machines/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/openid-connect.nix
Kaare Hoff Skovgaard 6ac55b7e44
I think I finally understand how the postfix and dovecot
integration works now. Now the regular accounts should work again,
and with proper handling of catch all aliases for domains, as well
as handling postmaster and abuse emails being forwarded to khs
with proper auto tagging of the mails.
2025-08-01 00:53:09 +02:00


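{ config, ... }:
let
  # Rendered by vault-agent (below) onto tmpfs; its only reader in this module
  # is Dovecot's oauth2 passdb (`args = ...`).
  oauthConfigFile = "/run/secret/dovecot/dovecot-oauth2.conf.ext";
  # Kanidm instance that every OAuth2 endpoint below lives on.
  loginHost = "login.kaareskovgaard.net";
  clientApp = config.khscodes.infrastructure.kanidm-client-application;
in
{
  config = {
    # Register the "dovecot" OAuth2 client in Kanidm and drop its client
    # secret at `clientApp.secretFile`.
    #
    # The only reader of that file in this module is Roundcube's PHP-FPM
    # worker (`file_get_contents` below). Owning it as root with mode 0644
    # made the OAuth2 client secret readable by every local account on the
    # host; give it to the PHP-FPM pool user instead and make it owner-only.
    # NOTE(review): if another service on this host also reads secretFile,
    # grant it through a shared group rather than going back to 0644.
    khscodes.infrastructure.kanidm-client-application = {
      enable = true;
      appName = "dovecot";
      secretOwner = config.services.phpfpm.pools.roundcube.user;
      perms = "0400";
    };

    khscodes.services.vault-agent.templates = [
      {
        # Dovecot oauth2 passdb config. Dovecot takes the introspection
        # endpoint's HTTP basic-auth credentials from the URL's userinfo
        # part, so the client secret ends up inside this file: keep it
        # root-only on tmpfs and restart Dovecot whenever Vault re-renders it.
        # No URL escaping is applied to basic_secret here — this assumes
        # Kanidm's generated secrets contain no URL-reserved characters.
        #
        # `active_attribute`/`active_value` make Dovecot reject tokens the
        # issuer reports as inactive (RFC 7662 `"active": false`) explicitly,
        # instead of relying on the username attribute merely being absent
        # from such a reply. NOTE(review): Dovecot compares the field as
        # text and renders Kanidm's JSON boolean as `true` — confirm on the
        # deployed Dovecot version before relying on it.
        contents = ''
          {{- with secret "kanidm/data/apps/dovecot" -}}
          scope = email openid profile
          username_attribute = username
          introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@${loginHost}/oauth2/token/introspect
          introspection_mode = post
          active_attribute = active
          active_value = true
          {{- end -}}
        '';
        destination = oauthConfigFile;
        perms = "0600";
        owner = "root";
        group = "root";
        restartUnits = [ "dovecot2.service" ];
      }
    ];

    # Roundcube logs the user in against Kanidm and then forwards the access
    # token to Dovecot over XOAUTH2, so it must use the same OAuth2 client as
    # Dovecot ("dovecot"): that is the client Dovecot introspects the token
    # with. `trim()` guards against a trailing newline in the secret file
    # being sent as part of the client secret.
    # NOTE(review): Roundcube takes the IMAP login name from
    # `preferred_username` (userinfo) while Dovecot validates against
    # `username` (introspection); Kanidm must emit the same value for both,
    # otherwise the XOAUTH2 step fails after a successful browser login.
    services.roundcube.extraConfig = ''
      $config['oauth_provider'] = 'generic';
      $config['oauth_provider_name'] = 'Kanidm';
      $config['oauth_client_id'] = 'dovecot';
      $config['oauth_client_secret'] = trim(file_get_contents("${clientApp.secretFile}"));
      $config['oauth_auth_uri'] = 'https://${loginHost}/ui/oauth2';
      $config['oauth_token_uri'] = 'https://${loginHost}/oauth2/token';
      $config['oauth_identity_uri'] = 'https://${loginHost}/oauth2/openid/dovecot/userinfo';
      $config['oauth_identity_fields'] = ['preferred_username'];
      $config['oauth_scope'] = 'email openid profile';
    '';

    # Accept OAuth2 bearer tokens (XOAUTH2 / OAUTHBEARER) in addition to the
    # mechanisms the rest of the config enables; the oauth2 passdb validates
    # them against Kanidm using the settings in `oauthConfigFile`.
    services.dovecot2.extraConfig = ''
      auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
      passdb {
        driver = oauth2
        mechanisms = xoauth2 oauthbearer
        args = ${oauthConfigFile}
      }
    '';

    systemd.services.dovecot2 = {
      # Dovecot only ever reads the rendered secret, and must not start
      # before vault-agent has produced it.
      serviceConfig.ReadOnlyPaths = [ oauthConfigFile ];
      unitConfig.ConditionPathExists = [ oauthConfigFile ];
    };
  };
}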