From 2a46e1bfe3f9efe578eeb24008df34f5a3a6caa9 Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 1 Oct 2023 14:51:39 -0700
Subject: [PATCH] Try enabling SSSD

---
 dovecot.nix | 43 ++++++++++++++++++++++++++++++++++++++++++-
 mail-server.nix | 13 +++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/dovecot.nix b/dovecot.nix
index 92d6ac2..aeb9dbb 100644
--- a/dovecot.nix
+++ b/dovecot.nix
@@ -207,6 +207,48 @@ in {
 after = [ "dovecot2.service" ];
 };
 
+ sssd = {
+ enable = true;
+ environmentFile = "/run/dovecotSecrets/sssd.env";
+ config = ''
+ [nss]
+ filter_users = root
+ filter_groups = root
+ reconnection_retries = 3
+
+ [sssd]
+ config_file_version = 2
+ reconnection_retries = 3
+ sbus_timeout = 30
+ domains = informis.land
+ services = nss, pam
+
+ [pam]
+ reconnection_retries = 3
+
+ [domain/informis.land]
+ cache_credentials = False
+ id_provider = ldap
+ auth_provider = ldap
+ access_provider = ldap
+ chpass_provider = ldap
+ ldap_uri = SSSD_LDAP_SERVER
+
+ ldap_schema = rfc2307bis
+ ldap_search_base = SSSD_LDAP_SEARCH_BASE
+ ldap_user_search_base = SSSD_LDAP_USER_SEARCH_BASE
+ ldap_group_search_base = SSSD_LDAP_GROUP_SEARCH_BASE
+
+ ldap_user_object_class = user
+ ldap_user_name = cn
+ ldap_group_object_class = group
+ ldap_group_name = cn
+
+ ldap_default_bind_fn = SSSD_LDAP_BIND_DN
+ ldap_default_authtok = SSSD_LDAP_AUTH_TOKEN
+ '';
+ };
+
 dovecot-sieve-generator = let
 isRegularFile = _: type: type == "regular";
 sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
@@ -356,7 +398,6 @@ in {
 passdb {
 driver = ldap
- user_format = %n
 args = ${cfg.ldap-conf}
 }
diff --git a/mail-server.nix b/mail-server.nix
index a2b3d18..be94fbe 100644
--- a/mail-server.nix
+++ b/mail-server.nix
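Review bot: `ldap_default_bind_fn` in the `[domain/informis.land]` section is not an sssd-ldap option — the option is `ldap_default_bind_dn` — so the bind DN is silently ignored and SSSD falls back to an anonymous bind against the proxy; change it to `ldap_default_bind_dn = SSSD_LDAP_BIND_DN`. The placeholders `SSSD_LDAP_SERVER`, `SSSD_LDAP_SEARCH_BASE`, `SSSD_LDAP_BIND_DN` and `SSSD_LDAP_AUTH_TOKEN` are bare names; if the NixOS `services.sssd.environmentFile` substitution expects `$VAR` syntax as in the module's documented example, nothing here is ever replaced and the literal words become the LDAP URI and search bases — confirm against the module and write `ldap_uri = $SSSD_LDAP_SERVER` and the same for the others. The environment file path is spelled three different ways across this commit: `/run/dovecotSecrets/sssd.env` here, `/run/dovecot-secret/sssd.env` as `target-file` and `/run/dovecot-secrets/sssd.env` as the bind-mount target in the two mail-server.nix hunks (lines 199 and 333 on the new side), so, assuming the mount is what delivers the file into the container, the sssd unit will not find it and will fail to start. The enclosing attribute set that `sssd` is added to starts and ends outside this hunk.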
@@ -199,6 +199,18 @@ in {
 target-file = "/run/ldap-proxy/env";
 };
 
+ dovecotSssdEnv = {
+ source-file = pkgs.writeText "dovecot-sssd.env" (concatStringsSep "\n" [
+ "SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/"
+ "SSSD_LDAP_SEARCH_BASE=${cfg.ldap.base}"
+ "SSSD_LDAP_USER_SEARCH_BASE=${cfg.ldap.user-ou},${cfg.ldap.base}"
+ "SSSD_LDAP_GROUP_SEARCH_BASE=${cfg.ldap.group-ou},${cfg.ldap.base}"
+ "SSSD_LDAP_BIND_DN=${cfg.ldap.bind-dn}"
+ "SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"
+ ]);
+ target-file = "/run/dovecot-secret/sssd.env";
+ };
+
 dovecotLdapConfig = {
 source-file = pkgs.writeText "dovecot-ldap.conf" (concatStringsSep "\n" [
@@ -321,6 +333,7 @@ in {
 "${cfg.imap.ssl-directory}:/run/certs/imap"
 "${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
 "${cfg.state-directory}/mail:/mail"
+ "${hostSecrets.dovecotSssdEnv}:/run/dovecot-secrets/sssd.env"
 ];
 depends_on = [ "antispam" "ldap-proxy" ];
 };
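Review bot: `"SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"` reads the LDAP bind password at Nix evaluation time and `pkgs.writeText` then stores the whole env file in the world-readable Nix store (and in any binary cache the host pushes to), which defeats the point of feeding SSSD a runtime environment file. Keep the password out of evaluation: have the `source-file` carry only the non-secret lines and append `SSSD_LDAP_AUTH_TOKEN=$(cat "${cfg.ldap.bind-password-file}")` from an activation script or the unit's pre-start that runs on the host as root, writing the result to `target-file` with mode 0600; note that `readFile` also keeps the file's trailing newline, so the value as written would end mid-line anyway. Separately, `SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/` is plain LDAP while dovecot.nix sets `auth_provider = ldap`; SSSD refuses simple-bind password authentication over an unencrypted connection by default (`ldap_auth_disable_tls_never_use_in_production` exists only to override that), so user logins via this domain will fail unless the proxy offers `ldaps://` or StartTLS (`ldap_id_use_start_tls = true` plus `ldap_tls_cacert`), and the bind password currently crosses the container network in cleartext. The `target-file` here (`/run/dovecot-secret/sssd.env`) also disagrees with the mount target `/run/dovecot-secrets/sssd.env` in the hunk at line 333 and with dovecot.nix's `environmentFile`; pick one spelling.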