chore: restructure LDAP related nix files
This commit is contained in:
25
sp-modules/simple-nixos-mailserver/common.nix
Normal file
25
sp-modules/simple-nixos-mailserver/common.nix
Normal file
@@ -0,0 +1,25 @@
|
||||
{ config, pkgs, ... }:
|
||||
rec {
|
||||
auth-passthru = config.passthru.selfprivacy.auth;
|
||||
domain = config.selfprivacy.domain;
|
||||
is-auth-enabled = config.selfprivacy.modules.auth.enable;
|
||||
|
||||
appendLdapBindPwd =
|
||||
{ name, file, prefix, suffix ? "", passwordFile, destination }:
|
||||
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
set -euo pipefail
|
||||
|
||||
baseDir=$(dirname ${destination})
|
||||
if (! test -d "$baseDir"); then
|
||||
mkdir -p $baseDir
|
||||
chmod 755 $baseDir
|
||||
fi
|
||||
|
||||
cat ${file} > ${destination}
|
||||
echo -n '${prefix}' >> ${destination}
|
||||
cat ${passwordFile} >> ${destination}
|
||||
echo -n '${suffix}' >> ${destination}
|
||||
chmod 600 ${destination}
|
||||
'';
|
||||
}
|
@@ -1,8 +1,11 @@
|
||||
[
|
||||
[ "mailserver" ],
|
||||
[ "passthru", "selfprivacy", "auth" ],
|
||||
[ "security", "acme", "certs" ],
|
||||
[ "selfprivacy", "domain" ],
|
||||
[ "selfprivacy", "hashedMasterPassword" ],
|
||||
[ "selfprivacy", "modules", "auth", "enable" ],
|
||||
[ "selfprivacy", "modules", "simple-nixos-mailserver" ],
|
||||
[ "selfprivacy", "useBinds" ],
|
||||
[ "selfprivacy", "username" ],
|
||||
[ "selfprivacy", "users" ],
|
||||
@@ -11,6 +14,5 @@
|
||||
[ "services", "postfix", "group" ],
|
||||
[ "services", "postfix", "user" ],
|
||||
[ "services", "redis" ],
|
||||
[ "services", "rspamd" ],
|
||||
[ "selfprivacy", "modules", "simple-nixos-mailserver" ]
|
||||
[ "services", "rspamd" ]
|
||||
]
|
||||
|
@@ -1,6 +1,71 @@
|
||||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
sp = config.selfprivacy;
|
||||
|
||||
inherit (import ./common.nix {inherit config pkgs;})
|
||||
auth-passthru
|
||||
domain
|
||||
is-auth-enabled
|
||||
;
|
||||
|
||||
mailserver-service-account-name = "sp.mailserver.service-account";
|
||||
mailserver-service-account-token-name = "mailserver-service-account-token";
|
||||
mailserver-service-account-token-fp =
|
||||
"/run/keys/mailserver/kanidm-service-account-token"; # FIXME sync with auth module
|
||||
kanidmExecStartPostScriptRoot = pkgs.writeShellScript
|
||||
"mailserver-kanidm-ExecStartPost-root-script.sh"
|
||||
''
|
||||
# set-group-ID bit allows for kanidm user to create files,
|
||||
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/mailserver
|
||||
chown kanidm:kanidm /run/keys/mailserver
|
||||
'';
|
||||
kanidmExecStartPostScript = pkgs.writeShellScript
|
||||
"mailserver-kanidm-ExecStartPost-script.sh"
|
||||
''
|
||||
export HOME=$RUNTIME_DIRECTORY/client_home
|
||||
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
|
||||
|
||||
# get Kanidm service account for mailserver
|
||||
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${mailserver-service-account-name}$")"
|
||||
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
|
||||
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
|
||||
then
|
||||
echo "kanidm service account \"${mailserver-service-account-name}\" is found"
|
||||
else
|
||||
echo "kanidm service account \"${mailserver-service-account-name}\" is not found"
|
||||
echo "creating new kanidm service account \"${mailserver-service-account-name}\""
|
||||
if $KANIDM service-account create --name idm_admin ${mailserver-service-account-name} ${mailserver-service-account-name} idm_admin
|
||||
then
|
||||
"kanidm service account \"${mailserver-service-account-name}\" created"
|
||||
else
|
||||
echo "error: cannot create kanidm service account \"${mailserver-service-account-name}\""
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# add Kanidm service account to `idm_mail_servers` group
|
||||
$KANIDM group add-members idm_mail_servers ${mailserver-service-account-name}
|
||||
|
||||
# create a new read-only token for mailserver
|
||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${mailserver-service-account-name} ${mailserver-service-account-token-name} --output json)"
|
||||
then
|
||||
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
||||
exit 1
|
||||
fi
|
||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
|
||||
then
|
||||
echo "error: cannot get service-account API token from JSON"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! install --mode=640 \
|
||||
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
|
||||
${mailserver-service-account-token-fp}
|
||||
then
|
||||
echo "error: cannot write token to \"${mailserver-service-account-token-fp}\""
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
in
|
||||
lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||
{
|
||||
@@ -42,7 +107,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# mkpasswd -m sha-512 "super secret password"
|
||||
loginAccounts = {
|
||||
loginAccounts = lib.mkIf (!is-auth-enabled) ({
|
||||
"${sp.username}@${sp.domain}" = {
|
||||
hashedPassword = sp.hashedMasterPassword;
|
||||
sieveScript = ''
|
||||
@@ -69,9 +134,9 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||
'';
|
||||
};
|
||||
})
|
||||
sp.users);
|
||||
sp.users));
|
||||
|
||||
extraVirtualAliases = {
|
||||
extraVirtualAliases = lib.mkIf (!is-auth-enabled) {
|
||||
"admin@${sp.domain}" = "${sp.username}@${sp.domain}";
|
||||
};
|
||||
|
||||
@@ -90,6 +155,26 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||
enableManageSieve = true;
|
||||
|
||||
virusScanning = false;
|
||||
|
||||
mailDirectory = "/var/vmail";
|
||||
|
||||
# LDAP is needed for Postfix to query Kanidm about email address ownership.
|
||||
# LDAP is needed for Dovecot also.
|
||||
ldap = lib.mkIf is-auth-enabled {
|
||||
# false; otherwise, simple-nixos-mailserver enables auth via LDAP
|
||||
enable = false;
|
||||
|
||||
# bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
|
||||
bind.dn = "dn=token";
|
||||
# TODO change in this file should trigger system restart dovecot
|
||||
bind.passwordFile = "/run/keys/mailserver/kanidm-service-account-token"; # FIXME
|
||||
|
||||
# searchBase = "ou=persons," + ldap_base_dn;
|
||||
searchBase = auth-passthru.ldap-base-dn; # TODO refine this
|
||||
|
||||
# NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS)
|
||||
uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
@@ -99,6 +184,15 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||
rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
||||
redis-rspamd.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
||||
opendkim.serviceConfig.Slice = "simple_nixos_mailserver.slice";
|
||||
# FIXME set auth module option instead
|
||||
kanidm.serviceConfig.ExecStartPost =
|
||||
lib.mkIf is-auth-enabled
|
||||
(lib.mkAfter
|
||||
[
|
||||
("+" + kanidmExecStartPostScriptRoot)
|
||||
kanidmExecStartPostScript
|
||||
]
|
||||
);
|
||||
};
|
||||
slices."simple_nixos_mailserver" = {
|
||||
name = "simple_nixos_mailserver.slice";
|
||||
|
@@ -10,6 +10,8 @@
|
||||
mailserver.nixosModules.default
|
||||
./options.nix
|
||||
./config.nix
|
||||
./ldap-postfix.nix
|
||||
./ldap-dovecot.nix
|
||||
];
|
||||
};
|
||||
configPathsNeeded =
|
||||
|
131
sp-modules/simple-nixos-mailserver/ldap-dovecot.nix
Normal file
131
sp-modules/simple-nixos-mailserver/ldap-dovecot.nix
Normal file
@@ -0,0 +1,131 @@
|
||||
{ config, lib, pkgs, ... }@nixos-args:
|
||||
let
|
||||
inherit (import ./common.nix nixos-args)
|
||||
appendLdapBindPwd
|
||||
cfg
|
||||
domain
|
||||
auth-passthru
|
||||
;
|
||||
|
||||
ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
|
||||
mkLdapSearchScope = scope: (
|
||||
if scope == "sub" then "subtree"
|
||||
else if scope == "one" then "onelevel"
|
||||
else scope
|
||||
);
|
||||
dovecot-ldap-config = pkgs.writeTextFile {
|
||||
name = "dovecot-ldap.conf.ext.template";
|
||||
text = ''
|
||||
ldap_version = 3
|
||||
uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
|
||||
${lib.optionalString config.mailserver.ldap.startTls ''
|
||||
tls = yes
|
||||
''}
|
||||
# tls_require_cert = hard
|
||||
# tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
|
||||
dn = ${config.mailserver.ldap.bind.dn}
|
||||
sasl_bind = no
|
||||
auth_bind = no
|
||||
base = ${config.mailserver.ldap.searchBase}
|
||||
scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
|
||||
${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
|
||||
user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
|
||||
''}
|
||||
user_filter = ${config.mailserver.ldap.dovecot.userFilter}
|
||||
'';
|
||||
};
|
||||
setPwdInLdapConfFile = appendLdapBindPwd {
|
||||
name = "ldap-conf-file";
|
||||
file = dovecot-ldap-config;
|
||||
prefix = ''dnpass = "'';
|
||||
suffix = ''"'';
|
||||
passwordFile = config.mailserver.ldap.bind.passwordFile;
|
||||
destination = ldapConfFile;
|
||||
};
|
||||
dovecot-oauth2-conf-file = pkgs.writeTextFile {
|
||||
name = "dovecot-oauth2.conf.ext";
|
||||
text = ''
|
||||
introspection_mode = post
|
||||
introspection_url = ${auth-passthru.oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
|
||||
client_id = roundcube
|
||||
client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
|
||||
username_attribute = username
|
||||
scope = email profile openid
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
active_attribute = active
|
||||
active_value = true
|
||||
openid_configuration_url = ${auth-passthru.oauth2-discovery-url "roundcube"}
|
||||
debug = "no"
|
||||
'';
|
||||
};
|
||||
in
|
||||
lib.mkIf config.selfprivacy.modules.auth.enable {
|
||||
mailserver.ldap = {
|
||||
# note: in `ldapsearch` first comes filter, then attributes
|
||||
dovecot.userAttrs = "+"; # all operational attributes
|
||||
# TODO: investigate whether "mail=%u" is better than:
|
||||
# dovecot.userFilter = "(&(class=person)(uid=%n))";
|
||||
};
|
||||
|
||||
services.dovecot2.extraConfig = ''
|
||||
auth_mechanisms = xoauth2 oauthbearer
|
||||
|
||||
passdb {
|
||||
driver = oauth2
|
||||
mechanisms = xoauth2 oauthbearer
|
||||
args = ${dovecot-oauth2-conf-file}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
|
||||
}
|
||||
|
||||
# provide SASL via unix socket to postfix
|
||||
service auth {
|
||||
unix_listener /var/lib/postfix/private-auth {
|
||||
mode = 0660
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
service auth {
|
||||
unix_listener auth-userdb {
|
||||
mode = 0660
|
||||
user = dovecot2
|
||||
}
|
||||
unix_listener dovecot-auth {
|
||||
mode = 0660
|
||||
# Assuming the default Postfix user and group
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = ldap
|
||||
args = ${ldapConfFile}
|
||||
default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
|
||||
}
|
||||
|
||||
#auth_username_format = %Ln
|
||||
|
||||
# FIXME
|
||||
auth_debug = yes
|
||||
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
|
||||
auth_verbose = yes
|
||||
mail_debug = yes
|
||||
'';
|
||||
services.dovecot2.enablePAM = false;
|
||||
systemd.services.dovecot2 = {
|
||||
# TODO does it merge with existing preStart?
|
||||
preStart = setPwdInLdapConfFile + "\n";
|
||||
# FIXME pass dependant services to auth module option instead
|
||||
wants = [ "kanidm.service" ];
|
||||
after = [ "kanidm.service" ];
|
||||
};
|
||||
|
||||
# does it merge with existing restartTriggers?
|
||||
systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
|
||||
|
||||
}
|
79
sp-modules/simple-nixos-mailserver/ldap-postfix.nix
Normal file
79
sp-modules/simple-nixos-mailserver/ldap-postfix.nix
Normal file
@@ -0,0 +1,79 @@
|
||||
{ config, lib, pkgs, ... }@nixos-args:
|
||||
let
|
||||
inherit (import ./common.nix nixos-args)
|
||||
appendLdapBindPwd
|
||||
auth-passthru
|
||||
;
|
||||
|
||||
cfg = config.mailserver;
|
||||
|
||||
ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
|
||||
submissionOptions.smtpd_sender_login_maps =
|
||||
lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
|
||||
commonLdapConfig = ''
|
||||
server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
|
||||
start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
|
||||
version = 3
|
||||
# tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
|
||||
# tls_require_cert = yes
|
||||
|
||||
search_base = ${cfg.ldap.searchBase}
|
||||
scope = ${cfg.ldap.searchScope}
|
||||
|
||||
bind = yes
|
||||
bind_dn = ${cfg.ldap.bind.dn}
|
||||
'';
|
||||
ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
|
||||
${commonLdapConfig}
|
||||
query_filter = ${cfg.ldap.postfix.filter}
|
||||
result_attribute = ${cfg.ldap.postfix.mailAttribute}
|
||||
'';
|
||||
appendPwdInSenderLoginMap = appendLdapBindPwd {
|
||||
name = "ldap-sender-login-map";
|
||||
file = ldapSenderLoginMap;
|
||||
prefix = "bind_pw = ";
|
||||
passwordFile = cfg.ldap.bind.passwordFile;
|
||||
destination = ldapSenderLoginMapFile;
|
||||
};
|
||||
|
||||
ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
|
||||
${commonLdapConfig}
|
||||
query_filter = ${cfg.ldap.postfix.filter}
|
||||
result_attribute = ${cfg.ldap.postfix.uidAttribute}
|
||||
'';
|
||||
ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
|
||||
appendPwdInVirtualMailboxMap = appendLdapBindPwd {
|
||||
name = "ldap-virtual-mailbox-map";
|
||||
file = ldapVirtualMailboxMap;
|
||||
prefix = "bind_pw = ";
|
||||
passwordFile = cfg.ldap.bind.passwordFile;
|
||||
destination = ldapVirtualMailboxMapFile;
|
||||
};
|
||||
in
|
||||
lib.mkIf config.selfprivacy.modules.auth.enable {
|
||||
mailserver.ldap = {
|
||||
postfix.mailAttribute = "mail";
|
||||
postfix.uidAttribute = "uid";
|
||||
};
|
||||
systemd.services.postfix-setup = {
|
||||
preStart = ''
|
||||
${appendPwdInVirtualMailboxMap}
|
||||
${appendPwdInSenderLoginMap}
|
||||
'';
|
||||
restartTriggers =
|
||||
[ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
|
||||
wants = [ auth-passthru.oauth2-systemd-service ];
|
||||
after = [ "kanidm.service" ];
|
||||
};
|
||||
services.postfix = {
|
||||
# the list should be merged with other options from nixos-mailserver
|
||||
config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
|
||||
inherit submissionOptions;
|
||||
submissionsOptions = submissionOptions;
|
||||
# extraConfig = ''
|
||||
# debug_peer_list =
|
||||
# debug_peer_level = 3
|
||||
# smtp_tls_security_level = encrypt
|
||||
# '';
|
||||
};
|
||||
}
|
Reference in New Issue
Block a user