minimal kanidm setup

Only Roundcube and Dovecot communicate with Kanidm.
2024-11-22 11:41:26 +00:00 · 2024-11-01 21:26:34 +04:00 · 2024-11-01 21:26:34 +04:00 · 8f82a4c574
parent 4b0dfcd23c
commit 8f82a4c574
6 changed files with 294 additions and 4 deletions
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@ -0,0 +1,7 @@
 [
  ["mailserver", "fqdn"],
  ["security", "acme", "certs"],
  ["selfprivacy", "domain"],
  ["selfprivacy", "modules"],
  ["services"]
 ]
--- a/sp-modules/auth/flake.lock
+++ b/sp-modules/auth/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1725194671,
        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/sp-modules/auth/flake.nix
+++ b/sp-modules/auth/flake.nix
@ -0,0 +1,34 @@
 {
  description = "User authentication and authorization module";
  # TODO remove when working Kanidm lands in nixpkgs and Hydra
  inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
  outputs = { self, nixpkgs-unstable }: {
    overlays.default = _final: prev: {
      inherit (nixpkgs-unstable.legacyPackages.${prev.system})
        kanidm kanidm-provision oauth2-proxy;
    };
    nixosModules.default = { ... }: {
      disabledModules = [
        "services/security/kanidm.nix"
        "services/security/oauth2-proxy.nix"
        "services/security/oauth2-proxy-nginx.nix"
      ];
      imports = [
        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/kanidm.nix)
        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/oauth2-proxy.nix)
        (nixpkgs-unstable.legacyPackages.x86_64-linux.path
          + /nixos/modules/services/security/oauth2-proxy-nginx.nix)
        ./module.nix
      ];
      nixpkgs.overlays = [ self.overlays.default ];
    };
    configPathsNeeded =
      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
  };
 }
--- a/sp-modules/auth/module.nix
+++ b/sp-modules/auth/module.nix
@ -0,0 +1,172 @@
 { config, lib, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.auth;
  auth-fqdn = cfg.subdomain + "." + domain;
  oauth2-introspection-url = client_id: client_secret:
    "https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect";
  oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
  kanidm-bind-address = "127.0.0.1:3013";
  ldap_host = "127.0.0.1";
  ldap_port = 3636;
  dovecot-oauth2-conf-file = pkgs.writeTextFile {
    name = "dovecot-oauth2.conf.ext";
    text = ''
      introspection_mode = post
      introspection_url = ${oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
      client_id = roundcube
      client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
      username_attribute = username
      # scope = email groups profile openid dovecotprofile
      scope = email profile openid
      tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
      active_attribute = active
      active_value = true
      openid_configuration_url = ${oauth2-discovery-url "roundcube"}
      debug = yes # FIXME
    '';
  };
  provisionAdminPassword = "abcd1234";
  provisionIdmAdminPassword = "abcd1234"; # FIXME
 in
 {
  options.selfprivacy.modules.auth = {
    enable = lib.mkOption {
      default = true;
      type = lib.types.bool;
    };
    subdomain = lib.mkOption {
      default = "auth";
      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
    };
  };
  config = lib.mkIf cfg.enable {
    # kanidm uses TLS in internal connection with nginx too
    # FIXME revise this: maybe kanidm must not have access to a public TLS
    users.groups."acmereceivers".members = [ "kanidm" ];
    services.kanidm = {
      enableServer = true;
      # kanidm with Rust code patches for OAuth and admin passwords provisioning
      # package = pkgs.kanidm.withSecretProvisioning;
      # FIXME
      package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
        version = "git";
        src = pkgs.fetchFromGitHub {
          owner = "AleXoundOS";
          repo = "kanidm";
          rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
          hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
        };
        doCheck = false;
      });
      serverSettings = {
        inherit domain;
        # The origin for webauthn. This is the url to the server, with the port
        # included if it is non-standard (any port except 443). This must match or
        # be a descendent of the domain name you configure above. If these two
        # items are not consistent, the server WILL refuse to start!
        origin = "https://" + auth-fqdn;
        # TODO revise this: maybe kanidm must not have access to a public TLS
        tls_chain =
          "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
        tls_key =
          "${config.security.acme.certs.${domain}.directory}/key.pem";
        bindaddress = kanidm-bind-address; # nginx should connect to it
        ldapbindaddress = "${ldap_host}:${toString ldap_port}";
        # kanidm is behind a proxy
        trust_x_forward_for = true;
        log_level = "trace"; # FIXME
      };
      provision = {
        enable = true;
        autoRemove = false;
        # FIXME read randomly generated password from ?
        adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
        idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
      };
      enableClient = true;
      clientSettings = {
        uri = "https://" + auth-fqdn;
        verify_ca = false; # FIXME
        verify_hostnames = false; # FIXME
      };
    };
    services.nginx = {
      enable = true;
      virtualHosts.${auth-fqdn} = {
        useACMEHost = domain;
        forceSSL = true;
        locations."/" = {
          proxyPass =
            "https://${kanidm-bind-address}";
        };
      };
    };
    # TODO move to mailserver module everything below
    mailserver.debug = true; # FIXME
    mailserver.mailDirectory = "/var/vmail";
    services.dovecot2.extraConfig = ''
      auth_mechanisms = xoauth2 oauthbearer
      passdb {
        driver = oauth2
        mechanisms = xoauth2 oauthbearer
        args = ${dovecot-oauth2-conf-file}
      }
      userdb {
        driver = static
        args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
      }
      # provide SASL via unix socket to postfix
      service auth {
        unix_listener /var/lib/postfix/private/auth {
          mode = 0660
          user = postfix
          group = postfix
        }
      }
      service auth {
        unix_listener auth-userdb {
          mode = 0660
          user = dovecot2
        }
        unix_listener dovecot-auth {
          mode = 0660
          # Assuming the default Postfix user and group
          user = postfix
          group = postfix
        }
      }
      #auth_username_format = %Ln
      auth_debug = yes
      auth_debug_passwords = yes  # Be cautious with this in production as it logs passwords
      auth_verbose = yes
      mail_debug = yes
    '';
    services.dovecot2.enablePAM = false;
    services.postfix.extraConfig = ''
      smtpd_sasl_local_domain = ${domain}
      smtpd_relay_restrictions = permit_sasl_authenticated, reject
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_sasl_auth_enable = yes
    '';
  };
 }
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@ -1,5 +1,6 @@
 [
  ["selfprivacy", "domain"],
  ["selfprivacy", "modules", "roundcube"],
  ["selfprivacy", "modules", "auth"],
  ["mailserver", "fqdn"]
 ]
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@ -1,7 +1,10 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.roundcube;
  auth-module = config.selfprivacy.modules.auth;
  auth-fqdn = auth-module.subdomain + "." + domain;
  oauth-client-id = "roundcube";
 in
 {
  options.selfprivacy.modules.roundcube = {
@ -16,7 +19,6 @@ in
  };
  config = lib.mkIf cfg.enable {
    services.roundcube = {
      enable = true;
      # this is the url of the vhost, not necessarily the same as the fqdn of
@ -26,8 +28,22 @@ in
        # starttls needed for authentication, so the fqdn required to match
        # the certificate
        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
-        $config['smtp_user'] = "%u";
+        # $config['smtp_user'] = "%u";
-        $config['smtp_pass'] = "%p";
+        # $config['smtp_pass'] = "%p";
      '' + lib.strings.optionalString auth-module.enable ''
        $config['oauth_provider'] = 'generic';
        $config['oauth_provider_name'] = 'kanidm'; # FIXME
        $config['oauth_client_id'] = '${oauth-client-id}';
        $config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME
        $config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
        $config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
        $config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
        $config['oauth_scope'] = 'email profile openid';
        $config['oauth_auth_parameters'] = [];
        $config['oauth_identity_fields'] = ['email'];
        $config['oauth_login_redirect'] = true;
        $config['auto_create_user'] = true;
      '';
    };
    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
@ -43,5 +59,38 @@ in
        description = "Roundcube service slice";
      };
    };
    services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
      lib.mkIf auth-module.enable {
        displayName = "Roundcube";
        originUrl = "https://${cfg.subdomain}.${domain}/";
        originLanding = "https://${cfg.subdomain}.${domain}/";
        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
        preferShortUsername = false;
        allowInsecureClientDisablePkce = true; # FIXME is it required?
        scopeMaps.roundcube_users = [
          "email"
          "openid"
          "profile"
          # "dovecotprofile"
          # "groups"
        ];
      };
    services.kanidm.provision.systems.oauth2.roundcube =
      lib.mkIf auth-module.enable {
        displayName = "Roundcube";
        originUrl = "https://${cfg.subdomain}.${domain}/";
        originLanding = "https://${cfg.subdomain}.${domain}/";
        basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
        # when true, name is passed to a service instead of name@domain
        preferShortUsername = false;
        allowInsecureClientDisablePkce = true; # FIXME is it needed?
        scopeMaps.roundcube_users = [
          "email"
          # "groups"
          "profile"
          "openid"
          # "dovecotprofile"
        ];
      };
  };
 }