diff --git a/config/fudo/mail-container.nix b/config/fudo/mail-container.nix
index aa7edb5..e12b9ff 100644
--- a/config/fudo/mail-container.nix
+++ b/config/fudo/mail-container.nix
@@ -160,21 +160,21 @@ in rec {
 };
 };
- users = {
- users = {
- ${container-mail-user} = {
- isSystemUser = true;
- uid = container-mail-user-id;
- group = "mailer";
- };
- };
+ # users = {
+ # users = {
+ # ${container-mail-user} = {
+ # isSystemUser = true;
+ # uid = container-mail-user-id;
+ # group = "mailer";
+ # };
+ # };
- groups = {
- ${container-mail-group} = {
- members = ["mailer"];
- };
- };
- };
+ # groups = {
+ # ${container-mail-group} = {
+ # members = ["mailer"];
+ # };
+ # };
+ # };
 fudo.mail-server = {
 enable = true;
@@ -193,10 +193,12 @@ in rec {
 dovecot = {
 ssl-certificate = "/etc/${container-dovecot-cert}";
 ssl-private-key = "/etc/dovecot-certs/key.pem";
- ldap-ca = "/etc/${container-fudo-ca-cert}";
- ldap-urls = cfg.dovecot.ldap-urls;
- ldap-reader-dn = cfg.dovecot.ldap-reader-dn;
- ldap-reader-passwd = cfg.dovecot.ldap-reader-passwd;
+ ldap = {
+ # ca = "/etc/${container-fudo-ca-cert}";
+ server-urls = cfg.dovecot.ldap.server-urls;
+ reader-dn = cfg.dovecot.ldap.reader-dn;
+ reader-passwd = cfg.dovecot.ldap.reader-passwd;
+ };
 };
 local-domains = cfg.local-domains;
diff --git a/config/fudo/mail/dovecot.nix b/config/fudo/mail/dovecot.nix
index 9d8f1cf..ae994b7 100644
--- a/config/fudo/mail/dovecot.nix
+++ b/config/fudo/mail/dovecot.nix
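Review bot: The `users`/`groups` block at the top of the container config is commented out rather than deleted, leaving fourteen dead lines and no record of why the `${container-mail-user}` definition with its pinned `uid = container-mail-user-id` went away. If the user and group are now created elsewhere (presumably by the `fudo.mail-server` module enabled just below, which this diff does not show), delete the block and say so in one line, e.g. `# mail user/group are declared by the fudo.mail-server module`. If they are not, the uid pinning is lost and ownership of existing mailbox files may no longer match the user the service runs as after a rebuild.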
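Review bot: In the new `ldap` attribute set the `ca` line is commented out while `reader-dn` and `reader-passwd` are still passed through, so the dovecot LDAP bind from inside the container has no CA configured to verify the server against; with `ldapOpts.ca` now defaulting to null (hosts/france.nix and config/fudo/mail/dovecot.nix in this same diff) the commented line can simply be deleted. The omission only works because the host passes plaintext `ldap://` URLs, which means the reader bind password leaves the container unencrypted. A comment would make that dependency explicit, e.g. `# TODO: set ca once the LDAP server presents a cert from the fudo CA; until then server-urls must stay ldap:// (plaintext bind)`.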
@@ -53,30 +53,33 @@ let } ''; - ldapOpts = with types; { - ca = mkOption { - type = str; - description = "The path to the CA cert used to sign the LDAP server certificate."; - }; + ldapOpts = { + options = with types; { + ca = mkOption { + type = nullOr str; + description = "The path to the CA cert used to sign the LDAP server certificate."; + default = null; + }; - server-urls = mkOption { - type = listOf str; - description = "A list of LDAP server URLs used for authentication."; - }; + server-urls = mkOption { + type = listOf str; + description = "A list of LDAP server URLs used for authentication."; + }; - reader-dn = mkOption { - type = str; - description = '' + reader-dn = mkOption { + type = str; + description = '' DN to use for reading user information. Needs access to homeDirectory, uidNumber, gidNumber, and uid, but not password attributes. ''; - }; + }; - reader-pw = mkOption { - type = str; - description = '' + reader-passwd = mkOption { + type = str; + description = '' Password for the user specified in ldap-reader-dn. ''; + }; }; }; @@ -204,7 +207,7 @@ in { auth_mechanisms = login plain ${optionalString (cfg.dovecot.ldap != null) - (ldap-conf cfg.dovecot.ldap)} + (ldap-passwd-entry cfg.dovecot.ldap)} userdb { driver = static args = uid=${toString cfg.mail-user-id} home=${cfg.mail-directory}/%u diff --git a/hosts/france.nix b/hosts/france.nix index c866d88..ed3a775 100644 --- a/hosts/france.nix +++ b/hosts/france.nix 
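Review bot: The description of the renamed `reader-passwd` option still says "Password for the user specified in ldap-reader-dn", but the sibling option is now called `reader-dn`; change it to `Password for the user specified in reader-dn.`. The `ca` option also becomes `nullOr str` with `default = null` but nothing states what null means for the generated LDAP configuration — the function that consumes it is outside this hunk — so extend its description along the lines of `Set to null to omit CA configuration; this presumably leaves ldaps/STARTTLS server certificates unverified, so only use it with plaintext ldap:// URLs.` Note that `reader-passwd` is typed `str`, so whatever value a host supplies is evaluated into the Nix store; a path-typed `-file` variant read at service start would keep the bind secret out of the store.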
@@ -237,11 +237,13 @@ in {
 state-directory = "${system-mail-directory}/var";
 mail-directory = "${system-mail-directory}/mailboxes";
- dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
- dovecot.ldap-reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
+ dovecot.ldap = {
+ reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
+ reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;
- # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
- dovecot.ldap-urls = [ "ldap://france.fudo.org" ];
+ # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
+ server-urls = [ "ldap://france.fudo.org" ];
+ };
 clamav.enable = true;
@@ -277,7 +279,7 @@ in {
 name = "webmail";
 hostname = "localhost";
 user = "webmail";
- password-file = /srv/webmail/secure/db.passwd;
+ password-file = "/srv/webmail/secure/db.passwd";
 };
 };
@@ -290,7 +292,7 @@ in {
 name = "webmail";
 hostname = "localhost";
 user = "webmail";
- password-file = /srv/webmail/secure/db.passwd;
+ password-file = "/srv/webmail/secure/db.passwd";
 };
 };
 };
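Review bot: `reader-passwd = fileContents /srv/ldap/secure/user_db.passwd;` reads the LDAP bind password at evaluation time, so its value is written into the generated dovecot configuration in the world-readable Nix store (and into any binary cache or remote builder that sees the derivation); the two webmail hunks below go the other way, turning a path literal (which would copy the secret file into the store when interpolated) into a string path read at runtime, and the same treatment belongs here, e.g. a `reader-passwd-file = "/srv/ldap/secure/user_db.passwd";` option consumed by the dovecot module outside this diff. Separately, the new block still sends that bind credential to a plaintext `ldap://france.fudo.org` URL under the retained FIXME; if, as the hostname suggests, the directory runs on this same host, an `ldapi://` socket URL would keep the password off the network without first resolving the ACME CA question.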