diff --git a/hosts/VEGAS/services/mail/default.nix b/hosts/VEGAS/services/mail/default.nix
index 1a899d8..ec3cf0c 100644
--- a/hosts/VEGAS/services/mail/default.nix
+++ b/hosts/VEGAS/services/mail/default.nix
@@ -4,7 +4,6 @@
 ./imap.nix
 ./opendkim.nix
 ./postfix.nix
- ./saslauthd.nix
 ];
 services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
 enableACME = true;
diff --git a/hosts/VEGAS/services/mail/imap.nix b/hosts/VEGAS/services/mail/imap.nix
index 76bfff2..b89510f 100644
--- a/hosts/VEGAS/services/mail/imap.nix
+++ b/hosts/VEGAS/services/mail/imap.nix
@@ -9,16 +9,31 @@ let
 certDir = config.security.acme.certs."mail.${domain}".directory;
 # TODO: check how this thing does lookups, apply bind dn
- ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
+
+ ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
 uris = ${ldap.server.url}
 auth_bind = yes
 auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
 base = ${userSearchBase}
- pass_filter = (uid=%n)
+ pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
 pass_attrs = uid=user
+ dn = dn=token
+ dnpass = @DOVECOT2_LDAP_DNPASS@
+ '';
+
+ ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
+
+ writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
+ cp ${ldapConfigBase} ${ldapConfig}
+ chmod 600 ${ldapConfig}
+ ${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
+ chmod 400 ${ldapConfig}
 '';
 in {
+
+ age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
+
 networking.firewall.allowedTCPPorts = [ 143 993 ];
 services.dovecot2 = {
@@ -62,6 +77,9 @@ in {
 auth_mechanisms = plain login
 '';
 };
+
+ systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
+
 services.fail2ban.jails.dovecot = ''
 enabled = true
 '';
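Review bot: The context line `# TODO: check how this thing does lookups, apply bind dn` in the imap.nix hunk is now stale, because the added `dn = dn=token` and `dnpass = @DOVECOT2_LDAP_DNPASS@` lines are exactly that bind DN; replace it with `# dnpass placeholder is swapped for the agenix token by write-ldap-config (ExecStartPre) into /run; the store copy never holds the secret`. `write-ldap-config` copies into `/run/dovecot2/` but nothing in the hunk creates that directory, so the first start depends on the unit already declaring a RuntimeDirectory — worth confirming, or starting the script with `mkdir -p /run/dovecot2`. The value `dn = dn=token` reads as a single-RDN DN with attribute type `dn`; if that is a leftover placeholder rather than a real service entry, lookups that bind with `dnpass` will fail, so a comment naming the account it refers to would help. With `auth_bind = yes` and `auth_bind_userdn` set, that bind DN is presumably only used for the `pass_attrs` lookup rather than the password check itself, which is what the TODO was asking about. The `let` block holding these bindings begins before the hunk.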
diff --git a/hosts/VEGAS/services/mail/saslauthd.nix b/hosts/VEGAS/services/mail/saslauthd.nix
deleted file mode 100644
index 67bc1c5..0000000
--- a/hosts/VEGAS/services/mail/saslauthd.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, depot, ... }:
-let
- inherit (depot.lib.identity) ldap;
-in
-{
- services.saslauthd = {
- enable = true;
- mechanism = "ldap";
- package = pkgs.cyrus_sasl.override { enableLdap = true; };
- config = ''
- ldap_servers: ${ldap.server.url}
- ldap_filter: ${ldap.accounts.uidFilter}
- ldap_search_base: ${ldap.accounts.userSearchBase}
- ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
- '';
- };
-}
diff --git a/secrets.nix b/secrets.nix
index f1e7a13..5b0b418 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -50,6 +50,7 @@ in with hosts;
 "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
 "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
diff --git a/secrets/dovecot-ldap-token.age b/secrets/dovecot-ldap-token.age
new file mode 100644
index 0000000..0e18a5e
Binary files /dev/null and b/secrets/dovecot-ldap-token.age differ
diff --git a/secrets/postfix-ldap-mailboxes.age b/secrets/postfix-ldap-mailboxes.age
index 6ea7b72..4fb0caf 100644
Binary files a/secrets/postfix-ldap-mailboxes.age and b/secrets/postfix-ldap-mailboxes.age differ