WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port

sp-modules/auth/config-paths-needed.json

@@ -1,5 +1,7 @@
 [
   ["mailserver", "fqdn"],
+  ["mailserver", "ldap"],
+  ["mailserver", "vmailUID"],
   ["security", "acme", "certs"],
   ["selfprivacy", "domain"],
   ["selfprivacy", "modules"],

sp-modules/auth/flake.nix

@@ -2,8 +2,9 @@
   description = "User authentication and authorization module";
 
   # TODO remove when Kanidm provisioning without groups assertion lands in NixOS
-  inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
-  # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;
+  # inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
+  # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=1bac99358baea6a3268027b4e585c68cd4ef107d;
+  inputs.nixos-unstable.url = github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d;
 
   outputs = { self, nixos-unstable }: {
     overlays.default = _final: prev: {
@@ -11,13 +12,13 @@
         kanidm oauth2-proxy;
       kanidm-provision =
         nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
-          # version = "git";
-          # src = prev.fetchFromGitHub {
-          #   owner = "oddlama";
-          #   repo = "kanidm-provision";
-          #   rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
-          #   hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
-          # };
+          version = "git";
+          src = prev.fetchFromGitHub {
+            owner = "oddlama";
+            repo = "kanidm-provision";
+            rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
+            hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
+          };
         });
     };
 
@@ -28,15 +29,18 @@
         "services/security/oauth2-proxy-nginx.nix"
       ];
       imports = [
-        (nixos-unstable.legacyPackages.x86_64-linux.path
-          + /nixos/modules/services/security/kanidm.nix)
+        ./kanidm.nix
         (nixos-unstable.legacyPackages.x86_64-linux.path
           + /nixos/modules/services/security/oauth2-proxy.nix)
         (nixos-unstable.legacyPackages.x86_64-linux.path
           + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
         ./module.nix
+        ./ldap-postfix.nix
       ];
       nixpkgs.overlays = [ self.overlays.default ];
+
+      selfprivacy.modules.auth.enable = true;
+      selfprivacy.modules.auth.debug = true;
     };
 
     configPathsNeeded =

sp-modules/auth/ldap-postfix.nix

@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mailserver;
+
+  appendLdapBindPwd =
+    { name, file, prefix, suffix ? "", passwordFile, destination }:
+    pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
+      #!${pkgs.stdenv.shell}
+      set -euo pipefail
+
+      baseDir=$(dirname ${destination})
+      if (! test -d "$baseDir"); then
+        mkdir -p $baseDir
+        chmod 755 $baseDir
+      fi
+
+      cat ${file} > ${destination}
+      echo -n '${prefix}' >> ${destination}
+      cat ${passwordFile} >> ${destination}
+      echo -n '${suffix}' >> ${destination}
+      chmod 600 ${destination}
+    '';
+
+  ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
+  submissionOptions.smtpd_sender_login_maps =
+    lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
+  commonLdapConfig = ''
+    server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
+    start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
+    version = 3
+    # tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
+    # tls_require_cert = yes
+
+    search_base = ${cfg.ldap.searchBase}
+    scope = ${cfg.ldap.searchScope}
+
+    bind = yes
+    bind_dn = ${cfg.ldap.bind.dn}
+  '';
+  ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
+    ${commonLdapConfig}
+    query_filter = ${cfg.ldap.postfix.filter}
+    result_attribute = ${cfg.ldap.postfix.mailAttribute}
+  '';
+  appendPwdInSenderLoginMap = appendLdapBindPwd {
+    name = "ldap-sender-login-map";
+    file = ldapSenderLoginMap;
+    prefix = "bind_pw = ";
+    passwordFile = cfg.ldap.bind.passwordFile;
+    destination = ldapSenderLoginMapFile;
+  };
+
+  ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
+    ${commonLdapConfig}
+    query_filter = ${cfg.ldap.postfix.filter}
+    result_attribute = ${cfg.ldap.postfix.uidAttribute}
+  '';
+  ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
+  appendPwdInVirtualMailboxMap = appendLdapBindPwd {
+    name = "ldap-virtual-mailbox-map";
+    file = ldapVirtualMailboxMap;
+    prefix = "bind_pw = ";
+    passwordFile = cfg.ldap.bind.passwordFile;
+    destination = ldapVirtualMailboxMapFile;
+  };
+in
+{
+  systemd.services.postfix-setup = {
+    preStart = ''
+      ${appendPwdInVirtualMailboxMap}
+      ${appendPwdInSenderLoginMap}
+    '';
+    restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
+  };
+  services.postfix = {
+    # the list should be merged with other options from nixos-mailserver
+    config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
+    submissionOptions = submissionOptions;
+    submissionsOptions = submissionOptions;
+  };
+}

sp-modules/auth/module.nix

@@ -10,6 +10,12 @@ let
   kanidm-bind-address = "127.0.0.1:3013";
   ldap_host = "127.0.0.1";
   ldap_port = 3636;
+  # e.g. "dc=mydomain,dc=com"
+  ldap_base_dn =
+    lib.strings.concatMapStringsSep
+      ","
+      (x: "dc=" + x)
+      (lib.strings.splitString "." domain);
 
   dovecot-oauth2-conf-file = pkgs.writeTextFile {
     name = "dovecot-oauth2.conf.ext";
@@ -25,23 +31,81 @@ let
       active_attribute = active
       active_value = true
       openid_configuration_url = ${oauth2-discovery-url "roundcube"}
-      debug = yes # FIXME
+      debug = ${if cfg.debug then "yes" else "no"}
     '';
   };
 
-  provisionAdminPassword = "abcd1234";
-  provisionIdmAdminPassword = "abcd1234"; # FIXME
+  lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
+  lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
+  lua_path = "${lua_core_path};${lua_lrucache_path};";
+  ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
+  mkLdapSearchScope = scope: (
+    if scope == "sub" then "subtree"
+    else if scope == "one" then "onelevel"
+    else scope
+  );
+  appendLdapBindPwd =
+    { name, file, prefix, suffix ? "", passwordFile, destination }:
+    pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
+      #!${pkgs.stdenv.shell}
+      set -euo pipefail
+
+      baseDir=$(dirname ${destination})
+      if (! test -d "$baseDir"); then
+        mkdir -p $baseDir
+        chmod 755 $baseDir
+      fi
+
+      cat ${file} > ${destination}
+      echo -n '${prefix}' >> ${destination}
+      cat ${passwordFile} >> ${destination}
+      echo -n '${suffix}' >> ${destination}
+      chmod 600 ${destination}
+    '';
+  dovecot-ldap-config = pkgs.writeTextFile {
+    name = "dovecot-ldap.conf.ext.template";
+    text = ''
+      ldap_version = 3
+      uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
+      ${lib.optionalString config.mailserver.ldap.startTls ''
+      tls = yes
+      ''}
+      # tls_require_cert = hard
+      # tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
+      dn = ${config.mailserver.ldap.bind.dn}
+      sasl_bind = no
+      auth_bind = no
+      base = ${config.mailserver.ldap.searchBase}
+      scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
+      ${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
+      user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
+      ''}
+      user_filter = ${config.mailserver.ldap.dovecot.userFilter}
+    '';
+  };
+  setPwdInLdapConfFile = appendLdapBindPwd {
+    name = "ldap-conf-file";
+    file = dovecot-ldap-config;
+    prefix = ''dnpass = "'';
+    suffix = ''"'';
+    passwordFile = config.mailserver.ldap.bind.passwordFile;
+    destination = ldapConfFile;
+  };
 in
 {
   options.selfprivacy.modules.auth = {
     enable = lib.mkOption {
-      default = true;
+      default = false;
       type = lib.types.bool;
     };
     subdomain = lib.mkOption {
       default = "auth";
       type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
     };
+    debug = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -54,7 +118,6 @@ in
 
       # kanidm with Rust code patches for OAuth and admin passwords provisioning
       package = pkgs.kanidm.withSecretProvisioning;
-      # FIXME
       # package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
       #   version = "git";
       #   src = pkgs.fetchFromGitHub {
@@ -91,10 +154,6 @@ in
       provision = {
         enable = true;
         autoRemove = false;
-
-        # FIXME read randomly generated password from ?
-        # adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
-        # idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
       };
       enableClient = true;
       clientSettings = {
@@ -103,22 +162,113 @@ in
         verify_hostnames = false; # FIXME
       };
     };
+    # systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkBefore ''
+    #   # check kanidm online here with curl again?
+    #   # use API key for group creation?
+    # '';
+    # services.phpfpm.pools.roundcube.settings = {
+    #   catch_workers_output = true;
+    #   "php_admin_value[error_log]" = "stdout";
+    #   "php_admin_flag[log_errors]" = true;
+    #   "php_admin_value[log_level]" = "debug";
+    # };
+    services.phpfpm.phpOptions = ''
+      error_reporting = E_ALL
+      display_errors = on;
+    '';
+    systemd.services.phpfpm-roundcube.serviceConfig = {
+      StandardError = "journal";
+      StandardOutput = "journal";
+    };
 
     services.nginx = {
       enable = true;
+      additionalModules =
+        lib.lists.optional cfg.debug pkgs.nginxModules.lua;
+      commonHttpConfig = lib.strings.optionalString cfg.debug ''
+        log_format kanidm escape=none '$request $status\n'
+                                      '[Request body]: $request_body\n'
+                                      '[Header]: $resp_header\n'
+                                      '[Response Body]: $resp_body\n\n';
+        lua_package_path "${lua_path}";
+      '';
       virtualHosts.${auth-fqdn} = {
         useACMEHost = domain;
         forceSSL = true;
         locations."/" = {
-          proxyPass =
-            "https://${kanidm-bind-address}";
+          # extraConfig = ''
+          #   if ($args != $new_args) {
+          #       rewrite ^ /ui/oauth2?$new_args? last;
+          #   }
+          # '';
+          extraConfig = lib.strings.optionalString cfg.debug ''
+            access_log /var/log/nginx/kanidm.log kanidm;
+
+            lua_need_request_body on;
+
+            # log header
+            set $req_header "";
+            set $resp_header "";
+            header_filter_by_lua '
+              local h = ngx.req.get_headers()
+              for k, v in pairs(h) do
+                ngx.var.req_header = ngx.var.req_header .. k.."="..v.." "
+              end
+              local rh = ngx.resp.get_headers()
+              for k, v in pairs(rh) do
+                ngx.var.resp_header = ngx.var.resp_header .. k.."="..v.." "
+              end
+            ';
+
+            # log body
+            set $resp_body "";
+            body_filter_by_lua '
+              local resp_body = string.sub(ngx.arg[1], 1, 4000)
+              ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
+              if ngx.arg[2] then
+                ngx.var.resp_body = ngx.ctx.buffered
+              end
+            ';
+          '';
+          proxyPass = "https://${kanidm-bind-address}";
         };
       };
+      # appendHttpConfig = ''
+      #   # Define a map to modify redirect_uri and append %2F if missing
+      #   map $args $new_args {
+      #       ~^((.*)(redirect_uri=[^&]+)(?!%2F)(.*))$ $2$3%2F$4;
+      #       default $args;
+      #   }
+      # '';
     };
 
     # TODO move to mailserver module everything below
-    mailserver.debug = true; # FIXME
+    mailserver.debug = cfg.debug; # FIXME
     mailserver.mailDirectory = "/var/vmail";
+
+    mailserver.loginAccounts = lib.mkForce { };
+    mailserver.extraVirtualAliases = lib.mkForce { };
+    # LDAP is needed for Postfix to query Kanidm about email address ownership
+    # LDAP is needed for Dovecot also.
+    mailserver.ldap = {
+      enable = false;
+      # bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
+      bind.dn = "dn=token";
+      # TODO change in this file should trigger system restart dovecot
+      bind.passwordFile = "/run/keys/dovecot/kanidm-service-account-token"; # FIXME
+      # searchBase = "ou=persons," + ldap_base_dn;
+      searchBase = ldap_base_dn;
+      # searchScope = "sub";
+      uris = [ "ldaps://localhost:${toString ldap_port}" ];
+
+      # note: in `ldapsearch` first comes filter, then attributes
+      dovecot.userAttrs = "+"; # all operational attributes
+      # TODO: investigate whether "mail=%u" is better than:
+      # dovecot.userFilter = "(&(class=person)(uid=%n))";
+      postfix.mailAttribute = "mail";
+      postfix.uidAttribute = "uid";
+    };
+
     services.dovecot2.extraConfig = ''
       auth_mechanisms = xoauth2 oauthbearer
 
@@ -130,12 +280,12 @@ in
 
       userdb {
         driver = static
-        args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
+        args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
       }
 
       # provide SASL via unix socket to postfix
       service auth {
-        unix_listener /var/lib/postfix/private/auth {
+        unix_listener /var/lib/postfix/private-auth {
           mode = 0660
           user = postfix
           group = postfix
@@ -154,7 +304,15 @@ in
         }
       }
 
+      userdb {
+        driver = ldap
+        args = ${ldapConfFile}
+        default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
+      }
+
       #auth_username_format = %Ln
+
+      # FIXME
       auth_debug = yes
       auth_debug_passwords = yes  # Be cautious with this in production as it logs passwords
       auth_verbose = yes
@@ -162,11 +320,30 @@ in
     '';
     services.dovecot2.enablePAM = false;
     services.postfix.extraConfig = ''
-      smtpd_sasl_local_domain = ${domain}
-      smtpd_relay_restrictions = permit_sasl_authenticated, reject
-      smtpd_sasl_type = dovecot
-      smtpd_sasl_path = private/auth
-      smtpd_sasl_auth_enable = yes
+      debug_peer_list = 94.43.135.210, 134.209.202.195
+      debug_peer_level = 3
+      smtp_use_tls = yes
+      # these below are already set in nixos-mailserver/mail-server/postfix.nix
+      # smtpd_sasl_local_domain = ${domain}
+      # smtpd_relay_restrictions = permit_sasl_authenticated, reject
+      # smtpd_sender_restrictions =
+      # smtpd_sender_login_maps =
+      # smtpd_sasl_type = dovecot
+      # smtpd_sasl_path = private-auth
+      # smtpd_sasl_auth_enable = yes
     '';
+
+    systemd.services.dovecot2 = {
+      # TODO does it merge with existing preStart?
+      preStart = setPwdInLdapConfFile + "\n";
+    };
+
+    # does it merge with existing restartTriggers?
+    systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
+
+    environment.systemPackages = lib.lists.optionals cfg.debug [
+      pkgs.shelldap
+      pkgs.openldap
+    ];
   };
 }