dovecot: fix passdb
authorJulien Moutinho <julm@sourcephile.fr>
Mon, 17 Feb 2020 12:34:16 +0000 (13:34 +0100)
committerJulien Moutinho <julm@sourcephile.fr>
Mon, 17 Feb 2020 12:34:16 +0000 (13:34 +0100)
servers/mermet/dovecot.nix
servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml [new file with mode: 0644]
servers/mermet/dovecot/autogeree.net.nix
servers/mermet/dovecot/sourcephile.fr.nix
servers/mermet/openldap/sourcephile.fr.nix
servers/mermet/postfix/sourcephile.fr.nix

index 3cb4ed3f6e3278c3a6d97f1628ace393750e61d7..0c82f07ff6b11bea1e0e2c47d1638097576351e1 100644 (file)
@@ -68,7 +68,6 @@ systemd.services.dovecot2 = {
   after = [
     "postfix.service"
     "openldap.service"
-    "${networking.domain}.key.pem-key.service"
   ];
   /*
   preStart = ''
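Review bot: Removing `"${networking.domain}.key.pem-key.service"` from `after` leaves no visible replacement ordering, while the next hunk points `ssl_cert`/`ssl_key` at `/var/lib/acme/${networking.domain}/`, so on a fresh boot dovecot may start before `acme-${networking.domain}.service` has produced those files; sourcephile.fr.nix adds `"acme-${domain}.service"` to `systemd.services.dovecot2.after` for its domain, and the equivalent line is missing here unless it lives outside this hunk. Ordering alone also does not make dovecot (or postfix, which moves to the same key paths in this commit) pick up a renewed key.pem; the certificate's `postRun` hook is where a reload of both services belongs. The `systemd.services.dovecot2` attribute set starts before and continues past this hunk.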
@@ -115,8 +114,8 @@ services.dovecot2 = {
     ssl_dh = <${../../../sec/openssl/dh.pem}
     ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL
     ssl_prefer_server_ciphers = yes
-    ssl_cert = <${loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem")}
-    ssl_key = </run/keys/${networking.domain}.key.pem
+    ssl_cert = </var/lib/acme/${networking.domain}/fullchain.pem
+    ssl_key = </var/lib/acme/${networking.domain}/key.pem
     #ssl_ca = <''${caPath}
     #ssl_verify_client_cert = yes
 
@@ -177,7 +176,7 @@ services.dovecot2 = {
     userdb {
       driver = ldap
       # A different path than passdb's args enables non-blocking LDAP requests
-      args = ${dovecot/ldap.conf}
+      args = ${pkgs.symlinkJoin {name="ldap"; paths=[./dovecot];}}/ldap.conf
       default_fields =
       override_fields =
     }
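Review bot: `args = ${pkgs.symlinkJoin {name="ldap"; paths=[./dovecot];}}/ldap.conf` copies the entire `./dovecot` directory (ldap.conf, the autoconfig tree and anything else placed there) into a world-readable Nix store output, whereas the old `${dovecot/ldap.conf}` copied only that one file; the `pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)` forms in autogeree.net.nix and sourcephile.fr.nix do the same for their copies of the same file. This is acceptable only if ldap.conf holds no `dnpass` or other bind secret, since every local user can read those store paths. If the goal is merely a distinct path so Dovecot keeps a separate cache per passdb/userdb, `pkgs.writeText "userdb-ldap.conf" (builtins.readFile ./dovecot/ldap.conf)` achieves that without exporting the directory, and a comment such as `# unique store path: Dovecot keys its LDAP cache on the args path` beside it would explain why three copies of one file exist. If the file does carry a bind password, it should be deployed outside the store (e.g. under `/run/keys`, which this config still uses for the autogeree.net key) and referenced by path.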
diff --git a/servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml b/servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml
new file mode 100644 (file)
index 0000000..9173454
--- /dev/null
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<clientConfig version="1.1">
+  <emailProvider id="%EMAILDOMAIN%">
+    <!-- <displayName></displayName> -->
+    <!-- <displayShortName></displayShortName> -->
+    <domain>%EMAILDOMAIN%</domain>
+    <incomingServer type="imap">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+    </incomingServer>
+    <!--
+    <incomingServer type="pop3">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>995</port>
+      <socketType>SSL</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+      <pop3>
+        <leaveMessagesOnServer>false</leaveMessagesOnServer>
+        <downloadOnBiff>true</downloadOnBiff>
+      </pop3>
+    </incomingServer>
+    -->
+    <outgoingServer type="smtp">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>465</port>
+      <socketType>SSL</socketType> <!-- see above -->
+      <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
+      <authentication>password-cleartext</authentication>
+      <!-- <restriction>client-IP-address</restriction> -->
+      <addThisServer>true</addThisServer>
+      <useGlobalPreferredServer>false</useGlobalPreferredServer>
+    </outgoingServer>
+  </emailProvider>
+  <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
+</clientConfig>
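Review bot: The `<incomingServer type="pop3">` block in this new file is wrapped in `<!-- -->`, while the inline XML this commit deletes from autogeree.net.nix and sourcephile.fr.nix had POP3 advertised, and the commit title ("fix passdb") says nothing about clients no longer being offered POP3 on 995. If that is intended, deleting the block or adding `<!-- POP3 intentionally not advertised -->` records the decision; if not, it should be uncommented. The `<!-- see above -->` comment on the outgoing `<socketType>` now refers to nothing in this standalone file and can be dropped.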
index 8e67e75ea1e373374a17041779183a7d865922fc..514b56ae2adf752febb450ae0918bb4616d07849 100644 (file)
@@ -1,15 +1,41 @@
 { pkgs, lib, config, ... }:
 let
+  inherit (builtins) readFile;
   inherit (config.services) dovecot2;
   stateDir = "/var/lib/dovecot";
   domain = "autogeree.net";
   domainGroup = "autogeree";
-  domainConfig = ''
+in
+{
+services.dovecot2.extraConfig =
+  let domainConfig = ''
     ssl_cert = <${../../../../sec/openssl/autogeree.net/cert.self-signed.pem}
     ssl_key = </run/keys/${domain}.key.pem
   '';
-in
-{
+  in lib.mkAfter ''
+  local_name mail.${domain} {
+    ${domainConfig}
+  }
+  local_name imap.${domain} {
+    ${domainConfig}
+  }
+  passdb {
+    username_filter = *@${domain}
+    # Because auth_bind=yes and auth_bind_userdn are used,
+    # this cannot prefetch any userdb_*.
+    driver = ldap
+    # The path to the ldap.conf must be unique,
+    # otherwise dovecot caches the result from other passdb,
+    # which may be wrong because of username_filter.
+    args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+    default_fields =
+    override_fields =
+    skip = authenticated
+  }
+'';
+systemd.services.dovecot2.after = [
+  "${domain}.key.pem-key.service"
+];
 systemd.services.dovecot2 = {
   preStart = ''
     install -D -d -m 1770 \
@@ -27,25 +53,6 @@ systemd.services.dovecot2 = {
     chmod -t ${stateDir}/acl/${domain}
   '';
 };
-services.dovecot2 = {
-  extraConfig = lib.mkAfter ''
-    passdb {
-      username_filter = *@${domain}
-      driver = ldap
-      # Because auth_bind=yes and auth_bind_userdn are used,
-      # this cannot prefetch any userdb_*.
-      args = ${./ldap.conf}
-      default_fields =
-      override_fields =
-    }
-    local_name mail.${domain} {
-      ${domainConfig}
-    }
-    local_name imap.${domain} {
-      ${domainConfig}
-    }
-  '';
-};
 services.nginx.virtualHosts."autoconfig.${domain}" = {
   serverName = "autoconfig.${domain}";
   #addSSL = true;
@@ -53,48 +60,6 @@ services.nginx.virtualHosts."autoconfig.${domain}" = {
     access_log off;
     log_not_found off;
   '';
-  root = pkgs.writeTextFile {
-    name = "autoconfig";
-    destination = "/mail/config-v1.1.xml";
-    text = ''
-      <?xml version="1.0"?>
-      <clientConfig version="1.1">
-        <emailProvider id="%EMAILDOMAIN%">
-          <!-- <displayName></displayName> -->
-          <!-- <displayShortName></displayShortName> -->
-          <domain>%EMAILDOMAIN%</domain>
-          <incomingServer type="imap">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>993</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-          </incomingServer>
-          <incomingServer type="pop3">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>995</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-            <pop3>
-              <leaveMessagesOnServer>false</leaveMessagesOnServer>
-              <downloadOnBiff>true</downloadOnBiff>
-            </pop3>
-          </incomingServer>
-          <outgoingServer type="smtp">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>465</port>
-            <socketType>SSL</socketType> <!-- see above -->
-            <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
-            <authentication>password-cleartext</authentication>
-            <!-- <restriction>client-IP-address</restriction> -->
-            <addThisServer>true</addThisServer>
-            <useGlobalPreferredServer>false</useGlobalPreferredServer>
-          </outgoingServer>
-        </emailProvider>
-        <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
-      </clientConfig>
-    '';
-  };
+  root = ./autoconfig;
 };
 }
index 7271c05b54c9c565d60aef5551290750a1f997b7..f9a8efdf2adad095a6b10caced421e228c9b2bfc 100644 (file)
@@ -1,15 +1,42 @@
 { pkgs, lib, config, ... }:
 let
+  inherit (builtins) readFile;
   inherit (config.services) dovecot2;
   stateDir = "/var/lib/dovecot";
   domain = "sourcephile.fr";
   domainGroup = "sourcephile";
-  domainConfig = ''
-    ssl_cert = <${../../../../sec/openssl/sourcephile.fr/cert.self-signed.pem}
-    ssl_key = </run/keys/${domain}.key.pem
-  '';
 in
 {
+services.dovecot2.extraConfig =
+  let domainConfig = ''
+    ssl_cert = </var/lib/acme/${domain}/fullchain.pem
+    ssl_key = </var/lib/acme/${domain}/key.pem
+  '';
+  in lib.mkAfter ''
+  local_name mail.${domain} {
+    ${domainConfig}
+  }
+  local_name imap.${domain} {
+    ${domainConfig}
+  }
+  passdb {
+    username_filter = *@${domain}
+    # Because auth_bind=yes and auth_bind_userdn are used,
+    # this cannot prefetch any userdb_*.
+    driver = ldap
+    # The path to the ldap.conf must be unique,
+    # otherwise dovecot caches the result from other passdb,
+    # which may be wrong because of username_filter.
+    args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+    default_fields =
+    override_fields =
+    skip = authenticated
+  }
+'';
+users.groups.acme.members = [ dovecot2.user ];
+systemd.services.dovecot2.after = [
+  "acme-${domain}.service"
+];
 systemd.services.dovecot2 = {
   preStart = ''
     install -D -d -m 1770 \
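Review bot: `users.groups.acme.members = [ dovecot2.user ];` grants the dovecot user read access to every certificate key under `/var/lib/acme`, not only `${domain}`'s; the same applies to `[ postfix.user ]` in postfix/sourcephile.fr.nix. Dovecot's documentation states the `ssl_key` file is read as root at startup, and Postfix loads its TLS key before dropping privileges, so if that holds for the deployed versions the group membership may be unnecessary and the keys can stay root-only — worth confirming before widening access. If group read is in fact required, a comment such as `# dovecot must read /var/lib/acme/${domain}/key.pem at startup` on this line would record the reason.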
@@ -27,25 +54,6 @@ systemd.services.dovecot2 = {
     chmod -t ${stateDir}/acl/${domain}
   '';
 };
-services.dovecot2 = {
-  extraConfig = lib.mkAfter ''
-    passdb {
-      username_filter = *@${domain}
-      driver = ldap
-      # Because auth_bind=yes and auth_bind_userdn are used,
-      # this cannot prefetch any userdb_*.
-      args = ${./ldap.conf}
-      default_fields =
-      override_fields =
-    }
-    local_name mail.${domain} {
-      ${domainConfig}
-    }
-    local_name imap.${domain} {
-      ${domainConfig}
-    }
-  '';
-};
 services.nginx.virtualHosts."autoconfig.${domain}" = {
   serverName = "autoconfig.${domain}";
   #addSSL = true;
@@ -55,48 +63,6 @@ services.nginx.virtualHosts."autoconfig.${domain}" = {
   '';
   forceSSL = true;
   useACMEHost = domain;
-  root = pkgs.writeTextFile {
-    name = "autoconfig";
-    destination = "/mail/config-v1.1.xml";
-    text = ''
-      <?xml version="1.0"?>
-      <clientConfig version="1.1">
-        <emailProvider id="%EMAILDOMAIN%">
-          <!-- <displayName></displayName> -->
-          <!-- <displayShortName></displayShortName> -->
-          <domain>%EMAILDOMAIN%</domain>
-          <incomingServer type="imap">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>993</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-          </incomingServer>
-          <incomingServer type="pop3">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>995</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-            <pop3>
-              <leaveMessagesOnServer>false</leaveMessagesOnServer>
-              <downloadOnBiff>true</downloadOnBiff>
-            </pop3>
-          </incomingServer>
-          <outgoingServer type="smtp">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>465</port>
-            <socketType>SSL</socketType> <!-- see above -->
-            <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
-            <authentication>password-cleartext</authentication>
-            <!-- <restriction>client-IP-address</restriction> -->
-            <addThisServer>true</addThisServer>
-            <useGlobalPreferredServer>false</useGlobalPreferredServer>
-          </outgoingServer>
-        </emailProvider>
-        <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
-      </clientConfig>
-    '';
-  };
+  root = ./autoconfig;
 };
 }
index 3094384b611d4082165c05e8f2bfcbbacba907ba..49caec9674b6391e2d1ab800aabcdb89ac9e25b3 100644 (file)
@@ -122,11 +122,6 @@ services.openldap.databases."${domainSuffix}" = {
         # neither sorting them by date).
         "maildir:${stateDir}/home/${d}/${uid}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
     }
-    #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy";
-    #  mailAlias = ["severine.popek" "ouais-ouais"]; }
-    #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
-    #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; }
-    #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; }
   ];
 };
 }
index a7782c7ba6f705180a40eeb09e8a6b4534021965..18701c48523adf31c0dd0402481941d85e1ff5c1 100644 (file)
@@ -1,12 +1,14 @@
 { pkgs, lib, config, ... }:
 let
   inherit (pkgs.lib) loadFile;
+  inherit (config.services) postfix;
   domain = "sourcephile.fr";
   domainSuffix = "dc=sourcephile,dc=fr";
 in
 {
+users.groups.acme.members = [ postfix.user ];
 systemd.services.postfix.after = [
-  "${domain}.key.pem-key.service"
+  "acme-${domain}.service"
 ];
 services.postfix = {
   extraAliases = ''
@@ -16,8 +18,8 @@ services.postfix = {
   '';
   tls_server_sni_maps =
     let chain = [
-      "/run/keys/${domain}.key.pem"
-      (loadFile (../../../../sec/openssl + "/${domain}/cert.self-signed.pem"))
+      "/var/lib/acme/${domain}/key.pem"
+      "/var/lib/acme/${domain}/fullchain.pem"
     ]; in {
     "smtp.${domain}" = chain;
     "mail.${domain}" = chain;