SP modules do not depend on selfprivacy.modules.auth

2025-02-03 02:03:20 +04:00
parent ea443d2150
commit 65548a1e73
4 changed files with 322 additions and 336 deletions
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.roundcube;
@@ -82,61 +82,58 @@ in
      systemd.services.roundcube.after = [ "dovecot2.service" ];
    }
    # the following part is active only when "auth" module is enabled
-    (lib.attrsets.optionalAttrs
-      (options.selfprivacy.modules ? "auth")
-      (lib.mkIf is-auth-enabled {
-        # for phpfpm-roundcube to have access to get through /run/keys directory
-        users.groups.keys.members = [ user ];
-        services.roundcube.extraConfig = lib.mkAfter ''
-          $config['oauth_provider'] = 'generic';
-          $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
-          $config['oauth_client_id'] = '${oauth-donor.oauth-client-id}';
-          $config['oauth_client_secret'] = file_get_contents('${kanidm-oauth-client-secret-fp}');
-          $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
-          $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
-          $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-donor.oauth-client-id}/userinfo';
-          $config['oauth_scope'] = 'email profile openid'; # FIXME
-          $config['oauth_auth_parameters'] = [];
-          $config['oauth_identity_fields'] = ['email'];
-          $config['oauth_login_redirect'] = true;
-          $config['auto_create_user'] = true;
-          $config['oauth_verify_peer'] = false; # FIXME
-          # $config['oauth_pkce'] = 'S256'; # FIXME
-        '';
-        systemd.services.roundcube = {
-          after = [ auth-passthru.oauth2-systemd-service ];
-          requires = [ auth-passthru.oauth2-systemd-service ];
+    (lib.mkIf is-auth-enabled {
+      # for phpfpm-roundcube to have access to get through /run/keys directory
+      users.groups.keys.members = [ user ];
+      services.roundcube.extraConfig = lib.mkAfter ''
+        $config['oauth_provider'] = 'generic';
+        $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
+        $config['oauth_client_id'] = '${oauth-donor.oauth-client-id}';
+        $config['oauth_client_secret'] = file_get_contents('${kanidm-oauth-client-secret-fp}');
+        $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
+        $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
+        $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-donor.oauth-client-id}/userinfo';
+        $config['oauth_scope'] = 'email profile openid'; # FIXME
+        $config['oauth_auth_parameters'] = [];
+        $config['oauth_identity_fields'] = ['email'];
+        $config['oauth_login_redirect'] = true;
+        $config['auto_create_user'] = true;
+        $config['oauth_verify_peer'] = false; # FIXME
+        # $config['oauth_pkce'] = 'S256'; # FIXME
+      '';
+      systemd.services.roundcube = {
+        after = [ auth-passthru.oauth2-systemd-service ];
+        requires = [ auth-passthru.oauth2-systemd-service ];
+      };
+      systemd.services.kanidm = {
+        serviceConfig.ExecStartPre = lib.mkBefore [
+          ("-+" + kanidmExecStartPreScriptRoot)
+        ];
+      };
+      services.kanidm.provision = {
+        groups = {
+          "sp.roundcube.admins".members = [ auth-passthru.admins-group ];
+          "sp.roundcube.users".members =
+            [ "sp.roundcube.admins" auth-passthru.full-users-group ];
        };
-        systemd.services.kanidm = {
-          serviceConfig.ExecStartPre = lib.mkBefore [
-            ("-+" + kanidmExecStartPreScriptRoot)
-          ];
-        };
-        services.kanidm.provision = {
-          groups = {
-            "sp.roundcube.admins".members = [ auth-passthru.admins-group ];
-            "sp.roundcube.users".members =
-              [ "sp.roundcube.admins" auth-passthru.full-users-group ];
-          };
-          systems.oauth2.${oauth-donor.oauth-client-id} = {
-            displayName = "Roundcube";
-            originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
-            originLanding = "https://${cfg.subdomain}.${domain}/";
-            basicSecretFile = kanidm-oauth-client-secret-fp;
-            # when true, name is passed to a service instead of name@domain
-            preferShortUsername = false;
-            allowInsecureClientDisablePkce = true; # FIXME is it needed?
-            scopeMaps = {
-              "sp.roundcube.users" = [
-                "email"
-                "openid"
-                "profile"
-              ];
-            };
-            removeOrphanedClaimMaps = true;
+        systems.oauth2.${oauth-donor.oauth-client-id} = {
+          displayName = "Roundcube";
+          originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
+          originLanding = "https://${cfg.subdomain}.${domain}/";
+          basicSecretFile = kanidm-oauth-client-secret-fp;
+          # when true, name is passed to a service instead of name@domain
+          preferShortUsername = false;
+          allowInsecureClientDisablePkce = true; # FIXME is it needed?
+          scopeMaps = {
+            "sp.roundcube.users" = [
+              "email"
+              "openid"
+              "profile"
+            ];
          };
+          removeOrphanedClaimMaps = true;
        };
-      })
-    )
+      };
+    })
  ]);
 }