mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-22 19:41:30 +00:00
minimal kanidm setup
Only Roundcube and Dovecot communicate with Kanidm.
This commit is contained in:
parent
4b0dfcd23c
commit
8f82a4c574
7
sp-modules/auth/config-paths-needed.json
Normal file
7
sp-modules/auth/config-paths-needed.json
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
[
|
||||||
|
["mailserver", "fqdn"],
|
||||||
|
["security", "acme", "certs"],
|
||||||
|
["selfprivacy", "domain"],
|
||||||
|
["selfprivacy", "modules"],
|
||||||
|
["services"]
|
||||||
|
]
|
27
sp-modules/auth/flake.lock
Normal file
27
sp-modules/auth/flake.lock
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{
|
||||||
|
"nodes": {
|
||||||
|
"nixpkgs-unstable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725194671,
|
||||||
|
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": "root",
|
||||||
|
"version": 7
|
||||||
|
}
|
34
sp-modules/auth/flake.nix
Normal file
34
sp-modules/auth/flake.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{
|
||||||
|
description = "User authentication and authorization module";
|
||||||
|
|
||||||
|
# TODO remove when working Kanidm lands in nixpkgs and Hydra
|
||||||
|
inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
|
||||||
|
|
||||||
|
outputs = { self, nixpkgs-unstable }: {
|
||||||
|
overlays.default = _final: prev: {
|
||||||
|
inherit (nixpkgs-unstable.legacyPackages.${prev.system})
|
||||||
|
kanidm kanidm-provision oauth2-proxy;
|
||||||
|
};
|
||||||
|
|
||||||
|
nixosModules.default = { ... }: {
|
||||||
|
disabledModules = [
|
||||||
|
"services/security/kanidm.nix"
|
||||||
|
"services/security/oauth2-proxy.nix"
|
||||||
|
"services/security/oauth2-proxy-nginx.nix"
|
||||||
|
];
|
||||||
|
imports = [
|
||||||
|
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||||
|
+ /nixos/modules/services/security/kanidm.nix)
|
||||||
|
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||||
|
+ /nixos/modules/services/security/oauth2-proxy.nix)
|
||||||
|
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||||
|
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
|
||||||
|
./module.nix
|
||||||
|
];
|
||||||
|
nixpkgs.overlays = [ self.overlays.default ];
|
||||||
|
};
|
||||||
|
|
||||||
|
configPathsNeeded =
|
||||||
|
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
|
||||||
|
};
|
||||||
|
}
|
172
sp-modules/auth/module.nix
Normal file
172
sp-modules/auth/module.nix
Normal file
|
@ -0,0 +1,172 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = config.selfprivacy.domain;
|
||||||
|
cfg = config.selfprivacy.modules.auth;
|
||||||
|
auth-fqdn = cfg.subdomain + "." + domain;
|
||||||
|
oauth2-introspection-url = client_id: client_secret:
|
||||||
|
"https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect";
|
||||||
|
oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
|
||||||
|
|
||||||
|
kanidm-bind-address = "127.0.0.1:3013";
|
||||||
|
ldap_host = "127.0.0.1";
|
||||||
|
ldap_port = 3636;
|
||||||
|
|
||||||
|
dovecot-oauth2-conf-file = pkgs.writeTextFile {
|
||||||
|
name = "dovecot-oauth2.conf.ext";
|
||||||
|
text = ''
|
||||||
|
introspection_mode = post
|
||||||
|
introspection_url = ${oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
|
||||||
|
client_id = roundcube
|
||||||
|
client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
|
||||||
|
username_attribute = username
|
||||||
|
# scope = email groups profile openid dovecotprofile
|
||||||
|
scope = email profile openid
|
||||||
|
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||||
|
active_attribute = active
|
||||||
|
active_value = true
|
||||||
|
openid_configuration_url = ${oauth2-discovery-url "roundcube"}
|
||||||
|
debug = yes # FIXME
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
provisionAdminPassword = "abcd1234";
|
||||||
|
provisionIdmAdminPassword = "abcd1234"; # FIXME
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.selfprivacy.modules.auth = {
|
||||||
|
enable = lib.mkOption {
|
||||||
|
default = true;
|
||||||
|
type = lib.types.bool;
|
||||||
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "auth";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
# kanidm uses TLS in internal connection with nginx too
|
||||||
|
# FIXME revise this: maybe kanidm must not have access to a public TLS
|
||||||
|
users.groups."acmereceivers".members = [ "kanidm" ];
|
||||||
|
|
||||||
|
services.kanidm = {
|
||||||
|
enableServer = true;
|
||||||
|
|
||||||
|
# kanidm with Rust code patches for OAuth and admin passwords provisioning
|
||||||
|
# package = pkgs.kanidm.withSecretProvisioning;
|
||||||
|
# FIXME
|
||||||
|
package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
||||||
|
version = "git";
|
||||||
|
src = pkgs.fetchFromGitHub {
|
||||||
|
owner = "AleXoundOS";
|
||||||
|
repo = "kanidm";
|
||||||
|
rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
||||||
|
hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
||||||
|
};
|
||||||
|
doCheck = false;
|
||||||
|
});
|
||||||
|
|
||||||
|
serverSettings = {
|
||||||
|
inherit domain;
|
||||||
|
# The origin for webauthn. This is the url to the server, with the port
|
||||||
|
# included if it is non-standard (any port except 443). This must match or
|
||||||
|
# be a descendent of the domain name you configure above. If these two
|
||||||
|
# items are not consistent, the server WILL refuse to start!
|
||||||
|
origin = "https://" + auth-fqdn;
|
||||||
|
|
||||||
|
# TODO revise this: maybe kanidm must not have access to a public TLS
|
||||||
|
tls_chain =
|
||||||
|
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||||
|
tls_key =
|
||||||
|
"${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||||
|
|
||||||
|
bindaddress = kanidm-bind-address; # nginx should connect to it
|
||||||
|
ldapbindaddress = "${ldap_host}:${toString ldap_port}";
|
||||||
|
|
||||||
|
# kanidm is behind a proxy
|
||||||
|
trust_x_forward_for = true;
|
||||||
|
|
||||||
|
log_level = "trace"; # FIXME
|
||||||
|
};
|
||||||
|
provision = {
|
||||||
|
enable = true;
|
||||||
|
autoRemove = false;
|
||||||
|
|
||||||
|
# FIXME read randomly generated password from ?
|
||||||
|
adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
||||||
|
idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
||||||
|
};
|
||||||
|
enableClient = true;
|
||||||
|
clientSettings = {
|
||||||
|
uri = "https://" + auth-fqdn;
|
||||||
|
verify_ca = false; # FIXME
|
||||||
|
verify_hostnames = false; # FIXME
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts.${auth-fqdn} = {
|
||||||
|
useACMEHost = domain;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass =
|
||||||
|
"https://${kanidm-bind-address}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO move to mailserver module everything below
|
||||||
|
mailserver.debug = true; # FIXME
|
||||||
|
mailserver.mailDirectory = "/var/vmail";
|
||||||
|
services.dovecot2.extraConfig = ''
|
||||||
|
auth_mechanisms = xoauth2 oauthbearer
|
||||||
|
|
||||||
|
passdb {
|
||||||
|
driver = oauth2
|
||||||
|
mechanisms = xoauth2 oauthbearer
|
||||||
|
args = ${dovecot-oauth2-conf-file}
|
||||||
|
}
|
||||||
|
|
||||||
|
userdb {
|
||||||
|
driver = static
|
||||||
|
args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
|
||||||
|
}
|
||||||
|
|
||||||
|
# provide SASL via unix socket to postfix
|
||||||
|
service auth {
|
||||||
|
unix_listener /var/lib/postfix/private/auth {
|
||||||
|
mode = 0660
|
||||||
|
user = postfix
|
||||||
|
group = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
service auth {
|
||||||
|
unix_listener auth-userdb {
|
||||||
|
mode = 0660
|
||||||
|
user = dovecot2
|
||||||
|
}
|
||||||
|
unix_listener dovecot-auth {
|
||||||
|
mode = 0660
|
||||||
|
# Assuming the default Postfix user and group
|
||||||
|
user = postfix
|
||||||
|
group = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#auth_username_format = %Ln
|
||||||
|
auth_debug = yes
|
||||||
|
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
|
||||||
|
auth_verbose = yes
|
||||||
|
mail_debug = yes
|
||||||
|
'';
|
||||||
|
services.dovecot2.enablePAM = false;
|
||||||
|
services.postfix.extraConfig = ''
|
||||||
|
smtpd_sasl_local_domain = ${domain}
|
||||||
|
smtpd_relay_restrictions = permit_sasl_authenticated, reject
|
||||||
|
smtpd_sasl_type = dovecot
|
||||||
|
smtpd_sasl_path = private/auth
|
||||||
|
smtpd_sasl_auth_enable = yes
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,5 +1,6 @@
|
||||||
[
|
[
|
||||||
["selfprivacy", "domain"],
|
["selfprivacy", "domain"],
|
||||||
["selfprivacy", "modules", "roundcube"],
|
["selfprivacy", "modules", "roundcube"],
|
||||||
|
["selfprivacy", "modules", "auth"],
|
||||||
["mailserver", "fqdn"]
|
["mailserver", "fqdn"]
|
||||||
]
|
]
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = config.selfprivacy.domain;
|
domain = config.selfprivacy.domain;
|
||||||
cfg = config.selfprivacy.modules.roundcube;
|
cfg = config.selfprivacy.modules.roundcube;
|
||||||
|
auth-module = config.selfprivacy.modules.auth;
|
||||||
|
auth-fqdn = auth-module.subdomain + "." + domain;
|
||||||
|
oauth-client-id = "roundcube";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.selfprivacy.modules.roundcube = {
|
options.selfprivacy.modules.roundcube = {
|
||||||
|
@ -16,7 +19,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
services.roundcube = {
|
services.roundcube = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# this is the url of the vhost, not necessarily the same as the fqdn of
|
# this is the url of the vhost, not necessarily the same as the fqdn of
|
||||||
|
@ -26,8 +28,22 @@ in
|
||||||
# starttls needed for authentication, so the fqdn required to match
|
# starttls needed for authentication, so the fqdn required to match
|
||||||
# the certificate
|
# the certificate
|
||||||
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
|
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
|
||||||
$config['smtp_user'] = "%u";
|
# $config['smtp_user'] = "%u";
|
||||||
$config['smtp_pass'] = "%p";
|
# $config['smtp_pass'] = "%p";
|
||||||
|
'' + lib.strings.optionalString auth-module.enable ''
|
||||||
|
$config['oauth_provider'] = 'generic';
|
||||||
|
$config['oauth_provider_name'] = 'kanidm'; # FIXME
|
||||||
|
$config['oauth_client_id'] = '${oauth-client-id}';
|
||||||
|
$config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME
|
||||||
|
|
||||||
|
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
|
||||||
|
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
|
||||||
|
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
|
||||||
|
$config['oauth_scope'] = 'email profile openid';
|
||||||
|
$config['oauth_auth_parameters'] = [];
|
||||||
|
$config['oauth_identity_fields'] = ['email'];
|
||||||
|
$config['oauth_login_redirect'] = true;
|
||||||
|
$config['auto_create_user'] = true;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||||
|
@ -43,5 +59,38 @@ in
|
||||||
description = "Roundcube service slice";
|
description = "Roundcube service slice";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
|
||||||
|
lib.mkIf auth-module.enable {
|
||||||
|
displayName = "Roundcube";
|
||||||
|
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||||
|
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||||
|
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
|
||||||
|
preferShortUsername = false;
|
||||||
|
allowInsecureClientDisablePkce = true; # FIXME is it required?
|
||||||
|
scopeMaps.roundcube_users = [
|
||||||
|
"email"
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
# "dovecotprofile"
|
||||||
|
# "groups"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
services.kanidm.provision.systems.oauth2.roundcube =
|
||||||
|
lib.mkIf auth-module.enable {
|
||||||
|
displayName = "Roundcube";
|
||||||
|
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||||
|
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||||
|
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
||||||
|
# when true, name is passed to a service instead of name@domain
|
||||||
|
preferShortUsername = false;
|
||||||
|
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||||
|
scopeMaps.roundcube_users = [
|
||||||
|
"email"
|
||||||
|
# "groups"
|
||||||
|
"profile"
|
||||||
|
"openid"
|
||||||
|
# "dovecotprofile"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue