roundcube,auth: migrate to auth module

2025-04-17 12:48:02 +04:00
parent 46971cd2be
commit 5f9be4130e
2 changed files with 41 additions and 45 deletions
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@@ -3,11 +3,9 @@
  [ "selfprivacy", "domain" ],
  [ "selfprivacy", "modules", "auth" ],
  [ "selfprivacy", "modules", "roundcube" ],
  [ "selfprivacy", "passthru", "auth", "admins-group" ],
  [ "selfprivacy", "passthru", "auth", "auth-fqdn" ],
-  [ "selfprivacy", "passthru", "auth", "full-users-group" ],
+  [ "selfprivacy", "passthru", "auth", "mkOAuth2ClientSecretFP" ],
  [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
  [ "selfprivacy", "passthru", "auth", "oauth2-systemd-service" ],
  [ "selfprivacy", "passthru", "mailserver", "oauth-client-id" ],
  [ "selfprivacy", "passthru", "mailserver", "oauth-client-secret-fp" ],
  [ "selfprivacy", "sso", "enable" ]
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -5,20 +5,24 @@ let
  is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
  auth-passthru = config.selfprivacy.passthru.auth;
  auth-fqdn = auth-passthru.auth-fqdn;
  linuxUserOfService = "roundcube";
  linuxGroupOfService = "roundcube";
  sp-module-name = "roundcube";
-  user = "roundcube";
+
-  group = "roundcube";
+  # SelfPrivacy uses SP Module ID to identify the group!
  adminsGroup = "sp.${sp-module-name}.admins";
  usersGroup = "sp.${sp-module-name}.users";
  oauth-donor = config.selfprivacy.passthru.mailserver;
-  kanidm-oauth-client-secret-fp =
+  oauthClientSecretFP =
-    "/run/keys/${group}/kanidm-oauth-client-secret";
+    auth-passthru.mkOAuth2ClientSecretFP linuxGroupOfService;
  # copy client secret from mailserver
  kanidmExecStartPreScriptRoot = pkgs.writeShellScript
    "${sp-module-name}-kanidm-ExecStartPre-root-script.sh"
    ''
-      # set-group-ID bit allows for kanidm user to create files inheriting group
+      install -v -m640 -o kanidm -g ${linuxGroupOfService} ${oauth-donor.oauth-client-secret-fp} ${oauthClientSecretFP}
      mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${group}
      chown kanidm:${group} /run/keys/${group}
      install -v -m640 -o kanidm -g ${group} ${oauth-donor.oauth-client-secret-fp} ${kanidm-oauth-client-secret-fp}
    '';
 in
 {
@@ -91,53 +95,47 @@ in
    }
    # the following part is active only when "auth" module is enabled
    (lib.mkIf is-auth-enabled {
      # for phpfpm-roundcube to have access to get through /run/keys directory
      users.groups.keys.members = [ user ];
      services.roundcube.extraConfig = lib.mkAfter ''
        $config['oauth_provider'] = 'generic';
        $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
        $config['oauth_client_id'] = '${oauth-donor.oauth-client-id}';
-        $config['oauth_client_secret'] = file_get_contents('${kanidm-oauth-client-secret-fp}');
+        $config['oauth_client_secret'] = file_get_contents('${oauthClientSecretFP}');
        $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
        $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
        $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-donor.oauth-client-id}/userinfo';
-        $config['oauth_scope'] = 'email profile openid'; # FIXME
+        $config['oauth_scope'] = 'email profile openid';
        $config['oauth_auth_parameters'] = [];
        $config['oauth_identity_fields'] = ['email'];
        $config['oauth_login_redirect'] = true;
        $config['auto_create_user'] = true;
      '';
      systemd.services.roundcube = {
-        after = [ auth-passthru.oauth2-systemd-service ];
+        after = [ "dovecot2.service" ];
-        requires = [ auth-passthru.oauth2-systemd-service "dovecot2.service" ];
+        requires = [ "dovecot2.service" ];
      };
-      systemd.services.kanidm = {
+      systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkAfter [
-        serviceConfig.ExecStartPre = lib.mkAfter [
+        ("-+" + kanidmExecStartPreScriptRoot)
-          ("-+" + kanidmExecStartPreScriptRoot)
+      ];
-        ];
+
-      };
+      selfprivacy.auth.clients."${oauth-donor.oauth-client-id}" = {
-      services.kanidm.provision = {
+        inherit adminsGroup usersGroup;
-        groups = {
+        imageFile = ./icon.svg;
-          "sp.roundcube.admins".members = [ auth-passthru.admins-group ];
+        displayName = "Roundcube";
-          "sp.roundcube.users".members =
+        subdomain = cfg.subdomain;
-            [ "sp.roundcube.admins" auth-passthru.full-users-group ];
+        isTokenNeeded = true;
-        };
+        originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
-        systems.oauth2.${oauth-donor.oauth-client-id} = {
+        originLanding = "https://${cfg.subdomain}.${domain}/";
-          displayName = "Roundcube";
+        useShortPreferredUsername = false;
-          originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
+        clientSystemdUnits = [ "phpfpm-roundcube.service" ];
-          originLanding = "https://${cfg.subdomain}.${domain}/";
+        enablePkce = false;
-          basicSecretFile = kanidm-oauth-client-secret-fp;
+        linuxUserOfClient = linuxUserOfService;
-          # when true, name is passed to a service instead of name@domain
+        linuxGroupOfClient = linuxGroupOfService;
-          preferShortUsername = false;
+        scopeMaps = {
-          allowInsecureClientDisablePkce = true; # FIXME is it needed?
+          "${usersGroup}" = [
-          scopeMaps = {
+            "email"
-            "sp.roundcube.users" = [
+            "openid"
-              "email"
+            "profile"
-              "openid"
+          ];
              "profile"
            ];
          };
          removeOrphanedClaimMaps = true;
        };
      };
    })