VEGAS/mail: adjust ldap settings for idm-ldap
This commit is contained in:
parent
25b62a503e
commit
ea29ed2375
6 changed files with 21 additions and 20 deletions
|
@ -4,7 +4,6 @@
|
|||
./imap.nix
|
||||
./opendkim.nix
|
||||
./postfix.nix
|
||||
./saslauthd.nix
|
||||
];
|
||||
services.nginx.virtualHosts."mail.${depot.lib.meta.domain}" = {
|
||||
enableACME = true;
|
||||
|
|
|
@ -9,16 +9,31 @@ let
|
|||
certDir = config.security.acme.certs."mail.${domain}".directory;
|
||||
|
||||
# TODO: check how this thing does lookups, apply bind dn
|
||||
ldapConfig = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
|
||||
|
||||
ldapConfigBase = with ldap.accounts; pkgs.writeText "dovecot-ldap.conf.ext" ''
|
||||
uris = ${ldap.server.url}
|
||||
|
||||
auth_bind = yes
|
||||
auth_bind_userdn = ${uidAttribute}=%n,${userSearchBase}
|
||||
base = ${userSearchBase}
|
||||
pass_filter = (uid=%n)
|
||||
pass_filter = (&(objectClass=person)(${uidAttribute}=%n))
|
||||
pass_attrs = uid=user
|
||||
dn = dn=token
|
||||
dnpass = @DOVECOT2_LDAP_DNPASS@
|
||||
'';
|
||||
|
||||
ldapConfig = "/run/dovecot2/dovecot-ldap.conf.ext";
|
||||
|
||||
writeLdapConfig = pkgs.writeShellScriptBin "write-ldap-config" ''
|
||||
cp ${ldapConfigBase} ${ldapConfig}
|
||||
chmod 600 ${ldapConfig}
|
||||
${pkgs.replace-secret}/bin/replace-secret '@DOVECOT2_LDAP_DNPASS@' "${config.age.secrets.dovecotLdapToken.path}" ${ldapConfig}
|
||||
chmod 400 ${ldapConfig}
|
||||
'';
|
||||
in {
|
||||
|
||||
age.secrets.dovecotLdapToken.file = ../../../../secrets/dovecot-ldap-token.age;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 143 993 ];
|
||||
|
||||
services.dovecot2 = {
|
||||
|
@ -62,6 +77,9 @@ in {
|
|||
auth_mechanisms = plain login
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.dovecot2.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];
|
||||
|
||||
services.fail2ban.jails.dovecot = ''
|
||||
enabled = true
|
||||
'';
|
||||
|
|
|
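Review bot: The write-ldap-config script creates `${ldapConfig}` with `cp` and only then tightens it with `chmod 600`, so for a moment the file carries whatever mode `cp` gives it from the store copy; the template holds no secret yet at that point, so the exposure is small, but `install -m 600 ${ldapConfigBase} ${ldapConfig}` creates it with the restrictive mode in one step and makes the intent clearer. The `# TODO: check how this thing does lookups, apply bind dn` comment survives the change even though this hunk now sets `dn = dn=token` and `dnpass`, so it should be dropped or narrowed to what is still open. On the lookup question itself, if I read Dovecot's auth-bind semantics right, setting `auth_bind_userdn` makes passdb bind directly as that DN without searching, so `pass_filter` and `pass_attrs` may only take effect for the userdb/search path — worth confirming against the Dovecot LDAP docs before relying on the `objectClass=person` filter as a restriction. The enclosing `let` block and the `services.dovecot2` attribute set continue outside this hunk.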
@ -1,17 +0,0 @@
|
|||
{ pkgs, depot, ... }:
|
||||
let
|
||||
inherit (depot.lib.identity) ldap;
|
||||
in
|
||||
{
|
||||
services.saslauthd = {
|
||||
enable = true;
|
||||
mechanism = "ldap";
|
||||
package = pkgs.cyrus_sasl.override { enableLdap = true; };
|
||||
config = ''
|
||||
ldap_servers: ${ldap.server.url}
|
||||
ldap_filter: ${ldap.accounts.uidFilter}
|
||||
ldap_search_base: ${ldap.accounts.userSearchBase}
|
||||
ldapdb_canon_attr: ${ldap.accounts.uidAttribute}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -50,6 +50,7 @@ in with hosts;
|
|||
"cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
|
||||
"secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/dovecot-ldap-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
|
|
BIN
secrets/dovecot-ldap-token.age
Normal file
BIN
secrets/dovecot-ldap-token.age
Normal file
Binary file not shown.
Binary file not shown.