From 4d48bc1457efe00f3933d16e0f19eeb139faa669 Mon Sep 17 00:00:00 2001 From: Kaare Hoff Skovgaard Date: Tue, 29 Jul 2025 15:30:44 +0200 Subject: [PATCH] Continue working on oauth2 auth in roundcube --- .../infrastructure/mailserver/default.nix | 18 -------- .../mailserver/openid-connect.nix | 41 ++++++++++++++++++- .../mx.kaareskovgaard.net/default.nix | 2 +- .../security.kaareskovgaard.net/kanidm.nix | 2 +- 4 files changed, 42 insertions(+), 21 deletions(-) diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix index 3f5d38e..f59e4e1 100644 --- a/nix/modules/nixos/infrastructure/mailserver/default.nix +++ b/nix/modules/nixos/infrastructure/mailserver/default.nix @@ -89,24 +89,6 @@ in domains = cfg.domains; certificateScheme = "acme"; }; - services.dovecot2.extraConfig = '' - auth_mechanisms = $auth_mechanisms oauthbearer xoauth2 - - passdb { - driver = oauth2 - mechanisms = xoauth2 oauthbearer - args = /etc/dovecot/dovecot-oauth2.conf.ext - } - ''; - environment.etc."dovecot/dovecot-oauth2.conf.ext".text = '' - scope = email openid profile - username_attribute = preferred_username - client_id = dovecot - client_secret = <${config.khscodes.infrastructure.kanidm-client-application.secretFile} - tokeninfo_url = https://login.kaareskovgaard.net/oauth2/token - introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect - introspection_mode = post - ''; services.fail2ban.jails = { postfix = { settings = { diff --git a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix index fdb959d..896633b 100644 --- a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix +++ b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix 
@@ -1,7 +1,46 @@ { config, lib, ... }: let cfg = config.khscodes.infrastructure.mailserver; + oauthConfigFile = "/run/dovecot2/dovecot-oauth2.conf.ext"; in { - config = lib.mkIf cfg.enable { }; + config = lib.mkIf cfg.enable { + khscodes.services.vault-agent.templates = [ + { + contents = '' + {{- with secret "kanidm/data/apps/dovecot" -}} + scope = email openid profile + username_attribute = preferred_username + debug = yes + tokeninfo_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo?access_token= + introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect + introspection_mode = post + {{- end -}} + ''; + destination = oauthConfigFile; + perms = "0600"; + owner = "root"; + group = "root"; + restartUnits = [ "dovecot2.service" ]; + } + ]; + services.dovecot2.extraConfig = '' + auth_mechanisms = $auth_mechanisms oauthbearer xoauth2 + + passdb { + driver = oauth2 + mechanisms = xoauth2 oauthbearer + args = ${oauthConfigFile} + } + ''; + systemd.services.dovecot2 = { + serviceConfig.ReadOnlyPaths = [ + oauthConfigFile + ]; + unitConfig.ConditionPathExists = [ + oauthConfigFile + ]; + }; + + }; } diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix index 6976ed5..737fa57 100644 --- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix +++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix @@ -31,7 +31,7 @@ enable = true; appName = "dovecot"; secretOwner = "dovecot2"; - perms = "0600"; + perms = "0644"; }; hetzner-instance = { enable = true; diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix index 63ae288..5ff66ee 100644 --- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix +++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix 
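Review bot: The rendered template sets `debug = yes` in the oauth2 passdb config while embedding the kanidm client secret in the userinfo part of `tokeninfo_url` and `introspection_url`; Dovecot's oauth2 debug logging is verbose and is likely to write the request URLs, and with them the basic_secret and users' access tokens, into the journal, so that line should be dropped before this is merged. The block deleted from mailserver/default.nix authenticated introspection with separate `client_id`/`client_secret` keys, and whether lib-oauth2 honours credentials in the URL userinfo for `introspection_mode = post` is worth confirming against the Dovecot version in use before relying on it. Placing the file under `/run/dovecot2/` guarded by `ConditionPathExists` means a missing template silently skips the unit rather than failing it; if the NixOS dovecot2 unit declares `RuntimeDirectory=dovecot2` (to be confirmed), the rendered file is removed on every stop and the service will not come back until vault-agent re-renders the template, which a destination outside the runtime directory (or `RuntimeDirectoryPreserve=yes`) would avoid.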
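Review bot: Loosening `perms` from `0600` to `0644` on the kanidm client-application secret owned by `secretOwner = "dovecot2"` makes the dovecot client secret readable by every local user on the host. The hunk in mailserver/default.nix in this same commit removes the only visible reader of that file (the `client_secret = <${...secretFile}` line), and openid-connect.nix now obtains the secret through the vault-agent template instead, so the wider mode appears unnecessary; keep `perms = "0600";`, or if another service user genuinely must read it, grant that through the group bits rather than world-readable access.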
@@ -91,7 +91,7 @@ in }; monitoring = { allowedRedirectUris = [ "https://monitoring.kaareskovgaard.net/login/generic_oauth" ]; - landingUri = "http://monitoring.kaareskovgaard.net"; + landingUri = "http://monitoring.kaareskovgaard.net/login/generic_oauth"; displayName = "Monitoring"; scopeMaps = { "openbao_admin" = [
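Review bot: The new `landingUri` is `http://monitoring.kaareskovgaard.net/login/generic_oauth` while the `allowedRedirectUris` entry two lines above is the same path on `https://`; the landing link from kanidm will send users to the plain-http origin, which either relies on an http-to-https redirect being in place or fails the generic_oauth login outright. Suggest `landingUri = "https://monitoring.kaareskovgaard.net/login/generic_oauth";` so both URIs agree on scheme. The enclosing `monitoring = { ... }` attribute set continues past the end of the hunk.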