Try enabling SSSD
parent
66128a5cd2
commit
2a46e1bfe3
43
dovecot.nix
43
dovecot.nix
|
@ -207,6 +207,48 @@ in {
|
||||||
after = [ "dovecot2.service" ];
|
after = [ "dovecot2.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sssd = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/run/dovecotSecrets/sssd.env";
|
||||||
|
config = ''
|
||||||
|
[nss]
|
||||||
|
filter_users = root
|
||||||
|
filter_groups = root
|
||||||
|
reconnection_retries = 3
|
||||||
|
|
||||||
|
[sssd]
|
||||||
|
config_file_version = 2
|
||||||
|
reconnection_retries = 3
|
||||||
|
sbus_timeout = 30
|
||||||
|
domains = informis.land
|
||||||
|
services = nss, pam
|
||||||
|
|
||||||
|
[pam]
|
||||||
|
reconnection_retries = 3
|
||||||
|
|
||||||
|
[domain/informis.land]
|
||||||
|
cache_credentials = False
|
||||||
|
id_provider = ldap
|
||||||
|
auth_provider = ldap
|
||||||
|
access_provider = ldap
|
||||||
|
chpass_provider = ldap
|
||||||
|
ldap_uri = SSSD_LDAP_SERVER
|
||||||
|
|
||||||
|
ldap_schema = rfc2307bis
|
||||||
|
ldap_search_base = SSSD_LDAP_SEARCH_BASE
|
||||||
|
ldap_user_search_base = SSSD_LDAP_USER_SEARCH_BASE
|
||||||
|
ldap_group_search_base = SSSD_LDAP_GROUP_SEARCH_BASE
|
||||||
|
|
||||||
|
ldap_user_object_class = user
|
||||||
|
ldap_user_name = cn
|
||||||
|
ldap_group_object_class = group
|
||||||
|
ldap_group_name = cn
|
||||||
|
|
||||||
|
ldap_default_bind_fn = SSSD_LDAP_BIND_DN
|
||||||
|
ldap_default_authtok = SSSD_LDAP_AUTH_TOKEN
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
dovecot-sieve-generator = let
|
dovecot-sieve-generator = let
|
||||||
isRegularFile = _: type: type == "regular";
|
isRegularFile = _: type: type == "regular";
|
||||||
sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
|
sieves = filterAttrs isRegularFile (builtins.readDir ./sieves);
|
||||||
|
@ -356,7 +398,6 @@ in {
|
||||||
|
|
||||||
passdb {
|
passdb {
|
||||||
driver = ldap
|
driver = ldap
|
||||||
user_format = %n
|
|
||||||
args = ${cfg.ldap-conf}
|
args = ${cfg.ldap-conf}
|
||||||
}
|
}
|
||||||
|
|
||||||
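Review bot: The in-container path `environmentFile = "/run/dovecotSecrets/sssd.env";` does not match where this commit mounts the secret (`/run/dovecot-secrets/sssd.env` on the volume line in the other file), so the unit will start without its environment file (or fail outright if EnvironmentFile= is not prefixed with `-`); use one spelling everywhere, e.g. `environmentFile = "/run/dovecot-secrets/sssd.env";`. In `[domain/informis.land]`, `ldap_default_bind_fn` is a typo for `ldap_default_bind_dn` — SSSD will treat the unknown key as noise, leaving the bind DN unset while `ldap_default_authtok` is still sent. The placeholders are written bare (`ldap_uri = SSSD_LDAP_SERVER`); if this option substitutes the environment file with envsubst the way the upstream NixOS sssd module does, they must be `$SSSD_LDAP_SERVER`, `$SSSD_LDAP_BIND_DN`, etc., otherwise the literal names end up in sssd.conf — worth confirming against the module. The resulting `ldap://` URI with a simple bind sends the bind password in cleartext, which is acceptable only if `ldap-proxy` is on a trusted container-local link; otherwise prefer `ldaps://` or `ldap_id_use_start_tls = True`. The enclosing attribute set begins before this hunk.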
|
|
|
@ -199,6 +199,18 @@ in {
|
||||||
target-file = "/run/ldap-proxy/env";
|
target-file = "/run/ldap-proxy/env";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dovecotSssdEnv = {
|
||||||
|
source-file = pkgs.writeText "dovecot-sssd.env" (concatStringsSep "\n" [
|
||||||
|
"SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/"
|
||||||
|
"SSSD_LDAP_SEARCH_BASE=${cfg.ldap.base}"
|
||||||
|
"SSSD_LDAP_USER_SEARCH_BASE=${cfg.ldap.user-ou},${cfg.ldap.base}"
|
||||||
|
"SSSD_LDAP_GROUP_SEARCH_BASE=${cfg.ldap.group-ou},${cfg.ldap.base}"
|
||||||
|
"SSSD_LDAP_BIND_DN=${cfg.ldap.bind-dn}"
|
||||||
|
"SSSD_LDAP_AUTH_TOKEN=${readFile cfg.ldap.bind-password-file}"
|
||||||
|
]);
|
||||||
|
target-file = "/run/dovecot-secret/sssd.env";
|
||||||
|
};
|
||||||
|
|
||||||
dovecotLdapConfig = {
|
dovecotLdapConfig = {
|
||||||
source-file = pkgs.writeText "dovecot-ldap.conf"
|
source-file = pkgs.writeText "dovecot-ldap.conf"
|
||||||
(concatStringsSep "\n" [
|
(concatStringsSep "\n" [
|
||||||
|
@ -321,6 +333,7 @@ in {
|
||||||
"${cfg.imap.ssl-directory}:/run/certs/imap"
|
"${cfg.imap.ssl-directory}:/run/certs/imap"
|
||||||
"${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
|
"${cfg.state-directory}/dovecot-dhparams:/var/lib/dhparams"
|
||||||
"${cfg.state-directory}/mail:/mail"
|
"${cfg.state-directory}/mail:/mail"
|
||||||
|
"${hostSecrets.dovecotSssdEnv}:/run/dovecot-secrets/sssd.env"
|
||||||
];
|
];
|
||||||
depends_on = [ "antispam" "ldap-proxy" ];
|
depends_on = [ "antispam" "ldap-proxy" ];
|
||||||
};
|
};
|
||||||
|
|
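Review bot: `readFile cfg.ldap.bind-password-file` runs at Nix evaluation time and its result is handed to `pkgs.writeText`, so the LDAP bind password is written into a world-readable `/nix/store` path (and into any binary cache the closure is pushed to) no matter how `target-file` is protected afterwards; the neighbouring `dovecotLdapConfig` may have the same problem, but its body is not shown here. Keep the secret out of the store: build only the non-secret `SSSD_LDAP_*` lines with `writeText` and have the secret-deployment step append `SSSD_LDAP_AUTH_TOKEN=$(cat ${cfg.ldap.bind-password-file})` at activation, or point `source-file` at the password file and template the rest. The container mount destination in the next hunk, `/run/dovecot-secrets/sssd.env`, does not match the `environmentFile` path used in dovecot.nix (`/run/dovecotSecrets/sssd.env`), and the host-side `target-file = "/run/dovecot-secret/sssd.env"` is a third spelling — unify them. `SSSD_LDAP_SERVER=ldap://ldap-proxy:3389/` carries this password over plaintext LDAP, which is only defensible if `ldap-proxy` is reachable solely over a trusted container-local network. This file's header is not shown on the page, and the enclosing attribute set starts before the hunk.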