thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix roundcube: OAuth secret, ExecStartPost ignore failure

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-15 18:03:19 +04:00
parent 89d788aab2
commit 56fe5690c1
2 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
sp-modules/roundcube/config-paths-needed.json
View File

@@ -2,6 +2,7 @@
[ "mailserver", "fqdn" ], [ "mailserver", "fqdn" ],
[ "passthru", "selfprivacy", "auth", "auth-fqdn" ], [ "passthru", "selfprivacy", "auth", "auth-fqdn" ],
[ "passthru", "selfprivacy", "auth", "oauth2-provider-name" ], [ "passthru", "selfprivacy", "auth", "oauth2-provider-name" ],
[ "passthru", "selfprivacy", "auth", "oauth2-systemd-service" ],
[ "selfprivacy", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "modules", "auth" ], [ "selfprivacy", "modules", "auth" ],
[ "selfprivacy", "modules", "roundcube" ] [ "selfprivacy", "modules", "roundcube" ]

28
sp-modules/roundcube/module.nix
View File

@@ -6,6 +6,22 @@ let
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
auth-fqdn = auth-passthru.auth-fqdn; auth-fqdn = auth-passthru.auth-fqdn;
oauth-client-id = "roundcube"; oauth-client-id = "roundcube";
roundcube-group = "roundcube";
kanidmExecStartPreScriptRoot = pkgs.writeShellScript
"${oauth-client-id}-kanidm-ExecStartPre-root-script.sh"
''
# set-group-ID bit allows for kanidm user to create files,
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${oauth-client-id}
chown kanidm:${roundcube-group} /run/keys/${oauth-client-id}
'';
kanidm-oauth-client-secret-fp =
"/run/keys/${oauth-client-id}/kanidm-oauth-client-secret";
kanidmExecStartPreScript = pkgs.writeShellScript
"${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
set -o xtrace
[ -f "${kanidm-oauth-client-secret-fp}" ] || \
"${lib.getExe pkgs.openssl}" rand -base64 -out "${kanidm-oauth-client-secret-fp}" 32
'';
in in
{ {
options.selfprivacy.modules.roundcube = { options.selfprivacy.modules.roundcube = {
@@ -48,7 +64,7 @@ in
$config['oauth_provider'] = 'generic'; $config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}'; $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}'; $config['oauth_client_id'] = '${oauth-client-id}';
$config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME $config['oauth_client_secret'] = "$(<${kanidm-oauth-client-secret-fp})";
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2'; $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token'; $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo'; $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
@@ -70,6 +86,14 @@ in
systemd.slices.roundcube.description = "Roundcube service slice"; systemd.slices.roundcube.description = "Roundcube service slice";
systemd.services.kanidm = lib.mkIf is-auth-enabled {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = lib.mkIf is-auth-enabled { services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = { groups = {
"sp.roundcube.admins".members = [ "sp.admins" ]; "sp.roundcube.admins".members = [ "sp.admins" ];
@@ -79,7 +103,7 @@ in
displayName = "Roundcube"; displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth"; originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/"; originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain # when true, name is passed to a service instead of name@domain
preferShortUsername = false; preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed? allowInsecureClientDisablePkce = true; # FIXME is it needed?