wip

2021-07-09 00:43:29 +02:00 · 2021-07-09 00:43:29 +02:00 · ca52fc7b64
commit ca52fc7b64
parent b8f5888c3e
7 changed files with 32 additions and 4 deletions
--- a/bundles/dovecot/files/dovecot-sql.conf
+++ b/bundles/dovecot/files/dovecot-sql.conf
@ -1,6 +1,6 @@
 connect = host=${host} dbname=${name} user=${user} password=${password}
 driver = pgsql
-default_pass_scheme = SHA512-CRYPT
+default_pass_scheme = ARGON2ID

 password_query = SELECT CONCAT(users.name, '@', domains.name) AS user, password\
  FROM users \
--- a/bundles/dovecot/files/sudors
+++ b/bundles/dovecot/files/sudors
@ -0,0 +1 @@
+www-data ALL=(ALL) NOPASSWD: /usr/bin/doveadm pw -s ARGON2ID
--- a/bundles/roundcube/files/password.config.inc.php
+++ b/bundles/roundcube/files/password.config.inc.php
@ -9,7 +9,9 @@ $config['password_log'] = true;
 $config['password_hosts'] = null;
 $config['password_force_save'] = false;
 $config['password_force_new_user'] = false;
-$config['password_algorithm'] = 'sha512-crypt';
-$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
+$config['password_algorithm'] = 'dovecot';
+$config['password_dovecotpw'] = '/usr/bin/sudo /usr/bin/doveadm pw';
+$config['password_dovecotpw_method'] = 'ARGON2ID';
+$config['password_dovecotpw_with_method'] = true;
 $config['password_db_dsn'] = 'pgsql://mailserver:${mailserver_db_password}@localhost/mailserver';
-$config['password_query'] = "UPDATE users SET password=%P FROM domains WHERE domains.id = domain_id AND domains.name = %d AND users.name = %l";
+$config['password_query'] = "UPDATE users SET password=%D FROM domains WHERE domains.id = domain_id AND domains.name = %d AND users.name = %l";
--- a/bundles/roundcube/metadata.py
+++ b/bundles/roundcube/metadata.py
@ -51,6 +51,9 @@ defaults = {
            },
        },
    },
+    'sudoers': {
+        'www-data': ['/usr/bin/doveadm pw -s ARGON2ID'],
+    },
 }

@metadata_reactor.provides(
--- a/bundles/sudo/items.py
+++ b/bundles/sudo/items.py
@ -0,0 +1,11 @@
+directories = {
+    '/etc/sudoers.d': {
+        'purge': True,
+    },
+}
+
+for user, commands in node.metadata.get('sudoers').items():
+    files[f'/etc/sudoers.d/{user}'] = {
+        'content': f"{user} ALL=(ALL) NOPASSWD: {', '.join(commands)}",
+        'mode': '500',
+    }
--- a/bundles/sudo/metadata.py
+++ b/bundles/sudo/metadata.py
@ -0,0 +1,10 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'sudo': {},
+        },
+    },
+    'sudoers': {
+        'root': ['ALL'],
+    },
+}
--- a/groups/all.py
+++ b/groups/all.py
@ -1,5 +1,6 @@
 {
    'bundles': [
+        'sudo',
        'users',
        'zsh',
    ],
				`@ -0,0 +1 @@`
				`www-data ALL=(ALL) NOPASSWD: /usr/bin/doveadm pw -s ARGON2ID`