refact dovecot,auth: tmpfiles, minor renames, config-paths-needed.json

This commit is contained in:
Alexander Tomokhov
2025-04-17 13:12:23 +04:00
parent 90758a2652
commit eb200cb792
2 changed files with 17 additions and 19 deletions


@@ -13,15 +13,9 @@ let
is-auth-enabled is-auth-enabled
; ;
runtime-directory = group; runtime-folder = group;
keysPath = auth-passthru.keys-path;
kanidmExecStartPreScriptRoot = pkgs.writeShellScript
"mailserver-kanidm-ExecStartPre-root-script.sh"
''
# set-group-ID bit allows for kanidm user to create files inheriting group
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${group}
chown kanidm:${group} /run/keys/${group}
'';
# create service account token, needed for LDAP # create service account token, needed for LDAP
kanidmExecStartPostScript = pkgs.writeShellScript kanidmExecStartPostScript = pkgs.writeShellScript
"mailserver-kanidm-ExecStartPost-script.sh" "mailserver-kanidm-ExecStartPost-script.sh"
@@ -71,7 +65,7 @@ let
fi fi
''; '';
ldapConfFile = "/run/${runtime-directory}/dovecot-ldap.conf.ext"; ldapConfFile = "/run/${runtime-folder}/dovecot-ldap.conf.ext";
mkLdapSearchScope = scope: ( mkLdapSearchScope = scope: (
if scope == "sub" then "subtree" if scope == "sub" then "subtree"
else if scope == "one" then "onelevel" else if scope == "one" then "onelevel"
@@ -108,14 +102,14 @@ let
}; };
oauth-client-id = "mailserver"; oauth-client-id = "mailserver";
oauth-client-secret-fp = oauth-client-secret-fp =
"/run/keys/${group}/kanidm-oauth-client-secret"; "${keysPath}/${group}/kanidm-oauth-client-secret";
oauth-secret-ExecStartPreScript = pkgs.writeShellScript oauth-secret-ExecStartPreScript = pkgs.writeShellScript
"${oauth-client-id}-kanidm-ExecStartPre-script.sh" '' "${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
set -o xtrace set -o xtrace
[ -f "${oauth-client-secret-fp}" ] || \ [ -f "${oauth-client-secret-fp}" ] || \
"${lib.getExe pkgs.openssl}" rand -base64 32 | tr "\n:@/+=" "012345" > "${oauth-client-secret-fp}" "${lib.getExe pkgs.openssl}" rand -base64 32 | tr "\n:@/+=" "012345" > "${oauth-client-secret-fp}"
''; '';
dovecot-oauth2-conf-fp = "/run/${runtime-directory}/dovecot-oauth2.conf.ext"; dovecot-oauth2-conf-fp = "/run/${runtime-folder}/dovecot-oauth2.conf.ext";
write-dovecot-oauth2-conf = appendSetting { write-dovecot-oauth2-conf = appendSetting {
name = "oauth2-conf-file"; name = "oauth2-conf-file";
file = builtins.toFile "dovecot-oauth2.conf.ext.template" '' file = builtins.toFile "dovecot-oauth2.conf.ext.template" ''
@@ -136,8 +130,13 @@ let
}; };
in in
{ {
# for dovecot2 to have access to get through /run/keys directory # for dovecot2 to have access to get through ${keysPath} directory
users.groups.keys.members = [ group ]; users.groups.keys.members = [ group ];
systemd.tmpfiles.settings."kanidm-secrets"."${keysPath}/${group}".d = {
user = "kanidm";
inherit group;
mode = "2750";
};
mailserver.ldap = { mailserver.ldap = {
# note: in `ldapsearch` first comes filter, then attributes # note: in `ldapsearch` first comes filter, then attributes
@@ -189,24 +188,19 @@ in
''; '';
services.dovecot2.enablePAM = false; services.dovecot2.enablePAM = false;
systemd.services.dovecot2 = { systemd.services.dovecot2 = {
# TODO does it merge with existing preStart?
preStart = setPwdInLdapConfFile + "\n" + write-dovecot-oauth2-conf + "\n"; preStart = setPwdInLdapConfFile + "\n" + write-dovecot-oauth2-conf + "\n";
# FIXME pass dependant services to auth module option instead?
after = [ auth-passthru.oauth2-systemd-service ]; after = [ auth-passthru.oauth2-systemd-service ];
requires = [ auth-passthru.oauth2-systemd-service ]; requires = [ auth-passthru.oauth2-systemd-service ];
serviceConfig.RuntimeDirectory = lib.mkForce [ runtime-directory ]; serviceConfig.RuntimeDirectory = lib.mkForce [ runtime-folder ];
}; };
# FIXME set auth module option instead
systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkBefore [ systemd.services.kanidm.serviceConfig.ExecStartPre = lib.mkBefore [
("-+" + kanidmExecStartPreScriptRoot)
("-" + oauth-secret-ExecStartPreScript) ("-" + oauth-secret-ExecStartPreScript)
]; ];
systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [ systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
("-" + kanidmExecStartPostScript) ("-" + kanidmExecStartPostScript)
]; ];
# does it merge with existing restartTriggers?
systemd.services.postfix.restartTriggers = [ systemd.services.postfix.restartTriggers = [
setPwdInLdapConfFile setPwdInLdapConfFile
write-dovecot-oauth2-conf write-dovecot-oauth2-conf
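Review bot: The client secret written in `oauth-secret-ExecStartPreScript` (`… rand -base64 32 | tr … > "${oauth-client-secret-fp}"`) is created with whatever mode the kanidm service's umask yields; the new tmpfiles entry only fixes the directory at `2750`, so the file's own permissions stay unconstrained and the directory mode is the sole thing keeping it from being world-readable. The write is also non-atomic, and the `[ -f … ]` guard accepts an empty or truncated file left behind by an interrupted run, which the `-` prefix on the ExecStartPre entry then silently ignores on every later start. I'd set `umask 027` (kanidm writes, `${group}` reads through the setgid directory, others nothing), enable `pipefail`, test with `-s`, and rename a temp file into place, as sketched below. This assumes the kanidm user can already traverse the parent of `keysPath`; the removed root script only did the mkdir/chown, so that was presumably true before as well, but it is worth confirming now that the only remaining ExecStartPre runs unprivileged.
```nix
oauth-secret-ExecStartPreScript = pkgs.writeShellScript
  "${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
    set -o xtrace -o pipefail
    # secret file: kanidm rw, ${group} r (via the setgid directory), nobody else
    umask 027
    if [ ! -s "${oauth-client-secret-fp}" ]; then
      "${lib.getExe pkgs.openssl}" rand -base64 32 | tr "\n:@/+=" "012345" \
        > "${oauth-client-secret-fp}.tmp" \
      && mv "${oauth-client-secret-fp}.tmp" "${oauth-client-secret-fp}"
    fi
  '';
```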


@@ -7,6 +7,7 @@
[ "selfprivacy", "modules", "simple-nixos-mailserver" ], [ "selfprivacy", "modules", "simple-nixos-mailserver" ],
[ "selfprivacy", "passthru", "auth", "admins-group" ], [ "selfprivacy", "passthru", "auth", "admins-group" ],
[ "selfprivacy", "passthru", "auth", "full-users-group" ], [ "selfprivacy", "passthru", "auth", "full-users-group" ],
[ "selfprivacy", "passthru", "auth", "keys-path" ],
[ "selfprivacy", "passthru", "auth", "ldap-base-dn" ], [ "selfprivacy", "passthru", "auth", "ldap-base-dn" ],
[ "selfprivacy", "passthru", "auth", "ldap-port" ], [ "selfprivacy", "passthru", "auth", "ldap-port" ],
[ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ], [ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ],
@@ -20,7 +21,10 @@
[ "selfprivacy", "username" ], [ "selfprivacy", "username" ],
[ "selfprivacy", "users" ], [ "selfprivacy", "users" ],
[ "services", "dovecot2", "user" ], [ "services", "dovecot2", "user" ],
[ "services", "opendkim" ], [ "services", "opendkim", "configFile" ],
[ "services", "opendkim", "group" ],
[ "services", "opendkim", "socket" ],
[ "services", "opendkim", "user" ],
[ "services", "postfix", "group" ], [ "services", "postfix", "group" ],
[ "services", "postfix", "user" ], [ "services", "postfix", "user" ],
[ "services", "redis", "servers", "rspamd", "bind" ], [ "services", "redis", "servers", "rspamd", "bind" ],