services/openldap: Overhaul integrations to allow services

config/modules/meta/deploy.nix

@@ -23,6 +23,9 @@ let
       tfModule
       "${toString sources.tf-nix}/modules"
     ];
+    specialArgs = {
+      meta = config;
+    };
     shorthandOnlyDefinesConfig = true;
   };
 in

config/services/mail/default.nix

@@ -6,6 +6,7 @@
     ./dovecot.nix
     ./opendkim.nix
     ./autoconfig.nix
-    ./roundcube.nix
+#    ./roundcube.nix
+    ./sogo.nix
   ];
 }

config/services/mail/dovecot.nix

@@ -7,7 +7,7 @@ let
     auth_bind = no
     ldap_version = 3
     base = ou=users,dc=kittywit,dc=ch
-    user_filter = (&(objectClass=mailAccount)(mail=%u))
+    user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
     user_attrs = \
       quota=quota_rule=*:bytes=%$, \
       =home=/var/vmail/%d/%n/, \
@@ -26,7 +26,7 @@ let
     auth_bind = no
     ldap_version = 3
     base = ou=services,dc=kittywit,dc=ch
-    user_filter = (&(objectClass=mailAccount)(mail=%u))
+    user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u)))
     user_attrs = \
       quota=quota_rule=*:bytes=%$, \
       =home=/var/vmail/%d/%n/, \

config/services/mail/postfix.nix

@@ -45,7 +45,7 @@ in {
       text = ''
         server_host = ${ldaps}
         search_base = ou=users,dc=kittywit,dc=ch
-        query_filter = (&(objectClass=mailAccount)(mail=%s))
+        query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
         result_attribute = mail
         version = 3
         bind = yes
@@ -60,7 +60,7 @@ in {
       text = ''
         server_host = ${ldaps}
         search_base = ou=services,dc=kittywit,dc=ch
-        query_filter = (&(objectClass=mailAccount)(mail=%s))
+        query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s)))
         result_attribute = mail
         version = 3
         bind = yes

config/services/mail/sogo.nix

@@ -0,0 +1,81 @@
+{ config, tf, lib, ... }: with lib; {
+  kw.secrets.variables.sogo-ldap = {
+    path = "secrets/sogo";
+    field = "password";
+  };
+
+  secrets.files.sogo-ldap = {
+    text = ''
+      ${tf.variables.sogo-ldap.ref}
+    '';
+    owner = "sogo";
+    group = "sogo";
+  };
+
+  services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
+    useACMEHost = "dovecot_domains";
+    enableACME = mkForce false;
+    forceSSL = true;
+  };
+
+  users.users.nginx.extraGroups = singleton "postfix";
+
+  deploy.tf.dns.records.services_sogo = {
+    inherit (config.network.dns) zone;
+    domain = "mail";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "sogo" ];
+    ensureUsers = [{
+      name = "sogo";
+      ensurePermissions."DATABASE sogo" = "ALL PRIVILEGES";
+    }];
+  };
+
+  services.memcached = {
+    enable = true;
+  };
+
+  services.sogo = {
+    enable = true;
+    timezone = "Europe/London";
+    vhostName = "mail.${config.network.dns.domain}";
+    extraConfig = ''
+      SOGoMailDomain = "kittywit.ch";
+      SOGoPageTitle = "kittywitch";
+      SOGoProfileURL =
+          "postgresql://sogo@/sogo/sogo_user_profile";
+      OCSFolderInfoURL =
+          "postgresql://sogo@/sogo/sogo_folder_info";
+      OCSSessionsFolderURL =
+          "postgresql://sogo@/sogo/sogo_sessions_folder";
+      SOGoMailingMechanism = "smtp";
+      SOGoForceExternalLoginWithEmail = YES;
+      SOGoSMTPServer = "smtps://${config.network.addresses.public.domain}:465";
+      SOGoIMAPServer = "imaps://${config.network.addresses.public.domain}:993";
+      SOGoUserSources = (
+          {
+              type = ldap;
+              CNFieldName = cn;
+              IDFieldName = uid;
+              UIDFieldName = uid;
+              baseDN = "ou=users,dc=kittywit,dc=ch";
+              bindDN = "cn=sogo,ou=services,dc=kittywit,dc=ch";
+              bindFields = (uid,mail);
+              bindPassword = "LDAP_BINDPW";
+              canAuthenticate = YES;
+              displayName = "kittywitch Org";
+              hostname = "ldaps://auth.kittywit.ch:636";
+              id = public;
+              isAddressBook = YES;
+          }
+      );
+    '';
+    configReplaces = {
+      LDAP_BINDPW = config.secrets.files.sogo-ldap.path;
+    };
+  };
+}

config/services/openldap/default.nix

@@ -60,17 +60,20 @@
                 by anonymous auth
                 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
                   by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
+                  by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
                 by self write
                 by * none''
                 ''{1}to dn.subtree="dc=kittywit,dc=ch"
                   by dn.exact="cn=root,dc=kittywit,dc=ch" manage
                   by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
                   by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
+                  by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
                   by dn.subtree="ou=users,dc=kittywit,dc=ch" read
                 ''
               ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch"
                    by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
                     by dn.base="cn=xbackbone,ou=services,dc=kittywit,dc=ch" read
+                    by dn.base="cn=sogo,ou=services,dc=kittywit,dc=ch" read
                    by dn.subtree="ou=users,dc=kittywit,dc=ch" read
                    by dn.subtree="ou=services,dc=kittywit,dc=ch" read
                      by * none''

config/services/tt-rss.nix

@@ -63,7 +63,7 @@
       define('LDAP_AUTH_LOGIN_ATTRIB', 'mail');
       define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
       // ??? will be replaced with the entered username(escaped) at login
-      define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???))');
+      define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???)))');
       // Optional configuration
       define('LDAP_AUTH_LOG_ATTEMPTS', TRUE);
       // Enable Debug Logging

config/tf.nix

@@ -1,20 +1,20 @@
-{ config, lib, ... }: with lib;
+{ config, meta, lib, ... }: with lib;
 
 {
   deploy.gcroot.enable = true;
 
   variables.katdns-address = {
-    value.shellCommand = "bitw get secrets/katdns -f address";
+    value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f address";
     type = "string";
     sensitive = true;
   };
   variables.katdns-name = {
-    value.shellCommand = "bitw get secrets/katdns -f username";
+    value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f username";
     type = "string";
     sensitive = true;
   };
   variables.katdns-key = {
-    value.shellCommand = "bitw get secrets/katdns -f password";
+    value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f password";
     type = "string";
     sensitive = true;
   };

nix/sources.json

@@ -147,10 +147,10 @@
         "homepage": "",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bcd607489d76795508c48261e1ad05f5d4b7672f",
-        "sha256": "0yjp9lrhzvyh9dc4b9dl456fr6nlchfmn85adq0vi4pnwfmh90z6",
+        "rev": "79c444b5bdeaba142d128afddee14c89ecf2a968",
+        "sha256": "1qpkmv90b7sf2dvrc24nm8x2ws78w4aif1qi1zlglqssxfy888jm",
         "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/bcd607489d76795508c48261e1ad05f5d4b7672f.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/79c444b5bdeaba142d128afddee14c89ecf2a968.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nur": {