file from local machine to a storage account using Terraform

I have created a storage account and created a file share in it too using Terraform. I want to copy some files from my local machine to that storage account using Terraform. Is that possible? If yes, then how?
Here is my code-
provider "azurerm" {
# whilst the `version` attribute is optional, we recommend pinning to a given version of the Provider
version = "=2.0.0"
subscription_id = "xxx-xxxx-xxxx-xxxx"
tenant_id = "xxxxx-xxxxx-xxxx-xxxx"
features {}
}
resource "azurerm_resource_group" "example" {
name = "azuretest"
location = "West Europe"
}
resource "azurerm_storage_account" "example" {
name = "asdfghjklteststorage"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_storage_share" "example" {
name = "sharename"
storage_account_name = azurerm_storage_account.example.name
quota = 50
acl {
id = "xxx-xxx-xxx-xxx"
access_policy {
permissions = "rwdl"
start = "2020-05-10T09:38:21.0000000Z"
expiry = "2020-07-02T10:38:21.0000000Z"
}
}
}
resource "null_resource" "uploadfile" {
provisioner "local-exec" {
command = <<-EOT
$storageAcct = Get-AzStorageAccount -ResourceGroupName "${azurerm_resource_group.example.name}" -Name "${azurerm_storage_account.example.name}"
Set-AzStorageFileContent `
-Context $storageAcct.Context `
-ShareName "${azurerm_storage_share.example.name}" `
-Source "C:\Users\xxx\xxx\xxx\Untitled.png" `
-Path "Untitled.png"
EOT
interpreter = ["PowerShell", "-Command"]
}
}

You could use local-exec provisioner invokes a local executable after a resource is created. See upload a file to Azure file share with PowerShell.
For example,
resource "azurerm_storage_share" "example" {
name = "sharename"
storage_account_name = azurerm_storage_account.example.name
quota = 50
acl {
id = "xxxxxxxxxxxxxxx"
access_policy {
permissions = "rwdl"
start = "2020-05-10T09:38:21.0000000Z"
expiry = "2020-07-02T10:38:21.0000000Z"
}
}
}
resource "null_resource" "uploadfile" {
provisioner "local-exec" {
command = <<-EOT
$storageAcct = Get-AzStorageAccount -ResourceGroupName "${azurerm_resource_group.example.name}" -Name "${azurerm_storage_account.example.name}"
Set-AzStorageFileContent `
-Context $storageAcct.Context `
-ShareName "${azurerm_storage_share.example.name}" `
-Source "C:\Users\xxx\terraform\test.txt" `
-Path "test.txt"
EOT
interpreter = ["PowerShell", "-Command"]
}
}
Result
For more information, you could read this blog.

For anyone coming from Google, it's worth pointing out you that in early 2022 should now be able to use azurerm_storage_share_file. This worked great for me to upload a single file. To upload multiple files it looks like you will require multiple resources
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file
resource "azurerm_storage_share_file" "example" {
name = "test.txt"
storage_share_id = azurerm_storage_share.example.id
source = "${path.root}/TestFiles/test.txt"
}

How can I enable Caddy plugins in NixOS?

I've just started playing with NixOS, and have so far managed to edit /etc/nixos/configuration.nix in my NixOS 18.09 VM to have PHP-FPM and the Caddy webserver enabled.
{ config, pkgs, ... }:
{
imports = [ <nixpkgs/nixos/modules/installer/virtualbox-demo.nix> ];
users = {
mutableUsers = false;
groups = {
caddy = { };
php-project = { };
};
users = {
hello = {
group = "php-project";
};
};
};
environment.systemPackages = [
pkgs.htop
pkgs.httpie
pkgs.php # for PHP CLI
];
services.caddy = {
enable = true;
email = "david#example.com";
agree = true;
config = ''
(common) {
gzip
header / -Server
header / -X-Powered-By
}
:8080 {
root /var/www/hello
fastcgi / /run/phpfpm/hello.sock php
log syslog
import common
}
'';
};
services.phpfpm = {
phpOptions = ''
date.timezone = "Europe/Berlin"
'';
poolConfigs = {
hello = ''
user = hello
listen = /run/phpfpm/hello.sock
; ...
pm.max_requests = 500
'';
};
};
}
A PHP-processed response is available at at localhost:8080. (Yay!)
To enable Caddy plugins when compiling from source, Go imports are added to caddy's run.go, e.g.:
_ "github.com/mholt/caddy/caddyhttp" // plug in the HTTP server type
// This is where other plugins get plugged in (imported)
_ "github.com/nicolasazrak/caddy-cache" // added to use another plugin
)
How can I set such line insertion to be performed after the source is downloaded and before the build takes place? (If this is a reasonable approach when using Nix?)
The NixOS 18.09 caddy package.
The NixOS 18.09 caddy service.
I believe that when writing a package a builder script (Bash or otherwise) can be assigned, and I'm thinking the line insertion could be done in it. But I'm lost as to how to assign a script to an existing package in this situation (override an attribute/use an overlay?) and where to put the script on the disk.
Status update
I've been doing some reading on customising packages in general and it sounds like overlays might be what I need. However, I don't seem to be able to get my overlay evaluated.
I'm using overriding of the package name as a test as it's simpler than patching code.
Overlay attempt 1
/etc/nixos/configuration.nix:
{ config, pkgs, options, ... }:
{
imports = [ <nixpkgs/nixos/modules/installer/virtualbox-demo.nix> ];
nix.nixPath = options.nix.nixPath.default ++ [
"nixpkgs-overlays=/etc/nixos/overlays-compat/"
];
# ...
}
/etc/nixos/overlays-compat/overlays.nix:
self: super:
with super.lib;
let
# Using the nixos plumbing that's used to evaluate the config...
eval = import <nixpkgs/nixos/lib/eval-config.nix>;
# Evaluate the config,
paths = (eval {modules = [(import <nixos-config>)];})
# then get the `nixpkgs.overlays` option.
.config.nixpkgs.overlays
;
in
foldl' (flip extends) (_: super) paths self
/etc/nixos/overlays-compat/caddy.nix:
self: super:
{
caddy = super.caddy.override {
name = "caddy-override";
};
}
Overlay attempt 2
/etc/nixos/configuration.nix:
nixpkgs.overlays = [ (self: super: {
caddy = super.caddy.override {
name = "caddy-override";
};
} ) ];
error: anonymous function at /nix/store/mr5sfmz6lm5952ch5q6v49563wzylrkx-nixos-18.09.2327.37694c8cc0e/nixos/pkgs/servers/caddy/default.nix:1:1 called with unexpected argument 'name', at /nix/store/mr5sfmz6lm5952ch5q6v49563wzylrkx-nixos-18.09.2327.37694c8cc0e/nixos/lib/customisation.nix:69:12
overrideAttrs
I previously managed to override the package name with this:
{ config, pkgs, options, ... }:
let
caddyOverride = pkgs.caddy.overrideAttrs (oldAttrs: rec {
name = "caddy-override-v${oldAttrs.version}";
});
in {
{
# ...
services.caddy = {
package = caddyOverride;
# ...
}
}
I could see in htop that the caddy binary was in a folder called /nix/store/...-caddy-override-v0.11.0-bin/. But I understand that overriding in this way has been superseded by overlays.

In order to add plugins to Caddy, it seems that the method is to modify the source.
You will need to adapt the Nixpkgs expression for Caddy to make that possible. That can be done outside the Nixpkgs tree, using services.caddy.package = callPackage ./my-caddy.nix {} for example, or by forking the Nixpkgs repository and pointing your NIX_PATH to your clone.

There is an issue for Caddy plugins: https://github.com/NixOS/nixpkgs/issues/14671
PR welcome!

Configure FreeRADIUS to only support EAP TTLS PAP

I have an external RADIUS server that only supports PAP. I have configured FreeRADIUS 2.2.4 to proxy the PAP request inside an EAP-TTLS tunnel (from a WiFi access point configured for WPA2 Enterprise) to this RADIUS server, and I tested it with eapol_test. I can manually configure a PC or Mac to only send EAP-TTLS+PAP but this is not really desirable.
When unconfigured WPA2 Enterprise clients connect they try PEAP and LEAP and EAP-MD5. I disabled most of the other EAP types, but it seems that I need at least one other EAP type supported in default_eap_type in the TTLS block. The non-commented part of my eap.conf is below:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = heythatsprivate
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
CA_path = ${cadir}
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
}
Is there a way to configure FreeRADIUS so that there are no EAP types allowed inside TTLS or to explicitly require PAP inside the tunnel?
Thanks,
-rohan

Try to setup a new servers besides the default...
server my-server {
authorize { ... }
authenticate {
eap
}
accounting { ... }
}
Then create a inner-tunnel for second fase of authentication
server my-tunnel {
authorize {
pap
}
...
authenticate {
Auth-Type PAP {
pap
}
}
...
}
You will need to modify your EAP configuration as this:
eap {
default_eap_type = ttls
...
ttls {
default_eap_type = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "my-tunnel"
}
...
}
Then specify for each client what server do you want to use to process authentication requests
client example {
ipv6addr = x.x.x.x
netmask = 32
secret = *******
shortname = example
virtual_server = my-server
}
I'm sure this will enable what do you want to do.
Regards,
-Hernan Garcia