WIP: LDAP: Dovecot&Postfix works, but Postfix sends to 25 port

sp-modules/auth/config-paths-needed.json

@@ -1,5 +1,7 @@
 [
   ["mailserver", "fqdn"],
+  ["mailserver", "ldap"],
+  ["mailserver", "vmailUID"],
   ["security", "acme", "certs"],
   ["selfprivacy", "domain"],
   ["selfprivacy", "modules"],

sp-modules/auth/flake.nix

@@ -2,8 +2,9 @@
   description = "User authentication and authorization module";
 
   # TODO remove when Kanidm provisioning without groups assertion lands in NixOS
-  inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
+  # inputs.nixos-unstable.url = github:alexoundos/nixpkgs/679fd3fd318ce2d57d0cabfbd7f4b8857d78ae95;
-  # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=3feae1d8a2681b57c07d3a212a083988da6b96d2;
+  # inputs.nixos-unstable.url = git+file:/data/nixpkgs?ref=kanidm-1.4.0&rev=1bac99358baea6a3268027b4e585c68cd4ef107d;
+  inputs.nixos-unstable.url = github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d;
 
   outputs = { self, nixos-unstable }: {
     overlays.default = _final: prev: {
@@ -11,13 +12,13 @@
         kanidm oauth2-proxy;
       kanidm-provision =
         nixos-unstable.legacyPackages.${prev.system}.kanidm-provision.overrideAttrs (_: {
-          # version = "git";
+          version = "git";
-          # src = prev.fetchFromGitHub {
+          src = prev.fetchFromGitHub {
-          #   owner = "oddlama";
+            owner = "oddlama";
-          #   repo = "kanidm-provision";
+            repo = "kanidm-provision";
-          #   rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
+            rev = "d1f55c9247a6b25d30bbe90a74307aaac6306db4";
-          #   hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
+            hash = "sha256-cZ3QbowmWX7j1eJRiUP52ao28xZzC96OdZukdWDHfFI=";
-          # };
+          };
         });
     };
 
@@ -28,15 +29,18 @@
         "services/security/oauth2-proxy-nginx.nix"
       ];
       imports = [
-        (nixos-unstable.legacyPackages.x86_64-linux.path
+        ./kanidm.nix
-          + /nixos/modules/services/security/kanidm.nix)
         (nixos-unstable.legacyPackages.x86_64-linux.path
           + /nixos/modules/services/security/oauth2-proxy.nix)
         (nixos-unstable.legacyPackages.x86_64-linux.path
           + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
         ./module.nix
+        ./ldap-postfix.nix
       ];
       nixpkgs.overlays = [ self.overlays.default ];
+
+      selfprivacy.modules.auth.enable = true;
+      selfprivacy.modules.auth.debug = true;
     };
 
     configPathsNeeded =

sp-modules/auth/ldap-postfix.nix

@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.mailserver;
+
+  appendLdapBindPwd =
+    { name, file, prefix, suffix ? "", passwordFile, destination }:
+    pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
+      #!${pkgs.stdenv.shell}
+      set -euo pipefail
+
+      baseDir=$(dirname ${destination})
+      if (! test -d "$baseDir"); then
+        mkdir -p $baseDir
+        chmod 755 $baseDir
+      fi
+
+      cat ${file} > ${destination}
+      echo -n '${prefix}' >> ${destination}
+      cat ${passwordFile} >> ${destination}
+      echo -n '${suffix}' >> ${destination}
+      chmod 600 ${destination}
+    '';
+
+  ldapSenderLoginMapFile = "/run/postfix/ldap-sender-login-map.cf";
+  submissionOptions.smtpd_sender_login_maps =
+    lib.mkForce "hash:/etc/postfix/vaccounts,ldap:${ldapSenderLoginMapFile}";
+  commonLdapConfig = ''
+    server_host = ${lib.concatStringsSep " " cfg.ldap.uris}
+    start_tls = ${if cfg.ldap.startTls then "yes" else "no"}
+    version = 3
+    # tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
+    # tls_require_cert = yes
+
+    search_base = ${cfg.ldap.searchBase}
+    scope = ${cfg.ldap.searchScope}
+
+    bind = yes
+    bind_dn = ${cfg.ldap.bind.dn}
+  '';
+  ldapSenderLoginMap = pkgs.writeText "ldap-sender-login-map.cf" ''
+    ${commonLdapConfig}
+    query_filter = ${cfg.ldap.postfix.filter}
+    result_attribute = ${cfg.ldap.postfix.mailAttribute}
+  '';
+  appendPwdInSenderLoginMap = appendLdapBindPwd {
+    name = "ldap-sender-login-map";
+    file = ldapSenderLoginMap;
+    prefix = "bind_pw = ";
+    passwordFile = cfg.ldap.bind.passwordFile;
+    destination = ldapSenderLoginMapFile;
+  };
+
+  ldapVirtualMailboxMap = pkgs.writeText "ldap-virtual-mailbox-map.cf" ''
+    ${commonLdapConfig}
+    query_filter = ${cfg.ldap.postfix.filter}
+    result_attribute = ${cfg.ldap.postfix.uidAttribute}
+  '';
+  ldapVirtualMailboxMapFile = "/run/postfix/ldap-virtual-mailbox-map.cf";
+  appendPwdInVirtualMailboxMap = appendLdapBindPwd {
+    name = "ldap-virtual-mailbox-map";
+    file = ldapVirtualMailboxMap;
+    prefix = "bind_pw = ";
+    passwordFile = cfg.ldap.bind.passwordFile;
+    destination = ldapVirtualMailboxMapFile;
+  };
+in
+{
+  systemd.services.postfix-setup = {
+    preStart = ''
+      ${appendPwdInVirtualMailboxMap}
+      ${appendPwdInSenderLoginMap}
+    '';
+    restartTriggers = [ appendPwdInVirtualMailboxMap appendPwdInSenderLoginMap ];
+  };
+  services.postfix = {
+    # the list should be merged with other options from nixos-mailserver
+    config.virtual_mailbox_maps = [ "ldap:${ldapVirtualMailboxMapFile}" ];
+    submissionOptions = submissionOptions;
+    submissionsOptions = submissionOptions;
+  };
+}

sp-modules/auth/module.nix

@@ -10,6 +10,12 @@ let
   kanidm-bind-address = "127.0.0.1:3013";
   ldap_host = "127.0.0.1";
   ldap_port = 3636;
+  # e.g. "dc=mydomain,dc=com"
+  ldap_base_dn =
+    lib.strings.concatMapStringsSep
+      ","
+      (x: "dc=" + x)
+      (lib.strings.splitString "." domain);
 
   dovecot-oauth2-conf-file = pkgs.writeTextFile {
     name = "dovecot-oauth2.conf.ext";
@@ -25,23 +31,81 @@ let
       active_attribute = active
       active_value = true
       openid_configuration_url = ${oauth2-discovery-url "roundcube"}
-      debug = yes # FIXME
+      debug = ${if cfg.debug then "yes" else "no"}
     '';
   };
 
-  provisionAdminPassword = "abcd1234";
+  lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
-  provisionIdmAdminPassword = "abcd1234"; # FIXME
+  lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
+  lua_path = "${lua_core_path};${lua_lrucache_path};";
+  ldapConfFile = "/run/dovecot2/dovecot-ldap.conf.ext"; # FIXME get "dovecot2" from `config`
+  mkLdapSearchScope = scope: (
+    if scope == "sub" then "subtree"
+    else if scope == "one" then "onelevel"
+    else scope
+  );
+  appendLdapBindPwd =
+    { name, file, prefix, suffix ? "", passwordFile, destination }:
+    pkgs.writeScript "append-ldap-bind-pwd-in-${name}" ''
+      #!${pkgs.stdenv.shell}
+      set -euo pipefail
+
+      baseDir=$(dirname ${destination})
+      if (! test -d "$baseDir"); then
+        mkdir -p $baseDir
+        chmod 755 $baseDir
+      fi
+
+      cat ${file} > ${destination}
+      echo -n '${prefix}' >> ${destination}
+      cat ${passwordFile} >> ${destination}
+      echo -n '${suffix}' >> ${destination}
+      chmod 600 ${destination}
+    '';
+  dovecot-ldap-config = pkgs.writeTextFile {
+    name = "dovecot-ldap.conf.ext.template";
+    text = ''
+      ldap_version = 3
+      uris = ${lib.concatStringsSep " " config.mailserver.ldap.uris}
+      ${lib.optionalString config.mailserver.ldap.startTls ''
+      tls = yes
+      ''}
+      # tls_require_cert = hard
+      # tls_ca_cert_file = ${config.mailserver.ldap.tlsCAFile}
+      dn = ${config.mailserver.ldap.bind.dn}
+      sasl_bind = no
+      auth_bind = no
+      base = ${config.mailserver.ldap.searchBase}
+      scope = ${mkLdapSearchScope config.mailserver.ldap.searchScope}
+      ${lib.optionalString (config.mailserver.ldap.dovecot.userAttrs != null) ''
+      user_attrs = ${config.mailserver.ldap.dovecot.userAttrs}
+      ''}
+      user_filter = ${config.mailserver.ldap.dovecot.userFilter}
+    '';
+  };
+  setPwdInLdapConfFile = appendLdapBindPwd {
+    name = "ldap-conf-file";
+    file = dovecot-ldap-config;
+    prefix = ''dnpass = "'';
+    suffix = ''"'';
+    passwordFile = config.mailserver.ldap.bind.passwordFile;
+    destination = ldapConfFile;
+  };
 in
 {
   options.selfprivacy.modules.auth = {
     enable = lib.mkOption {
-      default = true;
+      default = false;
       type = lib.types.bool;
     };
     subdomain = lib.mkOption {
       default = "auth";
       type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
     };
+    debug = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -54,7 +118,6 @@ in
 
       # kanidm with Rust code patches for OAuth and admin passwords provisioning
       package = pkgs.kanidm.withSecretProvisioning;
-      # FIXME
       # package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
       #   version = "git";
       #   src = pkgs.fetchFromGitHub {
@@ -91,10 +154,6 @@ in
       provision = {
         enable = true;
         autoRemove = false;
-
-        # FIXME read randomly generated password from ?
-        # adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
-        # idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
       };
       enableClient = true;
       clientSettings = {
@@ -103,22 +162,113 @@ in
         verify_hostnames = false; # FIXME
       };
     };
+    # systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkBefore ''
+    #   # check kanidm online here with curl again?
+    #   # use API key for group creation?
+    # '';
+    # services.phpfpm.pools.roundcube.settings = {
+    #   catch_workers_output = true;
+    #   "php_admin_value[error_log]" = "stdout";
+    #   "php_admin_flag[log_errors]" = true;
+    #   "php_admin_value[log_level]" = "debug";
+    # };
+    services.phpfpm.phpOptions = ''
+      error_reporting = E_ALL
+      display_errors = on;
+    '';
+    systemd.services.phpfpm-roundcube.serviceConfig = {
+      StandardError = "journal";
+      StandardOutput = "journal";
+    };
 
     services.nginx = {
       enable = true;
+      additionalModules =
+        lib.lists.optional cfg.debug pkgs.nginxModules.lua;
+      commonHttpConfig = lib.strings.optionalString cfg.debug ''
+        log_format kanidm escape=none '$request $status\n'
+                                      '[Request body]: $request_body\n'
+                                      '[Header]: $resp_header\n'
+                                      '[Response Body]: $resp_body\n\n';
+        lua_package_path "${lua_path}";
+      '';
       virtualHosts.${auth-fqdn} = {
         useACMEHost = domain;
         forceSSL = true;
         locations."/" = {
-          proxyPass =
+          # extraConfig = ''
-            "https://${kanidm-bind-address}";
+          #   if ($args != $new_args) {
+          #       rewrite ^ /ui/oauth2?$new_args? last;
+          #   }
+          # '';
+          extraConfig = lib.strings.optionalString cfg.debug ''
+            access_log /var/log/nginx/kanidm.log kanidm;
+
+            lua_need_request_body on;
+
+            # log header
+            set $req_header "";
+            set $resp_header "";
+            header_filter_by_lua '
+              local h = ngx.req.get_headers()
+              for k, v in pairs(h) do
+                ngx.var.req_header = ngx.var.req_header .. k.."="..v.." "
+              end
+              local rh = ngx.resp.get_headers()
+              for k, v in pairs(rh) do
+                ngx.var.resp_header = ngx.var.resp_header .. k.."="..v.." "
+              end
+            ';
+
+            # log body
+            set $resp_body "";
+            body_filter_by_lua '
+              local resp_body = string.sub(ngx.arg[1], 1, 4000)
+              ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
+              if ngx.arg[2] then
+                ngx.var.resp_body = ngx.ctx.buffered
+              end
+            ';
+          '';
+          proxyPass = "https://${kanidm-bind-address}";
         };
       };
+      # appendHttpConfig = ''
+      #   # Define a map to modify redirect_uri and append %2F if missing
+      #   map $args $new_args {
+      #       ~^((.*)(redirect_uri=[^&]+)(?!%2F)(.*))$ $2$3%2F$4;
+      #       default $args;
+      #   }
+      # '';
     };
 
     # TODO move to mailserver module everything below
-    mailserver.debug = true; # FIXME
+    mailserver.debug = cfg.debug; # FIXME
     mailserver.mailDirectory = "/var/vmail";
+
+    mailserver.loginAccounts = lib.mkForce { };
+    mailserver.extraVirtualAliases = lib.mkForce { };
+    # LDAP is needed for Postfix to query Kanidm about email address ownership
+    # LDAP is needed for Dovecot also.
+    mailserver.ldap = {
+      enable = false;
+      # bind.dn = "uid=mail,ou=persons," + ldap_base_dn;
+      bind.dn = "dn=token";
+      # TODO change in this file should trigger system restart dovecot
+      bind.passwordFile = "/run/keys/dovecot/kanidm-service-account-token"; # FIXME
+      # searchBase = "ou=persons," + ldap_base_dn;
+      searchBase = ldap_base_dn;
+      # searchScope = "sub";
+      uris = [ "ldaps://localhost:${toString ldap_port}" ];
+
+      # note: in `ldapsearch` first comes filter, then attributes
+      dovecot.userAttrs = "+"; # all operational attributes
+      # TODO: investigate whether "mail=%u" is better than:
+      # dovecot.userFilter = "(&(class=person)(uid=%n))";
+      postfix.mailAttribute = "mail";
+      postfix.uidAttribute = "uid";
+    };
+
     services.dovecot2.extraConfig = ''
       auth_mechanisms = xoauth2 oauthbearer
 
@@ -130,12 +280,12 @@ in
 
       userdb {
         driver = static
-        args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
+        args = uid=virtualMail gid=virtualMail home=/var/vmail/${domain}/%u
       }
 
       # provide SASL via unix socket to postfix
       service auth {
-        unix_listener /var/lib/postfix/private/auth {
+        unix_listener /var/lib/postfix/private-auth {
           mode = 0660
           user = postfix
           group = postfix
@@ -154,7 +304,15 @@ in
         }
       }
 
+      userdb {
+        driver = ldap
+        args = ${ldapConfFile}
+        default_fields = home=/var/vmail/${domain}/%u uid=${toString config.mailserver.vmailUID} gid=${toString config.mailserver.vmailUID}
+      }
+
       #auth_username_format = %Ln
+
+      # FIXME
       auth_debug = yes
       auth_debug_passwords = yes  # Be cautious with this in production as it logs passwords
       auth_verbose = yes
@@ -162,11 +320,30 @@ in
     '';
     services.dovecot2.enablePAM = false;
     services.postfix.extraConfig = ''
-      smtpd_sasl_local_domain = ${domain}
+      debug_peer_list = 94.43.135.210, 134.209.202.195
-      smtpd_relay_restrictions = permit_sasl_authenticated, reject
+      debug_peer_level = 3
-      smtpd_sasl_type = dovecot
+      smtp_use_tls = yes
-      smtpd_sasl_path = private/auth
+      # these below are already set in nixos-mailserver/mail-server/postfix.nix
-      smtpd_sasl_auth_enable = yes
+      # smtpd_sasl_local_domain = ${domain}
+      # smtpd_relay_restrictions = permit_sasl_authenticated, reject
+      # smtpd_sender_restrictions =
+      # smtpd_sender_login_maps =
+      # smtpd_sasl_type = dovecot
+      # smtpd_sasl_path = private-auth
+      # smtpd_sasl_auth_enable = yes
     '';
+
+    systemd.services.dovecot2 = {
+      # TODO does it merge with existing preStart?
+      preStart = setPwdInLdapConfFile + "\n";
+    };
+
+    # does it merge with existing restartTriggers?
+    systemd.services.postfix.restartTriggers = [ setPwdInLdapConfFile ];
+
+    environment.systemPackages = lib.lists.optionals cfg.debug [
+      pkgs.shelldap
+      pkgs.openldap
+    ];
   };
 }

sp-modules/roundcube/module.nix

@@ -5,6 +5,79 @@ let
   auth-module = config.selfprivacy.modules.auth;
   auth-fqdn = auth-module.subdomain + "." + domain;
   oauth-client-id = "roundcube";
+  dovecot-service-account-name = "dovecot-service-account";
+  postfix-service-account-name = "postfix-service-account";
+  dovecot-service-account-token-name = "dovecot-service-account-token";
+  postfix-service-account-token-name = "postfix-service-account-token";
+  # dovecot-service-account-token-fp = "/run/kanidm/token/dovecot";
+  dovecot-service-account-token-fp =
+    "/run/keys/dovecot/kanidm-service-account-token";
+  postfix-service-account-token-fp =
+    "/run/keys/postfix/kanidm-service-account-token";
+  dovecot-group = "dovecot2"; # FIXME
+  postfix-group = "postfix"; # FIXME
+  # FIXME use usernames and groups from `config`
+  # FIXME dependency on dovecot2 and postfix
+  # set-group-ID bit allows for kanidm user to create files,
+  # which inherit directory group (.e.g dovecot, postfix)
+  kanidmExecStartPostScriptRoot = pkgs.writeShellScript
+    "roundcube-kanidm-ExecStartPost-root-script.sh"
+    ''
+      mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/dovecot
+      chown kanidm:dovecot2 /run/keys/dovecot
+
+      mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/postfix
+      chown kanidm:postfix /run/keys/postfix
+    '';
+  # FIXME parameterize names like "dovecot2" group
+  kanidmExecStartPostScript = pkgs.writeShellScript
+    "roundcube-kanidm-ExecStartPost-script.sh"
+    ''
+      export HOME=$RUNTIME_DIRECTORY/client_home
+      readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
+
+      # get Kanidm service account for Dovecot
+      KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${dovecot-service-account-name}$")"
+      echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
+      if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
+      then
+          echo "kanidm service account \"${dovecot-service-account-name}\" is found"
+      else
+          echo "kanidm service account \"${dovecot-service-account-name}\" is not found"
+          echo "creating new kanidm service account \"${dovecot-service-account-name}\""
+          if $KANIDM service-account create --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-name} idm_admin
+          then
+              "kanidm service account \"${dovecot-service-account-name}\" created"
+          else
+              echo "error: cannot create kanidm service account \"${dovecot-service-account-name}\""
+              exit 1
+          fi
+      fi
+
+      # add Kanidm service account to `idm_mail_servers` group
+      $KANIDM group add-members idm_mail_servers ${dovecot-service-account-name}
+
+      # create a new read-only token for Dovecot
+      if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-token-name} --output json)"
+      then
+          echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
+          exit 1
+      fi
+      if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
+      then
+          echo "error: cannot get service-account API token from JSON"
+          exit 1
+      fi
+
+      # if ! printf "%s\n" "$KANIDM_SERVICE_ACCOUNT_TOKEN" > ${dovecot-service-account-token-fp}
+      if ! install --mode=640 \
+      <(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
+      ${dovecot-service-account-token-fp}
+      then
+          echo "error: cannot write token to \"${dovecot-service-account-token-fp}\""
+          exit 1
+      fi
+    '';
 in
 {
   options.selfprivacy.modules.roundcube = {
@@ -32,15 +105,40 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # FIXME get user names from `config`
+    # in order to allow access below /run/keys
+    users.groups.keys.members = [ "kanidm" "dovecot2" "postfix" ];
     services.roundcube = {
       enable = true;
+      # package = pkgs.roundcube.overrideAttrs (_: rec {
+      #   version = "1.6.9";
+      #   src = pkgs.fetchurl {
+      #     url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/roundcubemail-${version}-complete.tar.gz";
+      #     sha256 = "sha256-thpfXCL4kMKZ6TWqz88IcGdpkNiuv/DWzf8HW/F8708=";
+      #   };
+      #   # src = pkgs.fetchurl {
+      #   #   url = "https://github.com/roundcube/roundcubemail/archive/master/3a6e25a5b386e0d87427b934ccd2e0e282e0a74e.tar.gz";
+      #   #   sha256 = "sha256-EpEI4E+r3reYbI/5rquia+zgz1+6k49lPChlp4QiZTE=";
+      #   # };
+      #   postFixup = ''
+      #     cp -v ${/data/sp/roundcubemail-1.6.9/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
+      #     cp -v ${/data/sp/roundcubemail-1.6.9/program/actions/login/oauth.php} $out/program/actions/login/oauth.php
+      #     rm -r $out/program/localization/*
+      #   '';
+      # });
+      # package = pkgs.runCommandNoCCLocal "roundcube-debug" {} ''
+      #   cp -r --no-preserve=all ${pkgs.roundcube} $out
+      #   cp -v ${/data/sp/roundcubemail-1.6.8/plugins/debug_logger/debug_logger.php} $out/plugins/debug_logger/debug_logger.php
+      #   cp -v ${/data/sp/roundcubemail-1.6.8/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
+      # '';
       # this is the url of the vhost, not necessarily the same as the fqdn of
       # the mailserver
       hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
+      # plugins = [ "debug_logger" ];
       extraConfig = ''
         # starttls needed for authentication, so the fqdn required to match
         # the certificate
-        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+        $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
         # $config['smtp_user'] = "%u";
         # $config['smtp_pass'] = "%p";
       '' + lib.strings.optionalString auth-module.enable ''
@@ -53,20 +151,62 @@ in
         $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
         $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
         $config['oauth_scope'] = 'email profile openid';
+        # $config['oauth_scope'] = 'email openid dovecotprofile';
         $config['oauth_auth_parameters'] = [];
         $config['oauth_identity_fields'] = ['email'];
-        $config['oauth_login_redirect'] = true;
+        $config['oauth_login_redirect'] = false;
         $config['auto_create_user'] = true;
+
+        $config['log_dir'] = '/tmp/roundcube';
+        $config['log_driver'] = 'stdout';
+        $config['log_errors'] = 1;
+        // Log SQL queries to <log_dir>/sql or to syslog
+        $config['sql_debug'] = true;
+
+        // Log IMAP conversation to <log_dir>/imap or to syslog
+        $config['imap_debug'] = true;
+        $config['log_debug'] = true;
+        $config['oauth_debug'] = true;
+
+        // Log LDAP conversation to <log_dir>/ldap or to syslog
+        $config['ldap_debug'] = true;
+
+        // Log SMTP conversation to <log_dir>/smtp or to syslog
+        $config['smtp_debug'] = true;
+
+        $config['debug_logger']['master'] = 'master';
+        $config['debug_logger']['oauth'] = 'oauth';
+        $config['debug_logger']['imap'] = 'imap';
+        $config['debug_logger']['log'] = 'log';
+        $config['debug_logger']['smtp'] = 'smtp';
+
+        $config['oauth_verify_peer'] = false;
+        $config['log_logins'] = true;
+        $config['log_session'] = true;
+        # $config['oauth_pkce'] = 'S256';
       '';
     };
     services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
       forceSSL = true;
       useACMEHost = domain;
       enableACME = false;
+      # extraConfig = ''
+      #   add_header X-Frame-Options DENY;
+      #   add_header X-Content-Type-Options nosniff;
+      #   add_header X-XSS-Protection "1; mode=block";
+      # '';
     };
     systemd = {
       services = {
-        phpfpm-roundcube.serviceConfig.Slice = lib.mkForce "roundcube.slice";
+        phpfpm-roundcube.serviceConfig = {
+          Slice = lib.mkForce "roundcube.slice";
+          StandardError = "journal";
+          StandardOutput = "journal";
+        };
+        kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
+          ("+" + kanidmExecStartPostScriptRoot)
+          kanidmExecStartPostScript
+        ];
       };
       slices.roundcube = {
         description = "Roundcube service slice";
@@ -75,23 +215,33 @@ in
 
     services.kanidm.provision = lib.mkIf auth-module.enable {
       groups.roundcube_users.present = true;
-      systems.oauth2.roundcube =
+      systems.oauth2.roundcube = {
-        {
+        displayName = "Roundcube";
-          displayName = "Roundcube";
+        originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
-          originUrl = "https://${cfg.subdomain}.${domain}/";
+        originLanding = "https://${cfg.subdomain}.${domain}/";
-          originLanding = "https://${cfg.subdomain}.${domain}/";
+        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
-          basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
+        # when true, name is passed to a service instead of name@domain
-          # when true, name is passed to a service instead of name@domain
+        preferShortUsername = false;
-          preferShortUsername = false;
+        allowInsecureClientDisablePkce = true; # FIXME is it needed?
-          allowInsecureClientDisablePkce = true; # FIXME is it needed?
+        scopeMaps.roundcube_users = [
-          scopeMaps.roundcube_users = [
+          "email"
-            "email"
+          "profile"
-            # "groups"
+          "openid"
-            "profile"
+        ];
-            "openid"
+        # scopeMaps.roundcube_users = [
-            # "dovecotprofile"
+        #   "email"
-          ];
+        #   "openid"
-        };
+        #   "dovecotprofile"
+        # ];
+
+        # add more scopes when a user is a member of specific group
+        # claimMaps.groups = {
+        #   joinType = "array";
+        #   valuesByGroup = {
+        #     "sp.roundcube.admin" = [ "admin" ];
+        #   };
+        # };
+      };
     };
   };
 }