thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SP modules do not depend on selfprivacy.modules.auth

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-02-03 02:03:20 +04:00
parent ea443d2150
commit 65548a1e73
4 changed files with 322 additions and 336 deletions
Download Patch File Download Diff File Expand all files Collapse all files

267
sp-modules/gitea/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, options, pkgs, ... }: { config, lib, pkgs, ... }:
let let
sp = config.selfprivacy; sp = config.selfprivacy;
stateDir = stateDir =
@@ -309,152 +309,149 @@ in
}; };
} }
# the following part is active only when "auth" module is enabled # the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs (lib.mkIf is-auth-enabled {
(options.selfprivacy.modules ? "auth") services.forgejo.settings = {
(lib.mkIf is-auth-enabled { auth.DISABLE_LOGIN_FORM = true;
services.forgejo.settings = { service = {
auth.DISABLE_LOGIN_FORM = true; DISABLE_REGISTRATION = cfg.disableRegistration;
service = { REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
DISABLE_REGISTRATION = cfg.disableRegistration; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView; SHOW_REGISTRATION_BUTTON = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ENABLE_BASIC_AUTHENTICATION = false;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_BASIC_AUTHENTICATION = false;
};
# disallow explore page and access to private repositories, but allow public
"service.explore".REQUIRE_SIGNIN_VIEW = true;
# TODO control via selfprivacy parameter
# "service.explore".DISABLE_USERS_PAGE = true;
oauth2_client = {
REDIRECT_URI = redirect-uri;
ACCOUNT_LINKING = "auto";
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email openid profile";
};
# doesn't work if LDAP auth source is not active!
"cron.sync_external_users" = {
ENABLED = true;
RUN_AT_START = true;
NOTICE_ON_SUCCESS = true;
};
}; };
systemd.services.forgejo = {
preStart =
let
exe = lib.getExe config.services.forgejo.package;
# FIXME skip-tls-verify, bind-password
ldapConfigArgs = ''
--name LDAP \
--active \
--security-protocol LDAPS \
--skip-tls-verify \
--host '${auth-passthru.ldap-host}' \
--port '${toString auth-passthru.ldap-port}' \
--user-search-base '${auth-passthru.ldap-base-dn}' \
--user-filter '(&(class=person)(memberof=${users-group})(name=%s))' \
--admin-filter '(&(class=person)(memberof=${admins-group}))' \
--username-attribute name \
--firstname-attribute name \
--surname-attribute displayname \
--email-attribute mail \
--public-ssh-key-attribute sshPublicKey \
--bind-dn 'dn=token' \
--bind-password "$(cat ${kanidm-service-account-token-fp})" \
--synchronize-users
'';
oauthConfigArgs = ''
--name "${oauth2-provider-name}" \
--provider openidConnect \
--key forgejo \
--secret "$(<${kanidm-oauth-client-secret-fp})" \
--group-claim-name groups \
--admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
'';
in
lib.mkAfter ''
set -o xtrace
# Check if LDAP is already configured # disallow explore page and access to private repositories, but allow public
ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)" "service.explore".REQUIRE_SIGNIN_VIEW = true;
if [[ -n "$ldap_line" ]]; then # TODO control via selfprivacy parameter
# update ldap config # "service.explore".DISABLE_USERS_PAGE = true;
id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs}
else
# initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs}
fi
oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)" oauth2_client = {
if [[ -n "$oauth_line" ]]; then REDIRECT_URI = redirect-uri;
id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')" ACCOUNT_LINKING = "auto";
${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs} ENABLE_AUTO_REGISTRATION = true;
else OPENID_CONNECT_SCOPES = "email openid profile";
${exe} admin auth add-oauth ${oauthConfigArgs} };
fi # doesn't work if LDAP auth source is not active!
"cron.sync_external_users" = {
ENABLED = true;
RUN_AT_START = true;
NOTICE_ON_SUCCESS = true;
};
};
systemd.services.forgejo = {
preStart =
let
exe = lib.getExe config.services.forgejo.package;
# FIXME skip-tls-verify, bind-password
ldapConfigArgs = ''
--name LDAP \
--active \
--security-protocol LDAPS \
--skip-tls-verify \
--host '${auth-passthru.ldap-host}' \
--port '${toString auth-passthru.ldap-port}' \
--user-search-base '${auth-passthru.ldap-base-dn}' \
--user-filter '(&(class=person)(memberof=${users-group})(name=%s))' \
--admin-filter '(&(class=person)(memberof=${admins-group})' \
--username-attribute name \
--firstname-attribute name \
--surname-attribute displayname \
--email-attribute mail \
--public-ssh-key-attribute sshPublicKey \
--bind-dn 'dn=token' \
--bind-password "$(cat ${kanidm-service-account-token-fp})" \
--synchronize-users
''; '';
# TODO consider passing oauth consumer service to auth module instead oauthConfigArgs = ''
after = [ auth-passthru.oauth2-systemd-service ]; --name "${oauth2-provider-name}" \
requires = [ auth-passthru.oauth2-systemd-service ]; --provider openidConnect \
}; --key forgejo \
--secret "$(<${kanidm-oauth-client-secret-fp})" \
--group-claim-name groups \
--admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
'';
in
lib.mkAfter ''
set -o xtrace
# for ExecStartPost script to have access to /run/keys/* # Check if LDAP is already configured
users.groups.keys.members = [ config.services.forgejo.group ]; ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)"
systemd.services.kanidm.serviceConfig.ExecStartPre = [ if [[ -n "$ldap_line" ]]; then
("-+" + kanidmExecStartPreScriptRoot) # update ldap config
("-" + kanidmExecStartPreScript) id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
]; ${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs}
systemd.services.kanidm.serviceConfig.ExecStartPost = else
lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]; # initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs}
fi
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)"
extraConfig = lib.mkAfter '' if [[ -n "$oauth_line" ]]; then
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last; id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
# FIXME is it needed? ${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; else
${exe} admin auth add-oauth ${oauthConfigArgs}
fi
''; '';
}; # TODO consider passing oauth consumer service to auth module instead
after = [ auth-passthru.oauth2-systemd-service ];
requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = { # for ExecStartPost script to have access to /run/keys/*
groups = { users.groups.keys.members = [ config.services.forgejo.group ];
"${admins-group}".members = [ auth-passthru.admins-group ];
"${users-group}".members = systemd.services.kanidm.serviceConfig.ExecStartPre = [
[ admins-group auth-passthru.full-users-group ]; ("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
systemd.services.kanidm.serviceConfig.ExecStartPost =
lib.mkAfter [ ("-" + kanidmExecStartPostScript) ];
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
extraConfig = lib.mkAfter ''
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
services.kanidm.provision = {
groups = {
"${admins-group}".members = [ auth-passthru.admins-group ];
"${users-group}".members =
[ admins-group auth-passthru.full-users-group ];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = redirect-uri;
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"${users-group}" = [
"email"
"openid"
"profile"
];
}; };
systems.oauth2.forgejo = { removeOrphanedClaimMaps = true;
displayName = "Forgejo"; # NOTE https://github.com/oddlama/kanidm-provision/issues/15
originUrl = redirect-uri; # add more scopes when a user is a member of specific group
originLanding = "https://${cfg.subdomain}.${sp.domain}/"; # currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
basicSecretFile = kanidm-oauth-client-secret-fp; # supplementaryScopeMaps."${admins-group}" =
# when true, name is passed to a service instead of name@domain # [ "read:admin" "write:admin" ];
preferShortUsername = true; claimMaps.groups = {
allowInsecureClientDisablePkce = true; # FIXME is it needed? joinType = "array";
scopeMaps = { valuesByGroup.${admins-group} = [ "admins" ];
"${users-group}" = [
"email"
"openid"
"profile"
];
};
removeOrphanedClaimMaps = true;
# NOTE https://github.com/oddlama/kanidm-provision/issues/15
# add more scopes when a user is a member of specific group
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" =
# [ "read:admin" "write:admin" ];
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admins" ];
};
}; };
}; };
}) };
) })
]); ]);
} }

222
sp-modules/nextcloud/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, options, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ./common.nix config) inherit (import ./common.nix config)
admin-pass-filepath admin-pass-filepath
@@ -276,133 +276,131 @@ in
}; };
} }
# the following part is active only when "auth" module is enabled # the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs (lib.mkIf is-auth-enabled {
(options.selfprivacy.modules ? "auth") systemd.services.nextcloud-setup = {
(lib.mkIf is-auth-enabled { path = [ pkgs.jq ];
systemd.services.nextcloud-setup = { script = ''
path = [ pkgs.jq ]; set -o errexit
script = '' set -o nounset
set -o errexit ${lib.strings.optionalString cfg.debug "set -o xtrace"}
set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"}
${occ} app:install user_ldap || : ${occ} app:install user_ldap || :
${occ} app:enable user_ldap ${occ} app:enable user_ldap
# The following code tries to match an existing config or creates a new one. # The following code tries to match an existing config or creates a new one.
# The criteria for matching is the ldapHost value. # The criteria for matching is the ldapHost value.
# remove broken link after previous nextcloud (un)installation # remove broken link after previous nextcloud (un)installation
[[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \ [[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \
rm -v "${override-config-fp}" rm -v "${override-config-fp}"
ALL_CONFIG="$(${occ} ldap:show-config --output=json)" ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")" MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")"
if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then
CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")" CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")"
else else
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)" CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
fi fi
echo "Using configId $CONFIG_ID" echo "Using configId $CONFIG_ID"
# The following CLI commands follow # The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
# StartTLS is not supported in Kanidm due to security risks, whereas # StartTLS is not supported in Kanidm due to security risks, whereas
# user_ldap doesn't support SASL. Importing certificate doesn't # user_ldap doesn't support SASL. Importing certificate doesn't
# help: # help:
# ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem" # ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem"
${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1' ${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token' ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${kanidm-service-account-token-fp})" ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${kanidm-service-account-token-fp})"
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' 'mail' ${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' 'mail'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
'(&(class=group)(${wildcard-group}))' '(&(class=group)(${wildcard-group})'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
'(&(class=group)(${wildcard-group}))' '(&(class=group)(${wildcard-group}))'
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \ # ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
# 'groupOfUniqueNames' # 'groupOfUniqueNames'
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \ # ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
# 'uniqueMember' # 'uniqueMember'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
'(&(class=person)(memberof=${users-group})(uid=%uid))' '(&(class=person)(memberof=${users-group})(uid=%uid))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
'uid' 'uid'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
'displayname' 'displayname'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
'(&(class=person)(memberof=${users-group})(name=%s))' '(&(class=person)(memberof=${users-group})(name=%s))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
'1' '1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
'person' 'person'
${occ} ldap:test-config -- "$CONFIG_ID" ${occ} ldap:test-config -- "$CONFIG_ID"
# delete all configs except "$CONFIG_ID" # delete all configs except "$CONFIG_ID"
for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do
echo "Deactivating $configid" echo "Deactivating $configid"
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0' ${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0'
echo "Deactivated $configid" echo "Deactivated $configid"
echo "Deleting $configid" echo "Deleting $configid"
${occ} ldap:delete-config "$configid" ${occ} ldap:delete-config "$configid"
echo "Deleted $configid" echo "Deleted $configid"
done done
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1' ${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1'
############################################################################ ############################################################################
# OIDC app # OIDC app
############################################################################ ############################################################################
${occ} app:install user_oidc || : ${occ} app:install user_oidc || :
${occ} app:enable user_oidc ${occ} app:enable user_oidc
${occ} user_oidc:provider ${auth-passthru.oauth2-provider-name} \ ${occ} user_oidc:provider ${auth-passthru.oauth2-provider-name} \
--clientid="${oauth-client-id}" \ --clientid="${oauth-client-id}" \
--clientsecret="$(<${kanidm-oauth-client-secret-fp})" \ --clientsecret="$(<${kanidm-oauth-client-secret-fp})" \
--discoveryuri="${auth-passthru.oauth2-discovery-url "nextcloud"}" \ --discoveryuri="${auth-passthru.oauth2-discovery-url "nextcloud"}" \
--unique-uid=0 \ --unique-uid=0 \
--scope="email openid profile" \ --scope="email openid profile" \
--mapping-uid=preferred_username \ --mapping-uid=preferred_username \
--no-interaction \ --no-interaction \
--mapping-groups=groups \ --mapping-groups=groups \
--group-provisioning=1 \ --group-provisioning=1 \
-vvv -vvv
''; '';
# TODO consider passing oauth consumer service to auth module instead # TODO consider passing oauth consumer service to auth module instead
after = [ auth-passthru.oauth2-systemd-service ]; after = [ auth-passthru.oauth2-systemd-service ];
requires = [ auth-passthru.oauth2-systemd-service ]; requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = {
groups = {
"${admins-group}".members = [ auth-passthru.admins-group ];
"${users-group}".members =
[ admins-group auth-passthru.full-users-group ];
}; };
services.kanidm.provision = { systems.oauth2.${oauth-client-id} = {
groups = { displayName = "Nextcloud";
"${admins-group}".members = [ auth-passthru.admins-group ]; originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
"${users-group}".members = originLanding = "https://${cfg.subdomain}.${domain}/";
[ admins-group auth-passthru.full-users-group ]; basicSecretFile = kanidm-oauth-client-secret-fp;
}; # when true, name is passed to a service instead of name@domain
systems.oauth2.${oauth-client-id} = { preferShortUsername = true;
displayName = "Nextcloud"; allowInsecureClientDisablePkce = false;
originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code"; scopeMaps.${users-group} = [ "email" "openid" "profile" ];
originLanding = "https://${cfg.subdomain}.${domain}/"; removeOrphanedClaimMaps = true;
basicSecretFile = kanidm-oauth-client-secret-fp; claimMaps.groups = {
# when true, name is passed to a service instead of name@domain joinType = "array";
preferShortUsername = true; valuesByGroup.${admins-group} = [ "admin" ];
allowInsecureClientDisablePkce = false;
scopeMaps.${users-group} = [ "email" "openid" "profile" ];
removeOrphanedClaimMaps = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admin" ];
};
}; };
}; };
})) };
})
]); ]);
} }

105
sp-modules/roundcube/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, options, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.roundcube; cfg = config.selfprivacy.modules.roundcube;
@@ -82,61 +82,58 @@ in
systemd.services.roundcube.after = [ "dovecot2.service" ]; systemd.services.roundcube.after = [ "dovecot2.service" ];
} }
# the following part is active only when "auth" module is enabled # the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs (lib.mkIf is-auth-enabled {
(options.selfprivacy.modules ? "auth") # for phpfpm-roundcube to have access to get through /run/keys directory
(lib.mkIf is-auth-enabled { users.groups.keys.members = [ user ];
# for phpfpm-roundcube to have access to get through /run/keys directory services.roundcube.extraConfig = lib.mkAfter ''
users.groups.keys.members = [ user ]; $config['oauth_provider'] = 'generic';
services.roundcube.extraConfig = lib.mkAfter '' $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_provider'] = 'generic'; $config['oauth_client_id'] = '${oauth-donor.oauth-client-id}';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}'; $config['oauth_client_secret'] = file_get_contents('${kanidm-oauth-client-secret-fp}');
$config['oauth_client_id'] = '${oauth-donor.oauth-client-id}'; $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_client_secret'] = file_get_contents('${kanidm-oauth-client-secret-fp}'); $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2'; $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-donor.oauth-client-id}/userinfo';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token'; $config['oauth_scope'] = 'email profile openid'; # FIXME
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-donor.oauth-client-id}/userinfo'; $config['oauth_auth_parameters'] = [];
$config['oauth_scope'] = 'email profile openid'; # FIXME $config['oauth_identity_fields'] = ['email'];
$config['oauth_auth_parameters'] = []; $config['oauth_login_redirect'] = true;
$config['oauth_identity_fields'] = ['email']; $config['auto_create_user'] = true;
$config['oauth_login_redirect'] = true; $config['oauth_verify_peer'] = false; # FIXME
$config['auto_create_user'] = true; # $config['oauth_pkce'] = 'S256'; # FIXME
$config['oauth_verify_peer'] = false; # FIXME '';
# $config['oauth_pkce'] = 'S256'; # FIXME systemd.services.roundcube = {
''; after = [ auth-passthru.oauth2-systemd-service ];
systemd.services.roundcube = { requires = [ auth-passthru.oauth2-systemd-service ];
after = [ auth-passthru.oauth2-systemd-service ]; };
requires = [ auth-passthru.oauth2-systemd-service ]; systemd.services.kanidm = {
serviceConfig.ExecStartPre = lib.mkBefore [
("-+" + kanidmExecStartPreScriptRoot)
];
};
services.kanidm.provision = {
groups = {
"sp.roundcube.admins".members = [ auth-passthru.admins-group ];
"sp.roundcube.users".members =
[ "sp.roundcube.admins" auth-passthru.full-users-group ];
}; };
systemd.services.kanidm = { systems.oauth2.${oauth-donor.oauth-client-id} = {
serviceConfig.ExecStartPre = lib.mkBefore [ displayName = "Roundcube";
("-+" + kanidmExecStartPreScriptRoot) originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
]; originLanding = "https://${cfg.subdomain}.${domain}/";
}; basicSecretFile = kanidm-oauth-client-secret-fp;
services.kanidm.provision = { # when true, name is passed to a service instead of name@domain
groups = { preferShortUsername = false;
"sp.roundcube.admins".members = [ auth-passthru.admins-group ]; allowInsecureClientDisablePkce = true; # FIXME is it needed?
"sp.roundcube.users".members = scopeMaps = {
[ "sp.roundcube.admins" auth-passthru.full-users-group ]; "sp.roundcube.users" = [
}; "email"
systems.oauth2.${oauth-donor.oauth-client-id} = { "openid"
displayName = "Roundcube"; "profile"
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth"; ];
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"sp.roundcube.users" = [
"email"
"openid"
"profile"
];
};
removeOrphanedClaimMaps = true;
}; };
removeOrphanedClaimMaps = true;
}; };
}) };
) })
]); ]);
} }

64
sp-modules/simple-nixos-mailserver/config.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, options, pkgs, ... }@nixos-args: { config, lib, pkgs, ... }@nixos-args:
let let
sp = config.selfprivacy; sp = config.selfprivacy;
@@ -176,42 +176,36 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [
}; };
} }
# the following parts are active only when "auth" module is enabled # the following parts are active only when "auth" module is enabled
(lib.attrsets.optionalAttrs (lib.mkIf is-auth-enabled {
(options.selfprivacy.modules ? "auth") mailserver = {
(lib.mkIf is-auth-enabled { extraVirtualAliases = lib.mkForce { };
mailserver = { loginAccounts = lib.mkForce { };
extraVirtualAliases = lib.mkForce { }; # LDAP is needed for Postfix to query Kanidm about email address ownership.
loginAccounts = lib.mkForce { }; # LDAP is needed for Dovecot also.
# LDAP is needed for Postfix to query Kanidm about email address ownership. ldap = {
# LDAP is needed for Dovecot also. # false; otherwise, simple-nixos-mailserver enables auth via LDAP
ldap = { enable = false;
# false; otherwise, simple-nixos-mailserver enables auth via LDAP
enable = false;
# bind.dn = "uid=mail,ou=persons," + ldap_base_dn; # bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
bind.dn = "dn=token"; bind.dn = "dn=token";
# TODO change in this file should trigger system restart dovecot # TODO change in this file should trigger system restart dovecot
bind.passwordFile = mailserver-service-account-token-fp; bind.passwordFile = mailserver-service-account-token-fp;
# searchBase = "ou=persons," + ldap_base_dn; # searchBase = "ou=persons," + ldap_base_dn;
searchBase = auth-passthru.ldap-base-dn; # TODO refine this searchBase = auth-passthru.ldap-base-dn; # TODO refine this
# NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS) # NOTE: 127.0.0.1 instead of localhost doesn't work (maybe because of TLS)
uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ]; uris = [ "ldaps://localhost:${toString auth-passthru.ldap-port}" ];
};
}; };
# FIXME set auth module option instead };
systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkBefore [ # FIXME set auth module option instead
("-+" + kanidmExecStartPreScriptRoot) systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkBefore [
]; ("-+" + kanidmExecStartPreScriptRoot)
systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [ ];
("-" + kanidmExecStartPostScript) systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
]; ("-" + kanidmExecStartPostScript)
})) ];
(lib.attrsets.optionalAttrs })
(options.selfprivacy.modules ? "auth") (lib.mkIf is-auth-enabled (import ./auth-dovecot.nix nixos-args))
(lib.mkIf is-auth-enabled (import ./auth-dovecot.nix nixos-args))) (lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args))
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled (import ./auth-postfix.nix nixos-args)))
]) ])