From ea29ed2375d6c87943b385385aecb1b0be172c8b Mon Sep 17 00:00:00 2001
From: Max
Date: Wed, 25 Oct 2023 19:30:49 +0200
Subject: [PATCH] VEGAS/mail: adjust ldap settings for idm-ldap

---
 hosts/VEGAS/services/mail/default.nix | 1 -
 hosts/VEGAS/services/mail/imap.nix | 22 ++++++++++++++++++++--
 hosts/VEGAS/services/mail/saslauthd.nix | 17 -----------------
 secrets.nix | 1 +
 secrets/dovecot-ldap-token.age | Bin 0 -> 1256 bytes
 secrets/postfix-ldap-mailboxes.age | Bin 790 -> 1522 bytes
 6 files changed, 21 insertions(+), 20 deletions(-)
 delete mode 100644 hosts/VEGAS/services/mail/saslauthd.nix
 create mode 100644 secrets/dovecot-ldap-token.age

diff --git a/hosts/VEGAS/services/mail/default.nix b/hosts/VEGAS/services/mail/default.nix
index 1a899d8..ec3cf0c 100644
--- a/hosts/VEGAS/services/mail/default.nix
+++ b/hosts/VEGAS/services/mail/default.nix
@@ -4,7 +4,6 @@
     ./imap.nix
     ./opendkim.nix
     ./postfix.nix
-    ./saslauthd.nix
   ];
   services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
     enableACME = true;
diff --git a/hosts/VEGAS/services/mail/imap.nix b/hosts/VEGAS/services/mail/imap.nix
index 76bfff2..b89510f 100644
--- a/hosts/VEGAS/services/mail/imap.nix
+++ b/hosts/VEGAS/services/mail/imap.nix
@@ -9,16 +9,31 @@ let
   certDir = config.security.acme.certs."mail.${domain}".directory;
   # TODO: check how this thing does lookups, apply bind dn
-  ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
+
+  ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
     uris = ${ldap.server.url}
     auth_bind = yes
     auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
     base = ${userSearchBase}
-    pass_filter = (uid=%n)
+    pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
     pass_attrs = uid=user
+    dn = dn=token
+    dnpass = @DOVECOT2_LDAP_DNPASS@
+  '';
+
+  ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
+
+  writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
+    cp ${ldapConfigBase} ${ldapConfig}
+    chmod 600 ${ldapConfig}
+    ${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
+    chmod 400 ${ldapConfig}
   '';
 in {
+
+  age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
+
   networking.firewall.allowedTCPPorts = [ 143 993 ];
   services.dovecot2 = {
@@ -62,6 +77,9 @@ in {
       auth_mechanisms = plain login
     '';
   };
+
+  systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
+
   services.fail2ban.jails.dovecot = ''
     enabled = true
   '';
diff --git a/hosts/VEGAS/services/mail/saslauthd.nix b/hosts/VEGAS/services/mail/saslauthd.nix
deleted file mode 100644
index 67bc1c5..0000000
--- a/hosts/VEGAS/services/mail/saslauthd.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, depot, ... }:
-let
-  inherit (depot.lib.identity) ldap;
-in
-{
-  services.saslauthd = {
-    enable = true;
-    mechanism = "ldap";
-    package = pkgs.cyrus_sasl.override { enableLdap = true; };
-    config = ''
-      ldap_servers: ${ldap.server.url}
-      ldap_filter: ${ldap.accounts.uidFilter}
-      ldap_search_base: ${ldap.accounts.userSearchBase}
-      ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
-    '';
-  };
-}
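Review bot: The new `write-ldap-config` script creates the runtime config with `cp` and only then narrows it with `chmod 600`, and on a service restart that `cp` has to write over the 0400 file left behind by the previous run, which succeeds only when this ExecStartPre runs as root. Replacing the first two lines with `install -m 600 ${ldapConfigBase} ${ldapConfig}` creates the file with the intended mode in one step (the copy holds only the `@DOVECOT2_LDAP_DNPASS@` placeholder at that point, so the umask window itself leaks nothing) and keeps working on restart regardless of the unit's user. Separately, with `auth_bind = yes` and `auth_bind_userdn` both set, Dovecot appears to bind directly as the templated user DN instead of searching, so the stricter `pass_filter` with `objectClass=person` may never be evaluated during authentication; confirm against the Dovecot LDAP documentation before treating it as a restriction on who may log in. The `# TODO: check how this thing does lookups, apply bind dn` comment kept above `ldapConfigBase` is now partly done by the `dn`/`dnpass` lines, so rewrite it to name what is still open, e.g. `# TODO: confirm whether auth_bind_userdn bypasses the pass_filter search`.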
diff --git a/secrets.nix b/secrets.nix
index f1e7a13..5b0b418 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -50,6 +50,7 @@ in with hosts;
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
diff --git a/secrets/dovecot-ldap-token.age b/secrets/dovecot-ldap-token.age new file mode 100644 index 0000000000000000000000000000000000000000..0e18a5e00c593b52268f39940fd7515c50c46fb4 GIT binary patch literal 1256 zcmVoXAUJhcFLH53Oj$%{YBXtNOE^VHPGfj&Qg<bS zRB?8CM{`(gb~#s0c}q=MIY)P7ST;^qL~~rcT;&yV>AjaJ|Hw# zNiAn`Wnpt=AWGmZCPP4Xy3MXI(Qmc_=MF_dnT?b9$96_-zDUn*&^u$PUbxSo~IWfg} z)~i@{e;rC-Kw)HiK`VR}(}OIy&OE6Lu!Bdr{h1nJlrje=89lI_lJs3jv$TvU#xpa^uT_N#XRt7% z(og40KrqzuS>qQ4jD}OHPgg5U39y7#E#2(rcJa_eYeBMf*vN>Z9s9Qjln`j_5{EKj zMF%nRgHaxVs!tS|c#Sb?p)}A6)PpzjzJsT-xAn#p^U?c|zb*)8c|Q+F;&b6h@N-7Q5m zPU@YhuhJ$YtnxTW$zLb}zwC4aqbL&3!3IknQDdv9Ri=6`8+;z{7UL#@*WIjCybO{0 zJLjUJ4$V<)K*1HzosI1AR#hsN8wERh61B%_hPBtFx^vE2?(0Z&^?fGitTnSH@0Dnd zha~=VUnJ1J`C;#(YLs?{R5r?dkksm6#rT3(u62NlS5n12s_d&*--|j}WIFs7vhwfb zQgLT%t1NWjmv0{!>9+@8KL+lC7UPAwR+1H#f@gCjs8Z*#mbS2s6?tK1e+bW+tCQNJ z^b*bGP!NxD;rF})-mP13f3-G8E77oThCUZ)t5xf!<8w!#Xv|m7%Fh#{!m9(hE0d(-?CFpBBYJ;DsFoWe)DGLWZ%cT8Ya zK!IqDRL<2_E|fa=pSJt>V6&NC5oIvx8(;xGxSz^9F>0wB!Ir3Cras99cP&^=`H{EU SFrS_U)gN>Z9!tdQLP$ zM|W*!RSGa^Id?%gXLW2jLPBCtVOLFcL{>O+V{I#DWG`wrOf_LRGju{QX>U?mSqd#a zAaiqQEoEdfH8n9gAT=*~R4{iSYh_YMYI<36Q8aQ%OHpxpRYp}%OLH+*HBfC#HBdKk zMNwr$N?2o4W@c$H3O7P^H+gnVbulYgRyJWvc}H%25NLL^_DIjrfK{p{IU?U2Db8Jg=b#y{bIb}y-IZ{-4Yf4vU zOHO%8Y-b8BEiE8+M?z*;SwvwqWG_f~VR>$8MoTMhRYYt{d235}XEIk%R7h-OdN*lB zR&xsYjW!^RQY*`*@NFu(T)vaLjgkC&BX|UWr79F@&zU0?p)z{fK^Oi1w@uW4_4uDq zw`DtjnB|ZtfH94tmm}Uo1rwXp$&`fz#y#9hr*4CL9oM$gHn;~^`Frs14*do2!~uwa zrXCAX`jZn~Q|Nusn$Qx-Zy!-62f8#HmsE6pO*KscxescAHzYO^m*{d-UoY*+)O`aidl54){K3|Dh z?)maY1PSgRH!BvZ?u37@M?%V$&!NK{JG3kQs=(atd-Fl5DHu=rC4vi}72`FLeVDN! zHHdIm{Q0BU6-w0f58A|lW|r{Gt&KA@DqS)2FOnUbO@5Z=l3i_WdZsU&Qp8baQ3Vly z`@E|IH1rY7K`^zM`&mgOi%G&ekb{C&*KM`Ps{S`4Pu1(k8Zxs}s*B@K8mEOsNKzKD z?`e@%?HcF6g8qYP3YWTty! 
zpDrfKFtzA}7)+|>bmOPaM4`Gj>;7DSax$CsZDq_v2*+3bDH6#Y(G@6jq}e5QZgIr zg8vCh-!;%ACi^z6Atssfl_;$;v7BX^cg+8u)jU19)nE%{FZ$zDZgs^BBoVsw}Jm_86_e^0)y5FSW0G_0YrtDa82vG7LX>SXpe9dx2a4MUvD% zXPKQ)_$WzE{8gEuHcLwXKqjX`KK*U7edp#ShOFI_Q^d2e+`KbLl&N~azBCjZ;|xX+ zgR&QwMxtY@i#G!*xNmCUCp61{>m9A`q@@-!U!si9Cu0`{b1Q+`*O5QgG=0mWy>3?b zJPx8LqAdnON(cn3IPd98@?%>~gqmnN5oU>%6B< z!W}tde<}s}AkbW>Npt#xJ4eR#8&E`&70$EP9;B7AEdzU`UynMcyv1{W4V-(tH+qI3 zs0g7yJQbojKi1f^=ZA)me!NQX1u|m02T=n{W)P|R;k3- z)F(JeVuxGu(>m(Mk>&b1hwKrVwD(ez6NU$BN(*cdpn(Sg8b9R8wI$WK45TcQkEzac4Ix zD`-P#Q3`TaLwQ6|c~CN9bT(v5L|JDySY_MOAG^Q3@?S zAaiqQEoEdfH8n9gAT=*~R4{iScX)YCcxgvtV|8w2Lv(0QYeq>;bT}_|Gf`t@X*PIO zax+0}bxurGaz;^W3R!kVVqsc1V@6mpF>6dUM=wipF;!PXL18miI7V-7ZcuACa4=DG zaAr|Sk?|LQNib7zLS!pYdTDD!XGAn)cQQyYNH1$kRYPoPZbngPNp)#xc{5TmFhw{D zZD@K_Wp^?;NJVCJcsMY3FIQ?oOm1s9P-J*UVNGp$X;gSbId(BrLP}K%Ej}P8Ix;P1 za%Ew2WguQ)B`peNIayLiXhkq}RZd1sNOn+fOiea_P;+ZhXf#1iLUTe!WllH>EiEk| zZAnf{PdPz&a&CB8I8pa_$#jucB5#eR zQ$@&V0tZ>S)gb6MDxO;F{}bZ&j#fbYd@C;n;lnrqT8)XWASXiHWynZ9=7yw}=z=07hTa@E z>ojR#r3)uBzQpWG!z`<{m+#?%aErh=S7(qD#Y~QI*x%U6 z^3N@ND#&l_^rzH5J~Dd^sYB4g&}|ou84crqSkIB`L%JN=VnS2OfA-Zls^*(ebGe3t z9{=5`!;1gef*N*g7LD2VM)ca>5E!T^z;U+L)#uqPWpCzKX>Ih4&P^4Y=I))y_)wxJ zG@1u|LiiG26_;@d>r4A77OUn)q*Q+>eUEBl!_Ks{uKQt|-7?2XM(L39;5PMD5}zm% VYh3EenNr$^{KSPykowOvFpK~I