chore: restructure LDAP related nix files

This commit is contained in:
Alexander Tomokhov
2024-12-26 18:27:25 +04:00
parent 5d76f456c1
commit 3a904f599e
10 changed files with 178 additions and 240 deletions

View File

@@ -0,0 +1,25 @@
{ config, pkgs, ... }:
rec {
auth-passthru = config.passthru.selfprivacy.auth;
domain = config.selfprivacy.domain;
is-auth-enabled = config.selfprivacy.modules.auth.enable;
appendLdapBindPwd =
{ name, file, prefix, suffix ? "", passwordFile, destination }:
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
#!${pkgs.stdenv.shell}
set -euo pipefail
baseDir=$(dirname ${destination})
if (! test -d "$baseDir"); then
mkdir -p $baseDir
chmod 755 $baseDir
fi
cat ${file} > ${destination}
echo -n '${prefix}' >> ${destination}
cat ${passwordFile} >> ${destination}
echo -n '${suffix}' >> ${destination}
chmod 600 ${destination}
'';
}

View File

@@ -1,8 +1,11 @@
[
[ "mailserver" ],
[ "passthru", "selfprivacy", "auth" ],
[ "security", "acme", "certs" ],
[ "selfprivacy", "domain" ],
[ "selfprivacy", "hashedMasterPassword" ],
[ "selfprivacy", "modules", "auth", "enable" ],
[ "selfprivacy", "modules", "simple-nixos-mailserver" ],
[ "selfprivacy", "useBinds" ],
[ "selfprivacy", "username" ],
[ "selfprivacy", "users" ],
@@ -11,6 +14,5 @@
[ "services", "postfix", "group" ],
[ "services", "postfix", "user" ],
[ "services", "redis" ],
[ "services", "rspamd" ],
[ "selfprivacy", "modules", "simple-nixos-mailserver" ]
[ "services", "rspamd" ]
]

View File

@@ -1,6 +1,71 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
sp = config.selfprivacy;
inherit (import ./common.nix {inherit config pkgs;})
auth-passthru
domain
is-auth-enabled
;
mailserver-service-account-name = "sp.mailserver.service-account";
mailserver-service-account-token-name = "mailserver-service-account-token";
mailserver-service-account-token-fp =
"/run/keys/mailserver/kanidm-service-account-token"; # FIXME sync with auth module
kanidmExecStartPostScriptRoot = pkgs.writeShellScript
"mailserver-kanidm-ExecStartPost-root-script.sh"
''
# set-group-ID bit allows for kanidm user to create files,
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/mailserver
chown kanidm:kanidm /run/keys/mailserver
'';
kanidmExecStartPostScript = pkgs.writeShellScript
"mailserver-kanidm-ExecStartPost-script.sh"
''
export HOME=$RUNTIME_DIRECTORY/client_home
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
# get Kanidm service account for mailserver
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${mailserver-service-account-name}$")"
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
then
echo "kanidm service account \"${mailserver-service-account-name}\" is found"
else
echo "kanidm service account \"${mailserver-service-account-name}\" is not found"
echo "creating new kanidm service account \"${mailserver-service-account-name}\""
if $KANIDM service-account create --name idm_admin ${mailserver-service-account-name} ${mailserver-service-account-name} idm_admin
then
"kanidm service account \"${mailserver-service-account-name}\" created"
else
echo "error: cannot create kanidm service account \"${mailserver-service-account-name}\""
exit 1
fi
fi
# add Kanidm service account to `idm_mail_servers` group
$KANIDM group add-members idm_mail_servers ${mailserver-service-account-name}
# create a new read-only token for mailserver
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${mailserver-service-account-name} ${mailserver-service-account-token-name} --output json)"
then
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
exit 1
fi
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
then
echo "error: cannot get service-account API token from JSON"
exit 1
fi
if ! install --mode=640 \
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
${mailserver-service-account-token-fp}
then
echo "error: cannot write token to \"${mailserver-service-account-token-fp}\""
exit 1
fi
'';
in
lib.mkIf sp.modules.simple-nixos-mailserver.enable
{
@@ -42,7 +107,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
loginAccounts = lib.mkIf (!is-auth-enabled) ({
"${sp.username}@${sp.domain}" = {
hashedPassword = sp.hashedMasterPassword;
sieveScript = ''
@@ -69,9 +134,9 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
'';
};
})
sp.users);
sp.users));
extraVirtualAliases = {
extraVirtualAliases = lib.mkIf (!is-auth-enabled) {
"admin@${sp.domain}" = "${sp.username}@${sp.domain}";
};
@@ -90,6 +155,26 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
enableManageSieve = true;
virusScanning = false;
mailDirectory = "/var/vmail";
# LDAP is needed for Postfix to query Kanidm about email address ownership.
# LDAP is needed for Dovecot also.
ldap = lib.mkIf is-auth-enabled {
# false; otherwise, simple-nixos-mailserver enables auth via LDAP
enable = false;
# bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
bind.dn = "dn=token";
# TODO change in this file should trigger system restart dovecot
bind.passwordFile = "/run/keys/mailserver/kanidm-service-account-token"; # FIXME
# searchBase = "ou=persons," + ldap_base_dn;
searchBase = auth-passthru.ldap-base-dn; # TODO refine this
# NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS)
uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
};
};
systemd = {
@@ -99,6 +184,15 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
# FIXME set auth module option instead
kanidm.serviceConfig.ExecStartPost =
lib.mkIf is-auth-enabled
(lib.mkAfter
[
("+" + kanidmExecStartPostScriptRoot)
kanidmExecStartPostScript
]
);
};
slices."simple_nixos_mailserver" = {
name = "simple_nixos_mailserver.slice";

View File

@@ -10,6 +10,8 @@
mailserver.nixosModules.default
./options.nix
./config.nix
./ldap-postfix.nix
./ldap-dovecot.nix
];
};
configPathsNeeded =

View File

@@ -0,0 +1,131 @@
{ config, lib, pkgs, ... }@nixos-args:
let
inherit (import ./common.nix nixos-args)
appendLdapBindPwd
cfg
domain
auth-passthru
;
ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
mkLdapSearchScope = scope: (
if scope == "sub" then "subtree"
else if scope == "one" then "onelevel"
else scope
);
dovecot-ldap-config = pkgs.writeTextFile {
name = "dovecot-ldap.conf.ext.template";
text = ''
ldap_version = 3
uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
${lib.optionalString config.mailserver.ldap.startTls ''
tls = yes
''}
# tls_require_cert = hard
# tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
dn = ${config.mailserver.ldap.bind.dn}
sasl_bind = no
auth_bind = no
base = ${config.mailserver.ldap.searchBase}
scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
''}
user_filter = ${config.mailserver.ldap.dovecot.userFilter}
'';
};
setPwdInLdapConfFile = appendLdapBindPwd {
name = "ldap-conf-file";
file = dovecot-ldap-config;
prefix = ''dnpass = "'';
suffix = ''"'';
passwordFile = config.mailserver.ldap.bind.passwordFile;
destination = ldapConfFile;
};
dovecot-oauth2-conf-file = pkgs.writeTextFile {
name = "dovecot-oauth2.conf.ext";
text = ''
introspection_mode = post
introspection_url = ${auth-passthru.oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
client_id = roundcube
client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
username_attribute = username
scope = email profile openid
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
openid_configuration_url = ${auth-passthru.oauth2-discovery-url "roundcube"}
debug = "no"
'';
};
in
lib.mkIf config.selfprivacy.modules.auth.enable {
mailserver.ldap = {
# note: in `ldapsearch` first comes filter, then attributes
dovecot.userAttrs = "+"; # all operational attributes
# TODO: investigate whether "mail=%u" is better than:
# dovecot.userFilter = "(&(class=person)(uid=%n))";
};
services.dovecot2.extraConfig = ''
auth_mechanisms = xoauth2 oauthbearer
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = ${dovecot-oauth2-conf-file}
}
userdb {
driver = static
args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
}
# provide SASL via unix socket to postfix
service auth {
unix_listener /var/lib/postfix/private-auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth {
unix_listener auth-userdb {
mode = 0660
user = dovecot2
}
unix_listener dovecot-auth {
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
}
userdb {
driver = ldap
args = ${ldapConfFile}
default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
}
#auth_username_format = %Ln
# FIXME
auth_debug = yes
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
auth_verbose = yes
mail_debug = yes
'';
services.dovecot2.enablePAM = false;
systemd.services.dovecot2 = {
# TODO does it merge with existing preStart?
preStart = setPwdInLdapConfFile + "\n";
# FIXME pass dependant services to auth module option instead
wants = [ "kanidm.service" ];
after = [ "kanidm.service" ];
};
# does it merge with existing restartTriggers?
systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
}

View File

@@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }@nixos-args:
let
inherit (import ./common.nix nixos-args)
appendLdapBindPwd
auth-passthru
;
cfg = config.mailserver;
ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
submissionOptions.smtpd_sender_login_maps =
lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
commonLdapConfig = ''
server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
version = 3
# tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
# tls_require_cert = yes
search_base = ${cfg.ldap.searchBase}
scope = ${cfg.ldap.searchScope}
bind = yes
bind_dn = ${cfg.ldap.bind.dn}
'';
ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
${commonLdapConfig}
query_filter = ${cfg.ldap.postfix.filter}
result_attribute = ${cfg.ldap.postfix.mailAttribute}
'';
appendPwdInSenderLoginMap = appendLdapBindPwd {
name = "ldap-sender-login-map";
file = ldapSenderLoginMap;
prefix = "bind_pw = ";
passwordFile = cfg.ldap.bind.passwordFile;
destination = ldapSenderLoginMapFile;
};
ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
${commonLdapConfig}
query_filter = ${cfg.ldap.postfix.filter}
result_attribute = ${cfg.ldap.postfix.uidAttribute}
'';
ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
appendPwdInVirtualMailboxMap = appendLdapBindPwd {
name = "ldap-virtual-mailbox-map";
file = ldapVirtualMailboxMap;
prefix = "bind_pw = ";
passwordFile = cfg.ldap.bind.passwordFile;
destination = ldapVirtualMailboxMapFile;
};
in
lib.mkIf config.selfprivacy.modules.auth.enable {
mailserver.ldap = {
postfix.mailAttribute = "mail";
postfix.uidAttribute = "uid";
};
systemd.services.postfix-setup = {
preStart = ''
${appendPwdInVirtualMailboxMap}
${appendPwdInSenderLoginMap}
'';
restartTriggers =
[ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
wants = [ auth-passthru.oauth2-systemd-service ];
after = [ "kanidm.service" ];
};
services.postfix = {
# the list should be merged with other options from nixos-mailserver
config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
inherit submissionOptions;
submissionsOptions = submissionOptions;
# extraConfig = ''
# debug_peer_list =
# debug_peer_level = 3
# smtp_tls_security_level = encrypt
# '';
};
}