Continue working on oauth2 auth in roundcube

This commit is contained in:
Kaare Hoff Skovgaard 2025-07-29 15:30:44 +02:00
parent d62c0a32ec
commit 4d48bc1457
Signed by: khs
GPG key ID: C7D890804F01E9F0
4 changed files with 42 additions and 21 deletions


@ -89,24 +89,6 @@ in
domains = cfg.domains; domains = cfg.domains;
certificateScheme = "acme"; certificateScheme = "acme";
}; };
services.dovecot2.extraConfig = ''
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
'';
environment.etc."dovecot/dovecot-oauth2.conf.ext".text = ''
scope = email openid profile
username_attribute = preferred_username
client_id = dovecot
client_secret = <${config.khscodes.infrastructure.kanidm-client-application.secretFile}
tokeninfo_url = https://login.kaareskovgaard.net/oauth2/token
introspection_url = https://login.kaareskovgaard.net/oauth2/token/introspect
introspection_mode = post
'';
services.fail2ban.jails = { services.fail2ban.jails = {
postfix = { postfix = {
settings = { settings = {


@ -1,7 +1,46 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.khscodes.infrastructure.mailserver; cfg = config.khscodes.infrastructure.mailserver;
oauthConfigFile = "/run/dovecot2/dovecot-oauth2.conf.ext";
in in
{ {
config = lib.mkIf cfg.enable { }; config = lib.mkIf cfg.enable {
khscodes.services.vault-agent.templates = [
{
contents = ''
{{- with secret "kanidm/data/apps/dovecot" -}}
scope = email openid profile
username_attribute = preferred_username
debug = yes
tokeninfo_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo?access_token=
introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
introspection_mode = post
{{- end -}}
'';
destination = oauthConfigFile;
perms = "0600";
owner = "root";
group = "root";
restartUnits = [ "dovecot2.service" ];
}
];
services.dovecot2.extraConfig = ''
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = ${oauthConfigFile}
}
'';
systemd.services.dovecot2 = {
serviceConfig.ReadOnlyPaths = [
oauthConfigFile
];
unitConfig.ConditionPathExists = [
oauthConfigFile
];
};
};
} }
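Review bot: `debug = yes` in the new vault-agent template for the dovecot-oauth2 config reads like a development setting left in; the oauth2 driver's debug output is verbose, and since the `basic_secret` is embedded in both URLs and the access token is appended to `tokeninfo_url`, credential-bearing request details are likely to end up in the journal. Remove the `debug = yes` line before this lands, or gate it behind a module option that defaults to off. Separately, the `?access_token=` suffix on the userinfo URL means the token is carried in the query string and may be recorded in the IdP's access logs; I have not verified whether the driver or kanidm offers another transport here, so treat that as something to check. Finally, `ConditionPathExists` makes dovecot2 silently skip rather than fail when the template has not been rendered yet, so a missed render only shows up as an absent dovecot; consider ordering the unit after the vault-agent service as well.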


@ -31,7 +31,7 @@
enable = true; enable = true;
appName = "dovecot"; appName = "dovecot";
secretOwner = "dovecot2"; secretOwner = "dovecot2";
perms = "0600"; perms = "0644";
}; };
hetzner-instance = { hetzner-instance = {
enable = true; enable = true;
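Review bot: Relaxing `perms` from `0600` to `0644` on the dovecot client-application secret makes it readable by every local account on the host, which is a regression for a credential that identifies the client to the IdP. If this was needed because the reading process no longer runs as `secretOwner` (`dovecot2`), prefer group access with a suitable group (`perms = "0640";`) or adjusting the reader over opening the file to others. The hunk does not show whether the option set has a group setting, so check the module before picking that route.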


@ -91,7 +91,7 @@ in
}; };
monitoring = { monitoring = {
allowedRedirectUris = [ "https://monitoring.kaareskovgaard.net/login/generic_oauth" ]; allowedRedirectUris = [ "https://monitoring.kaareskovgaard.net/login/generic_oauth" ];
landingUri = "http://monitoring.kaareskovgaard.net"; landingUri = "http://monitoring.kaareskovgaard.net/login/generic_oauth";
displayName = "Monitoring"; displayName = "Monitoring";
scopeMaps = { scopeMaps = {
"openbao_admin" = [ "openbao_admin" = [
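Review bot: `landingUri` still uses `http://` while `allowedRedirectUris` on the line above uses `https://` for the same host, so the first hop into the login flow is plaintext and depends on a redirect this config does not show. If the monitoring host is served over TLS, as the redirect URI suggests, `landingUri = "https://monitoring.kaareskovgaard.net/login/generic_oauth";` keeps the two consistent. The enclosing attribute set continues outside the hunk.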