Continue working on oauth2 auth in roundcube

nix/modules/nixos/infrastructure/mailserver/default.nix

@@ -89,24 +89,6 @@ in
       domains = cfg.domains;
       certificateScheme = "acme";
     };
-    services.dovecot2.extraConfig = ''
-      auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
-
-      passdb {
-        driver = oauth2
-        mechanisms = xoauth2 oauthbearer
-        args = /etc/dovecot/dovecot-oauth2.conf.ext
-      }
-    '';
-    environment.etc."dovecot/dovecot-oauth2.conf.ext".text = ''
-      scope = email openid profile
-      username_attribute = preferred_username
-      client_id = dovecot
-      client_secret = <${config.khscodes.infrastructure.kanidm-client-application.secretFile}
-      tokeninfo_url = https://login.kaareskovgaard.net/oauth2/token
-      introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
-      introspection_mode = post
-    '';
     services.fail2ban.jails = {
       postfix = {
         settings = {

nix/modules/nixos/infrastructure/mailserver/openid-connect.nix

@@ -1,7 +1,46 @@
 { config, lib, ... }:
 let
   cfg = config.khscodes.infrastructure.mailserver;
+  oauthConfigFile = "/run/dovecot2/dovecot-oauth2.conf.ext";
 in
 {
-  config = lib.mkIf cfg.enable { };
+  config = lib.mkIf cfg.enable {
+    khscodes.services.vault-agent.templates = [
+      {
+        contents = ''
+          {{- with secret "kanidm/data/apps/dovecot" -}}
+          scope = email openid profile
+          username_attribute = preferred_username
+          debug = yes
+          tokeninfo_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo?access_token=
+          introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
+          introspection_mode = post
+          {{- end -}}
+        '';
+        destination = oauthConfigFile;
+        perms = "0600";
+        owner = "root";
+        group = "root";
+        restartUnits = [ "dovecot2.service" ];
+      }
+    ];
+    services.dovecot2.extraConfig = ''
+      auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+
+      passdb {
+        driver = oauth2
+        mechanisms = xoauth2 oauthbearer
+        args = ${oauthConfigFile}
+      }
+    '';
+    systemd.services.dovecot2 = {
+      serviceConfig.ReadOnlyPaths = [
+        oauthConfigFile
+      ];
+      unitConfig.ConditionPathExists = [
+        oauthConfigFile
+      ];
+    };
+
+  };
 }

nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix

@@ -31,7 +31,7 @@
       enable = true;
       appName = "dovecot";
       secretOwner = "dovecot2";
-      perms = "0600";
+      perms = "0644";
     };
     hetzner-instance = {
       enable = true;

nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix

@@ -91,7 +91,7 @@ in
       };
       monitoring = {
         allowedRedirectUris = [ "https://monitoring.kaareskovgaard.net/login/generic_oauth" ];
-        landingUri = "http://monitoring.kaareskovgaard.net";
+        landingUri = "http://monitoring.kaareskovgaard.net/login/generic_oauth";
         displayName = "Monitoring";
         scopeMaps = {
           "openbao_admin" = [