thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port

Browse Source
This commit is contained in:
Alexander Tomokhov
2024-12-20 16:13:59 +04:00
parent b5de64105c
commit ad6d3d6970
6 changed files with 1472 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sp-modules/auth/config-paths-needed.json
View File

@@ -1,5 +1,7 @@
[
["mailserver", "fqdn"],
["mailserver", "ldap"],
["mailserver", "vmailUID"],
["security", "acme", "certs"],
["selfprivacy", "domain"],
["selfprivacy", "modules"],

26
sp-modules/auth/flake.nix
View File

@@ -2,8 +2,9 @@
description = "User authentication and authorization module";
# TODO remove when Kanidm provisioning without groups assertion lands in NixOS
inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
# inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;
# inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
# inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=1bac99358baea6a3268027b4e585c68cd4ef107d;
inputs.nixos-unstable.url = github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d;
outputs = { self, nixos-unstable }: {
overlays.default = _final: prev: {
@@ -11,13 +12,13 @@
kanidm oauth2-proxy;
kanidm-provision =
nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
# version = "git";
# src = prev.fetchFromGitHub {
# owner = "oddlama";
# repo = "kanidm-provision";
# rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
# hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
# };
version = "git";
src = prev.fetchFromGitHub {
owner = "oddlama";
repo = "kanidm-provision";
rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
};
});
};
@@ -28,15 +29,18 @@
"services/security/oauth2-proxy-nginx.nix"
];
imports = [
(nixos-unstable.legacyPackages.x86_64-linux.path
+ /nixos/modules/services/security/kanidm.nix)
./kanidm.nix
(nixos-unstable.legacyPackages.x86_64-linux.path
+ /nixos/modules/services/security/oauth2-proxy.nix)
(nixos-unstable.legacyPackages.x86_64-linux.path
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
./module.nix
./ldap-postfix.nix
];
nixpkgs.overlays = [ self.overlays.default ];
selfprivacy.modules.auth.enable = true;
selfprivacy.modules.auth.debug = true;
};
configPathsNeeded =

1008
sp-modules/auth/kanidm.nix Normal file
View File

File diff suppressed because it is too large Load Diff

81
sp-modules/auth/ldap-postfix.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
let
cfg = config.mailserver;
appendLdapBindPwd =
{ name, file, prefix, suffix ? "", passwordFile, destination }:
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
#!${pkgs.stdenv.shell}
set -euo pipefail
baseDir=$(dirname ${destination})
if (! test -d "$baseDir"); then
mkdir -p $baseDir
chmod 755 $baseDir
fi
cat ${file} > ${destination}
echo -n '${prefix}' >> ${destination}
cat ${passwordFile} >> ${destination}
echo -n '${suffix}' >> ${destination}
chmod 600 ${destination}
'';
ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
submissionOptions.smtpd_sender_login_maps =
lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
commonLdapConfig = ''
server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
version = 3
# tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
# tls_require_cert = yes
search_base = ${cfg.ldap.searchBase}
scope = ${cfg.ldap.searchScope}
bind = yes
bind_dn = ${cfg.ldap.bind.dn}
'';
ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
${commonLdapConfig}
query_filter = ${cfg.ldap.postfix.filter}
result_attribute = ${cfg.ldap.postfix.mailAttribute}
'';
appendPwdInSenderLoginMap = appendLdapBindPwd {
name = "ldap-sender-login-map";
file = ldapSenderLoginMap;
prefix = "bind_pw = ";
passwordFile = cfg.ldap.bind.passwordFile;
destination = ldapSenderLoginMapFile;
};
ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
${commonLdapConfig}
query_filter = ${cfg.ldap.postfix.filter}
result_attribute = ${cfg.ldap.postfix.uidAttribute}
'';
ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
appendPwdInVirtualMailboxMap = appendLdapBindPwd {
name = "ldap-virtual-mailbox-map";
file = ldapVirtualMailboxMap;
prefix = "bind_pw = ";
passwordFile = cfg.ldap.bind.passwordFile;
destination = ldapVirtualMailboxMapFile;
};
in
{
systemd.services.postfix-setup = {
preStart = ''
${appendPwdInVirtualMailboxMap}
${appendPwdInSenderLoginMap}
'';
restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
};
services.postfix = {
# the list should be merged with other options from nixos-mailserver
config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
submissionOptions = submissionOptions;
submissionsOptions = submissionOptions;
};
}

215
sp-modules/auth/module.nix
View File

@@ -10,6 +10,12 @@ let
kanidm-bind-address = "127.0.0.1:3013";
ldap_host = "127.0.0.1";
ldap_port = 3636;
# e.g. "dc=mydomain,dc=com"
ldap_base_dn =
lib.strings.concatMapStringsSep
","
(x: "dc=" + x)
(lib.strings.splitString "." domain);
dovecot-oauth2-conf-file = pkgs.writeTextFile {
name = "dovecot-oauth2.conf.ext";
@@ -25,23 +31,81 @@ let
active_attribute = active
active_value = true
openid_configuration_url = ${oauth2-discovery-url "roundcube"}
debug = yes # FIXME
debug = ${if cfg.debug then "yes" else "no"}
'';
};
provisionAdminPassword = "abcd1234";
provisionIdmAdminPassword = "abcd1234"; # FIXME
lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
lua_path = "${lua_core_path};${lua_lrucache_path};";
ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
mkLdapSearchScope = scope: (
if scope == "sub" then "subtree"
else if scope == "one" then "onelevel"
else scope
);
appendLdapBindPwd =
{ name, file, prefix, suffix ? "", passwordFile, destination }:
pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
#!${pkgs.stdenv.shell}
set -euo pipefail
baseDir=$(dirname ${destination})
if (! test -d "$baseDir"); then
mkdir -p $baseDir
chmod 755 $baseDir
fi
cat ${file} > ${destination}
echo -n '${prefix}' >> ${destination}
cat ${passwordFile} >> ${destination}
echo -n '${suffix}' >> ${destination}
chmod 600 ${destination}
'';
dovecot-ldap-config = pkgs.writeTextFile {
name = "dovecot-ldap.conf.ext.template";
text = ''
ldap_version = 3
uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
${lib.optionalString config.mailserver.ldap.startTls ''
tls = yes
''}
# tls_require_cert = hard
# tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
dn = ${config.mailserver.ldap.bind.dn}
sasl_bind = no
auth_bind = no
base = ${config.mailserver.ldap.searchBase}
scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
''}
user_filter = ${config.mailserver.ldap.dovecot.userFilter}
'';
};
setPwdInLdapConfFile = appendLdapBindPwd {
name = "ldap-conf-file";
file = dovecot-ldap-config;
prefix = ''dnpass = "'';
suffix = ''"'';
passwordFile = config.mailserver.ldap.bind.passwordFile;
destination = ldapConfFile;
};
in
{
options.selfprivacy.modules.auth = {
enable = lib.mkOption {
default = true;
default = false;
type = lib.types.bool;
};
subdomain = lib.mkOption {
default = "auth";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
debug = lib.mkOption {
default = false;
type = lib.types.bool;
};
};
config = lib.mkIf cfg.enable {
@@ -54,7 +118,6 @@ in
# kanidm with Rust code patches for OAuth and admin passwords provisioning
package = pkgs.kanidm.withSecretProvisioning;
# FIXME
# package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
# version = "git";
# src = pkgs.fetchFromGitHub {
@@ -91,10 +154,6 @@ in
provision = {
enable = true;
autoRemove = false;
# FIXME read randomly generated password from ?
# adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
# idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
};
enableClient = true;
clientSettings = {
@@ -103,22 +162,113 @@ in
verify_hostnames = false; # FIXME
};
};
# systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkBefore ''
# # check kanidm online here with curl again?
# # use API key for group creation?
# '';
# services.phpfpm.pools.roundcube.settings = {
# catch_workers_output = true;
# "php_admin_value[error_log]" = "stdout";
# "php_admin_flag[log_errors]" = true;
# "php_admin_value[log_level]" = "debug";
# };
services.phpfpm.phpOptions = ''
error_reporting = E_ALL
display_errors = on;
'';
systemd.services.phpfpm-roundcube.serviceConfig = {
StandardError = "journal";
StandardOutput = "journal";
};
services.nginx = {
enable = true;
additionalModules =
lib.lists.optional cfg.debug pkgs.nginxModules.lua;
commonHttpConfig = lib.strings.optionalString cfg.debug ''
log_format kanidm escape=none '$request $status\n'
'[Request body]: $request_body\n'
'[Header]: $resp_header\n'
'[Response Body]: $resp_body\n\n';
lua_package_path "${lua_path}";
'';
virtualHosts.${auth-fqdn} = {
useACMEHost = domain;
forceSSL = true;
locations."/" = {
proxyPass =
"https://${kanidm-bind-address}";
# extraConfig = ''
# if ($args != $new_args) {
# rewrite ^ /ui/oauth2?$new_args? last;
# }
# '';
extraConfig = lib.strings.optionalString cfg.debug ''
access_log /var/log/nginx/kanidm.log kanidm;
lua_need_request_body on;
# log header
set $req_header "";
set $resp_header "";
header_filter_by_lua '
local h = ngx.req.get_headers()
for k, v in pairs(h) do
ngx.var.req_header = ngx.var.req_header .. k.."="..v.." "
end
local rh = ngx.resp.get_headers()
for k, v in pairs(rh) do
ngx.var.resp_header = ngx.var.resp_header .. k.."="..v.." "
end
';
# log body
set $resp_body "";
body_filter_by_lua '
local resp_body = string.sub(ngx.arg[1], 1, 4000)
ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
if ngx.arg[2] then
ngx.var.resp_body = ngx.ctx.buffered
end
';
'';
proxyPass = "https://${kanidm-bind-address}";
};
};
# appendHttpConfig = ''
# # Define a map to modify redirect_uri and append %2F if missing
# map $args $new_args {
# ~^((.*)(redirect_uri=[^&]+)(?!%2F)(.*))$ $2$3%2F$4;
# default $args;
# }
# '';
};
# TODO move to mailserver module everything below
mailserver.debug = true; # FIXME
mailserver.debug = cfg.debug; # FIXME
mailserver.mailDirectory = "/var/vmail";
mailserver.loginAccounts = lib.mkForce { };
mailserver.extraVirtualAliases = lib.mkForce { };
# LDAP is needed for Postfix to query Kanidm about email address ownership
# LDAP is needed for Dovecot also.
mailserver.ldap = {
enable = false;
# bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
bind.dn = "dn=token";
# TODO change in this file should trigger system restart dovecot
bind.passwordFile = "/run/keys/dovecot/kanidm-service-account-token"; # FIXME
# searchBase = "ou=persons," + ldap_base_dn;
searchBase = ldap_base_dn;
# searchScope = "sub";
uris = [ "ldaps://localhost:${toString ldap_port}" ];
# note: in `ldapsearch` first comes filter, then attributes
dovecot.userAttrs = "+"; # all operational attributes
# TODO: investigate whether "mail=%u" is better than:
# dovecot.userFilter = "(&(class=person)(uid=%n))";
postfix.mailAttribute = "mail";
postfix.uidAttribute = "uid";
};
services.dovecot2.extraConfig = ''
auth_mechanisms = xoauth2 oauthbearer
@@ -130,12 +280,12 @@ in
userdb {
driver = static
args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
}
# provide SASL via unix socket to postfix
service auth {
unix_listener /var/lib/postfix/private/auth {
unix_listener /var/lib/postfix/private-auth {
mode = 0660
user = postfix
group = postfix
@@ -154,7 +304,15 @@ in
}
}
userdb {
driver = ldap
args = ${ldapConfFile}
default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
}
#auth_username_format = %Ln
# FIXME
auth_debug = yes
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
auth_verbose = yes
@@ -162,11 +320,30 @@ in
'';
services.dovecot2.enablePAM = false;
services.postfix.extraConfig = ''
smtpd_sasl_local_domain = ${domain}
smtpd_relay_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
debug_peer_list = 94.43.135.210, 134.209.202.195
debug_peer_level = 3
smtp_use_tls = yes
# these below are already set in nixos-mailserver/mail-server/postfix.nix
# smtpd_sasl_local_domain = ${domain}
# smtpd_relay_restrictions = permit_sasl_authenticated, reject
# smtpd_sender_restrictions =
# smtpd_sender_login_maps =
# smtpd_sasl_type = dovecot
# smtpd_sasl_path = private-auth
# smtpd_sasl_auth_enable = yes
'';
systemd.services.dovecot2 = {
# TODO does it merge with existing preStart?
preStart = setPwdInLdapConfFile + "\n";
};
# does it merge with existing restartTriggers?
systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
environment.systemPackages = lib.lists.optionals cfg.debug [
pkgs.shelldap
pkgs.openldap
];
};
}

190
sp-modules/roundcube/module.nix
View File

@@ -5,6 +5,79 @@ let
auth-module = config.selfprivacy.modules.auth;
auth-fqdn = auth-module.subdomain + "." + domain;
oauth-client-id = "roundcube";
dovecot-service-account-name = "dovecot-service-account";
postfix-service-account-name = "postfix-service-account";
dovecot-service-account-token-name = "dovecot-service-account-token";
postfix-service-account-token-name = "postfix-service-account-token";
# dovecot-service-account-token-fp = "/run/kanidm/token/dovecot";
dovecot-service-account-token-fp =
"/run/keys/dovecot/kanidm-service-account-token";
postfix-service-account-token-fp =
"/run/keys/postfix/kanidm-service-account-token";
dovecot-group = "dovecot2"; # FIXME
postfix-group = "postfix"; # FIXME
# FIXME use usernames and groups from `config`
# FIXME dependency on dovecot2 and postfix
# set-group-ID bit allows for kanidm user to create files,
# which inherit directory group (.e.g dovecot, postfix)
kanidmExecStartPostScriptRoot = pkgs.writeShellScript
"roundcube-kanidm-ExecStartPost-root-script.sh"
''
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/dovecot
chown kanidm:dovecot2 /run/keys/dovecot
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/postfix
chown kanidm:postfix /run/keys/postfix
'';
# FIXME parameterize names like "dovecot2" group
kanidmExecStartPostScript = pkgs.writeShellScript
"roundcube-kanidm-ExecStartPost-script.sh"
''
export HOME=$RUNTIME_DIRECTORY/client_home
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
# get Kanidm service account for Dovecot
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${dovecot-service-account-name}$")"
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
then
echo "kanidm service account \"${dovecot-service-account-name}\" is found"
else
echo "kanidm service account \"${dovecot-service-account-name}\" is not found"
echo "creating new kanidm service account \"${dovecot-service-account-name}\""
if $KANIDM service-account create --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-name} idm_admin
then
"kanidm service account \"${dovecot-service-account-name}\" created"
else
echo "error: cannot create kanidm service account \"${dovecot-service-account-name}\""
exit 1
fi
fi
# add Kanidm service account to `idm_mail_servers` group
$KANIDM group add-members idm_mail_servers ${dovecot-service-account-name}
# create a new read-only token for Dovecot
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-token-name} --output json)"
then
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
exit 1
fi
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
then
echo "error: cannot get service-account API token from JSON"
exit 1
fi
# if ! printf "%s\n" "$KANIDM_SERVICE_ACCOUNT_TOKEN" > ${dovecot-service-account-token-fp}
if ! install --mode=640 \
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
${dovecot-service-account-token-fp}
then
echo "error: cannot write token to \"${dovecot-service-account-token-fp}\""
exit 1
fi
'';
in
{
options.selfprivacy.modules.roundcube = {
@@ -32,15 +105,40 @@ in
};
config = lib.mkIf cfg.enable {
# FIXME get user names from `config`
# in order to allow access below /run/keys
users.groups.keys.members = [ "kanidm" "dovecot2" "postfix" ];
services.roundcube = {
enable = true;
# package = pkgs.roundcube.overrideAttrs (_: rec {
# version = "1.6.9";
# src = pkgs.fetchurl {
# url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/roundcubemail-${version}-complete.tar.gz";
# sha256 = "sha256-thpfXCL4kMKZ6TWqz88IcGdpkNiuv/DWzf8HW/F8708=";
# };
# # src = pkgs.fetchurl {
# # url = "https://github.com/roundcube/roundcubemail/archive/master/3a6e25a5b386e0d87427b934ccd2e0e282e0a74e.tar.gz";
# # sha256 = "sha256-EpEI4E+r3reYbI/5rquia+zgz1+6k49lPChlp4QiZTE=";
# # };
# postFixup = ''
# cp -v ${/data/sp/roundcubemail-1.6.9/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
# cp -v ${/data/sp/roundcubemail-1.6.9/program/actions/login/oauth.php} $out/program/actions/login/oauth.php
# rm -r $out/program/localization/*
# '';
# });
# package = pkgs.runCommandNoCCLocal "roundcube-debug" {} ''
# cp -r --no-preserve=all ${pkgs.roundcube} $out
# cp -v ${/data/sp/roundcubemail-1.6.8/plugins/debug_logger/debug_logger.php} $out/plugins/debug_logger/debug_logger.php
# cp -v ${/data/sp/roundcubemail-1.6.8/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
# '';
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
# plugins = [ "debug_logger" ];
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
# $config['smtp_user'] = "%u";
# $config['smtp_pass'] = "%p";
'' + lib.strings.optionalString auth-module.enable ''
@@ -53,20 +151,62 @@ in
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
$config['oauth_scope'] = 'email profile openid';
# $config['oauth_scope'] = 'email openid dovecotprofile';
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['oauth_login_redirect'] = false;
$config['auto_create_user'] = true;
$config['log_dir'] = '/tmp/roundcube';
$config['log_driver'] = 'stdout';
$config['log_errors'] = 1;
// Log SQL queries to <log_dir>/sql or to syslog
$config['sql_debug'] = true;
// Log IMAP conversation to <log_dir>/imap or to syslog
$config['imap_debug'] = true;
$config['log_debug'] = true;
$config['oauth_debug'] = true;
// Log LDAP conversation to <log_dir>/ldap or to syslog
$config['ldap_debug'] = true;
// Log SMTP conversation to <log_dir>/smtp or to syslog
$config['smtp_debug'] = true;
$config['debug_logger']['master'] = 'master';
$config['debug_logger']['oauth'] = 'oauth';
$config['debug_logger']['imap'] = 'imap';
$config['debug_logger']['log'] = 'log';
$config['debug_logger']['smtp'] = 'smtp';
$config['oauth_verify_peer'] = false;
$config['log_logins'] = true;
$config['log_session'] = true;
# $config['oauth_pkce'] = 'S256';
'';
};
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
# extraConfig = ''
# add_header X-Frame-Options DENY;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# '';
};
systemd = {
services = {
phpfpm-roundcube.serviceConfig.Slice = lib.mkForce "roundcube.slice";
phpfpm-roundcube.serviceConfig = {
Slice = lib.mkForce "roundcube.slice";
StandardError = "journal";
StandardOutput = "journal";
};
kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
("+" + kanidmExecStartPostScriptRoot)
kanidmExecStartPostScript
];
};
slices.roundcube = {
description = "Roundcube service slice";
@@ -75,23 +215,33 @@ in
services.kanidm.provision = lib.mkIf auth-module.enable {
groups.roundcube_users.present = true;
systems.oauth2.roundcube =
{
displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps.roundcube_users = [
"email"
# "groups"
"profile"
"openid"
# "dovecotprofile"
];
};
systems.oauth2.roundcube = {
displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps.roundcube_users = [
"email"
"profile"
"openid"
];
# scopeMaps.roundcube_users = [
# "email"
# "openid"
# "dovecotprofile"
# ];
# add more scopes when a user is a member of specific group
# claimMaps.groups = {
# joinType = "array";
# valuesByGroup = {
# "sp.roundcube.admin" = [ "admin" ];
# };
# };
};
};
};
}