From 85c7a13692f72de74f3fa5e8a1b2de62b3cde29d Mon Sep 17 00:00:00 2001
From: Christian Ulrich
Date: Thu, 31 Oct 2024 16:58:53 +0100
Subject: [PATCH] implement OAuth support
---
 default.nix | 15 +++++++++++++++
 mail-server/dovecot.nix | 10 +++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/default.nix b/default.nix
index 45875a3..7d63cd0 100644
--- a/default.nix
+++ b/default.nix
@@ -358,6 +358,21 @@ in
 };
 };
+ oauth = {
+ enable = mkEnableOption "OAuth 2.0 support";
+
+ backendConfigFile = mkOption {
+ type = types.path;
+ default = null;
+ description = ''
+ Path to the dovecot backend configuration file. See
+ https://doc.dovecot.org/2.3/configuration_manual/authentication/oauth2/
+ for more information.
+ '';
+ example = "/var/lib/dovecot/dovecot-oauth2.conf.ext";
+ };
+ };
+
 indexDir = mkOption {
 type = types.nullOr types.str;
 default = null;
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 11f2708..59ec2bc 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -324,6 +324,14 @@ in
 }
 ''}
+ ${lib.optionalString cfg.oauth.enable ''
+ passdb {
+ driver = oauth2
+ mechanisms = xoauth2 oauthbearer
+ args = ${cfg.oauth.backendConfigFile}
+ }
+ ''}
+
 service auth {
 unix_listener auth {
 mode = 0660
@@ -332,7 +340,7 @@ in
 }
 }
- auth_mechanisms = plain login
+ auth_mechanisms = plain login${lib.optionalString cfg.oauth.enable " oauthbearer xoauth2"}
 namespace inbox {
 separator = ${cfg.hierarchySeparator}
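Review bot: In the new `oauth.backendConfigFile` option, `default = null` does not satisfy `type = types.path`, so the declared default is not a valid value for the option. The dovecot.nix hunk interpolates it into `args = ${cfg.oauth.backendConfigFile}` whenever `oauth.enable` is set, so enabling OAuth without setting the file ends in an evaluation error rather than a clear message. Either drop `default = null;` so the module system reports the option as unset, or declare `type = types.nullOr types.path;` and add an assertion that `cfg.oauth.enable` implies `cfg.oauth.backendConfigFile != null`. The enclosing option set starts and ends outside the hunk.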
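Review bot: `args = ${cfg.oauth.backendConfigFile}` in the new passdb block interpolates a `types.path` value, and if a caller passes a Nix path literal rather than a string, that interpolation copies the file into the world-readable Nix store. Dovecot's OAuth2 backend file can hold credentials (for instance an introspection URL with an embedded client secret), so this is worth guarding against. I would write `args = ${toString cfg.oauth.backendConfigFile}` and add to the option description `Pass an absolute path as a string to a file outside the Nix store that only the dovecot user can read.` The backend file also decides how tokens are validated, which this module cannot check, so the description could say that as well. The surrounding configuration string starts and ends outside the hunk.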