mailserver accepting thunderbid login ldap

2025-05-30 23:09:51 +02:00 · 2025-05-30 23:09:51 +02:00 · 8cdbd6659f
commit 8cdbd6659f
parent 4b03344165
3 changed files with 125 additions and 38 deletions
--- a/authentik.nix
+++ b/authentik.nix
@ -13,6 +13,7 @@
  };
  services.authentik-ldap = {
    enable = true;
+    environmentFile = "/var/lib/authentik-ldap-env";
  };
  services.authentik = {
    enable = true;
@ -32,10 +33,25 @@
      avatars = "initials";
    };

-    nginx = {
-      enable = true;
-      enableACME = true;
-      host = "auth.${config.networking.domain}";
+    # nginx = {
+    #   enable = true;
+    #   enableACME = true;
+    #   host = "auth.${config.networking.domain}";
+    # };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "auth.${config.networking.domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:9000";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
+      };
    };
  };
 }
--- a/configuration.nix
+++ b/configuration.nix
@ -4,7 +4,23 @@
  pkgs,
  ...
 }:
+let
+  generatedAliases = pkgs.writeText "generated-aliases" (
+    lib.concatStringsSep "\n" (
+      lib.mapCartesianProduct ({ aliases, domain }: "${aliases}@${domain}  root@test.htw.stura-dresden.de") {
+        aliases = [
+          "abuse"
+          "hostmaster"
+          "noreply"
+          "postmaster"
+          "webmaster"
+        ];
+        domain = config.mailserver.domains;
+      }
+    )
+  );

+in
 {
  imports = [
    ./hardware-configuration.nix
@ -33,6 +49,9 @@
  boot.loader.grub.efiInstallAsRemovable = true;

  networking.hostName = "mail";
+  networking.extraHosts = ''
+    127.0.0.1 auth.test.htw.stura-dresden.de
+  '';
  networking.domain = "test.htw.stura-dresden.de";
  networking.interfaces.ens18.ipv4.addresses = [
    {
@ -78,6 +97,16 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
  ];

+  # users.ldap = {
+  #   server = "ldaps://auth.test.htw.stura-dresden.de:6636";
+  #   enable = true;
+  #   bind = {
+  #     distinguishedName = "cn=dovecot,ou=users,dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+  #     passwordFile = "/var/lib/dovecot_ldap_passwd";
+  #   };
+  #   base = "dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+  # };
+
  environment.systemPackages = with pkgs; [
    tmux
    git
@ -87,11 +116,11 @@

  services.openssh.enable = true;
  services.dovecot2 = {
-    extraConfig = ''
-      auth_verbose = yes
-      auth_debug = yes
-      auth_debug_passwords = yes
-    '';
+    # extraConfig = ''
+    #   auth_verbose = yes
+    #   auth_debug = yes
+    #   auth_debug_passwords = yes
+    # '';
  };

  services.nginx.virtualHosts."auth.test.htw.stura-dresden.de".locations."/".extraConfig = ''
@ -116,16 +145,6 @@
    ];
  };

-  services.postfix.config.relay_domains = [
-    "hash:/var/lib/mailman/data/postfix_domains"
-  ];
-  services.postfix.config.transport_maps = [
-    "hash:/var/lib/mailman/data/postfix_lmtp"
-  ];
-  services.postfix.config.local_recipient_maps = [
-    "hash:/var/lib/mailman/data/postfix_lmtp"
-  ];
-
  services.mailman.siteOwner = "mailman@${config.networking.domain}";
  mailserver = {
    enable = true;
@ -138,26 +157,29 @@
    ldap = {
      enable = true;
      bind = {
-        dn = "cn=ldapservice,ou=users,dc=auth,dc=htw,dc=stura-dresden,dc=de";
+        dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
        passwordFile = "/var/lib/dovecot_ldap_passwd";
      };
      dovecot = {
-        #userFilter = "(&(objectClass=posixAccount)(cn=%u))";
-        #passFilter = "(&(objectClass=posixAccount)(cn=%u))";
+        userFilter = "(&(objectClass=posixAccount)(mail=%u))";
+        passFilter = "(&(objectClass=posixAccount)(mail=%u))";
+        userAttrs = "mail";
      };
      postfix = {
-        #filter = "(&(objectClass=posixUser)(cn=%s))";
+        filter = "(&(objectClass=posixAccount)(mail=%s))";
+        mailAttribute = "mail";
+        uidAttribute = "cn";
      };
-      searchBase = "dc=auth,dc=htw,dc=stura-dresden,dc=de";
+      searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
      uris = [
-        "ldap://localhost:389"
+        "ldap://auth.test.htw.stura-dresden.de:3389"
      ];
    };

    certificateScheme = "acme-nginx";
    enableImap = true;
    enableImapSsl = true;
-    enableManageSieve = false;
+    enableManageSieve = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    extraVirtualAliases = { };
@ -185,8 +207,53 @@

  };

-  services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
-  # services.postfix.relayHost = "141.56.51.14";
+  # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
+  services.postfix =
+    let
+      submissionOptions = {
+        # hash:/etc/postfix/virtual,
+        smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
+        smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+      };
+    in
+    {
+      config = {
+        unknown_local_recipient_reject_code = 550;
+        virtual_mailbox_domains = [
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+        virtual_mailbox_maps = [
+          "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"
+        ];
+        virtual_alias_maps = [
+          "texthash:${generatedAliases}"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+
+        smtpd_sender_login_maps = [
+          "texthash:${generatedAliases}"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+
+        relay_domains = [
+          "hash:/var/lib/mailman/data/postfix_domains"
+        ];
+        transport_maps = [
+          "hash:/var/lib/mailman/data/postfix_lmtp"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+        local_recipient_maps = [
+          "hash:/var/lib/mailman/data/postfix_lmtp"
+          "ldap:/run/postfix/ldap-sender-login-map.cf"
+        ];
+      };
+      # mapFiles = {
+      #   "valias" = lib.mkForce "/var/lib/postfix/valias";
+      #   "virtual" = lib.mkForce "/var/lib/postfix/virtual";
+      # };
+      submissionOptions = submissionOptions;
+      submissionsOptions = submissionOptions;
+    };

  # virtualisation.docker.enable = true;
  security.acme.acceptTerms = true;
--- a/flake.nix
+++ b/flake.nix
@ -1,14 +1,5 @@
 {
  description = "A very basic flake";
-  nixConfig = {
-    extra-substituters = [
-      "https://nix-community.cachix.org"
-    ];
-    extra-trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
-  };
-
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
    authentik = {
@ -21,7 +12,10 @@
        nixpkgs-25_05.follows = "nixpkgs";
      };
    };
-    # mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
+    sops = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@ -35,10 +29,19 @@
      authentik,
      mailserver,
      disko,
+      sops,
    }:
    {
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;

+      devShells.x86_64-linux = {
+        default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
+          packages = with nixpkgs.legacyPackages.x86_64-linux; [
+            ssh-to-age
+            sops
+          ];
+        };
+      };
      nixosConfigurations = {
        authentik = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
@ -48,6 +51,7 @@
            disko.nixosModules.disko
            authentik.nixosModules.default
            mailserver.nixosModules.mailserver
+            sops.nixosModules.sops
          ];
        };
      };