app passwordss cript needs to be a template

rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml

@@ -0,0 +1,3 @@
+[template]
+src = "app-passwords-lookup.lua.tmpl"
+dest = "/etc/dovecot/app-passwords-lookup.lua"

rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl

@@ -0,0 +1,56 @@
+require "lualdap"
+
+function auth_passdb_lookup(req)
+    local ldap_host = "{{ getenv "LDAP_HOST" }}"
+    local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
+    local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
+    local ldap_use_tls = {{ getenv "LDAP_USE_TLS" }}
+
+    ld = assert (lualdap.open_simple(
+        ldap_host,
+        ldap_bin_dn,
+        ldap_bind_password,
+        ldap_use_tls))
+
+    local username = req.username
+    local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
+    local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
+    local ldap_base_dn = {{ getenv "LDAP_BASE_DN" }}
+
+    local user_count = 0
+    for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
+        user_count = user_count + 1
+    end
+
+    local user_exists = user_count == 1
+    if user_exists then
+        local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
+        local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
+        local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
+        local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" }}"
+
+        local user_password = reg.password
+
+        for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
+            lualdap.open_simple(
+                ldap_host,
+                dn,
+                user_password,
+                ldap_use_tls)
+            if test_conn ~= nil then
+                return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", ldap_user_attribute))
+            end
+        end
+    else
+        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
+    end
+
+    return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
+end
+
+function script_init()
+    return 0
+end
+
+function script_deinit()
+end

rootfs/etc/dovecot/app-password-lookup.lua

@@ -1,50 +0,0 @@
-require "lualdap"
-
-function auth_passdb_lookup(req)
-    ldap_use_tls_env = os.getenv("LDAP_USE_TLS")
-    ldap_use_tls = ldap_use_tls_env == "true" and true or false
-
-    ld = assert (lualdap.open_simple(
-        os.getenv("LDAP_HOST"),
-        os.getenv("LDAP_BIND_DN"),
-        os.getenv("LDAP_BIND_PASSWORD"),
-        ldap_use_tls))
-
-    local username = req.username
-    local ldap_pass_filter = os.getenv("LDAP_PASS_FILTER"):gsub("%%u", username)
-
-    local user_count = 0
-    for dn, attribs in ld:search { base = os.getenv("LDAP_BASE_DN"), scope = "subtree", filter = ldap_pass_filter } do
-        user_count = user_count + 1
-    end
-
-    local user_exists = user_count == 1
-    if user_exists then
-        local app_base_dn = os.getenv("LDAP_APP_PASSWORDS_BASE_DN")
-        local app_pass_filter = os.getenv("LDAP_APP_PASSWORDS_FILTER")
-
-        local user_password = reg.password
-
-        for dn, attribs in ld:search { base = app_base_dn:gsub("%%u", username), scope = "subtree", filter = app_pass_filter } do
-            lualdap.open_simple(
-                os.getenv("LDAP_HOST"),
-                dn,
-                user_password,
-                ldap_use_tls)
-            if test_conn ~= nil then
-                return dovecot.auth.PASSDB_RESULT_OK, string.format("%s=user", os.getenv("LDAP_USER_ATTRIBUTE"))
-            end
-        end
-    else
-        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
-    end
-
-    return dovecot.auth.PASSDB_RESULT_NEXT, "no app password matches"
-end
-
-function script_init()
-    return 0
-end
-
-function script_deinit()
-end