VEGAS/mail: adjust ldap settings for idm-ldap

2023-10-25 19:30:49 +02:00 · 2023-10-25 19:30:49 +02:00 · ea29ed2375
commit ea29ed2375
parent 25b62a503e
6 changed files with 21 additions and 20 deletions
--- a/hosts/VEGAS/services/mail/default.nix
+++ b/hosts/VEGAS/services/mail/default.nix
@ -4,7 +4,6 @@
    ./imap.nix
    ./opendkim.nix
    ./postfix.nix
-    ./saslauthd.nix
  ];
  services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
    enableACME = true;
--- a/hosts/VEGAS/services/mail/imap.nix
+++ b/hosts/VEGAS/services/mail/imap.nix
@ -9,16 +9,31 @@ let
  certDir = config.security.acme.certs."mail.${domain}".directory;

  # TODO: check how this thing does lookups, apply bind dn
-  ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
+
+  ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
    uris = ${ldap.server.url}

    auth_bind = yes
    auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
    base = ${userSearchBase}
-    pass_filter = (uid=%n)
+    pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
    pass_attrs = uid=user
+    dn = dn=token
+    dnpass = @DOVECOT2_LDAP_DNPASS@
+  '';
+
+  ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
+
+  writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
+    cp ${ldapConfigBase} ${ldapConfig}
+    chmod 600 ${ldapConfig}
+    ${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
+    chmod 400 ${ldapConfig}
  '';
 in {
+
+  age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
+
  networking.firewall.allowedTCPPorts = [ 143 993 ];

  services.dovecot2 = {
@ -62,6 +77,9 @@ in {
      auth_mechanisms = plain login
    '';
  };
+
+  systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
+
  services.fail2ban.jails.dovecot = ''
    enabled = true
  '';
--- a/hosts/VEGAS/services/mail/saslauthd.nix
+++ b/hosts/VEGAS/services/mail/saslauthd.nix
@ -1,17 +0,0 @@
-{ pkgs, depot, ... }:
-let
-  inherit (depot.lib.identity) ldap;
-in
-{
-  services.saslauthd = {
-    enable = true;
-    mechanism = "ldap";
-    package = pkgs.cyrus_sasl.override { enableLdap = true; };
-    config = ''
-      ldap_servers: ${ldap.server.url}
-      ldap_filter: ${ldap.accounts.uidFilter}
-      ldap_search_base: ${ldap.accounts.userSearchBase}
-      ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
-    '';
-  };
-}
--- a/secrets.nix
+++ b/secrets.nix
@ -50,6 +50,7 @@ in with hosts;
  "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
  "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
--- a/secrets/dovecot-ldap-token.age
+++ b/secrets/dovecot-ldap-token.age
--- a/secrets/postfix-ldap-mailboxes.age
+++ b/secrets/postfix-ldap-mailboxes.age