From 8cdbd6659fa2218e2f84f89806bf9bf7f7a67920 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Fri, 30 May 2025 23:09:51 +0200
Subject: [PATCH] mailserver accepting thunderbid login ldap
---
 authentik.nix | 24 ++++++++--
 configuration.nix | 115 ++++++++++++++++++++++++++++++++++++----------
 flake.nix | 24 ++++++----
 3 files changed, 125 insertions(+), 38 deletions(-)
diff --git a/authentik.nix b/authentik.nix
index 45f4e45..0460ec3 100644
--- a/authentik.nix
+++ b/authentik.nix
@@ -13,6 +13,7 @@
 };
 services.authentik-ldap = {
 enable = true;
+ environmentFile = "/var/lib/authentik-ldap-env";
 };
 services.authentik = {
 enable = true;
@@ -32,10 +33,25 @@
 avatars = "initials";
 };
- nginx = {
- enable = true;
- enableACME = true;
- host = "auth.${config.networking.domain}";
+ # nginx = {
+ # enable = true;
+ # enableACME = true;
+ # host = "auth.${config.networking.domain}";
+ # };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "auth.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9000";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
 };
 };
 }
diff --git a/configuration.nix b/configuration.nix
index fb3c51f..3ffa2ea 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,7 +4,23 @@
 pkgs,
 ...
 }:
+let
+ generatedAliases = pkgs.writeText "generated-aliases" (
+ lib.concatStringsSep "\n" (
+ lib.mapCartesianProduct ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de") {
+ aliases = [
+ "abuse"
+ "hostmaster"
+ "noreply"
+ "postmaster"
+ "webmaster"
+ ];
+ domain = config.mailserver.domains;
+ }
+ )
+ );
+in
 {
 imports = [
 ./hardware-configuration.nix
@@ -33,6 +49,9 @@
 boot.loader.grub.efiInstallAsRemovable = true;
 networking.hostName = "mail";
+ networking.extraHosts = ''
+ 127.0.0.1 auth.test.htw.stura-dresden.de
+ '';
 networking.domain = "test.htw.stura-dresden.de";
 networking.interfaces.ens18.ipv4.addresses = [
 {
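Review bot: `environmentFile = "/var/lib/authentik-ldap-env"` points the LDAP outpost at a secret file that nothing in this configuration creates or permission-checks, so a fresh deployment of the same flake either fails the unit or runs the outpost without its token, and the file's mode is whatever the operator left it. The same applies to `passwordFile = "/var/lib/dovecot_ldap_passwd"` in the configuration.nix ldap hunk. The commit already adds the sops-nix input and module in flake.nix; declaring both files as sops secrets (owner and mode set by the module) and referencing their `.path` would close that gap. Until then, a comment such as `# hand-placed, mode 0600 root: presumably holds the outpost's AUTHENTIK_TOKEN; not managed by this flake` would at least document the expectation.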
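Review bot: The five commented-out `nginx = { … }` lines at the top of the hunk are dead configuration and should be deleted rather than kept beside the replacement `services.nginx` block; git history preserves them. The new vhost proxies to `http://localhost:9000`, which relies on authentik's default HTTP listener; if that listener keeps its default bind on all interfaces, the plaintext port stays reachable beside the TLS vhost unless the host firewall closes it, which this commit does not show. A one-line comment on the `proxyPass` line saying why the built-in `services.authentik.nginx` option was abandoned (presumably to merge with the `locations."/".extraConfig` that configuration.nix already sets on the same vhost) would keep the next reader from switching back.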
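Review bot: The alias target `root@test.htw.stura-dresden.de` inside `mapCartesianProduct` hard-codes the domain while the rest of this file derives it from `config.networking.domain` (for example `services.mailman.siteOwner` in a later context line), so a domain rename would silently leave the role addresses pointing at the old host; `"${aliases}@${domain} root@${config.networking.domain}"` keeps them in step. A short comment above `generatedAliases` would also help: `# RFC 2142 role mailboxes for every hosted domain, all delivered to root; consumed by postfix as a texthash map`. `writeText` places the list in the world-readable Nix store, which is acceptable here only because it contains no secrets; keep it that way if more aliases are added.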
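Review bot: The new `networking.extraHosts` entry is what keeps the `ldap://auth.test.htw.stura-dresden.de:3389` URI in the later `mailserver.ldap.uris` hunk on the loopback interface, and nothing records that dependency; if the hosts override is ever dropped or the name is resolved elsewhere, dovecot and postfix would send the `cn=dovecot` bind password in cleartext to whatever the public name resolves to. Add a comment next to it, e.g. `# pin the authentik-ldap outpost name to loopback: mailserver.ldap.uris uses plain ldap:// and must not leave this host`, or switch the URI to `ldaps://` against the outpost's certificate, as the commented-out `users.ldap` block already did on port 6636. The literal domain could also be written as `auth.${config.networking.domain}` to match the vhost definitions.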
@@ -78,6 +97,16 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
 ];
+ # users.ldap = {
+ # server = "ldaps://auth.test.htw.stura-dresden.de:6636";
+ # enable = true;
+ # bind = {
+ # distinguishedName = "cn=dovecot,ou=users,dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+ # passwordFile = "/var/lib/dovecot_ldap_passwd";
+ # };
+ # base = "dc=dovecot,dc=test,dc=htw,dc=stura-dresden,dc=de";
+ # };
+
 environment.systemPackages = with pkgs; [
 tmux
 git
@@ -87,11 +116,11 @@
 services.openssh.enable = true;
 services.dovecot2 = {
- extraConfig = ''
- auth_verbose = yes
- auth_debug = yes
- auth_debug_passwords = yes
- '';
+ # extraConfig = ''
+ # auth_verbose = yes
+ # auth_debug = yes
+ # auth_debug_passwords = yes
+ # '';
 };
 services.nginx.virtualHosts."auth.test.htw.stura-dresden.de".locations."/".extraConfig = ''
@@ -116,16 +145,6 @@
 ];
 };
- services.postfix.config.relay_domains = [
- "hash:/var/lib/mailman/data/postfix_domains"
- ];
- services.postfix.config.transport_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
- services.postfix.config.local_recipient_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
-
 services.mailman.siteOwner = "mailman@${config.networking.domain}";
 mailserver = {
 enable = true;
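Review bot: The commented-out `users.ldap` block adds nine lines of dead configuration carrying a bind DN and a secret path that are never evaluated, and dead config is already accumulating in this commit (the `nginx` block in authentik.nix, `mapFiles` later in this file). Drop it and rely on git history; if it is kept as a reminder, prefix it with a one-line reason why it is disabled so the next reader does not re-enable system-wide LDAP login on the mail host by accident.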
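Review bot: Commenting out `auth_debug_passwords = yes` is the right direction, but the block should be deleted rather than parked, because a one-character edit re-enables plaintext credential logging and the leftover `services.dovecot2 = { … };` now declares nothing. While those three settings were active dovecot wrote every IMAP and submission password into the journal, so the system log (and any remote log shipping) from that period should be purged as part of this change. If some verbosity is still wanted for the LDAP rollout, keep only `auth_verbose = yes`, which logs failed attempts without the password.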
@@ -138,26 +157,29 @@
 ldap = {
 enable = true;
 bind = {
- dn = "cn=ldapservice,ou=users,dc=auth,dc=htw,dc=stura-dresden,dc=de";
+ dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
 passwordFile = "/var/lib/dovecot_ldap_passwd";
 };
 dovecot = {
- #userFilter = "(&(objectClass=posixAccount)(cn=%u))";
- #passFilter = "(&(objectClass=posixAccount)(cn=%u))";
+ userFilter = "(&(objectClass=posixAccount)(mail=%u))";
+ passFilter = "(&(objectClass=posixAccount)(mail=%u))";
+ userAttrs = "mail";
 };
 postfix = {
- #filter = "(&(objectClass=posixUser)(cn=%s))";
+ filter = "(&(objectClass=posixAccount)(mail=%s))";
+ mailAttribute = "mail";
+ uidAttribute = "cn";
 };
- searchBase = "dc=auth,dc=htw,dc=stura-dresden,dc=de";
+ searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
 uris = [
- "ldap://localhost:389"
+ "ldap://auth.test.htw.stura-dresden.de:3389"
 ];
 };
 certificateScheme = "acme-nginx";
 enableImap = true;
 enableImapSsl = true;
- enableManageSieve = false;
+ enableManageSieve = true;
 enableSubmission = true;
 enableSubmissionSsl = true;
 extraVirtualAliases = { };
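Review bot: The flip of `enableManageSieve = false` to `true` opens another listener (ManageSieve, TCP 4190) that authenticates against the same LDAP backend, yet neither the commit subject nor a comment says why; an unrelated surface change belongs in its own commit or at least needs `# ManageSieve enabled for <reason>` next to it. The `uris` entry moves the bind from `ldap://localhost:389` to a plain `ldap://` URI on a public hostname, which is only safe while the `networking.extraHosts` override pins that name to loopback; the note on that hunk covers the detail. Minor: the new DNs use `DC=` while the rest of the file and the `users.ldap` block use `dc=`; LDAP treats them the same, but one spelling is easier to grep.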
@@ -185,8 +207,53 @@
 };
- services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
- # services.postfix.relayHost = "141.56.51.14";
+ # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
+ services.postfix =
+ let
+ submissionOptions = {
+ # hash:/etc/postfix/virtual,
+ smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
+ smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ };
+ in
+ {
+ config = {
+ unknown_local_recipient_reject_code = 550;
+ virtual_mailbox_domains = [
+ "ldap:/run/postfix/ldap-sender-login-map.cf"
+ ];
+ virtual_mailbox_maps = [
+ "ldap:/run/postfix/ldap-virtual-mailbox-map.cf"
+ ];
+ virtual_alias_maps = [
+ "texthash:${generatedAliases}"
+ "ldap:/run/postfix/ldap-sender-login-map.cf"
+ ];
+
+ smtpd_sender_login_maps = [
+ "texthash:${generatedAliases}"
+ "ldap:/run/postfix/ldap-sender-login-map.cf"
+ ];
+
+ relay_domains = [
+ "hash:/var/lib/mailman/data/postfix_domains"
+ ];
+ transport_maps = [
+ "hash:/var/lib/mailman/data/postfix_lmtp"
+ "ldap:/run/postfix/ldap-sender-login-map.cf"
+ ];
+ local_recipient_maps = [
+ "hash:/var/lib/mailman/data/postfix_lmtp"
+ "ldap:/run/postfix/ldap-sender-login-map.cf"
+ ];
+ };
+ # mapFiles = {
+ # "valias" = lib.mkForce "/var/lib/postfix/valias";
+ # "virtual" = lib.mkForce "/var/lib/postfix/virtual";
+ # };
+ submissionOptions = submissionOptions;
+ submissionsOptions = submissionOptions;
+ };
 # virtualisation.docker.enable = true;
 security.acme.acceptTerms = true;
diff --git a/flake.nix b/flake.nix
index 6c00a53..20f6d11 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,14 +1,5 @@
 {
 description = "A very basic flake";
- nixConfig = {
- extra-substituters = [
- "https://nix-community.cachix.org"
- ];
- extra-trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- };
-
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
 authentik = {
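Review bot: `ldap:/run/postfix/ldap-sender-login-map.cf` is appended to `virtual_mailbox_domains`, `virtual_alias_maps`, `transport_maps` and `local_recipient_maps` as well as `smtpd_sender_login_maps`, but a map whose result is a login name is only meaningful for the last of those: `transport_maps` expects `transport:nexthop` values, so a recipient found in LDAP would be handed to a transport that does not exist in master.cf and defer or bounce, and `virtual_mailbox_domains` is queried with a bare domain that the `(mail=%s)` filter cannot match. If the goal is to make LDAP users valid recipients, `virtual_mailbox_maps` (already pointed at `ldap-virtual-mailbox-map.cf` two lines above) is the table postfix consults for that, so the extra entries can be removed from the other three lists; I cannot see the generated `.cf` files, so please confirm against them. The commented-out `mapFiles` block should go as well, and `submissionOptions = submissionOptions;` reads more naturally as `inherit submissionOptions;`.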
@@ -21,7 +12,10 @@
 nixpkgs-25_05.follows = "nixpkgs";
 };
 };
- # mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";
+ sops = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 disko = {
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -35,10 +29,19 @@
 authentik,
 mailserver,
 disko,
+ sops,
 }:
 {
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
+ devShells.x86_64-linux = {
+ default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
+ packages = with nixpkgs.legacyPackages.x86_64-linux; [
+ ssh-to-age
+ sops
+ ];
+ };
+ };
 nixosConfigurations = {
 authentik = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -48,6 +51,7 @@
 disko.nixosModules.disko
 authentik.nixosModules.default
 mailserver.nixosModules.mailserver
+ sops.nixosModules.sops
 ];
 };
 };
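Review bot: In the `devShells.x86_64-linux` hunk the expression `nixpkgs.legacyPackages.x86_64-linux` is now spelled out three times within a few lines (formatter, `mkShell`, `with … ;`); binding it once, e.g. `let pkgs = nixpkgs.legacyPackages.x86_64-linux; in` around the outputs attrset, would make the shell definition read as `pkgs.mkShell { packages = with pkgs; [ ssh-to-age sops ]; }`. Beyond style, the sops-nix input and `sops.nixosModules.sops` are wired in by this commit but no secret is declared with them yet, so the two hand-placed secret files elsewhere in the diff remain unmanaged until a follow-up does so.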