thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: restructure LDAP related nix files

Browse Source
This commit is contained in:
Alexander Tomokhov
2024-12-26 18:27:25 +04:00
parent 5d76f456c1
commit 3a904f599e
10 changed files with 178 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
sp-modules/simple-nixos-mailserver/ldap-dovecot.nix Normal file
View File

@@ -0,0 +1,131 @@
{ config, lib, pkgs, ... }@nixos-args:
let
inherit (import ./common.nix nixos-args)
appendLdapBindPwd
cfg
domain
auth-passthru
;
ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
mkLdapSearchScope = scope: (
if scope == "sub" then "subtree"
else if scope == "one" then "onelevel"
else scope
);
dovecot-ldap-config = pkgs.writeTextFile {
name = "dovecot-ldap.conf.ext.template";
text = ''
ldap_version = 3
uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
${lib.optionalString config.mailserver.ldap.startTls ''
tls = yes
''}
# tls_require_cert = hard
# tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
dn = ${config.mailserver.ldap.bind.dn}
sasl_bind = no
auth_bind = no
base = ${config.mailserver.ldap.searchBase}
scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
''}
user_filter = ${config.mailserver.ldap.dovecot.userFilter}
'';
};
setPwdInLdapConfFile = appendLdapBindPwd {
name = "ldap-conf-file";
file = dovecot-ldap-config;
prefix = ''dnpass = "'';
suffix = ''"'';
passwordFile = config.mailserver.ldap.bind.passwordFile;
destination = ldapConfFile;
};
dovecot-oauth2-conf-file = pkgs.writeTextFile {
name = "dovecot-oauth2.conf.ext";
text = ''
introspection_mode = post
introspection_url = ${auth-passthru.oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
client_id = roundcube
client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
username_attribute = username
scope = email profile openid
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
openid_configuration_url = ${auth-passthru.oauth2-discovery-url "roundcube"}
debug = "no"
'';
};
in
lib.mkIf config.selfprivacy.modules.auth.enable {
mailserver.ldap = {
# note: in `ldapsearch` first comes filter, then attributes
dovecot.userAttrs = "+"; # all operational attributes
# TODO: investigate whether "mail=%u" is better than:
# dovecot.userFilter = "(&(class=person)(uid=%n))";
};
services.dovecot2.extraConfig = ''
auth_mechanisms = xoauth2 oauthbearer
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = ${dovecot-oauth2-conf-file}
}
userdb {
driver = static
args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
}
# provide SASL via unix socket to postfix
service auth {
unix_listener /var/lib/postfix/private-auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth {
unix_listener auth-userdb {
mode = 0660
user = dovecot2
}
unix_listener dovecot-auth {
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
}
userdb {
driver = ldap
args = ${ldapConfFile}
default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
}
#auth_username_format = %Ln
# FIXME
auth_debug = yes
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
auth_verbose = yes
mail_debug = yes
'';
services.dovecot2.enablePAM = false;
systemd.services.dovecot2 = {
# TODO does it merge with existing preStart?
preStart = setPwdInLdapConfFile + "\n";
# FIXME pass dependant services to auth module option instead
wants = [ "kanidm.service" ];
after = [ "kanidm.service" ];
};
# does it merge with existing restartTriggers?
systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
}