From 7ed8b64466a11715c7b0742069c888e2664362ea Mon Sep 17 00:00:00 2001
From: niten
Date: Fri, 22 Sep 2023 10:08:18 -0700
Subject: [PATCH] Make sure kerberos database belongs to kerberos user
---
 lib/fudo/auth/kerberos/kdc.nix | 11 ++++--
 lib/fudo/mail/dovecot.nix | 61 +++++++++++++++++-----------------
 2 files changed, 40 insertions(+), 32 deletions(-)
diff --git a/lib/fudo/auth/kerberos/kdc.nix b/lib/fudo/auth/kerberos/kdc.nix
index 12c00da..759a5de 100644
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@@ -210,8 +210,8 @@ let
 # ${convertCmd}
 # ls $RUNTIME_DIRECTORY
 # '';
- ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
- (concatStringsSep " " [
+ ExecStartPre = let
+ dumpScript = (concatStringsSep " " [
 "${pkgs.heimdal}/bin/kadmin"
 "--local"
 "--config-file=${kdcConf}"
@@ -220,6 +220,13 @@ let
 "--format=Heimdal"
 "${staging-db}"
 ]);
+ in pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ''
+ chown ${cfg.user}:${cfg.group} ${staging-db}
+ chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
+ chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
+ ${dumpScript}
+ '';
+
 ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
 (concatStringsSep " " ([
 "${pkgs.heimdal}/libexec/heimdal/hprop"
diff --git a/lib/fudo/mail/dovecot.nix b/lib/fudo/mail/dovecot.nix
index 974b408..75bef78 100644
--- a/lib/fudo/mail/dovecot.nix
+++ b/lib/fudo/mail/dovecot.nix
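Review bot: The new prepare script in the second kdc.nix hunk corrects the owner of the database, the staging dump and the log but leaves their mode untouched, so a database or dump file that was created group- or world-readable stays readable by other local accounts even though it holds the realm's principal keys; the dovecot generator in this same patch pairs `chmod 600` with `chown`, and the same belongs here, e.g. `chmod 600 ${cfg.kdc.database} ${staging-db}` (or whatever mode the KDC actually needs, which this hunk does not show). The script also runs without `set -e`, so a `chown` that fails — on a `kerberos.log` that does not exist yet, or if this `ExecStartPre` is not executed as root — is only logged and the `kadmin` dump proceeds with the wrong ownership still in place; start the script with `set -euo pipefail` and test the optional paths with `[ -e … ]` before touching them. Whether the unit runs the pre-start step as root depends on its `User=` setting, which is outside the hunk.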
@@ -33,30 +33,30 @@ let
 tls = yes
 tls_require_cert = try
 '';
- in
- pkgs.writeText "dovecot2-ldap-config.conf.template" ''
- uris = ${concatStringsSep " " ldap-cfg.server-urls}
- ldap_version = 3
- dn = ${ldap-cfg.reader-dn}
- dnpass = __LDAP_READER_PASSWORD__
- auth_bind = yes
- auth_bind_userdn = uid=%u,ou=members,dc=fudo,dc=org
- base = dc=fudo,dc=org
- ${ssl-config}
- '';
+ in pkgs.writeText "dovecot2-ldap-config.conf.template" ''
+ uris = ${concatStringsSep " " ldap-cfg.server-urls}
+ ldap_version = 3
+ dn = ${ldap-cfg.reader-dn}
+ dnpass = __LDAP_READER_PASSWORD__
+ auth_bind = yes
+ auth_bind_userdn = uid=%u,ou=members,dc=fudo,dc=org
+ base = dc=fudo,dc=org
+ ${ssl-config}
+ '';
 
- ldap-conf-generator = ldap-cfg: let
- template = ldap-conf-template ldap-cfg;
- target-dir = dirOf ldap-cfg.generated-ldap-config;
- target = ldap-cfg.generated-ldap-config;
- in pkgs.writeScript "dovecot2-ldap-password-swapper.sh" ''
- mkdir -p ${target-dir}
- touch ${target}
- chmod 600 ${target}
- chown ${config.services.dovecot2.user} ${target}
- LDAP_READER_PASSWORD=$( cat "${ldap-cfg.reader-password-file}" )
- sed 's/__LDAP_READER_PASSWORD__/$LDAP_READER_PASSWORD/' '${template}' > ${target}
- '';
+ ldap-conf-generator = ldap-cfg:
+ let
+ template = ldap-conf-template ldap-cfg;
+ target-dir = dirOf ldap-cfg.generated-ldap-config;
+ target = ldap-cfg.generated-ldap-config;
+ in pkgs.writeScript "dovecot2-ldap-password-swapper.sh" ''
+ mkdir -p ${target-dir}
+ touch ${target}
+ chmod 600 ${target}
+ chown ${config.services.dovecot2.user} ${target}
+ LDAP_READER_PASSWORD=$( cat "${ldap-cfg.reader-password-file}" )
+ sed 's/__LDAP_READER_PASSWORD__/$LDAP_READER_PASSWORD/' '${template}' > ${target}
+ '';
 
 ldap-passwd-entry = ldap-config: ''
 passdb {
@@ -69,7 +69,8 @@ let
 options = with types; {
 ca = mkOption {
 type = nullOr str;
- description = "The path to the CA cert used to sign the LDAP server certificate.";
+ description =
+ "The path to the CA cert used to sign the LDAP server certificate.";
 default = null;
 };
 
@@ -99,7 +100,8 @@ let
 
 generated-ldap-config = mkOption {
 type = str;
- description = "Path at which to store the generated LDAP config file, including password.";
+ description =
+ "Path at which to store the generated LDAP config file, including password.";
 default = "/run/dovecot2/config/ldap.conf";
 };
 };
@@ -132,7 +134,7 @@ in {
 
 services.prometheus.exporters.dovecot = mkIf cfg.monitoring.enable {
 enable = true;
- scopes = ["user" "global"];
+ scopes = [ "user" "global" ];
 listenAddress = "127.0.0.1";
 port = cfg.monitoring.dovecot-listen-port;
 socketPath = "/var/run/dovecot2/old-stats";
@@ -295,9 +297,8 @@ in {
 };
 
 systemd = {
- tmpfiles.rules = [
- "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -"
- ];
+ tmpfiles.rules =
+ [ "d ${sieve-path} 750 ${dovecot-user} ${cfg.mail-group} - -" ];
 
 services.dovecot2.preStart = ''
 rm -f ${sieve-path}/*
@@ -307,7 +308,7 @@ in {
 done
 
 ${optionalString (cfg.dovecot.ldap != null)
- (ldap-conf-generator cfg.dovecot.ldap)}
+ (ldap-conf-generator cfg.dovecot.ldap)}
 '';
 };
 };