mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-22 11:41:26 +00:00
minimal kanidm setup
Only Roundcube and Dovecot communicate with Kanidm.
This commit is contained in:
parent
4b0dfcd23c
commit
8f82a4c574
7
sp-modules/auth/config-paths-needed.json
Normal file
7
sp-modules/auth/config-paths-needed.json
Normal file
|
@ -0,0 +1,7 @@
|
|||
[
|
||||
["mailserver", "fqdn"],
|
||||
["security", "acme", "certs"],
|
||||
["selfprivacy", "domain"],
|
||||
["selfprivacy", "modules"],
|
||||
["services"]
|
||||
]
|
27
sp-modules/auth/flake.lock
Normal file
27
sp-modules/auth/flake.lock
Normal file
|
@ -0,0 +1,27 @@
|
|||
{
|
||||
"nodes": {
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1725194671,
|
||||
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
34
sp-modules/auth/flake.nix
Normal file
34
sp-modules/auth/flake.nix
Normal file
|
@ -0,0 +1,34 @@
|
|||
{
|
||||
description = "User authentication and authorization module";
|
||||
|
||||
# TODO remove when working Kanidm lands in nixpkgs and Hydra
|
||||
inputs.nixpkgs-unstable.url = github:alexoundos/nixpkgs/b84444cbd57e934312f6a03d2d783ed0b7f94957;
|
||||
|
||||
outputs = { self, nixpkgs-unstable }: {
|
||||
overlays.default = _final: prev: {
|
||||
inherit (nixpkgs-unstable.legacyPackages.${prev.system})
|
||||
kanidm kanidm-provision oauth2-proxy;
|
||||
};
|
||||
|
||||
nixosModules.default = { ... }: {
|
||||
disabledModules = [
|
||||
"services/security/kanidm.nix"
|
||||
"services/security/oauth2-proxy.nix"
|
||||
"services/security/oauth2-proxy-nginx.nix"
|
||||
];
|
||||
imports = [
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/kanidm.nix)
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/oauth2-proxy.nix)
|
||||
(nixpkgs-unstable.legacyPackages.x86_64-linux.path
|
||||
+ /nixos/modules/services/security/oauth2-proxy-nginx.nix)
|
||||
./module.nix
|
||||
];
|
||||
nixpkgs.overlays = [ self.overlays.default ];
|
||||
};
|
||||
|
||||
configPathsNeeded =
|
||||
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
|
||||
};
|
||||
}
|
172
sp-modules/auth/module.nix
Normal file
172
sp-modules/auth/module.nix
Normal file
|
@ -0,0 +1,172 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
cfg = config.selfprivacy.modules.auth;
|
||||
auth-fqdn = cfg.subdomain + "." + domain;
|
||||
oauth2-introspection-url = client_id: client_secret:
|
||||
"https://${client_id}:${client_secret}@${auth-fqdn}/oauth2/token/introspect";
|
||||
oauth2-discovery-url = client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
|
||||
|
||||
kanidm-bind-address = "127.0.0.1:3013";
|
||||
ldap_host = "127.0.0.1";
|
||||
ldap_port = 3636;
|
||||
|
||||
dovecot-oauth2-conf-file = pkgs.writeTextFile {
|
||||
name = "dovecot-oauth2.conf.ext";
|
||||
text = ''
|
||||
introspection_mode = post
|
||||
introspection_url = ${oauth2-introspection-url "roundcube" "VERYSTRONGSECRETFORROUNDCUBE"}
|
||||
client_id = roundcube
|
||||
client_secret = VERYSTRONGSECRETFORROUNDCUBE # FIXME
|
||||
username_attribute = username
|
||||
# scope = email groups profile openid dovecotprofile
|
||||
scope = email profile openid
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
active_attribute = active
|
||||
active_value = true
|
||||
openid_configuration_url = ${oauth2-discovery-url "roundcube"}
|
||||
debug = yes # FIXME
|
||||
'';
|
||||
};
|
||||
|
||||
provisionAdminPassword = "abcd1234";
|
||||
provisionIdmAdminPassword = "abcd1234"; # FIXME
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.auth = {
|
||||
enable = lib.mkOption {
|
||||
default = true;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "auth";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# kanidm uses TLS in internal connection with nginx too
|
||||
# FIXME revise this: maybe kanidm must not have access to a public TLS
|
||||
users.groups."acmereceivers".members = [ "kanidm" ];
|
||||
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
|
||||
# kanidm with Rust code patches for OAuth and admin passwords provisioning
|
||||
# package = pkgs.kanidm.withSecretProvisioning;
|
||||
# FIXME
|
||||
package = pkgs.kanidm.withSecretProvisioning.overrideAttrs (_: {
|
||||
version = "git";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "AleXoundOS";
|
||||
repo = "kanidm";
|
||||
rev = "a1a55f2e53facbfa504c7d64c44c3b5d0eb796c2";
|
||||
hash = "sha256-ADh4Zwn6EMt4CiOrvgG0RbmNMeR5i0ilVTxF46t/wm8=";
|
||||
};
|
||||
doCheck = false;
|
||||
});
|
||||
|
||||
serverSettings = {
|
||||
inherit domain;
|
||||
# The origin for webauthn. This is the url to the server, with the port
|
||||
# included if it is non-standard (any port except 443). This must match or
|
||||
# be a descendent of the domain name you configure above. If these two
|
||||
# items are not consistent, the server WILL refuse to start!
|
||||
origin = "https://" + auth-fqdn;
|
||||
|
||||
# TODO revise this: maybe kanidm must not have access to a public TLS
|
||||
tls_chain =
|
||||
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||
tls_key =
|
||||
"${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||
|
||||
bindaddress = kanidm-bind-address; # nginx should connect to it
|
||||
ldapbindaddress = "${ldap_host}:${toString ldap_port}";
|
||||
|
||||
# kanidm is behind a proxy
|
||||
trust_x_forward_for = true;
|
||||
|
||||
log_level = "trace"; # FIXME
|
||||
};
|
||||
provision = {
|
||||
enable = true;
|
||||
autoRemove = false;
|
||||
|
||||
# FIXME read randomly generated password from ?
|
||||
adminPasswordFile = pkgs.writeText "admin-pw" provisionAdminPassword;
|
||||
idmAdminPasswordFile = pkgs.writeText "idm-admin-pw" provisionIdmAdminPassword;
|
||||
};
|
||||
enableClient = true;
|
||||
clientSettings = {
|
||||
uri = "https://" + auth-fqdn;
|
||||
verify_ca = false; # FIXME
|
||||
verify_hostnames = false; # FIXME
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${auth-fqdn} = {
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass =
|
||||
"https://${kanidm-bind-address}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# TODO move to mailserver module everything below
|
||||
mailserver.debug = true; # FIXME
|
||||
mailserver.mailDirectory = "/var/vmail";
|
||||
services.dovecot2.extraConfig = ''
|
||||
auth_mechanisms = xoauth2 oauthbearer
|
||||
|
||||
passdb {
|
||||
driver = oauth2
|
||||
mechanisms = xoauth2 oauthbearer
|
||||
args = ${dovecot-oauth2-conf-file}
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=virtualMail gid=virtualMail home=/var/vmail/%u
|
||||
}
|
||||
|
||||
# provide SASL via unix socket to postfix
|
||||
service auth {
|
||||
unix_listener /var/lib/postfix/private/auth {
|
||||
mode = 0660
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
service auth {
|
||||
unix_listener auth-userdb {
|
||||
mode = 0660
|
||||
user = dovecot2
|
||||
}
|
||||
unix_listener dovecot-auth {
|
||||
mode = 0660
|
||||
# Assuming the default Postfix user and group
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
|
||||
#auth_username_format = %Ln
|
||||
auth_debug = yes
|
||||
auth_debug_passwords = yes # Be cautious with this in production as it logs passwords
|
||||
auth_verbose = yes
|
||||
mail_debug = yes
|
||||
'';
|
||||
services.dovecot2.enablePAM = false;
|
||||
services.postfix.extraConfig = ''
|
||||
smtpd_sasl_local_domain = ${domain}
|
||||
smtpd_relay_restrictions = permit_sasl_authenticated, reject
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_path = private/auth
|
||||
smtpd_sasl_auth_enable = yes
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
[
|
||||
["selfprivacy", "domain"],
|
||||
["selfprivacy", "modules", "roundcube"],
|
||||
["selfprivacy", "modules", "auth"],
|
||||
["mailserver", "fqdn"]
|
||||
]
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
cfg = config.selfprivacy.modules.roundcube;
|
||||
auth-module = config.selfprivacy.modules.auth;
|
||||
auth-fqdn = auth-module.subdomain + "." + domain;
|
||||
oauth-client-id = "roundcube";
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.roundcube = {
|
||||
|
@ -16,7 +19,6 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
# this is the url of the vhost, not necessarily the same as the fqdn of
|
||||
|
@ -26,8 +28,22 @@ in
|
|||
# starttls needed for authentication, so the fqdn required to match
|
||||
# the certificate
|
||||
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
|
||||
$config['smtp_user'] = "%u";
|
||||
$config['smtp_pass'] = "%p";
|
||||
# $config['smtp_user'] = "%u";
|
||||
# $config['smtp_pass'] = "%p";
|
||||
'' + lib.strings.optionalString auth-module.enable ''
|
||||
$config['oauth_provider'] = 'generic';
|
||||
$config['oauth_provider_name'] = 'kanidm'; # FIXME
|
||||
$config['oauth_client_id'] = '${oauth-client-id}';
|
||||
$config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME
|
||||
|
||||
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
|
||||
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
|
||||
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
|
||||
$config['oauth_scope'] = 'email profile openid';
|
||||
$config['oauth_auth_parameters'] = [];
|
||||
$config['oauth_identity_fields'] = ['email'];
|
||||
$config['oauth_login_redirect'] = true;
|
||||
$config['auto_create_user'] = true;
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
|
@ -43,5 +59,38 @@ in
|
|||
description = "Roundcube service slice";
|
||||
};
|
||||
};
|
||||
services.kanidm.serverSettings.provision.systems.oauth2.roundcube =
|
||||
lib.mkIf auth-module.enable {
|
||||
displayName = "Roundcube";
|
||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE"; # FIXME
|
||||
preferShortUsername = false;
|
||||
allowInsecureClientDisablePkce = true; # FIXME is it required?
|
||||
scopeMaps.roundcube_users = [
|
||||
"email"
|
||||
"openid"
|
||||
"profile"
|
||||
# "dovecotprofile"
|
||||
# "groups"
|
||||
];
|
||||
};
|
||||
services.kanidm.provision.systems.oauth2.roundcube =
|
||||
lib.mkIf auth-module.enable {
|
||||
displayName = "Roundcube";
|
||||
originUrl = "https://${cfg.subdomain}.${domain}/";
|
||||
originLanding = "https://${cfg.subdomain}.${domain}/";
|
||||
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
||||
# when true, name is passed to a service instead of name@domain
|
||||
preferShortUsername = false;
|
||||
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
||||
scopeMaps.roundcube_users = [
|
||||
"email"
|
||||
# "groups"
|
||||
"profile"
|
||||
"openid"
|
||||
# "dovecotprofile"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue