diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix index 252e015..dd0e918 100644 --- a/hosts/mail/modules/dovecot.nix +++ b/hosts/mail/modules/dovecot.nix @@ -55,6 +55,10 @@ let doveadm user *@scana11y.com | while read user; do doveadm -v sync -u $user $SERVER done + + doveadm user *@docfast.dev | while read user; do + doveadm -v sync -u $user $SERVER + done ''; quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" '' @@ -250,7 +254,7 @@ in }; users.groups.acme.members = [ "openldap" ]; - + /* trigger the actual certificate generation for your hostname */ security.acme.certs."imap.${domain}" = { extraDomainNames = [ diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index 2a22cbb..f693b58 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -1,11 +1,11 @@ -{ - pkgs, - config, - ... +{ pkgs +, config +, ... }: let domain = config.networking.domain; -in { +in +{ services.openldap = { enable = true; @@ -33,7 +33,7 @@ in { ]; "olcDatabase={1}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; olcDbDirectory = "/var/lib/openldap/data"; @@ -101,7 +101,7 @@ in { # }; "olcDatabase={2}monitor".attrs = { olcDatabase = "{2}monitor"; - objectClass = ["olcDatabaseConfig" "olcMonitorConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMonitorConfig" ]; olcAccess = [ '' {0}to * @@ -112,7 +112,7 @@ in { }; "olcDatabase={4}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{4}mdb"; olcDbDirectory = "/var/lib/openldap/data"; @@ -158,7 +158,7 @@ in { "olcDatabase={6}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{6}mdb"; olcDbDirectory = "/var/lib/openldap/data"; 
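Review bot: The new sync loop hands the glob `*@docfast.dev` and `$user` to the shell unquoted and reads with a bare `read`; if anything in the working directory matches the pattern the shell expands it before doveadm sees it, and `read` without `-r` treats backslashes in a username specially. Suggest `doveadm user "*@docfast.dev" | while read -r user; do` / `doveadm -v sync -u "$user" "$SERVER"` / `done`; the scana11y.com loop just above in the same hunk has the same shape. Since the two loops are now identical apart from the domain, one `for` over a list of domains would stop the next domain being added by copy-paste. The enclosing `''` script string starts before the hunk.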
@@ -203,7 +203,7 @@ in { # }; "olcDatabase={7}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{7}mdb"; olcDbDirectory = "/var/lib/openldap/data"; @@ -249,7 +249,7 @@ in { # }; "olcDatabase={8}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{8}mdb"; olcDbDirectory = "/var/lib/openldap/data"; @@ -285,7 +285,7 @@ in { }; "olcDatabase={9}mdb".attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{9}mdb"; olcDbDirectory = "/var/lib/openldap/data"; 
@@ -320,6 +320,52 @@ in { ]; }; + "olcDatabase={10}mdb".attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{10}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = "dc=docfast,dc=dev"; + + olcAccess = [ + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write + by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * none + '' + '' + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + ]; + }; + "olcOverlay=memberof,olcDatabase={10}mdb".attrs = { + objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; + olcOverlay = "memberof"; + olcMemberOfRefint = "TRUE"; + }; + "olcOverlay=ppolicy,olcDatabase={10}mdb".attrs = { + objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ]; + olcOverlay = "ppolicy"; + olcPPolicyHashCleartext = "TRUE"; + }; + # "cn=module{0},cn=config" = { # attrs = { # objectClass = "olcModuleList"; @@ -537,7 +583,7 @@ in { }; users.groups.acme.members = [ "openldap" ]; - + /* trigger the actual certificate generation for your hostname */ security.acme.certs."ldap.${domain}" = { extraDomainNames = [
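Review bot: The new `olcDatabase={10}mdb` entry sets `olcDbDirectory = "/var/lib/openldap/data"`, the same directory every other mdb database visible in this diff ({1}, {4}, {6}–{9}) uses; back-mdb normally keeps each database's environment in `<olcDbDirectory>/data.mdb`, so separate suffixes need separate directories — confirm this is not already a problem for the existing databases before adding another, and give the docfast tree its own directory (a per-database path such as `/var/lib/openldap/<db-name>`, placeholder). Every `by dn=`, `by dn.subtree=` and `by group.exact=` clause in the new `olcAccess` names identities under `dc=cloonar,dc=com` rather than `dc=docfast,dc=dev`; if cloonar's system accounts and Administrators group are meant to administer this tree as well, a comment above `olcAccess` saying so would stop the next reader assuming a copy-paste slip, and otherwise the DNs should live under the new suffix. `{1}to attrs=pgpPublicKey ... by anonymous read` and `{2}to * ... by * read` leave everything except `userPassword` readable without a bind, which may be intended for public key lookup but is worth stating. The ppolicy overlay sets only `olcPPolicyHashCleartext`; without an `olcPPolicyDefault`, entries that carry no `pwdPolicySubentry` get no lockout or expiry policy, so confirm that is the intent.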