From a96b6b84447b8dfc29f1ac162d789fdff708f382 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Mon, 21 Apr 2025 18:54:49 +0400
Subject: [PATCH] auth: add only roundcube kanidm service account to idm_mail_servers

---
 auth/auth-module.nix | 47 +++++++++++++++++++++------------
 sp-modules/roundcube/module.nix | 1 +
 2 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index 4d6c4cd..698e43f 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -23,7 +23,7 @@ let
 chmod 640 "${secretFP}"
 fi
 '';
- mkKanidmExecStartPostScript = oauthClientID: linuxGroup:
+ mkKanidmExecStartPostScript = oauthClientID: linuxGroup: isMailserver:
 let
 kanidmServiceAccountName = "sp.${oauthClientID}.service-account";
 kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
@@ -32,7 +32,7 @@ let
 in
 pkgs.writeShellScript
 "${oauthClientID}-kanidm-ExecStartPost-script.sh"
- ''
+ (''
 export HOME=$RUNTIME_DIRECTORY/client_home
 readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
@@ -54,9 +54,6 @@ let
 fi
 fi
- # add Kanidm service account to `idm_mail_servers` group
- $KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
-
 # create a new read-only token for kanidm
 if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" --output json)"
 then
@@ -76,7 +73,12 @@ let
 echo "error: cannot write token to \"${kanidmServiceAccountTokenFP}\""
 exit 1
 fi
- '';
+
+ '' + lib.strings.optionalString isMailserver ''
+ # add Kanidm service account to `idm_mail_servers` group
+ $KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
+ '');
 in
 {
 options.selfprivacy.auth = {
@@ -211,6 +213,13 @@ in
 '';
 default = null;
 };
+ isMailserver = mkOption {
+ type = types.bool;
+ description = ''
+ Whether client is a mailserver.
+ '';
+ default = false;
+ };
 };
 }
 );
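Review bot: The `group add-members idm_mail_servers` call that now sits in the `optionalString isMailserver` tail only changes what newly provisioned clients get; nothing in this script ever removes a service account from `idm_mail_servers`, so on an existing deployment every client whose ExecStartPost script ran before this commit keeps its membership, and the "only roundcube" intent is not reached until those stale, over-privileged memberships are revoked. A complementary branch for non-mail clients, e.g. `lib.strings.optionalString (!isMailserver) ''` / `$KANIDM group remove-members idm_mail_servers "${kanidmServiceAccountName}"` / `''`, would converge existing installs, provided `remove-members` tolerates an account that is not currently a member (worth confirming against the kanidm CLI before relying on it). The exit status of `group add-members` is still unchecked, unlike the `api-token generate` call a few lines above, and the `-` prefix on the ExecStartPost entry ignores script failures anyway, so a failed membership change is completely silent; wrapping it as `if ! $KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"; then echo "error: cannot add service account to idm_mail_servers"; exit 1; fi` matches the script's existing error handling. The body of mkKanidmExecStartPostScript continues outside the hunk.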
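Review bot: The description of the new `isMailserver` option in the `@@ -211,6 +213,13 @@` hunk states what the client is, not what the flag does; a reader of the generated options documentation cannot tell that enabling it grants the client's Kanidm service account membership in `idm_mail_servers`, nor that, as far as these hunks show, this only happens when `isTokenNeeded` is also true because the ExecStartPost script performing it is wrapped in `lib.mkIf isTokenNeeded` in the `@@ -284,17 +293,21 @@` hunk. Suggested text: `Whether the client is a mail server. If true, the client's Kanidm service account is added to the idm_mail_servers group when the Kanidm service is (re)started; this requires isTokenNeeded = true, otherwise the provisioning script that performs it does not run.` The enclosing submodule options set continues outside the hunk.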
@@ -284,17 +293,21 @@ in
 serviceConfig = lib.mkMerge
 (lib.forEach clientsAttrsList
- ({ clientID, isTokenNeeded, linuxGroupOfClient, ... }: {
- ExecStartPre = [
- # "-" prefix means to ignore exit code of prefixed script
- ("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
- ];
- ExecStartPost = lib.mkIf isTokenNeeded
- (lib.mkAfter [
- ("-" +
- mkKanidmExecStartPostScript clientID linuxGroupOfClient)
- ]);
- }));
+ ({ clientID, isTokenNeeded, linuxGroupOfClient, isMailserver, ... }:
+ {
+ ExecStartPre = [
+ # "-" prefix means to ignore exit code of prefixed script
+ ("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
+ ];
+ ExecStartPost = lib.mkIf isTokenNeeded
+ (lib.mkAfter [
+ ("-" +
+ mkKanidmExecStartPostScript
+ clientID
+ linuxGroupOfClient
+ isMailserver)
+ ]);
+ }));
 };
 # for each OAuth2 client: Kanidm provisioning options
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index ffa6b6e..19ba2be 100644
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -123,6 +123,7 @@ in
 displayName = "Roundcube";
 subdomain = cfg.subdomain;
 isTokenNeeded = false;
+ isMailserver = true;
 originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
 originLanding = "https://${cfg.subdomain}.${domain}/";
 useShortPreferredUsername = false;
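Review bot: `isMailserver` is passed to mkKanidmExecStartPostScript only inside `ExecStartPost = lib.mkIf isTokenNeeded (...)`, while the Roundcube hunk that follows sets `isMailserver = true;` directly under the unchanged `isTokenNeeded = false;`; as far as these two hunks show, the post-start script is therefore never registered for Roundcube and its service account is not added to `idm_mail_servers`, which is the one case the commit sets out to enable. Either Roundcube needs `isTokenNeeded = true;`, or the group-membership step should be split out of the token script into its own ExecStartPost entry gated on `lib.mkIf isMailserver`, unless code outside these hunks (the ExecStartPre script, for instance) already grants the membership for clients without a token. Making the dependency explicit with an entry in the module's `assertions`, e.g. `{ assertion = !isMailserver || isTokenNeeded; message = "isMailserver requires isTokenNeeded"; }`, would turn this silent no-op into an evaluation-time error. The serviceConfig attribute set and the Roundcube client definition both continue outside their hunks.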