minimal kanidm setup

Only Roundcube and Dovecot communicate with Kanidm.
2024-11-22 03:41:26 +00:00 · 2024-11-01 21:26:34 +04:00 · 2024-11-01 21:26:34 +04:00 · 8f82a4c574
parent 4b0dfcd23c
commit 8f82a4c574
6 changed files with 294 additions and 4 deletions
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@ -0,0 +1,7 @@
+[
+  ["mailserver", "fqdn"],
+  ["security", "acme", "certs"],
+  ["selfprivacy", "domain"],
+  ["selfprivacy", "modules"],
+  ["services"]
+]
--- a/sp-modules/auth/flake.lock
+++ b/sp-modules/auth/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1725194671,
+        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs-unstable": "nixpkgs-unstable"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/sp-modules/auth/flake.nix
+++ b/sp-modules/auth/flake.nix
@ -0,0 +1,34 @@
+{
+  description = "User authentication and authorization module";
+
+  # TODO remove when working Kanidm lands in nixpkgs and Hydra
+  inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
+
+  outputs = { self, nixpkgs-unstable }: {
+    overlays.default = _final: prev: {
+      inherit (nixpkgs-unstable.legacyPackages.${prev.system})
+        kanidm kanidm-provision oauth2-proxy;
+    };
+
+    nixosModules.default = { ... }: {
+      disabledModules = [
+        "services/security/kanidm.nix"
+        "services/security/oauth2-proxy.nix"
+        "services/security/oauth2-proxy-nginx.nix"
+      ];
+      imports = [
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/kanidm.nix)
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/oauth2-proxy.nix)
+        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
+          + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
+        ./module.nix
+      ];
+      nixpkgs.overlays = [ self.overlays.default ];
+    };
+
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+  };
+}
--- a/sp-modules/auth/module.nix
+++ b/sp-modules/auth/module.nix
@ -0,0 +1,172 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = config.selfprivacy.domain;
+  cfg = config.selfprivacy.modules.auth;
+  auth-fqdn = cfg.subdomain + "." + domain;
+  oauth2-introspection-url = client_id: client_secret:
+    "https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect";
+  oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+
+  kanidm-bind-address = "127.0.0.1:3013";
+  ldap_host = "127.0.0.1";
+  ldap_port = 3636;
+
+  dovecot-oauth2-conf-file = pkgs.writeTextFile {
+    name = "dovecot-oauth2.conf.ext";
+    text = ''
+      introspection_mode = post
+      introspection_url = ${oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
+      client_id = roundcube
+      client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
+      username_attribute = username
+      # scope = email groups profile openid dovecotprofile
+      scope = email profile openid
+      tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+      active_attribute = active
+      active_value = true
+      openid_configuration_url = ${oauth2-discovery-url "roundcube"}
+      debug = yes # FIXME
+    '';
+  };
+
+  provisionAdminPassword = "abcd1234";
+  provisionIdmAdminPassword = "abcd1234"; # FIXME
+in
+{
+  options.selfprivacy.modules.auth = {
+    enable = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+    };
+    subdomain = lib.mkOption {
+      default = "auth";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # kanidm uses TLS in internal connection with nginx too
+    # FIXME revise this: maybe kanidm must not have access to a public TLS
+    users.groups."acmereceivers".members = [ "kanidm" ];
+
+    services.kanidm = {
+      enableServer = true;
+
+      # kanidm with Rust code patches for OAuth and admin passwords provisioning
+      # package = pkgs.kanidm.withSecretProvisioning;
+      # FIXME
+      package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
+        version = "git";
+        src = pkgs.fetchFromGitHub {
+          owner = "AleXoundOS";
+          repo = "kanidm";
+          rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
+          hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
+        };
+        doCheck = false;
+      });
+
+      serverSettings = {
+        inherit domain;
+        # The origin for webauthn. This is the url to the server, with the port
+        # included if it is non-standard (any port except 443). This must match or
+        # be a descendent of the domain name you configure above. If these two
+        # items are not consistent, the server WILL refuse to start!
+        origin = "https://" + auth-fqdn;
+
+        # TODO revise this: maybe kanidm must not have access to a public TLS
+        tls_chain =
+          "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+        tls_key =
+          "${config.security.acme.certs.${domain}.directory}/key.pem";
+
+        bindaddress = kanidm-bind-address; # nginx should connect to it
+        ldapbindaddress = "${ldap_host}:${toString ldap_port}";
+
+        # kanidm is behind a proxy
+        trust_x_forward_for = true;
+
+        log_level = "trace"; # FIXME
+      };
+      provision = {
+        enable = true;
+        autoRemove = false;
+
+        # FIXME read randomly generated password from ?
+        adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
+        idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
+      };
+      enableClient = true;
+      clientSettings = {
+        uri = "https://" + auth-fqdn;
+        verify_ca = false; # FIXME
+        verify_hostnames = false; # FIXME
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts.${auth-fqdn} = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass =
+            "https://${kanidm-bind-address}";
+        };
+      };
+    };
+
+    # TODO move to mailserver module everything below
+    mailserver.debug = true; # FIXME
+    mailserver.mailDirectory = "/var/vmail";
+    services.dovecot2.extraConfig = ''
+      auth_mechanisms = xoauth2 oauthbearer
+
+      passdb {
+        driver = oauth2
+        mechanisms = xoauth2 oauthbearer
+        args = ${dovecot-oauth2-conf-file}
+      }
+
+      userdb {
+        driver = static
+        args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
+      }
+
+      # provide SASL via unix socket to postfix
+      service auth {
+        unix_listener /var/lib/postfix/private/auth {
+          mode = 0660
+          user = postfix
+          group = postfix
+        }
+      }
+      service auth {
+        unix_listener auth-userdb {
+          mode = 0660
+          user = dovecot2
+        }
+        unix_listener dovecot-auth {
+          mode = 0660
+          # Assuming the default Postfix user and group
+          user = postfix
+          group = postfix
+        }
+      }
+
+      #auth_username_format = %Ln
+      auth_debug = yes
+      auth_debug_passwords = yes  # Be cautious with this in production as it logs passwords
+      auth_verbose = yes
+      mail_debug = yes
+    '';
+    services.dovecot2.enablePAM = false;
+    services.postfix.extraConfig = ''
+      smtpd_sasl_local_domain = ${domain}
+      smtpd_relay_restrictions = permit_sasl_authenticated, reject
+      smtpd_sasl_type = dovecot
+      smtpd_sasl_path = private/auth
+      smtpd_sasl_auth_enable = yes
+    '';
+  };
+}
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@ -1,5 +1,6 @@
 [
  ["selfprivacy", "domain"],
  ["selfprivacy", "modules", "roundcube"],
+  ["selfprivacy", "modules", "auth"],
  ["mailserver", "fqdn"]
 ]
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@ -1,7 +1,10 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.roundcube;
+  auth-module = config.selfprivacy.modules.auth;
+  auth-fqdn = auth-module.subdomain + "." + domain;
+  oauth-client-id = "roundcube";
 in
 {
  options.selfprivacy.modules.roundcube = {
@ -16,7 +19,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-
    services.roundcube = {
      enable = true;
      # this is the url of the vhost, not necessarily the same as the fqdn of
@ -26,8 +28,22 @@ in
        # starttls needed for authentication, so the fqdn required to match
        # the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
-        $config['smtp_user'] = "%u";
-        $config['smtp_pass'] = "%p";
+        # $config['smtp_user'] = "%u";
+        # $config['smtp_pass'] = "%p";
+      '' + lib.strings.optionalString auth-module.enable ''
+        $config['oauth_provider'] = 'generic';
+        $config['oauth_provider_name'] = 'kanidm'; # FIXME
+        $config['oauth_client_id'] = '${oauth-client-id}';
+        $config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME
+
+        $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
+        $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
+        $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
+        $config['oauth_scope'] = 'email profile openid';
+        $config['oauth_auth_parameters'] = [];
+        $config['oauth_identity_fields'] = ['email'];
+        $config['oauth_login_redirect'] = true;
+        $config['auto_create_user'] = true;
      '';
    };
    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
@ -43,5 +59,38 @@ in
        description = "Roundcube service slice";
      };
    };
+    services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
+      lib.mkIf auth-module.enable {
+        displayName = "Roundcube";
+        originUrl = "https://${cfg.subdomain}.${domain}/";
+        originLanding = "https://${cfg.subdomain}.${domain}/";
+        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
+        preferShortUsername = false;
+        allowInsecureClientDisablePkce = true; # FIXME is it required?
+        scopeMaps.roundcube_users = [
+          "email"
+          "openid"
+          "profile"
+          # "dovecotprofile"
+          # "groups"
+        ];
+      };
+    services.kanidm.provision.systems.oauth2.roundcube =
+      lib.mkIf auth-module.enable {
+        displayName = "Roundcube";
+        originUrl = "https://${cfg.subdomain}.${domain}/";
+        originLanding = "https://${cfg.subdomain}.${domain}/";
+        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
+        # when true, name is passed to a service instead of name@domain
+        preferShortUsername = false;
+        allowInsecureClientDisablePkce = true; # FIXME is it needed?
+        scopeMaps.roundcube_users = [
+          "email"
+          # "groups"
+          "profile"
+          "openid"
+          # "dovecotprofile"
+        ];
+      };
  };
 }