diff --git a/config/modules/meta/deploy.nix b/config/modules/meta/deploy.nix
index 5e921f54..12026aa8 100644
--- a/config/modules/meta/deploy.nix
+++ b/config/modules/meta/deploy.nix
@@ -23,6 +23,9 @@ let
 tfModule
 "${toString sources.tf-nix}/modules"
 ];
+ specialArgs = {
+ meta = config;
+ };
 shorthandOnlyDefinesConfig = true;
 };
 in
diff --git a/config/services/mail/default.nix b/config/services/mail/default.nix
index c6ea2ed7..ed7aa338 100644
--- a/config/services/mail/default.nix
+++ b/config/services/mail/default.nix
@@ -6,6 +6,7 @@
 ./dovecot.nix
 ./opendkim.nix
 ./autoconfig.nix
- ./roundcube.nix
+# ./roundcube.nix
+ ./sogo.nix
 ];
 }
diff --git a/config/services/mail/dovecot.nix b/config/services/mail/dovecot.nix
index 6e501283..8a14aa6d 100644
--- a/config/services/mail/dovecot.nix
+++ b/config/services/mail/dovecot.nix
@@ -7,7 +7,7 @@ let
 auth_bind = no
 ldap_version = 3
 base = ou=users,dc=kittywit,dc=ch
- user_filter = (&(objectClass=mailAccount)(mail=%u))
+ user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
 user_attrs = \
 quota=quota_rule=*:bytes=%$, \
 =home=/var/vmail/%d/%n/, \
@@ -26,7 +26,7 @@ let
 auth_bind = no
 ldap_version = 3
 base = ou=services,dc=kittywit,dc=ch
- user_filter = (&(objectClass=mailAccount)(mail=%u))
+ user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
 user_attrs = \
 quota=quota_rule=*:bytes=%$, \
 =home=/var/vmail/%d/%n/, \
diff --git a/config/services/mail/postfix.nix b/config/services/mail/postfix.nix
index 1cf2564d..7f5217c6 100644
--- a/config/services/mail/postfix.nix
+++ b/config/services/mail/postfix.nix
@@ -45,7 +45,7 @@ in {
 text = ''
 server_host = ${ldaps}
 search_base = ou=users,dc=kittywit,dc=ch
- query_filter = (&(objectClass=mailAccount)(mail=%s))
+ query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
 result_attribute = mail
 version = 3
 bind = yes
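Review bot: The new `uid=%u` alternative in `user_filter` lets a client authenticate with a bare uid, but `user_attrs` on the following lines still derives the mailbox location from `%d`/`%n` (`=home=/var/vmail/%d/%n/`), and `%d` is empty when the login name carries no domain, so the same account can land in a different home path depending on which form it logged in with. If bare-uid logins are intended, the home expansion should not depend on `%d`, otherwise a comment above the filter such as `# %u is expected to be a full mail address; bare uids leave %d empty` would at least make the assumption visible. The OR filter can also return more than one entry if some account's uid equals another account's mail, which is an inferred edge case best closed by a uniqueness constraint in the directory. The second dovecot hunk (`ou=services`) makes the identical change with the same `user_attrs`, and the enclosing `let` block starts outside both hunks.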
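Review bot: Adding `uid=%s` to `query_filter` while `result_attribute` stays `mail` means any lookup key equal to an account's `uid` now resolves to that account's address, and which Postfix map this table feeds is outside the hunk (it starts at `text = ''`). Postfix applies RFC 2254 quoting to `%s`, so filter injection is not the concern; the concern is key form, because `virtual_alias_maps` lookups for local domains also try the bare local part (`user`), and if this table backs such a map the filter would then match uid values that are not addresses at all. Verify against the map that consumes this file and consider a comment above the filter, e.g. `# key is a full address, or a bare local part for alias lookups in local domains`. The second postfix hunk (`ou=services`) makes the same change.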
@@ -60,7 +60,7 @@ in {
 text = ''
 server_host = ${ldaps}
 search_base = ou=services,dc=kittywit,dc=ch
- query_filter = (&(objectClass=mailAccount)(mail=%s))
+ query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
 result_attribute = mail
 version = 3
 bind = yes
diff --git a/config/services/mail/sogo.nix b/config/services/mail/sogo.nix
new file mode 100644
index 00000000..5386374c
--- /dev/null
+++ b/config/services/mail/sogo.nix
@@ -0,0 +1,81 @@
+{ config, tf, lib, ... }: with lib; {
+ kw.secrets.variables.sogo-ldap = {
+ path = "secrets/sogo";
+ field = "password";
+ };
+
+ secrets.files.sogo-ldap = {
+ text = ''
+ ${tf.variables.sogo-ldap.ref}
+ '';
+ owner = "sogo";
+ group = "sogo";
+ };
+
+ services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
+ useACMEHost = "dovecot_domains";
+ enableACME = mkForce false;
+ forceSSL = true;
+ };
+
+ users.users.nginx.extraGroups = singleton "postfix";
+
+ deploy.tf.dns.records.services_sogo = {
+ inherit (config.network.dns) zone;
+ domain = "mail";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "sogo" ];
+ ensureUsers = [{
+ name = "sogo";
+ ensurePermissions."DATABASE sogo" = "ALL PRIVILEGES";
+ }];
+ };
+
+ services.memcached = {
+ enable = true;
+ };
+
+ services.sogo = {
+ enable = true;
+ timezone = "Europe/London";
+ vhostName = "mail.${config.network.dns.domain}";
+ extraConfig = ''
+ SOGoMailDomain = "kittywit.ch";
+ SOGoPageTitle = "kittywitch";
+ SOGoProfileURL =
+ "postgresql://sogo@/sogo/sogo_user_profile";
+ OCSFolderInfoURL =
+ "postgresql://sogo@/sogo/sogo_folder_info";
+ OCSSessionsFolderURL =
+ "postgresql://sogo@/sogo/sogo_sessions_folder";
+ SOGoMailingMechanism = "smtp";
+ SOGoForceExternalLoginWithEmail = YES;
+ SOGoSMTPServer = "smtps://${config.network.addresses.public.domain}:465";
+ SOGoIMAPServer = "imaps://${config.network.addresses.public.domain}:993";
+ SOGoUserSources = (
+ {
+ type = ldap;
+ CNFieldName = cn;
+ IDFieldName = uid;
+ UIDFieldName = uid;
+ baseDN = "ou=users,dc=kittywit,dc=ch";
+ bindDN = "cn=sogo,ou=services,dc=kittywit,dc=ch";
+ bindFields = (uid,mail);
+ bindPassword = "LDAP_BINDPW";
+ canAuthenticate = YES;
+ displayName = "kittywitch Org";
+ hostname = "ldaps://auth.kittywit.ch:636";
+ id = public;
+ isAddressBook = YES;
+ }
+ );
+ '';
+ configReplaces = {
+ LDAP_BINDPW = 
config.secrets.files.sogo-ldap.path;
+ };
+ };
+}
diff --git a/config/services/openldap/default.nix b/config/services/openldap/default.nix
index f4a87484..2fa1544c 100644
--- a/config/services/openldap/default.nix
+++ b/config/services/openldap/default.nix
@@ -60,17 +60,20 @@
 by anonymous auth
 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
 by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
+ by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
 by self write
 by * none''
 ''{1}to dn.subtree="dc=kittywit,dc=ch"
 by dn.exact="cn=root,dc=kittywit,dc=ch" manage
 by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+ by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
 by dn.subtree="ou=users,dc=kittywit,dc=ch" read
 ''
 ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch"
 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
 by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
+ by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
 by dn.subtree="ou=users,dc=kittywit,dc=ch" read
 by dn.subtree="ou=services,dc=kittywit,dc=ch" read
 by * none''
diff --git a/config/services/tt-rss.nix b/config/services/tt-rss.nix
index 0182faba..730b1b9c 100644
--- a/config/services/tt-rss.nix
+++ b/config/services/tt-rss.nix
@@ -63,7 +63,7 @@
 define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
 define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
 // ??? will be replaced with the entered username(escaped) at login
- define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???))');
+ define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???)))');
 // Optional configuration
 define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
 // Enable Debug Logging
diff --git a/config/tf.nix b/config/tf.nix
index bf58abd3..a464a16e 100644
--- a/config/tf.nix
+++ b/config/tf.nix
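Review bot: `bindPassword = "LDAP_BINDPW"` combined with `configReplaces` means the rendered sogo.conf carries the LDAP service password in clear, and `secrets.files.sogo-ldap` sets `owner`/`group` but no explicit file mode, so whether the secret and the rendered config are unreadable to other local users depends on defaults outside this hunk — worth pinning the secret's mode explicitly if the secrets module allows it, and confirming the permissions the sogo module gives its config file. `isAddressBook = YES` on a source whose `baseDN` is the whole `ou=users` subtree publishes every account to every authenticated SOGo user as a shared address book; confirm that is intended rather than carried over from the authentication settings. `SOGoMailDomain = "kittywit.ch"` and `hostname = "ldaps://auth.kittywit.ch:636"` are literals where the rest of the file derives names from `config.network.dns.domain`, a consistency nit. `users.users.nginx.extraGroups = singleton "postfix";` states no reason; a one-line comment naming what nginx needs from the postfix group would help the next reader.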
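Review bot: All three ACLs grant `cn=sogo` `read`, but the `by` list that opens this hunk (its `to` clause is above the hunk, so this is inferred from the `by anonymous auth ... by self write` shape) looks like the password-attribute ACL, and SOGo authenticates users by binding as them (`canAuthenticate = YES`, `bindFields = (uid,mail)` in sogo.nix), so `auth` rather than `read` should suffice there — unlike dovecot, which runs with `auth_bind = no` and has to read the stored hash itself. Suggest `by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" auth` in the first ACL while keeping `read` in `{1}` and `{2}`, which SOGo needs for the pre-bind lookup and the address book. A short comment per service DN stating why it has the access it has would keep this list reviewable as more services are added.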
@@ -1,20 +1,20 @@
-{ config, lib, ... }: with lib;
+{ config, meta, lib, ... }: with lib;
 {
 deploy.gcroot.enable = true;
 variables.katdns-address = {
- value.shellCommand = "bitw get secrets/katdns -f address";
+ value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f address";
 type = "string";
 sensitive = true;
 };
 variables.katdns-name = {
- value.shellCommand = "bitw get secrets/katdns -f username";
+ value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f username";
 type = "string";
 sensitive = true;
 };
 variables.katdns-key = {
- value.shellCommand = "bitw get secrets/katdns -f password";
+ value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f password";
 type = "string";
 sensitive = true;
 };
diff --git a/nix/sources.json b/nix/sources.json
index 9a57e174..630e8b50 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -147,10 +147,10 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "bcd607489d76795508c48261e1ad05f5d4b7672f",
- "sha256": "0yjp9lrhzvyh9dc4b9dl456fr6nlchfmn85adq0vi4pnwfmh90z6",
+ "rev": "79c444b5bdeaba142d128afddee14c89ecf2a968",
+ "sha256": "1qpkmv90b7sf2dvrc24nm8x2ws78w4aif1qi1zlglqssxfy888jm",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/bcd607489d76795508c48261e1ad05f5d4b7672f.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/79c444b5bdeaba142d128afddee14c89ecf2a968.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nur": {