VEGAS/mail: adjust ldap settings for idm-ldap

hosts/VEGAS/services/mail/default.nix

@@ -4,7 +4,6 @@
     ./imap.nix
     ./opendkim.nix
     ./postfix.nix
-    ./saslauthd.nix
   ];
   services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
     enableACME = true;

hosts/VEGAS/services/mail/imap.nix

@@ -9,16 +9,31 @@ let
   certDir = config.security.acme.certs."mail.${domain}".directory;
 
   # TODO: check how this thing does lookups, apply bind dn
-  ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
+
+  ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
     uris = ${ldap.server.url}
 
     auth_bind = yes
     auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
     base = ${userSearchBase}
-    pass_filter = (uid=%n)
+    pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
     pass_attrs = uid=user
+    dn = dn=token
+    dnpass = @DOVECOT2_LDAP_DNPASS@
+  '';
+
+  ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
+
+  writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
+    cp ${ldapConfigBase} ${ldapConfig}
+    chmod 600 ${ldapConfig}
+    ${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
+    chmod 400 ${ldapConfig}
   '';
 in {
+
+  age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
+
   networking.firewall.allowedTCPPorts = [ 143 993 ];
 
   services.dovecot2 = {
@@ -62,6 +77,9 @@ in {
       auth_mechanisms = plain login
     '';
   };
+
+  systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
+
   services.fail2ban.jails.dovecot = ''
     enabled = true
   '';

hosts/VEGAS/services/mail/saslauthd.nix

@@ -1,17 +0,0 @@
-{ pkgs, depot, ... }:
-let
-  inherit (depot.lib.identity) ldap;
-in
-{
-  services.saslauthd = {
-    enable = true;
-    mechanism = "ldap";
-    package = pkgs.cyrus_sasl.override { enableLdap = true; };
-    config = ''
-      ldap_servers: ${ldap.server.url}
-      ldap_filter: ${ldap.accounts.uidFilter}
-      ldap_search_base: ${ldap.accounts.userSearchBase}
-      ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
-    '';
-  };
-}

secrets.nix

@@ -50,6 +50,7 @@ in with hosts;
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];