security: harden some SP modules NixOS config evaluation permissions

sp-modules/auth/config-paths-needed.json

@@ -1,11 +1,10 @@
 [
-  ["mailserver", "fqdn"],
-  ["mailserver", "ldap"],
-  ["mailserver", "vmailUID"],
-  ["passthru", "selfprivacy", "auth"],
-  ["security", "acme", "certs"],
-  ["selfprivacy", "domain"],
-  ["selfprivacy", "modules"],
-  ["services"],
-  ["systemd", "services", "kanidm"]
+  [ "passthru", "selfprivacy", "auth" ],
+  [ "security", "acme", "certs" ],
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "modules", "auth" ],
+  [ "services", "kanidm" ],
+  [ "services", "oauth2-proxy", "enable" ],
+  [ "services", "oauth2-proxy", "nginx" ],
+  [ "systemd", "services", "kanidm" ]
 ]

sp-modules/roundcube/config-paths-needed.json

@@ -1,9 +1,8 @@
 [
-  ["mailserver", "fqdn"],
-  ["passthru", "selfprivacy", "auth", "auth-fqdn"],
-  ["passthru", "selfprivacy", "auth", "oauth2-provider-name"],
-  ["selfprivacy", "domain"],
-  ["selfprivacy", "modules", "auth"],
-  ["selfprivacy", "modules", "roundcube"],
-  ["service", "kanidm"]
+  [ "mailserver", "fqdn" ],
+  [ "passthru", "selfprivacy", "auth", "auth-fqdn" ],
+  [ "passthru", "selfprivacy", "auth", "oauth2-provider-name" ],
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "modules", "auth" ],
+  [ "selfprivacy", "modules", "roundcube" ]
 ]

sp-modules/simple-nixos-mailserver/config-paths-needed.json

@@ -13,6 +13,8 @@
   [ "services", "opendkim" ],
   [ "services", "postfix", "group" ],
   [ "services", "postfix", "user" ],
-  [ "services", "redis" ],
+  [ "services", "redis", "servers", "rspamd", "bind" ],
+  [ "services", "redis", "servers", "rspamd", "port" ],
+  [ "services", "redis", "servers", "rspamd", "requirePass" ],
   [ "services", "rspamd" ]
 ]