frieder.hannenheim/fruitbasket
1
0
Fork 0
forked from wurzel/fruitbasket
Code Pull requests Activity

expanded portunus config

Browse source 
- daclaritve portunus and openldap users/groups
- basic sops stuff

still needs discussion
This commit is contained in:
halcyon 2022-12-17 13:58:06 +01:00
parent 00291f7e9f
commit 29e69b67ed
No known key found for this signature in database
GPG key ID: 7C1F2DA2BC929412
1 changed files with 50 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
modules/ldap.nix
View file

@ -3,31 +3,53 @@
tld = "moe"; tld = "moe";
hostname = "eisvogel"; hostname = "eisvogel";
domain = "portunus.${hostname}.${tld}"; domain = "portunus.${hostname}.${tld}";
portunusUser = "portunus";
portunusGroup = "portunus";
ldapUser = "openldap";
ldapGroup = "openldap";
in { in {
# TODO: acme/letsencrypt oder andere lösung? users.users."${portunusUser}" = {
# isSystemUser = true;
services.nginx = { group = "${portunusGroup}";
enable = true;
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
}; };
users.groups."${portunusGroup}" = {
name = "${portunusGroup}";
members = ["${portunusUser}"];
}; };
users.users."${ldapUser}" = {
isSystemUser = true;
group = "${ldapGroup}";
};
users.groups."${ldapGroup}" = {
name = "${ldapGroup}";
members = ["${ldapUser}"];
};
# TODO: eigenes secrets.yaml für seedfile?
sops.secrets.portunus_seedfile = {
owner = "${portunusUser}";
group = "${portunusGroup}";
}; };
services.portunus = { services.portunus = {
enable = true; enable = true;
user = "${portunusUser}";
group = "${portunusGroup}";
domain = "${domain}"; domain = "${domain}";
ldap = { ldap = {
user = "${ldapUser}";
group = "${ldapGroup}";
suffix = "dc=${hostname},dc=${tld}"; suffix = "dc=${hostname},dc=${tld}";
tls = true; tls = true;
}; };
# TODO: siehe unten sops, statische config # TODO: wohin seed file?
# seedPath = ""; seedPath = "";
# falls wir das brauchen # falls wir das brauchen
# dex = { # dex = {
@ -41,7 +63,20 @@ in {
enable = true; enable = true;
server = "ldaps://${domain}"; server = "ldaps://${domain}";
base = "dc=${hostname},dc=${tld}"; base = "dc=${hostname},dc=${tld}";
# useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
};
# TODO: acme/letsencrypt oder andere lösung?
services.nginx = {
enable = true;
virtualHosts."${config.services.portunus.domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
};
};
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -49,5 +84,4 @@ in {
443 # https 443 # https
636 # ldaps 636 # ldaps
]; ];
# TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll
} }