thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix gitea,nextcloud,roundcube: evaluate without auth module

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-24 16:27:48 +04:00
parent f795bc977f
commit 0c7a8d51b0
3 changed files with 490 additions and 454 deletions
Download Patch File Download Diff File Expand all files Collapse all files

143
sp-modules/roundcube/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, options, pkgs, ... }:
let
domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.roundcube;
@@ -48,74 +48,81 @@ in
};
};
config = lib.mkIf cfg.enable {
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'' + lib.strings.optionalString is-auth-enabled ''
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}';
$config['oauth_client_secret'] = "$(<${kanidm-oauth-client-secret-fp})";
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
$config['oauth_scope'] = 'email profile openid'; # FIXME
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['auto_create_user'] = true;
$config['oauth_verify_peer'] = false; # FIXME
# $config['oauth_pkce'] = 'S256'; # FIXME
'';
};
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
systemd.slices.roundcube.description = "Roundcube service slice";
systemd.services.kanidm = lib.mkIf is-auth-enabled {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = {
"sp.roundcube.admins".members = [ "sp.admins" ];
"sp.roundcube.users".members = [ "sp.roundcube.admins" ];
config = lib.mkIf cfg.enable (lib.mkMerge [
{
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
systems.oauth2.roundcube = {
displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"sp.roundcube.users" = [
"email"
"openid"
"profile"
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
systemd.slices.roundcube.description = "Roundcube service slice";
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
services.roundcube.extraConfig = lib.mkAfter ''
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}';
$config['oauth_client_secret'] = "$(<${kanidm-oauth-client-secret-fp})";
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
$config['oauth_scope'] = 'email profile openid'; # FIXME
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['auto_create_user'] = true;
$config['oauth_verify_peer'] = false; # FIXME
# $config['oauth_pkce'] = 'S256'; # FIXME
'';
systemd.services.kanidm = {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
requires = [ auth-passthru.oauth2-systemd-service ];
};
removeOrphanedClaimMaps = true;
};
};
};
services.kanidm.provision = {
groups = {
"sp.roundcube.admins".members = [ "sp.admins" ];
"sp.roundcube.users".members = [ "sp.roundcube.admins" ];
};
systems.oauth2.roundcube = {
displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"sp.roundcube.users" = [
"email"
"openid"
"profile"
];
};
removeOrphanedClaimMaps = true;
};
};
})
)
]);
}