refactor: switch to upstream nixos kanidm module

2025-09-02 12:16:12 +03:00
parent 169d1ca8df
commit 73cbdf994e
8 changed files with 189 additions and 1199 deletions
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -22,10 +22,6 @@ let

  oauth-donor = config.selfprivacy.passthru.mailserver;
  oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP linuxGroupOfService;
-  # copy client secret from mailserver
-  kanidmExecStartPreScriptRoot = pkgs.writeShellScript "${sp-module-name}-kanidm-ExecStartPre-root-script.sh" ''
-    install -v -m640 -o kanidm -g ${linuxGroupOfService} ${oauth-donor.oauth-client-secret-fp} ${oauthClientSecretFP}
-  '';
 in
 {
  options.selfprivacy.modules.roundcube = {
@@ -121,9 +117,16 @@ in
          after = [ "dovecot2.service" ];
          requires = [ "dovecot2.service" ];
        };
-        systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkAfter [
-          ("-+" + kanidmExecStartPreScriptRoot)
-        ];
+        systemd.services.kanidm.serviceConfig = {
+          ExecStartPre = lib.mkAfter [
+            (pkgs.writeShellScript "copy-mailserver-client-secret-to-roundcube" ''
+              install -v -m640 -o kanidm -g ${linuxGroupOfService} ${oauth-donor.oauth-client-secret-fp} ${oauthClientSecretFP}
+            '')
+          ];
+          SystemCallFilter = [
+            "@chown"
+          ];
+        };

        selfprivacy.auth.clients."${oauth-donor.oauth-client-id}" = {
          inherit adminsGroup usersGroup;
--- a/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
+++ b/sp-modules/simple-nixos-mailserver/auth-dovecot.nix
@@ -22,10 +22,12 @@ let
  runtime-folder = group;
  keysPath = auth-passthru.keys-path;

-  # create service account token, needed for LDAP
-  kanidmExecStartPostScript = pkgs.writeShellScript "mailserver-kanidm-ExecStartPost-script.sh" ''
+  kanidmExecStartPostScript = pkgs.writeShellScript "create-dovecot-service-account-token-for-ldap" ''
    export HOME=$RUNTIME_DIRECTORY/client_home
    readonly KANIDM="${config.services.kanidm.package}/bin/kanidm"
+    export KANIDM_NAME=idm_admin
+    export KANIDM_URL="${config.services.kanidm.provision.instanceUrl}"
+    export KANIDM_SKIP_HOSTNAME_VERIFICATION="true"

    # get Kanidm service account for mailserver
    KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${mailserver-service-account-name}$")"
@@ -111,7 +113,7 @@ let
  };
  oauth-client-id = "mailserver";
  oauth-client-secret-fp = "${keysPath}/${group}/kanidm-oauth-client-secret";
-  oauth-secret-ExecStartPreScript = pkgs.writeShellScript "${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
+  oauth-secret-ExecStartPreScript = pkgs.writeShellScript "${oauth-client-id}-create-client-secret.sh" ''
    set -o xtrace
    [ -f "${oauth-client-secret-fp}" ] || \
      "${lib.getExe pkgs.openssl}" rand -base64 32 | tr "\n:@/+=" "012345" > "${oauth-client-secret-fp}"
@@ -202,10 +204,10 @@ in
  };

  systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkBefore [
-    ("-" + oauth-secret-ExecStartPreScript)
+    oauth-secret-ExecStartPreScript
  ];
  systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
-    ("-" + kanidmExecStartPostScript)
+    kanidmExecStartPostScript
  ];

  systemd.services.postfix.restartTriggers = [
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -25,5 +25,6 @@
  [ "services", "postfix", "user" ],
  [ "services", "redis", "servers", "rspamd" ],
  [ "services", "rspamd" ],
-  [ "services", "kanidm", "package" ]
+  [ "services", "kanidm", "package" ],
+  [ "services", "kanidm", "provision", "instanceUrl" ]
 ]