From fbcd590bfe6327748aff33ba0e0b20ef58f561a3 Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Wed, 30 Jul 2025 11:07:45 +0200
Subject: [PATCH] Final attempt at getting stalwart working before revert

Non working parts: 1. OIDC login, stalwart assumes the entire token is base64 encoded, which it is not. 2. Apparently there's no support for mixed directories, allowing both logins from ldap and from internal database. I want this in order to support accounts for services as well as persons.
---
 .../nixos/infrastructure/mailserver/acme.nix | 1 +
 .../infrastructure/mailserver/default.nix | 35 +++++++--
 .../nixos/infrastructure/mailserver/dkim.nix | 4 +
 .../nixos/infrastructure/mailserver/ldap.nix | 3 +
 .../mailserver/openid-connect.nix | 74 ++++++++++---------
 .../mailserver/package/nixos-module.nix | 15 +++-
 .../infrastructure/mailserver/prometheus.nix | 7 +-
 .../mx.kaareskovgaard.net/default.nix | 2 +
 8 files changed, 95 insertions(+), 46 deletions(-)

diff --git a/nix/modules/nixos/infrastructure/mailserver/acme.nix b/nix/modules/nixos/infrastructure/mailserver/acme.nix
index c13d0ca..ba54139 100644
--- a/nix/modules/nixos/infrastructure/mailserver/acme.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/acme.nix
@@ -19,6 +19,7 @@ in
 services.stalwart-mail.settings = {
 certificate.default = {
 cert = "%{file:${acmeDir}/fullchain.pem}%";
+ default = true;
 private-key = "%{file:${config.security.acme.certs.${fqdn}.directory}/key.pem}%";
 };
 };
diff --git a/nix/modules/nixos/infrastructure/mailserver/default.nix b/nix/modules/nixos/infrastructure/mailserver/default.nix
index a4b7289..9e5bc73 100644
--- a/nix/modules/nixos/infrastructure/mailserver/default.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/default.nix
@@ -36,8 +36,34 @@ in
 enable = true;
 package = pkgs.callPackage ./package/package.nix { };
 settings = {
+ config = {
+ local-keys =
+ # defaults
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "!server.blocked-ip.*"
+ "!server.allowed-ip.*"
+ "server.*"
+ "authentication.fallback-admin.*"
+ "cluster.*"
+ "config.local-keys.*"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "certificate.*"
+ ]
+ # KHS addded
+ ++ [
+ "http.*"
+ "lookup.default.*"
+ ];
+ };
 http = {
- url = "https://${fqdn}";
+ url = "'https://${fqdn}'";
 use-x-forwarded = true;
 };
 server = {
@@ -63,13 +89,9 @@ in
 protocol = "imap";
 tls.implicit = true;
 };
- jmap = {
- bind = "[::]:8080";
- url = "https://${fqdn}";
- protocol = "jmap";
- };
 management = {
 bind = "[::]:8080";
+ url = "https://${fqdn}";
 protocol = "http";
 };
 };
@@ -78,7 +100,6 @@ in
 hostname = fqdn;
 domain = "kaareskovgaard.net";
 };
- spam-filter.resource = "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
 };
 };
 # TODO: Include a similiar rule for openstack
diff --git a/nix/modules/nixos/infrastructure/mailserver/dkim.nix b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
index 894c6e5..68ddd50 100644
--- a/nix/modules/nixos/infrastructure/mailserver/dkim.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/dkim.nix
@@ -213,6 +213,10 @@ in
 ]) cfg.domains
 );
 services.stalwart-mail.settings = {
+ config.local-keys = [
+ "auth.*"
+ "signature.*"
+ ];
 auth.dkim = {
 sign = authDkim ++ [
 (otherwise false)
diff --git a/nix/modules/nixos/infrastructure/mailserver/ldap.nix b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
index c009b5a..ed1c0ed 100644
--- a/nix/modules/nixos/infrastructure/mailserver/ldap.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/ldap.nix
@@ -17,6 +17,9 @@ in
 config = lib.mkIf cfg.enable {
 services.stalwart-mail.settings = {
+ config.local-keys = [
+ "storage.ldap.*"
+ ];
 storage = {
 directory = "ldap";
 };
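Review bot: The two `url` values added in this file are written differently: `url = "'https://${fqdn}'";` under `http` wraps the address in single quotes, presumably because Stalwart evaluates that key as an expression in which string literals are single-quoted, while the `management` listener in the next hunk gets `url = "https://${fqdn}";` unquoted. If both keys are expressions the listener value will not parse as a literal, and if only one is, the other ends up with stray quotes in its value, so pick one form and confirm it against the listener schema. The hand-copied `# defaults` list in `config.local-keys` will drift silently when the packaged Stalwart adds a local-only key; a comment such as `# copied from the upstream local-keys default for the packaged Stalwart version — re-check on package bumps` makes that maintenance step visible. The same `config.local-keys` list is also extended in dkim.nix, ldap.nix, prometheus.nix and package/nixos-module.nix, which relies on NixOS list merging, so none of those definitions may use `lib.mkForce`. `addded` in the comment is a typo.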
diff --git a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
index 43c383f..2fe2075 100644
--- a/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/openid-connect.nix
@@ -5,41 +5,43 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- # khscodes.services.vault-agent.templates = [
- # {
- # contents = ''
- # {{- with secret "kanidm/data/apps/dovecot" -}}
- # scope = email openid profile
- # username_attribute = username
- # debug = yes
- # introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
- # introspection_mode = post
- # {{- end -}}
- # '';
- # destination = oauthConfigFile;
- # perms = "0600";
- # owner = "root";
- # group = "root";
- # restartUnits = [ "dovecot2.service" ];
- # }
- # ];
- # services.dovecot2.extraConfig = ''
- # auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
-
- # passdb {
- # driver = oauth2
- # mechanisms = xoauth2 oauthbearer
- # args = ${oauthConfigFile}
- # }
- # '';
- # systemd.services.dovecot2 = {
- # serviceConfig.ReadOnlyPaths = [
- # oauthConfigFile
- # ];
- # unitConfig.ConditionPathExists = [
- # oauthConfigFile
- # ];
- # };
-
+ services.stalwart-mail.settings = {
+ tracer.stdout.level = "trace";
+ directory.oidc = {
+ type = "oidc";
+ url = "ldaps://login.kaareskovgaard.net";
+ timeout = "1s";
+ endpoint.url = "https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo";
+ endpoint.method = "userinfo";
+ auth.method = "user-token";
+ auth.username = "dovecot";
+ auth.secret = "%{file:${oauthConfigFile}}%";
+ fields.email = "email";
+ fields.username = "preferred_username";
+ fields.full-name = "name";
+ };
+ };
+ khscodes.services.vault-agent.templates = [
+ {
+ contents = ''
+ {{- with secret "kanidm/data/apps/dovecot" -}}
+ {{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
+ {{- end -}}
+ '';
+ destination = oauthConfigFile;
+ perms = "0600";
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ restartUnits = [ "stalwart-mail.service" ];
+ }
+ ];
+ systemd.services.stalwart-mail = {
+ serviceConfig.ReadOnlyPaths = [
+ oauthConfigFile
+ ];
+ unitConfig.ConditionPathExists = [
+ oauthConfigFile
+ ];
+ };
 };
 }
diff --git a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
index 5d4160c..9aa349f 100644
--- a/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/package/nixos-module.nix
@@ -1,4 +1,5 @@
-# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail
+# This file contains patches for Nixos 25.05 to be compatible with new stalwart mail.
+# Also some minor patches to avoid having warnings on startup
 {
 lib,
 config,
@@ -10,6 +11,17 @@ let
 configFile = configFormat.generate "stalwart-mail.toml" config.services.stalwart-mail.settings;
 in
 {
+ services.stalwart-mail.settings = {
+ config.local-keys = [
+ "spam-filter.resource"
+ ]
+ ++ [
+ # I think these maybe should be added to nixpkgs?
+ "resolver.*"
+ "webadmin.*"
+ ];
+ spam-filter.resource = "file://${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml";
+ };
 systemd.services.stalwart-mail = lib.mkIf config.services.stalwart-mail.enable {
 serviceConfig = {
 User = "stalwart-mail";
@@ -18,6 +30,7 @@ in
 ""
 "${lib.getExe config.services.stalwart-mail.package} --config=${configFile}"
 ];
+ ReadOnlyPaths = [ "${config.services.stalwart-mail.package.spam-filter}/spam-filter.toml" ];
 };
 };
 }
diff --git a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
index 9c1e7f5..51d9dcf 100644
--- a/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
+++ b/nix/modules/nixos/infrastructure/mailserver/prometheus.nix
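Review bot: `tracer.stdout.level = "trace";` switches the whole mail server to trace-level logging, which will write request detail from the very authentication flow being debugged, likely including tokens and credentials, into the journal; it must not stay in a branch that can be deployed, so drop the line or gate it behind a debug option before merge. The vault-agent template writes `<secret>@login.kaareskovgaard.net/oauth2/token/introspect` into the file, and `auth.secret = "%{file:${oauthConfigFile}}%";` reads that file in full, so unless Stalwart strips the suffix the secret sent to the identity provider carries the leftover dovecot URL; the template line should be just `{{ .Data.data.basic_secret }}`, and this may be part of why the OIDC login fails. `url = "ldaps://login.kaareskovgaard.net";` on a directory with `type = "oidc";` looks copied from the LDAP module — confirm whether the OIDC directory consults this key at all, given the real endpoint is `endpoint.url`. The file ownership and mode (`stalwart-mail`, `0600`) together with `ReadOnlyPaths` are the right shape for a service-read secret.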
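Review bot: `# I think these maybe should be added to nixpkgs?` in the `config.local-keys` list of the second hunk is an open question left in the code rather than a tracked follow-up; rewrite it as `# TODO(khs): resolver.* and webadmin.* are missing from the nixpkgs local-keys default — upstream them or drop once confirmed` so it is searchable and has an owner. Once that is done the `[ "spam-filter.resource" ] ++ [ … ]` split has no reason to remain two lists. The `ReadOnlyPaths` entry for a `/nix/store` path in the third hunk is redundant if the store is already mounted read-only on this host; if it is there to reach through a `ProtectSystem` or `InaccessiblePaths` rule in the serviceConfig outside the hunk, a one-line comment saying so would stop the next reader from removing it.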
@@ -5,8 +5,11 @@ let
 in
 {
 config = lib.mkIf cfg.enable {
- services.stalwart-mail.settings.metrics.prometheus = {
- enable = true;
+ services.stalwart-mail.settings = {
+ config.local-keys = [ "metrics.prometheus.*" ];
+ metrics.prometheus = {
+ enable = true;
+ };
 };
 # Don't expose the endpoint
 khscodes.services.nginx.virtualHosts."${fqdn}".locations."=/metrics/prometheus" = {
diff --git a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
index 737fa57..0d92018 100644
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@@ -74,6 +74,8 @@
 $config['oauth_identity_uri'] = 'https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo';
 $config['oauth_identity_fields'] = ['preferred_username'];
 $config['oauth_scope'] = 'email openid profile';
+ # Don't show login dialog, just redirect to oauth login page
+ # $config['oauth_login_redirect'] = true;
 '';
 };
 khscodes.services.nginx = {
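Review bot: The added `# $config['oauth_login_redirect'] = true;` is commented-out code inside the PHP config string, and the comment above it describes what the option would do rather than why it is left off. Either enable it or replace the pair with a single line giving the reason, e.g. `# oauth_login_redirect stays off until the Stalwart OIDC login works (see commit message)`, so the next reader knows the disabled state is intentional.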