From e5cd04465c947a46c4f2e376b7279c80f6f60b42 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Sat, 23 Mar 2024 01:57:50 -0400
Subject: [PATCH] dovecot oauth2
---
 group_vars/mail.yml | 18 ++++++++--
 playbooks/roles/mail/tasks/main.yml | 26 +++++++++++---
 .../mail/templates/docker-compose.yml.j2 | 35 +++++++++++++++----
 .../roles/mail/templates/oauth2.inc.php.j2 | 19 ++++++++++
 .../roles/mail/templates/user-patches.sh.j2 | 12 +++++++
 .../https.mail.hatecomputers.club.conf | 2 +-
 secrets.txt | 2 ++
 7 files changed, 99 insertions(+), 15 deletions(-)
 create mode 100644 playbooks/roles/mail/templates/oauth2.inc.php.j2
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index 2a46f19..1bae194 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -15,8 +15,22 @@ ldap_query_filter_alias: "(&(objectClass=posixAccount)(emailalternative=%s))"
 ldap_query_filter_domain: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
 ldap_query_filter_senders: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
 
-sasl_ldap_filter: "(&(|(uid=%U)(mail=%U))(class=posixAccount))"
+sasl_ldap_filter: >
+ (&(|(uid=%U)(mail=%U))(class=posixAccount)
+ (memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
 
-dovecot_user_filter: "(&(class=posixAccount)(uid=%u))"
+dovecot_user_filter: >
+ (&(class=posixAccount)(uid=%u)
+ (memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
 dovecot_auth_bind_userdn: "uid=%u,dc=auth,dc=hatecomputers,dc=club"
 dovecot_user_attrs: "=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
+
+roundcube_default_host: "ssl://mail.hatecomputers.club"
+roundcube_default_port: 993
+roundcube_smtp_host: "ssl://mail.hatecomputers.club"
+roundcube_smtp_port: 465
+
+roundcube_oauth2_auth_uri: "https://auth.hatecomputers.club/ui/oauth2"
+roundcube_oauth2_user_uri: >
+ https://auth.hatecomputers.club/oauth2/openid/roundcube/userinfo
+roundcube_oauth2_token_uri: "https://auth.hatecomputers.club/oauth2/token"
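Review bot: The folded scalars introduced for `sasl_ldap_filter` and `dovecot_user_filter` change the filter text itself: `>` joins the two lines with a space, so the rendered value becomes `(class=posixAccount) (memberOf=…)`, and the default clip chomping keeps a trailing newline on it. RFC 4515 filter syntax has no whitespace between filter components, so whether the directory accepts the filter depends on how lenient its parser is, and the trailing newline is carried wherever the variable is interpolated, including `SASLAUTHD_LDAP_FILTER` in the compose template. Writing each filter on one quoted line, as the removed lines did, avoids both, e.g. `sasl_ldap_filter: "(&(|(uid=%U)(mail=%U))(class=posixAccount)(memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))"`. The same `>` is used for `roundcube_oauth2_user_uri`, where a URL picks up a trailing newline; `>-` or a plain quoted string is safer there.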
diff --git a/playbooks/roles/mail/tasks/main.yml b/playbooks/roles/mail/tasks/main.yml
index 8296d28..dc329a4 100644
--- a/playbooks/roles/mail/tasks/main.yml
+++ b/playbooks/roles/mail/tasks/main.yml
@@ -9,7 +9,7 @@
 mode: 0700
 
 - name: Ensure mail config volume exist
- file:
+ ansible.builtin.file:
 path: /etc/docker/compose/mail/docker-data/dms/config
 state: directory
 owner: root
@@ -17,12 +17,12 @@
 mode: 0700
 
 - name: Ensure mail entries volume exist with correct permission
- file:
+ ansible.builtin.file:
 path: /etc/docker/compose/mail/docker-data/dms/mail-data/
 state: directory
- owner: root
- group: root
- mode: 0777
+ owner: 5000
+ group: 5000
+ mode: 0700
 recurse: true
 
 - name: Ensure dovecot ldap config exist
@@ -41,6 +41,22 @@
 group: root
 mode: 0700
 
+- name: Ensure roundcube config volume exist
+ ansible.builtin.file:
+ path: /etc/docker/compose/mail/docker-data/roundcube/config
+ state: directory
+ owner: root
+ group: root
+ mode: 0777
+
+- name: Build roundcube oauth2 config
+ ansible.builtin.template:
+ src: oauth2.inc.php.j2
+ dest: /etc/docker/compose/mail/docker-data/roundcube/config/oauth2.inc.php
+ owner: root
+ group: root
+ mode: 0777
+
 - name: Build mail docker-compose.yml.j2
 ansible.builtin.template:
 src: docker-compose.yml.j2
diff --git a/playbooks/roles/mail/templates/docker-compose.yml.j2 b/playbooks/roles/mail/templates/docker-compose.yml.j2
index e493458..bde0d82 100644
--- a/playbooks/roles/mail/templates/docker-compose.yml.j2
+++ b/playbooks/roles/mail/templates/docker-compose.yml.j2
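Review bot: `mode: 0777` on the new roundcube config directory and on the rendered `oauth2.inc.php` (third hunk, both new tasks) makes the OAuth2 client configuration world-writable as well as world-readable; if that file carries `roundcube_oauth2_client_basic_secret` (inferred from the secrets.txt hunk, the template itself is not readable here), any local account on the host can read the secret and can also modify PHP that the Roundcube container will execute. The same commit tightens `mail-data/` to `5000`/`0700`, so the looser mode on the config looks accidental rather than intended. Tighten both, e.g. `mode: "0750"` for the directory and `mode: "0640"` for the file, with `owner`/`group` set to the uid the container reads the config as rather than root (not visible here, verify against the image). Quoting the mode is also the form Ansible documents, since a bare leading-zero literal such as `0777` or the `0700` in the earlier hunks depends on the YAML loader's octal handling.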
@@ -1,13 +1,32 @@
+version: '3'
+
 services:
+ roundcube:
+ image: roundcube/roundcubemail:latest
+ restart: always
+ volumes:
+ - ./docker-data/roundcube/www:/var/www/html
+ - ./docker-data/roundcube/db/sqlite:/var/roundcube/db
+ - ./docker-data/roundcube/config:/var/roundcube/config
+ ports:
+ - 127.0.0.1:9002:80
+ environment:
+ - ROUNDCUBEMAIL_DB_TYPE=sqlite
+ - ROUNDCUBEMAIL_SKIN=elastic
+ - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
+ - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
+ - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
+ - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
+
 mailserver:
 image: ghcr.io/docker-mailserver/docker-mailserver:latest
- container_name: mailserver
 hostname: {{ mail_domain }}
+ restart: always
 ports:
- - "0.0.0.0:25:25"
- - "0.0.0.0:465:465"
- - "0.0.0.0:587:587"
- - "0.0.0.0:993:993"
+ - 0.0.0.0:25:25
+ - 0.0.0.0:465:465
+ - 0.0.0.0:587:587
+ - 0.0.0.0:993:993
 volumes:
 - ./docker-data/dms/mail-data/:/var/mail/
 - ./docker-data/dms/mail-state/:/var/mail-state/
@@ -18,7 +37,7 @@ services:
 - /etc/localtime:/etc/localtime:ro
 environment:
 - SSL_TYPE=letsencrypt
- - ENABLE_CLAMAV=1
+ - ENABLE_CLAMAV=0
 - ENABLE_AMAVIS=1
 - ENABLE_FAIL2BAN=1
 - ENABLE_SASLAUTHD=1
@@ -42,4 +61,6 @@ services:
 - ENABLE_SASLAUTHD=1
 - SASLAUTHD_MECHANISMS=ldap
 - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }}
- restart: always
+
+ - ENABLE_OAUTH2=1
+ - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}
diff --git a/playbooks/roles/mail/templates/oauth2.inc.php.j2 b/playbooks/roles/mail/templates/oauth2.inc.php.j2
new file mode 100644
index 0000000..9bee067
--- /dev/null
+++ b/playbooks/roles/mail/templates/oauth2.inc.php.j2
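Review bot: `image: roundcube/roundcubemail:latest` in the first hunk pins nothing, so any re-pull or host rebuild can silently switch the webmail — which now holds an OAuth2 client secret and talks to the IdP — to a different build; pin a release tag (`roundcube/roundcubemail:<version>-apache`, with `<version>` chosen deliberately, or a digest) and bump it on purpose, and the same applies to the pre-existing `docker-mailserver:latest`. The quotes dropped from the mailserver port mappings are harmless with the `0.0.0.0:` prefix, but plain `port:port` strings below 60 parse as sexagesimal integers under YAML 1.1, so keeping them quoted (`- "0.0.0.0:25:25"`) is the conventional compose style and the new `127.0.0.1:9002:80` entry should follow it too. Binding the roundcube port to 127.0.0.1 so only the nginx proxy reaches it is the right call.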
@@ -0,0 +1,19 @@
+> /etc/dovecot/conf.d/10-auth.conf
+
+echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
+
+echo "passdb {
+ driver = ldap
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+userdb {
+ driver = static
+ args = uid=5000 gid=5000 home=/var/mail/%u
+}" > /etc/dovecot/conf.d/auth-ldap.conf.ext
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf
index 1c6d579..ff2459f 100644
--- a/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf
+++ b/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf
@@ -14,7 +14,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/mail.hatecomputers.club/privkey.pem;
 
 location / {
- proxy_pass http://127.0.0.1:8331;
+ proxy_pass http://127.0.0.1:9002;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Host $host;
 }
diff --git a/secrets.txt b/secrets.txt
index 59f81b8..581af2b 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -1,3 +1,5 @@
 cloudflare_api_token
 certbot_email
 email_ldap_api_token
+roundcube_oauth2_client_id
+roundcube_oauth2_client_basic_secret
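Review bot: Pointing `proxy_pass` at 127.0.0.1:9002 puts Roundcube behind this TLS-terminating proxy, but the `location /` block only forwards `X-Real-IP` and `Host`, so the application sees a plain-HTTP request on port 80. That matters now that OAuth2 is involved: Roundcube builds its authorization redirect URI and its session cookie flags from the request scheme, so without it the redirect may be issued as `http://` and fail to match the client registration at the IdP, and cookies may lose the secure flag. Adding `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing headers (or forcing `use_https` in the Roundcube config) is the usual fix; confirm against the Roundcube version the image ships. The preceding user-patches hunk is missing its file header in this rendering, so it is not reviewed here.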