services/openldap: Overhaul integrations to allow services

This commit is contained in:
kat witch 2021-09-21 00:53:30 +01:00
parent 480d5b4fce
commit 2c1f873fae
9 changed files with 101 additions and 13 deletions


@ -23,6 +23,9 @@ let
tfModule tfModule
"${toString sources.tf-nix}/modules" "${toString sources.tf-nix}/modules"
]; ];
specialArgs = {
meta = config;
};
shorthandOnlyDefinesConfig = true; shorthandOnlyDefinesConfig = true;
}; };
in in


@ -6,6 +6,7 @@
./dovecot.nix ./dovecot.nix
./opendkim.nix ./opendkim.nix
./autoconfig.nix ./autoconfig.nix
./roundcube.nix # ./roundcube.nix
./sogo.nix
]; ];
} }


@ -7,7 +7,7 @@ let
auth_bind = no auth_bind = no
ldap_version = 3 ldap_version = 3
base = ou=users,dc=kittywit,dc=ch base = ou=users,dc=kittywit,dc=ch
user_filter = (&(objectClass=mailAccount)(mail=%u)) user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
user_attrs = \ user_attrs = \
quota=quota_rule=*:bytes=%$, \ quota=quota_rule=*:bytes=%$, \
=home=/var/vmail/%d/%n/, \ =home=/var/vmail/%d/%n/, \
@ -26,7 +26,7 @@ let
auth_bind = no auth_bind = no
ldap_version = 3 ldap_version = 3
base = ou=services,dc=kittywit,dc=ch base = ou=services,dc=kittywit,dc=ch
user_filter = (&(objectClass=mailAccount)(mail=%u)) user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
user_attrs = \ user_attrs = \
quota=quota_rule=*:bytes=%$, \ quota=quota_rule=*:bytes=%$, \
=home=/var/vmail/%d/%n/, \ =home=/var/vmail/%d/%n/, \
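Review bot: The widened `user_filter` on the first changed line of this hunk lets a single login string select an entry by either `mail` or `uid`, and because `auth_bind = no` is kept on the line above, Dovecot locates the entry from the filter alone before the password is checked; nothing here ensures a value of one attribute cannot equal the other attribute of a different entry, in which case the lookup becomes ambiguous. If the `by self write` grant in the openldap ACLs covers `mail` or `uid`, a user could set their own attribute to another account's login name and collide with it, so a uniqueness constraint across both attributes (or keeping self-write off the login attributes) is worth confirming. The second hunk of this section (base `ou=services`) makes the identical change. A comment on the filter would record the intent, e.g. `# login may be the uid or the full mail address; both must stay unique across the tree`.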


@ -45,7 +45,7 @@ in {
text = '' text = ''
server_host = ${ldaps} server_host = ${ldaps}
search_base = ou=users,dc=kittywit,dc=ch search_base = ou=users,dc=kittywit,dc=ch
query_filter = (&(objectClass=mailAccount)(mail=%s)) query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
result_attribute = mail result_attribute = mail
version = 3 version = 3
bind = yes bind = yes
@ -60,7 +60,7 @@ in {
text = '' text = ''
server_host = ${ldaps} server_host = ${ldaps}
search_base = ou=services,dc=kittywit,dc=ch search_base = ou=services,dc=kittywit,dc=ch
query_filter = (&(objectClass=mailAccount)(mail=%s)) query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
result_attribute = mail result_attribute = mail
version = 3 version = 3
bind = yes bind = yes
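Review bot: `(uid=%s)` in the changed `query_filter` compares the `uid` attribute against the whole lookup key, which for a recipient lookup is the full address; in postfix's ldap table syntax `%s` is the complete key while `%u` is only its local part, so this branch matches only when a uid literally equals an e-mail address. If the intent is to accept `uid@domain` forms, the clause would need `%u` (plus a domain constraint) rather than `%s`; if matching whole addresses against `uid` is deliberate, that is not obvious from the line. The second hunk of this section (base `ou=services`) has the same form. A comment such as `# %s is the full address, %u only the local part — uid branch matches complete addresses only` would make the choice explicit.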


@ -0,0 +1,81 @@
{ config, tf, lib, ... }: with lib; {
kw.secrets.variables.sogo-ldap = {
path = "secrets/sogo";
field = "password";
};
secrets.files.sogo-ldap = {
text = ''
${tf.variables.sogo-ldap.ref}
'';
owner = "sogo";
group = "sogo";
};
services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
useACMEHost = "dovecot_domains";
enableACME = mkForce false;
forceSSL = true;
};
users.users.nginx.extraGroups = singleton "postfix";
deploy.tf.dns.records.services_sogo = {
inherit (config.network.dns) zone;
domain = "mail";
cname = { inherit (config.network.addresses.public) target; };
};
services.postgresql = {
enable = true;
ensureDatabases = [ "sogo" ];
ensureUsers = [{
name = "sogo";
ensurePermissions."DATABASE sogo" = "ALL PRIVILEGES";
}];
};
services.memcached = {
enable = true;
};
services.sogo = {
enable = true;
timezone = "Europe/London";
vhostName = "mail.${config.network.dns.domain}";
extraConfig = ''
SOGoMailDomain = "kittywit.ch";
SOGoPageTitle = "kittywitch";
SOGoProfileURL =
"postgresql://sogo@/sogo/sogo_user_profile";
OCSFolderInfoURL =
"postgresql://sogo@/sogo/sogo_folder_info";
OCSSessionsFolderURL =
"postgresql://sogo@/sogo/sogo_sessions_folder";
SOGoMailingMechanism = "smtp";
SOGoForceExternalLoginWithEmail = YES;
SOGoSMTPServer = "smtps://${config.network.addresses.public.domain}:465";
SOGoIMAPServer = "imaps://${config.network.addresses.public.domain}:993";
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=users,dc=kittywit,dc=ch";
bindDN = "cn=sogo,ou=services,dc=kittywit,dc=ch";
bindFields = (uid,mail);
bindPassword = "LDAP_BINDPW";
canAuthenticate = YES;
displayName = "kittywitch Org";
hostname = "ldaps://auth.kittywit.ch:636";
id = public;
isAddressBook = YES;
}
);
'';
configReplaces = {
LDAP_BINDPW = config.secrets.files.sogo-ldap.path;
};
};
}
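Review bot: `users.users.nginx.extraGroups = singleton "postfix"` gives the nginx workers read access to every file the postfix group can read, and the file gives no reason for it; presumably it is for the `dovecot_domains` ACME certificate referenced in the virtualHost above, but that is inferred. A comment stating what the membership is for, e.g. `# nginx joins the postfix group to read the shared ACME certificate (TODO confirm)`, and a check whether a narrower grant (a dedicated certificate group) would do, would keep the web server's privileges minimal. Separately, `hostname = "ldaps://auth.kittywit.ch:636"` is hard-coded while the dovecot and postfix modules take the server from a `${ldaps}` binding, so the two can drift apart.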


@ -60,17 +60,20 @@
by anonymous auth by anonymous auth
by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
by self write by self write
by * none'' by * none''
''{1}to dn.subtree="dc=kittywit,dc=ch" ''{1}to dn.subtree="dc=kittywit,dc=ch"
by dn.exact="cn=root,dc=kittywit,dc=ch" manage by dn.exact="cn=root,dc=kittywit,dc=ch" manage
by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
by dn.subtree="ou=users,dc=kittywit,dc=ch" read by dn.subtree="ou=users,dc=kittywit,dc=ch" read
'' ''
''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch" ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch"
by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
by dn.subtree="ou=users,dc=kittywit,dc=ch" read by dn.subtree="ou=users,dc=kittywit,dc=ch" read
by dn.subtree="ou=services,dc=kittywit,dc=ch" read by dn.subtree="ou=services,dc=kittywit,dc=ch" read
by * none'' by * none''
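Review bot: The first rule in this hunk grants `cn=sogo` `read` on whatever attribute set its `to` clause (above the hunk) selects; the surrounding `by anonymous auth` / `by self write` lines are the usual shape of a `userPassword` rule, and if that is what it is, `read` lets the sogo bind account retrieve password hashes. Dovecot needs that level because its config keeps `auth_bind = no`, but the sogo user source authenticates by binding as the user (`bindFields = (uid,mail)`, `canAuthenticate = YES`), which only needs `auth` on that attribute — `by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" auth` would be the least-privilege form if the attribute is indeed `userPassword`. The reads added to rules {1} and {2} are in line with the existing xbackbone and dovecot grants.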


@ -63,7 +63,7 @@
define('LDAP_AUTH_LOGIN_ATTRIB', 'mail'); define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
// ??? will be replaced with the entered username(escaped) at login // ??? will be replaced with the entered username(escaped) at login
define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???))'); define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???)))');
// Optional configuration // Optional configuration
define('LDAP_AUTH_LOG_ATTEMPTS', TRUE); define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
// Enable Debug Logging // Enable Debug Logging


@ -1,20 +1,20 @@
{ config, lib, ... }: with lib; { config, meta, lib, ... }: with lib;
{ {
deploy.gcroot.enable = true; deploy.gcroot.enable = true;
variables.katdns-address = { variables.katdns-address = {
value.shellCommand = "bitw get secrets/katdns -f address"; value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f address";
type = "string"; type = "string";
sensitive = true; sensitive = true;
}; };
variables.katdns-name = { variables.katdns-name = {
value.shellCommand = "bitw get secrets/katdns -f username"; value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f username";
type = "string"; type = "string";
sensitive = true; sensitive = true;
}; };
variables.katdns-key = { variables.katdns-key = {
value.shellCommand = "bitw get secrets/katdns -f password"; value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f password";
type = "string"; type = "string";
sensitive = true; sensitive = true;
}; };


@ -147,10 +147,10 @@
"homepage": "", "homepage": "",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bcd607489d76795508c48261e1ad05f5d4b7672f", "rev": "79c444b5bdeaba142d128afddee14c89ecf2a968",
"sha256": "0yjp9lrhzvyh9dc4b9dl456fr6nlchfmn85adq0vi4pnwfmh90z6", "sha256": "1qpkmv90b7sf2dvrc24nm8x2ws78w4aif1qi1zlglqssxfy888jm",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/bcd607489d76795508c48261e1ad05f5d4b7672f.tar.gz", "url": "https://github.com/nixos/nixpkgs/archive/79c444b5bdeaba142d128afddee14c89ecf2a968.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nur": { "nur": {