From e337ce91ffac3cdfb8ab270a1fd664cf938d5497 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 12 Aug 2024 02:29:58 +0200
Subject: [PATCH] Allow to restrict ldap domains users are allowed to use
---
 default.nix | 9 +++++++++
 mail-server/postfix.nix | 1 +
 2 files changed, 10 insertions(+)
diff --git a/default.nix b/default.nix
index 3f46610..89936fe 100644
--- a/default.nix
+++ b/default.nix
@@ -210,6 +210,15 @@ in
 ldap = {
 enable = mkEnableOption "LDAP support";
+ domains = mkOption {
+ type = types.listOf types.str;
+ default = config.mailserver.domains;
+ example = ''[ "example.com" "example.org" ]'';
+ description = ''
+ Domains which ldap users are allowed to use.
+ '';
+ };
+
 uris = mkOption {
 type = types.listOf types.str;
 example = literalExpression ''
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index d1c59b2..f7a33b0 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -150,6 +150,7 @@ let
 tls_ca_cert_file = ${cfg.ldap.tlsCAFile}
 tls_require_cert = yes
+ domain = ${lib.concatStringsSep ", " cfg.ldap.domains}
 search_base = ${cfg.ldap.searchBase}
 scope = ${cfg.ldap.searchScope}
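Review bot: `type = types.listOf types.str;` in the new `domains` option of default.nix accepts `[ ]`, which the postfix.nix hunk would render as an empty `domain =` line; as far as I know Postfix treats an empty `domain` as "no domain list", so the restriction would silently switch off instead of denying everything. `type = types.nonEmptyListOf types.str;` (or a module assertion) would make that misconfiguration fail at evaluation time. Separately, the default reads `config`, so the generated option docs want `defaultText = literalExpression "config.mailserver.domains";`, and `example` should be the list itself, `example = [ "example.com" "example.org" ];`, not a string. The enclosing `ldap = {` attribute set continues outside the hunk.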
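Review bot: The added `domain =` line in mail-server/postfix.nix has no comment saying what it enforces, and its effect is wider than the option description suggests: per ldap_table(5), once `domain` is set only fully qualified keys with a matching domain are looked up, so bare-localpart keys and addresses in other domains are never sent to LDAP. Because the default is `config.mailserver.domains`, this presumably changes lookup results for existing LDAP deployments on upgrade, which is worth stating in the option description or the release notes. I would add a line above it such as `# Only addresses in these domains are looked up; all other keys skip LDAP.` The surrounding string and `let` binding start and end outside the hunk, so which Postfix maps share this block cannot be seen from here.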