auth: add only roundcube kanidm service account to idm_mail_servers

This commit is contained in:
Alexander Tomokhov
2025-04-21 18:54:49 +04:00
parent 3f1a2b5baf
commit a96b6b8444
2 changed files with 31 additions and 17 deletions


@@ -23,7 +23,7 @@ let
chmod 640 "${secretFP}" chmod 640 "${secretFP}"
fi fi
''; '';
mkKanidmExecStartPostScript = oauthClientID: linuxGroup: mkKanidmExecStartPostScript = oauthClientID: linuxGroup: isMailserver:
let let
kanidmServiceAccountName = "sp.${oauthClientID}.service-account"; kanidmServiceAccountName = "sp.${oauthClientID}.service-account";
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token"; kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
@@ -32,7 +32,7 @@ let
in in
pkgs.writeShellScript pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPost-script.sh" "${oauthClientID}-kanidm-ExecStartPost-script.sh"
'' (''
export HOME=$RUNTIME_DIRECTORY/client_home export HOME=$RUNTIME_DIRECTORY/client_home
readonly KANIDM="${pkgs.kanidm}/bin/kanidm" readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
@@ -54,9 +54,6 @@ let
fi fi
fi fi
# add Kanidm service account to `idm_mail_servers` group
$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
# create a new read-only token for kanidm # create a new read-only token for kanidm
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" --output json)" if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" --output json)"
then then
@@ -76,7 +73,12 @@ let
echo "error: cannot write token to \"${kanidmServiceAccountTokenFP}\"" echo "error: cannot write token to \"${kanidmServiceAccountTokenFP}\""
exit 1 exit 1
fi fi
'';
''
+ lib.strings.optionalString isMailserver ''
# add Kanidm service account to `idm_mail_servers` group
$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
'');
in in
{ {
options.selfprivacy.auth = { options.selfprivacy.auth = {
@@ -211,6 +213,13 @@ in
''; '';
default = null; default = null;
}; };
isMailserver = mkOption {
type = types.bool;
description = ''
Whether client is a mailserver.
'';
default = false;
};
}; };
} }
); );
@@ -284,17 +293,21 @@ in
serviceConfig = serviceConfig =
lib.mkMerge (lib.forEach lib.mkMerge (lib.forEach
clientsAttrsList clientsAttrsList
({ clientID, isTokenNeeded, linuxGroupOfClient, ... }: { ({ clientID, isTokenNeeded, linuxGroupOfClient, isMailserver, ... }:
ExecStartPre = [ {
# "-" prefix means to ignore exit code of prefixed script ExecStartPre = [
("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient) # "-" prefix means to ignore exit code of prefixed script
]; ("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
ExecStartPost = lib.mkIf isTokenNeeded ];
(lib.mkAfter [ ExecStartPost = lib.mkIf isTokenNeeded
("-" + (lib.mkAfter [
mkKanidmExecStartPostScript clientID linuxGroupOfClient) ("-" +
]); mkKanidmExecStartPostScript
})); clientID
linuxGroupOfClient
isMailserver)
]);
}));
}; };
# for each OAuth2 client: Kanidm provisioning options # for each OAuth2 client: Kanidm provisioning options
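Review bot: The new `$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"` line lives inside mkKanidmExecStartPostScript, but that script is only wired in under `ExecStartPost = lib.mkIf isTokenNeeded` in the last hunk, while the Roundcube client in the second file keeps `isTokenNeeded = false;` right next to the new `isMailserver = true;`, so as far as the visible lines show the group membership is never applied for the one client this commit targets. Unless isTokenNeeded is set for Roundcube elsewhere, the condition should become `ExecStartPost = lib.mkIf (isTokenNeeded || isMailserver)` with the token-generation part of the script gated on isTokenNeeded inside the script, so the read-only token is still only generated for clients that need it. The `"-"` prefix also means a failing add-members is silently ignored, which deserves a comment such as `# group membership failure is ignored here; check the journal if mail attribute lookups fail`. The option description `Whether client is a mailserver.` would be more useful as `Whether the client is a mail server; when true, its Kanidm service account is added to the idm_mail_servers group by the ExecStartPost script.`. The enclosing `let` block and the systemd service definition both start outside these hunks.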


@@ -123,6 +123,7 @@ in
displayName = "Roundcube"; displayName = "Roundcube";
subdomain = cfg.subdomain; subdomain = cfg.subdomain;
isTokenNeeded = false; isTokenNeeded = false;
isMailserver = true;
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth"; originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/"; originLanding = "https://${cfg.subdomain}.${domain}/";
useShortPreferredUsername = false; useShortPreferredUsername = false;