From 8f82a4c5744fa67ca4d3f8fc781175948e028718 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Fri, 1 Nov 2024 21:26:34 +0400 Subject: [PATCH] minimal kanidm setup Only Roundcube and Dovecot communicate with Kanidm. --- sp-modules/auth/config-paths-needed.json | 7 + sp-modules/auth/flake.lock | 27 +++ sp-modules/auth/flake.nix | 34 ++++ sp-modules/auth/module.nix | 172 ++++++++++++++++++ sp-modules/roundcube/config-paths-needed.json | 1 + sp-modules/roundcube/module.nix | 57 +++++- 6 files changed, 294 insertions(+), 4 deletions(-) create mode 100644 sp-modules/auth/config-paths-needed.json create mode 100644 sp-modules/auth/flake.lock create mode 100644 sp-modules/auth/flake.nix create mode 100644 sp-modules/auth/module.nix diff --git a/sp-modules/auth/config-paths-needed.json b/sp-modules/auth/config-paths-needed.json new file mode 100644 index 0000000..f75f298 --- /dev/null +++ b/sp-modules/auth/config-paths-needed.json @@ -0,0 +1,7 @@ +[ + ["mailserver", "fqdn"], + ["security", "acme", "certs"], + ["selfprivacy", "domain"], + ["selfprivacy", "modules"], + ["services"] +] diff --git a/sp-modules/auth/flake.lock b/sp-modules/auth/flake.lock new file mode 100644 index 0000000..d9ce328 --- /dev/null +++ b/sp-modules/auth/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs-unstable": { + "locked": { + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/sp-modules/auth/flake.nix b/sp-modules/auth/flake.nix new file mode 100644 index 0000000..a86ec75 --- /dev/null +++ b/sp-modules/auth/flake.nix @@ -0,0 +1,34 @@ +{ + description = "User authentication and authorization module"; + + # TODO remove when working Kanidm lands in nixpkgs and Hydra + inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957; + + outputs = { self, nixpkgs-unstable }: { + overlays.default = _final: prev: { + inherit (nixpkgs-unstable.legacyPackages.${prev.system}) + kanidm kanidm-provision oauth2-proxy; + }; + + nixosModules.default = { ... }: { + disabledModules = [ + "services/security/kanidm.nix" + "services/security/oauth2-proxy.nix" + "services/security/oauth2-proxy-nginx.nix" + ]; + imports = [ + (nixpkgs-unstable.legacyPackages.x86_64-linux.path + + /nixos/modules/services/security/kanidm.nix) + (nixpkgs-unstable.legacyPackages.x86_64-linux.path + + /nixos/modules/services/security/oauth2-proxy.nix) + (nixpkgs-unstable.legacyPackages.x86_64-linux.path + + /nixos/modules/services/security/oauth2-proxy-nginx.nix) + ./module.nix + ]; + nixpkgs.overlays = [ self.overlays.default ]; + }; + + configPathsNeeded = + builtins.fromJSON (builtins.readFile ./config-paths-needed.json); + }; +} diff --git a/sp-modules/auth/module.nix b/sp-modules/auth/module.nix new file mode 100644 index 0000000..684915e --- /dev/null +++ b/sp-modules/auth/module.nix @@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: +let + domain = config.selfprivacy.domain; + cfg = config.selfprivacy.modules.auth; + auth-fqdn = cfg.subdomain + "." + domain; + oauth2-introspection-url = client_id: client_secret: + "https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect"; + oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration"; + + kanidm-bind-address = "127.0.0.1:3013"; + ldap_host = "127.0.0.1"; + ldap_port = 3636; + + dovecot-oauth2-conf-file = pkgs.writeTextFile { + name = "dovecot-oauth2.conf.ext"; + text = '' + introspection_mode = post + introspection_url = ${oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"} + client_id = roundcube + client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME + username_attribute = username + # scope = email groups profile openid dovecotprofile + scope = email profile openid + tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt + active_attribute = active + active_value = true + openid_configuration_url = ${oauth2-discovery-url "roundcube"} + debug = yes # FIXME + ''; + }; + + provisionAdminPassword = "abcd1234"; + provisionIdmAdminPassword = "abcd1234"; # FIXME +in +{ + options.selfprivacy.modules.auth = { + enable = lib.mkOption { + default = true; + type = lib.types.bool; + }; + subdomain = lib.mkOption { + default = "auth"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; + }; + + config = lib.mkIf cfg.enable { + # kanidm uses TLS in internal connection with nginx too + # FIXME revise this: maybe kanidm must not have access to a public TLS + users.groups."acmereceivers".members = [ "kanidm" ]; + + services.kanidm = { + enableServer = true; + + # kanidm with Rust code patches for OAuth and admin passwords provisioning + # package = pkgs.kanidm.withSecretProvisioning; + # FIXME + package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: { + version = "git"; + src = pkgs.fetchFromGitHub { + owner = "AleXoundOS"; + repo = "kanidm"; + rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2"; + hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8="; + }; + doCheck = false; + }); + + serverSettings = { + inherit domain; + # The origin for webauthn. This is the url to the server, with the port + # included if it is non-standard (any port except 443). This must match or + # be a descendent of the domain name you configure above. If these two + # items are not consistent, the server WILL refuse to start! + origin = "https://" + auth-fqdn; + + # TODO revise this: maybe kanidm must not have access to a public TLS + tls_chain = + "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; + tls_key = + "${config.security.acme.certs.${domain}.directory}/key.pem"; + + bindaddress = kanidm-bind-address; # nginx should connect to it + ldapbindaddress = "${ldap_host}:${toString ldap_port}"; + + # kanidm is behind a proxy + trust_x_forward_for = true; + + log_level = "trace"; # FIXME + }; + provision = { + enable = true; + autoRemove = false; + + # FIXME read randomly generated password from ? + adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword; + idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword; + }; + enableClient = true; + clientSettings = { + uri = "https://" + auth-fqdn; + verify_ca = false; # FIXME + verify_hostnames = false; # FIXME + }; + }; + + services.nginx = { + enable = true; + virtualHosts.${auth-fqdn} = { + useACMEHost = domain; + forceSSL = true; + locations."/" = { + proxyPass = + "https://${kanidm-bind-address}"; + }; + }; + }; + + # TODO move to mailserver module everything below + mailserver.debug = true; # FIXME + mailserver.mailDirectory = "/var/vmail"; + services.dovecot2.extraConfig = '' + auth_mechanisms = xoauth2 oauthbearer + + passdb { + driver = oauth2 + mechanisms = xoauth2 oauthbearer + args = ${dovecot-oauth2-conf-file} + } + + userdb { + driver = static + args = uid=virtualMail gid=virtualMail home=/var/vmail/%u + } + + # provide SASL via unix socket to postfix + service auth { + unix_listener /var/lib/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } + } + service auth { + unix_listener auth-userdb { + mode = 0660 + user = dovecot2 + } + unix_listener dovecot-auth { + mode = 0660 + # Assuming the default Postfix user and group + user = postfix + group = postfix + } + } + + #auth_username_format = %Ln + auth_debug = yes + auth_debug_passwords = yes # Be cautious with this in production as it logs passwords + auth_verbose = yes + mail_debug = yes + ''; + services.dovecot2.enablePAM = false; + services.postfix.extraConfig = '' + smtpd_sasl_local_domain = ${domain} + smtpd_relay_restrictions = permit_sasl_authenticated, reject + smtpd_sasl_type = dovecot + smtpd_sasl_path = private/auth + smtpd_sasl_auth_enable = yes + ''; + }; +} diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json index a650a1e..4ee28e6 100644 --- a/sp-modules/roundcube/config-paths-needed.json +++ b/sp-modules/roundcube/config-paths-needed.json @@ -1,5 +1,6 @@ [ ["selfprivacy", "domain"], ["selfprivacy", "modules", "roundcube"], + ["selfprivacy", "modules", "auth"], ["mailserver", "fqdn"] ] diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix index a279ff1..c88ecc6 100644 --- a/sp-modules/roundcube/module.nix +++ b/sp-modules/roundcube/module.nix @@ -1,7 +1,10 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let domain = config.selfprivacy.domain; cfg = config.selfprivacy.modules.roundcube; + auth-module = config.selfprivacy.modules.auth; + auth-fqdn = auth-module.subdomain + "." + domain; + oauth-client-id = "roundcube"; in { options.selfprivacy.modules.roundcube = { @@ -16,7 +19,6 @@ in }; config = lib.mkIf cfg.enable { - services.roundcube = { enable = true; # this is the url of the vhost, not necessarily the same as the fqdn of @@ -26,8 +28,22 @@ in # starttls needed for authentication, so the fqdn required to match # the certificate $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; - $config['smtp_user'] = "%u"; - $config['smtp_pass'] = "%p"; + # $config['smtp_user'] = "%u"; + # $config['smtp_pass'] = "%p"; + '' + lib.strings.optionalString auth-module.enable '' + $config['oauth_provider'] = 'generic'; + $config['oauth_provider_name'] = 'kanidm'; # FIXME + $config['oauth_client_id'] = '${oauth-client-id}'; + $config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME + + $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2'; + $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token'; + $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo'; + $config['oauth_scope'] = 'email profile openid'; + $config['oauth_auth_parameters'] = []; + $config['oauth_identity_fields'] = ['email']; + $config['oauth_login_redirect'] = true; + $config['auto_create_user'] = true; ''; }; services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = { @@ -43,5 +59,38 @@ in description = "Roundcube service slice"; }; }; + services.kanidm.serverSettings.provision.systems.oauth2.roundcube = + lib.mkIf auth-module.enable { + displayName = "Roundcube"; + originUrl = "https://${cfg.subdomain}.${domain}/"; + originLanding = "https://${cfg.subdomain}.${domain}/"; + basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME + preferShortUsername = false; + allowInsecureClientDisablePkce = true; # FIXME is it required? + scopeMaps.roundcube_users = [ + "email" + "openid" + "profile" + # "dovecotprofile" + # "groups" + ]; + }; + services.kanidm.provision.systems.oauth2.roundcube = + lib.mkIf auth-module.enable { + displayName = "Roundcube"; + originUrl = "https://${cfg.subdomain}.${domain}/"; + originLanding = "https://${cfg.subdomain}.${domain}/"; + basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; + # when true, name is passed to a service instead of name@domain + preferShortUsername = false; + allowInsecureClientDisablePkce = true; # FIXME is it needed? + scopeMaps.roundcube_users = [ + "email" + # "groups" + "profile" + "openid" + # "dovecotprofile" + ]; + }; }; }