chore: restructure LDAP related nix files

sp-modules/auth/common.nix

@@ -1,35 +0,0 @@
-{ config, lib, pkgs, ... }:
-rec {
-  domain = config.selfprivacy.domain;
-  cfg = config.selfprivacy.modules.auth;
-  passthru = config.passthru.selfprivacy.auth;
-  auth-fqdn = cfg.subdomain + "." + domain;
-
-  kanidm_ldap_port = 3636;
-
-  # e.g. "dc=mydomain,dc=com"
-  ldap_base_dn =
-    lib.strings.concatMapStringsSep
-      ","
-      (x: "dc=" + x)
-      (lib.strings.splitString "." domain);
-
-  appendLdapBindPwd =
-    { name, file, prefix, suffix ? "", passwordFile, destination }:
-    pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
-      #!${pkgs.stdenv.shell}
-      set -euo pipefail
-
-      baseDir=$(dirname ${destination})
-      if (! test -d "$baseDir"); then
-        mkdir -p $baseDir
-        chmod 755 $baseDir
-      fi
-
-      cat ${file} > ${destination}
-      echo -n '${prefix}' >> ${destination}
-      cat ${passwordFile} >> ${destination}
-      echo -n '${suffix}' >> ${destination}
-      chmod 600 ${destination}
-    '';
-}

sp-modules/auth/flake.nix

@@ -35,8 +35,6 @@
         (nixos-unstable.legacyPackages.x86_64-linux.path
           + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
         ./module.nix
-        ./ldap-postfix.nix
-        ./ldap-dovecot.nix
       ];
       nixpkgs.overlays = [ self.overlays.default ];
 

sp-modules/auth/ldap-dovecot.nix

@@ -1,129 +0,0 @@
-{ config, lib, pkgs, ... }@nixos-args:
-let
-  inherit (import ./common.nix nixos-args)
-    appendLdapBindPwd
-    cfg
-    domain
-    passthru
-    ;
-
-  ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
-  mkLdapSearchScope = scope: (
-    if scope == "sub" then "subtree"
-    else if scope == "one" then "onelevel"
-    else scope
-  );
-  dovecot-ldap-config = pkgs.writeTextFile {
-    name = "dovecot-ldap.conf.ext.template";
-    text = ''
-      ldap_version = 3
-      uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
-      ${lib.optionalString config.mailserver.ldap.startTls ''
-      tls = yes
-      ''}
-      # tls_require_cert = hard
-      # tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
-      dn = ${config.mailserver.ldap.bind.dn}
-      sasl_bind = no
-      auth_bind = no
-      base = ${config.mailserver.ldap.searchBase}
-      scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
-      ${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
-      user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
-      ''}
-      user_filter = ${config.mailserver.ldap.dovecot.userFilter}
-    '';
-  };
-  setPwdInLdapConfFile = appendLdapBindPwd {
-    name = "ldap-conf-file";
-    file = dovecot-ldap-config;
-    prefix = ''dnpass = "'';
-    suffix = ''"'';
-    passwordFile = config.mailserver.ldap.bind.passwordFile;
-    destination = ldapConfFile;
-  };
-  dovecot-oauth2-conf-file = pkgs.writeTextFile {
-    name = "dovecot-oauth2.conf.ext";
-    text = ''
-      introspection_mode = post
-      introspection_url = ${passthru.oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
-      client_id = roundcube
-      client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
-      username_attribute = username
-      # scope = email groups profile openid dovecotprofile
-      scope = email profile openid
-      tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
-      active_attribute = active
-      active_value = true
-      openid_configuration_url = ${passthru.oauth2-discovery-url "roundcube"}
-      debug = ${if cfg.debug then "yes" else "no"}
-    '';
-  };
-in
-{
-  mailserver.ldap = {
-    # note: in `ldapsearch` first comes filter, then attributes
-    dovecot.userAttrs = "+"; # all operational attributes
-    # TODO: investigate whether "mail=%u" is better than:
-    # dovecot.userFilter = "(&(class=person)(uid=%n))";
-  };
-
-  services.dovecot2.extraConfig = ''
-    auth_mechanisms = xoauth2 oauthbearer
-
-    passdb {
-      driver = oauth2
-      mechanisms = xoauth2 oauthbearer
-      args = ${dovecot-oauth2-conf-file}
-    }
-
-    userdb {
-      driver = static
-      args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
-    }
-
-    # provide SASL via unix socket to postfix
-    service auth {
-      unix_listener /var/lib/postfix/private-auth {
-        mode = 0660
-        user = postfix
-        group = postfix
-      }
-    }
-    service auth {
-      unix_listener auth-userdb {
-        mode = 0660
-        user = dovecot2
-      }
-      unix_listener dovecot-auth {
-        mode = 0660
-        # Assuming the default Postfix user and group
-        user = postfix
-        group = postfix
-      }
-    }
-
-    userdb {
-      driver = ldap
-      args = ${ldapConfFile}
-      default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
-    }
-
-    #auth_username_format = %Ln
-
-    # FIXME
-    auth_debug = yes
-    auth_debug_passwords = yes  # Be cautious with this in production as it logs passwords
-    auth_verbose = yes
-    mail_debug = yes
-  '';
-  services.dovecot2.enablePAM = false;
-  systemd.services.dovecot2 = {
-    # TODO does it merge with existing preStart?
-    preStart = setPwdInLdapConfFile + "\n";
-  };
-
-  # does it merge with existing restartTriggers?
-  systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
-
-}

sp-modules/auth/ldap-postfix.nix

@@ -1,75 +0,0 @@
-{ config, lib, pkgs, ... }@nixos-args:
-let
-  inherit (import ./common.nix nixos-args)
-    appendLdapBindPwd
-    ;
-
-  cfg = config.mailserver;
-
-  ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
-  submissionOptions.smtpd_sender_login_maps =
-    lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
-  commonLdapConfig = ''
-    server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
-    start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
-    version = 3
-    # tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
-    # tls_require_cert = yes
-
-    search_base = ${cfg.ldap.searchBase}
-    scope = ${cfg.ldap.searchScope}
-
-    bind = yes
-    bind_dn = ${cfg.ldap.bind.dn}
-  '';
-  ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
-    ${commonLdapConfig}
-    query_filter = ${cfg.ldap.postfix.filter}
-    result_attribute = ${cfg.ldap.postfix.mailAttribute}
-  '';
-  appendPwdInSenderLoginMap = appendLdapBindPwd {
-    name = "ldap-sender-login-map";
-    file = ldapSenderLoginMap;
-    prefix = "bind_pw = ";
-    passwordFile = cfg.ldap.bind.passwordFile;
-    destination = ldapSenderLoginMapFile;
-  };
-
-  ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
-    ${commonLdapConfig}
-    query_filter = ${cfg.ldap.postfix.filter}
-    result_attribute = ${cfg.ldap.postfix.uidAttribute}
-  '';
-  ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
-  appendPwdInVirtualMailboxMap = appendLdapBindPwd {
-    name = "ldap-virtual-mailbox-map";
-    file = ldapVirtualMailboxMap;
-    prefix = "bind_pw = ";
-    passwordFile = cfg.ldap.bind.passwordFile;
-    destination = ldapVirtualMailboxMapFile;
-  };
-in
-{
-  mailserver.ldap = {
-    postfix.mailAttribute = "mail";
-    postfix.uidAttribute = "uid";
-  };
-  systemd.services.postfix-setup = {
-    preStart = ''
-      ${appendPwdInVirtualMailboxMap}
-      ${appendPwdInSenderLoginMap}
-    '';
-    restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
-  };
-  services.postfix = {
-    # the list should be merged with other options from nixos-mailserver
-    config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
-    inherit submissionOptions;
-    submissionsOptions = submissionOptions;
-    # extraConfig = ''
-    #   debug_peer_list =
-    #   debug_peer_level = 3
-    #   smtp_tls_security_level = encrypt
-    # '';
-  };
-}

sp-modules/auth/module.nix

@@ -1,14 +1,12 @@
-{ config, lib, pkgs, ... }@nixos-args:
+{ config, lib, pkgs, ... }:
 let
-  inherit (import ./common.nix nixos-args)
-    auth-fqdn
-    cfg
-    domain
-    kanidm_ldap_port
-    ldap_base_dn
-    passthru
-    ;
+  passthru = config.passthru.selfprivacy.auth;
+  cfg = config.selfprivacy.modules.auth;
+  domain = config.selfprivacy.domain;
 
+  kanidm-bind-address = "127.0.0.1:3013";
+
+  # lua stuff for debugging only
   lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
   lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
   lua_path = "${lua_core_path};${lua_lrucache_path};";
@@ -34,6 +32,9 @@ in
     # FIXME revise this: maybe kanidm must not have access to a public TLS
     users.groups."acmereceivers".members = [ "kanidm" ];
 
+    # for ExecStartPost scripts to have access to /run/keys/*
+    users.groups.keys.members = [ "kanidm" ];
+
     services.kanidm = {
       enableServer = true;
 
@@ -46,7 +47,7 @@ in
         # included if it is non-standard (any port except 443). This must match or
         # be a descendent of the domain name you configure above. If these two
         # items are not consistent, the server WILL refuse to start!
-        origin = "https://" + auth-fqdn;
+        origin = "https://" + passthru.auth-fqdn;
 
         # TODO revise this: maybe kanidm must not have access to a public TLS
         tls_chain =
@@ -55,9 +56,9 @@ in
           "${config.security.acme.certs.${domain}.directory}/key.pem";
 
         # nginx should proxy requests to it
-        bindaddress = passthru.kanidm-bind-address;
+        bindaddress = kanidm-bind-address;
 
-        ldapbindaddress = "127.0.0.1:${toString kanidm_ldap_port}";
+        ldapbindaddress = "127.0.0.1:${toString passthru.ldap-port}";
 
         # kanidm is behind a proxy
         trust_x_forward_for = true;
@@ -70,7 +71,7 @@ in
       };
       enableClient = true;
       clientSettings = {
-        uri = "https://" + auth-fqdn;
+        uri = "https://" + passthru.auth-fqdn;
         verify_ca = false; # FIXME
         verify_hostnames = false; # FIXME
       };
@@ -79,19 +80,21 @@ in
     services.nginx = {
       enable = true;
       additionalModules =
-        lib.lists.optional cfg.debug pkgs.nginxModules.lua;
-      commonHttpConfig = lib.strings.optionalString cfg.debug ''
+        lib.mkIf cfg.debug pkgs.nginxModules.lua;
+      commonHttpConfig = lib.mkIf cfg.debug ''
         log_format kanidm escape=none '$request $status\n'
                                       '[Request body]: $request_body\n'
                                       '[Header]: $resp_header\n'
                                       '[Response Body]: $resp_body\n\n';
         lua_package_path "${lua_path}";
       '';
-      virtualHosts.${auth-fqdn} = {
+      virtualHosts.${passthru.auth-fqdn} = {
         useACMEHost = domain;
         forceSSL = true;
         locations."/" = {
-          extraConfig = lib.strings.optionalString cfg.debug ''
+          # be aware that such logging mechanism breaks Kanidm authentication
+          # (but authorization works)
+          extraConfig = lib.mkIf cfg.debug ''
             access_log /var/log/nginx/kanidm.log kanidm;
 
             lua_need_request_body on;
@@ -120,43 +123,27 @@ in
               end
             ';
           '';
-          proxyPass = "https://${passthru.kanidm-bind-address}";
+          proxyPass = "https://${kanidm-bind-address}";
         };
       };
     };
 
-    # TODO move to mailserver module everything below
-    mailserver.debug = cfg.debug; # FIXME
-    mailserver.mailDirectory = "/var/vmail";
-
-    mailserver.loginAccounts = lib.mkForce { };
-    mailserver.extraVirtualAliases = lib.mkForce { };
-    # LDAP is needed for Postfix to query Kanidm about email address ownership.
-    # LDAP is needed for Dovecot also.
-    mailserver.ldap = {
-      enable = false;
-      # bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
-      bind.dn = "dn=token";
-      # TODO change in this file should trigger system restart dovecot
-      bind.passwordFile = "/run/keys/dovecot/kanidm-service-account-token"; # FIXME
-
-      # searchBase = "ou=persons," + ldap_base_dn;
-      searchBase = ldap_base_dn; # TODO refine this
-
-      # NOTE: 127.0.0.1 instead of localhost does not work for unknown reason
-      uris = [ "ldaps://localhost:${toString kanidm_ldap_port}" ];
-    };
-
-    environment.systemPackages = lib.lists.optionals cfg.debug [
-      pkgs.shelldap
-      pkgs.openldap
-    ];
-
-    passthru.selfprivacy.auth = {
-      kanidm-bind-address = "127.0.0.1:3013";
+    passthru.selfprivacy.auth = rec {
+      auth-fqdn = cfg.subdomain + "." + domain;
       oauth2-introspection-url = client_id: client_secret:
         "https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect";
-      oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+      oauth2-discovery-url = client_id:
+        "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+      oauth2-provider-name = "kanidm";
+      oauth2-systemd-service = "kanidm.service";
+
+      # e.g. "dc=mydomain,dc=com"
+      ldap-base-dn =
+        lib.strings.concatMapStringsSep
+          ","
+          (x: "dc=" + x)
+          (lib.strings.splitString "." domain);
+      ldap-port = 3636;
     };
   };
 }