mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2025-03-13 09:23:50 +00:00
247 lines
9.9 KiB
Nix
247 lines
9.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
domain = config.selfprivacy.domain;
|
|
cfg = config.selfprivacy.modules.roundcube;
|
|
auth-module = config.selfprivacy.modules.auth;
|
|
auth-fqdn = auth-module.subdomain + "." + domain;
|
|
oauth-client-id = "roundcube";
|
|
dovecot-service-account-name = "dovecot-service-account";
|
|
postfix-service-account-name = "postfix-service-account";
|
|
dovecot-service-account-token-name = "dovecot-service-account-token";
|
|
postfix-service-account-token-name = "postfix-service-account-token";
|
|
# dovecot-service-account-token-fp = "/run/kanidm/token/dovecot";
|
|
dovecot-service-account-token-fp =
|
|
"/run/keys/dovecot/kanidm-service-account-token";
|
|
postfix-service-account-token-fp =
|
|
"/run/keys/postfix/kanidm-service-account-token";
|
|
dovecot-group = "dovecot2"; # FIXME
|
|
postfix-group = "postfix"; # FIXME
|
|
# FIXME use usernames and groups from `config`
|
|
# FIXME dependency on dovecot2 and postfix
|
|
# set-group-ID bit allows for kanidm user to create files,
|
|
# which inherit directory group (.e.g dovecot, postfix)
|
|
kanidmExecStartPostScriptRoot = pkgs.writeShellScript
|
|
"roundcube-kanidm-ExecStartPost-root-script.sh"
|
|
''
|
|
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/dovecot
|
|
chown kanidm:dovecot2 /run/keys/dovecot
|
|
|
|
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/postfix
|
|
chown kanidm:postfix /run/keys/postfix
|
|
'';
|
|
# FIXME parameterize names like "dovecot2" group
|
|
kanidmExecStartPostScript = pkgs.writeShellScript
|
|
"roundcube-kanidm-ExecStartPost-script.sh"
|
|
''
|
|
export HOME=$RUNTIME_DIRECTORY/client_home
|
|
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
|
|
|
|
# get Kanidm service account for Dovecot
|
|
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${dovecot-service-account-name}$")"
|
|
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
|
|
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
|
|
then
|
|
echo "kanidm service account \"${dovecot-service-account-name}\" is found"
|
|
else
|
|
echo "kanidm service account \"${dovecot-service-account-name}\" is not found"
|
|
echo "creating new kanidm service account \"${dovecot-service-account-name}\""
|
|
if $KANIDM service-account create --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-name} idm_admin
|
|
then
|
|
"kanidm service account \"${dovecot-service-account-name}\" created"
|
|
else
|
|
echo "error: cannot create kanidm service account \"${dovecot-service-account-name}\""
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# add Kanidm service account to `idm_mail_servers` group
|
|
$KANIDM group add-members idm_mail_servers ${dovecot-service-account-name}
|
|
|
|
# create a new read-only token for Dovecot
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin ${dovecot-service-account-name} ${dovecot-service-account-token-name} --output json)"
|
|
then
|
|
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
|
exit 1
|
|
fi
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
|
|
then
|
|
echo "error: cannot get service-account API token from JSON"
|
|
exit 1
|
|
fi
|
|
|
|
# if ! printf "%s\n" "$KANIDM_SERVICE_ACCOUNT_TOKEN" > ${dovecot-service-account-token-fp}
|
|
if ! install --mode=640 \
|
|
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
|
|
${dovecot-service-account-token-fp}
|
|
then
|
|
echo "error: cannot write token to \"${dovecot-service-account-token-fp}\""
|
|
exit 1
|
|
fi
|
|
'';
|
|
in
|
|
{
|
|
options.selfprivacy.modules.roundcube = {
|
|
enable = (lib.mkOption {
|
|
default = false;
|
|
type = lib.types.bool;
|
|
description = "Enable";
|
|
}) // {
|
|
meta = {
|
|
type = "enable";
|
|
};
|
|
};
|
|
subdomain = (lib.mkOption {
|
|
default = "roundcube";
|
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
|
description = "Subdomain";
|
|
}) // {
|
|
meta = {
|
|
widget = "subdomain";
|
|
type = "string";
|
|
regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
|
weight = 0;
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# FIXME get user names from `config`
|
|
# in order to allow access below /run/keys
|
|
users.groups.keys.members = [ "kanidm" "dovecot2" "postfix" ];
|
|
services.roundcube = {
|
|
enable = true;
|
|
# package = pkgs.roundcube.overrideAttrs (_: rec {
|
|
# version = "1.6.9";
|
|
# src = pkgs.fetchurl {
|
|
# url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/roundcubemail-${version}-complete.tar.gz";
|
|
# sha256 = "sha256-thpfXCL4kMKZ6TWqz88IcGdpkNiuv/DWzf8HW/F8708=";
|
|
# };
|
|
# # src = pkgs.fetchurl {
|
|
# # url = "https://github.com/roundcube/roundcubemail/archive/master/3a6e25a5b386e0d87427b934ccd2e0e282e0a74e.tar.gz";
|
|
# # sha256 = "sha256-EpEI4E+r3reYbI/5rquia+zgz1+6k49lPChlp4QiZTE=";
|
|
# # };
|
|
# postFixup = ''
|
|
# cp -v ${/data/sp/roundcubemail-1.6.9/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
|
|
# cp -v ${/data/sp/roundcubemail-1.6.9/program/actions/login/oauth.php} $out/program/actions/login/oauth.php
|
|
# rm -r $out/program/localization/*
|
|
# '';
|
|
# });
|
|
# package = pkgs.runCommandNoCCLocal "roundcube-debug" {} ''
|
|
# cp -r --no-preserve=all ${pkgs.roundcube} $out
|
|
# cp -v ${/data/sp/roundcubemail-1.6.8/plugins/debug_logger/debug_logger.php} $out/plugins/debug_logger/debug_logger.php
|
|
# cp -v ${/data/sp/roundcubemail-1.6.8/program/include/rcmail_oauth.php} $out/program/include/rcmail_oauth.php
|
|
# '';
|
|
# this is the url of the vhost, not necessarily the same as the fqdn of
|
|
# the mailserver
|
|
hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
|
|
# plugins = [ "debug_logger" ];
|
|
extraConfig = ''
|
|
# starttls needed for authentication, so the fqdn required to match
|
|
# the certificate
|
|
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
|
|
# $config['smtp_user'] = "%u";
|
|
# $config['smtp_pass'] = "%p";
|
|
'' + lib.strings.optionalString auth-module.enable ''
|
|
$config['oauth_provider'] = 'generic';
|
|
$config['oauth_provider_name'] = 'kanidm'; # FIXME
|
|
$config['oauth_client_id'] = '${oauth-client-id}';
|
|
$config['oauth_client_secret'] = 'VERYSTRONGSECRETFORROUNDCUBE'; # FIXME
|
|
|
|
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
|
|
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
|
|
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
|
|
$config['oauth_scope'] = 'email profile openid';
|
|
# $config['oauth_scope'] = 'email openid dovecotprofile';
|
|
$config['oauth_auth_parameters'] = [];
|
|
$config['oauth_identity_fields'] = ['email'];
|
|
$config['oauth_login_redirect'] = false;
|
|
$config['auto_create_user'] = true;
|
|
|
|
$config['log_dir'] = '/tmp/roundcube';
|
|
$config['log_driver'] = 'stdout';
|
|
$config['log_errors'] = 1;
|
|
// Log SQL queries to <log_dir>/sql or to syslog
|
|
$config['sql_debug'] = true;
|
|
|
|
// Log IMAP conversation to <log_dir>/imap or to syslog
|
|
$config['imap_debug'] = true;
|
|
$config['log_debug'] = true;
|
|
$config['oauth_debug'] = true;
|
|
|
|
// Log LDAP conversation to <log_dir>/ldap or to syslog
|
|
$config['ldap_debug'] = true;
|
|
|
|
// Log SMTP conversation to <log_dir>/smtp or to syslog
|
|
$config['smtp_debug'] = true;
|
|
|
|
$config['debug_logger']['master'] = 'master';
|
|
$config['debug_logger']['oauth'] = 'oauth';
|
|
$config['debug_logger']['imap'] = 'imap';
|
|
$config['debug_logger']['log'] = 'log';
|
|
$config['debug_logger']['smtp'] = 'smtp';
|
|
|
|
$config['oauth_verify_peer'] = false;
|
|
$config['log_logins'] = true;
|
|
$config['log_session'] = true;
|
|
# $config['oauth_pkce'] = 'S256';
|
|
'';
|
|
};
|
|
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
|
forceSSL = true;
|
|
useACMEHost = domain;
|
|
enableACME = false;
|
|
# extraConfig = ''
|
|
# add_header X-Frame-Options DENY;
|
|
# add_header X-Content-Type-Options nosniff;
|
|
# add_header X-XSS-Protection "1; mode=block";
|
|
# '';
|
|
};
|
|
systemd = {
|
|
services = {
|
|
phpfpm-roundcube.serviceConfig = {
|
|
Slice = lib.mkForce "roundcube.slice";
|
|
StandardError = "journal";
|
|
StandardOutput = "journal";
|
|
};
|
|
kanidm.serviceConfig.ExecStartPost = lib.mkAfter [
|
|
("+" + kanidmExecStartPostScriptRoot)
|
|
kanidmExecStartPostScript
|
|
];
|
|
};
|
|
slices.roundcube = {
|
|
description = "Roundcube service slice";
|
|
};
|
|
};
|
|
|
|
services.kanidm.provision = lib.mkIf auth-module.enable {
|
|
groups.roundcube_users.present = true;
|
|
systems.oauth2.roundcube = {
|
|
displayName = "Roundcube";
|
|
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
|
|
originLanding = "https://${cfg.subdomain}.${domain}/";
|
|
basicSecretFile = pkgs.writeText "bs-roundcube" "VERYSTRONGSECRETFORROUNDCUBE";
|
|
# when true, name is passed to a service instead of name@domain
|
|
preferShortUsername = false;
|
|
allowInsecureClientDisablePkce = true; # FIXME is it needed?
|
|
scopeMaps.roundcube_users = [
|
|
"email"
|
|
"profile"
|
|
"openid"
|
|
];
|
|
# scopeMaps.roundcube_users = [
|
|
# "email"
|
|
# "openid"
|
|
# "dovecotprofile"
|
|
# ];
|
|
|
|
# add more scopes when a user is a member of specific group
|
|
# claimMaps.groups = {
|
|
# joinType = "array";
|
|
# valuesByGroup = {
|
|
# "sp.roundcube.admin" = [ "admin" ];
|
|
# };
|
|
# };
|
|
};
|
|
};
|
|
};
|
|
}
|