forked from wurzel/fruitbasket
expanded portunus config
- daclaritve portunus and openldap users/groups - basic sops stuff still needs discussion
This commit is contained in:
halcyon
parent
00291f7e9f
commit
29e69b67ed
1 changed files with 50 additions and 16 deletions
|
|
@ -3,31 +3,53 @@
|
||||||
tld = "moe";
|
tld = "moe";
|
||||||
hostname = "eisvogel";
|
hostname = "eisvogel";
|
||||||
domain = "portunus.${hostname}.${tld}";
|
domain = "portunus.${hostname}.${tld}";
|
||||||
|
|
||||||
|
portunusUser = "portunus";
|
||||||
|
portunusGroup = "portunus";
|
||||||
|
|
||||||
|
ldapUser = "openldap";
|
||||||
|
ldapGroup = "openldap";
|
||||||
in {
|
in {
|
||||||
# TODO: acme/letsencrypt oder andere lösung?
|
users.users."${portunusUser}" = {
|
||||||
#
|
isSystemUser = true;
|
||||||
services.nginx = {
|
group = "${portunusGroup}";
|
||||||
enable = true;
|
};
|
||||||
virtualHosts."${domain}" = {
|
|
||||||
forceSSL = true;
|
users.groups."${portunusGroup}" = {
|
||||||
enableACME = true;
|
name = "${portunusGroup}";
|
||||||
locations = {
|
members = ["${portunusUser}"];
|
||||||
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
};
|
||||||
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
|
|
||||||
};
|
users.users."${ldapUser}" = {
|
||||||
};
|
isSystemUser = true;
|
||||||
|
group = "${ldapGroup}";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups."${ldapGroup}" = {
|
||||||
|
name = "${ldapGroup}";
|
||||||
|
members = ["${ldapUser}"];
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: eigenes secrets.yaml für seedfile?
|
||||||
|
sops.secrets.portunus_seedfile = {
|
||||||
|
owner = "${portunusUser}";
|
||||||
|
group = "${portunusGroup}";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.portunus = {
|
services.portunus = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
user = "${portunusUser}";
|
||||||
|
group = "${portunusGroup}";
|
||||||
domain = "${domain}";
|
domain = "${domain}";
|
||||||
ldap = {
|
ldap = {
|
||||||
|
user = "${ldapUser}";
|
||||||
|
group = "${ldapGroup}";
|
||||||
suffix = "dc=${hostname},dc=${tld}";
|
suffix = "dc=${hostname},dc=${tld}";
|
||||||
tls = true;
|
tls = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: siehe unten sops, statische config
|
# TODO: wohin seed file?
|
||||||
# seedPath = "";
|
seedPath = "";
|
||||||
|
|
||||||
# falls wir das brauchen
|
# falls wir das brauchen
|
||||||
# dex = {
|
# dex = {
|
||||||
|
|
@ -41,7 +63,20 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
server = "ldaps://${domain}";
|
server = "ldaps://${domain}";
|
||||||
base = "dc=${hostname},dc=${tld}";
|
base = "dc=${hostname},dc=${tld}";
|
||||||
# useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen
|
# useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: acme/letsencrypt oder andere lösung?
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts."${config.services.portunus.domain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = {
|
||||||
|
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
||||||
|
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
|
@ -49,5 +84,4 @@ in {
|
||||||
443 # https
|
443 # https
|
||||||
636 # ldaps
|
636 # ldaps
|
||||||
];
|
];
|
||||||
# TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue