VEGAS/mail: adjust ldap settings for idm-ldap

Max Headroom 2023-10-25 19:30:49 +02:00
parent 25b62a503e
commit ea29ed2375
6 changed files with 21 additions and 20 deletions


@ -4,7 +4,6 @@
./imap.nix ./imap.nix
./opendkim.nix ./opendkim.nix
./postfix.nix ./postfix.nix
./saslauthd.nix
]; ];
services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = { services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
enableACME = true; enableACME = true;
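Review bot: Removing `./saslauthd.nix` from the imports list drops the only SASL backend declared in this directory, and nothing in the visible sections adds a replacement; postfix.nix does not appear among the changed files in the diffstat. If postfix.nix still points `smtpd_sasl_type`/`smtpd_sasl_path` at cyrus/saslauthd, submission authentication stops working with this commit, whereas if it already uses Dovecot's auth socket this is fine — worth confirming before merge. The removed module also carried `ldap_filter` and `ldapdb_canon_attr` settings that are not reproduced elsewhere in the visible hunks.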


@ -9,16 +9,31 @@ let
certDir = config.security.acme.certs."mail.${domain}".directory; certDir = config.security.acme.certs."mail.${domain}".directory;
# TODO: check how this thing does lookups, apply bind dn # TODO: check how this thing does lookups, apply bind dn
ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
uris = ${ldap.server.url} uris = ${ldap.server.url}
auth_bind = yes auth_bind = yes
auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase} auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
base = ${userSearchBase} base = ${userSearchBase}
pass_filter = (uid=%n) pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
pass_attrs = uid=user pass_attrs = uid=user
dn = dn=token
dnpass = @DOVECOT2_LDAP_DNPASS@
'';
ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
cp ${ldapConfigBase} ${ldapConfig}
chmod 600 ${ldapConfig}
${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
chmod 400 ${ldapConfig}
''; '';
in { in {
age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
networking.firewall.allowedTCPPorts = [ 143 993 ]; networking.firewall.allowedTCPPorts = [ 143 993 ];
services.dovecot2 = { services.dovecot2 = {
@ -62,6 +77,9 @@ in {
auth_mechanisms = plain login auth_mechanisms = plain login
''; '';
}; };
systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
services.fail2ban.jails.dovecot = '' services.fail2ban.jails.dovecot = ''
enabled = true enabled = true
''; '';
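Review bot: The `write-ldap-config` script body has no `set -e`, so if `replace-secret` fails (for instance because the age secret path is missing or unreadable) the trailing `chmod 400` still succeeds, ExecStartPre exits 0, and Dovecot starts with the literal `@DOVECOT2_LDAP_DNPASS@` placeholder as `dnpass`; prefix the script with `set -euo pipefail` so a failed substitution aborts the unit start. The file is also left at mode 0400 owned by whoever runs ExecStartPre (presumably root), so confirm that the Dovecot process which actually opens the LDAP config (the auth service) runs as root, or chown it to that user before the final chmod. As far as I recall the passdb-ldap documentation, setting `auth_bind_userdn` makes Dovecot skip the passdb search entirely, in which case the new `(objectClass=person)` term in `pass_filter` has no effect and the `dn`/`dnpass` bind only matters for userdb lookups — worth verifying against the docs. The `# TODO: check how this thing does lookups, apply bind dn` comment just above `ldapConfigBase` is now at least partly addressed by `dn = dn=token` and should be updated or dropped.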


@ -1,17 +0,0 @@
{ pkgs, depot, ... }:
let
inherit (depot.lib.identity) ldap;
in
{
services.saslauthd = {
enable = true;
mechanism = "ldap";
package = pkgs.cyrus_sasl.override { enableLdap = true; };
config = ''
ldap_servers: ${ldap.server.url}
ldap_filter: ${ldap.accounts.uidFilter}
ldap_search_base: ${ldap.accounts.userSearchBase}
ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
'';
};
}


@ -50,6 +50,7 @@ in with hosts;
"cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];

Binary file not shown.

Binary file not shown.