From c3134e1e586c5548ac41f12c35876d7fc3793355 Mon Sep 17 00:00:00 2001
From: Fugi
Date: Wed, 18 Jan 2023 14:12:03 +0100
Subject: [PATCH] Synapse LDAP config, add Portunus search user, update flake

---
 config/portunus_seeds.json | 15 ++++++++++
 flake.lock | 18 +++++------
 modules/ldap.nix | 23 +++++++++-----
 modules/matrix.nix | 61 ++++++++++++++++++++++++--------------
 secrets/quitte.yaml | 5 ++--
 secrets/test.yaml | 5 ++--
 6 files changed, 83 insertions(+), 44 deletions(-)

diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
index 5b213fd..b73bf07 100644
--- a/config/portunus_seeds.json
+++ b/config/portunus_seeds.json
@@ -26,6 +26,15 @@
 "portunus": { "is_admin": false },
 "ldap": { "can_read": false }
 }
+ },
+ {
+ "name": "search",
+ "long_name": "LDAP search group",
+ "members": ["search"],
+ "permissions": {
+ "portunus": { "is_admin": false },
+ "ldap": { "can_read": true }
+ }
 }
 ],
 "users": [
@@ -34,6 +43,12 @@
 "given_name": "admin",
 "family_name": "admin",
 "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+ },
+ {
+ "login_name": "search",
+ "given_name": "search",
+ "family_name": "search",
+ "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] }
+ }
 ]
 }
diff --git a/flake.lock b/flake.lock
index 714027c..84b48fd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1670146390, - "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", + "lastModified": 1673740915, + "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "86370507cb20c905800527539fc049a2bf09c667", + "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", "type": "github" }, "original": {
@@ -87,11 +87,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1671215800, - "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=", + "lastModified": 1673800717, + "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9d692a724e74d2a49f7c985132972f991d144254", + "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", "type": "github" }, "original": {
@@ -116,11 +116,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1670149631, - "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", + "lastModified": 1673752321, + "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "da98a111623101c64474a14983d83dad8f09f93d", + "rev": "e18eefd2b133a58309475298052c341c08470717", "type": "github" }, "original": {
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 20a8cc8..a1965a6 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -29,9 +29,15 @@ in
 members = [ "${ldapUser}" ];
 };
- sops.secrets."portunus_admin" = {
- owner = "${portunusUser}";
- group = "${portunusGroup}";
+ sops.secrets = {
+ "portunus_admin" = {
+ owner = "${portunusUser}";
+ group = "${portunusGroup}";
+ };
+ "portunus_search" = {
+ owner = "${portunusUser}";
+ group = "${portunusGroup}";
+ };
 };
 services.portunus = {
@@ -40,10 +46,16 @@ in
 group = "${portunusGroup}";
 domain = "${domain}";
 port = 8081;
+
 ldap = {
 user = "${ldapUser}";
 group = "${ldapGroup}";
+ suffix = "dc=ifsr,dc=de";
+ searchUserName = "search";
+
+ # disables port 389, use 636 with tls
+ # `portunus.domain` resolves to localhost
 tls = true;
 };
@@ -60,9 +72,4 @@ in
 };
 };
 };
-
- networking.firewall.allowedTCPPorts = [
- 80 # http
- 443 # https
- ];
 }
diff --git a/modules/matrix.nix b/modules/matrix.nix
index be57b89..5648c1b 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
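Review bot: The two comment lines above `tls = true` state the consequence backwards — that `portunus.domain` resolves to localhost is a property of this host's DNS, not of the option — and the rule a client author actually needs (the synapse module in this same commit connects by FQDN for exactly this reason) is never written down; suggest `# tls = true: Portunus serves LDAPS on 636 only and plain 389 is off; bind by the FQDN so the certificate validates, even though it resolves to localhost here`. The new `suffix = "dc=ifsr,dc=de"` is now the canonical definition of the base DN, so other modules should read `config.services.portunus.ldap.suffix` rather than repeating the literal, which the matrix module in this commit currently does twice. The enclosing `services.portunus` attribute set begins before this hunk and continues after it.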
@@ -8,7 +8,6 @@ let
 base_url = "https://${domainServer}:443";
 server_name = domainServer;
 };
- "m.identity_server" = { };
 };
 serverConfig = {
 "m.server" = "${domainServer}:443";
@@ -21,21 +20,17 @@ '';
 in
 {
- # sops.secrets = {
- # synapse_registration_secret = {
- # owner = "matrix-synapse";
- # group = "matrix-synapse";
- # };
- # };
+ sops.secrets.matrix_ldap_search = {
+ key = "portunus_search";
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
 services = {
 postgresql = {
 enable = true;
- ensureUsers = [
- {
- name = "matrix-synapse";
- }
- ];
+ ensureUsers = [{
+ name = "matrix-synapse";
+ }];
 };
 nginx = {
@@ -66,6 +61,7 @@ in
 root = pkgs.element-web.override {
 conf = {
 default_server_config = clientConfig;
+ disable_3pid_login = true;
 };
 };
 };
@@ -75,6 +71,10 @@ in
 matrix-synapse = {
 enable = true;
+ plugins = with config.services.matrix-synapse.package.plugins; [
+ matrix-synapse-ldap3
+ ];
+
 settings = {
 server_name = domainServer;
@@ -89,17 +89,32 @@ in
 compress = false;
 }];
 }];
-
- # TODO: ldap
- registration_shared_secret = "registration_shared_secret";
 };
- # extraConfigFiles = [
- # (pkgs.writeTextFile {
- # name = "matrix-synapse-extra-config.yml";
- # text = ''
- # '';
- # })
- # ];
+
+ extraConfigFiles = [
+ (pkgs.writeTextFile {
+ name = "matrix-synapse-extra-config.yml";
+ text = ''
+ # `password_providers` is deprecated but `modules` is not supported yet.
+ password_providers:
+ - module: ldap_auth_provider.LdapAuthProvider
+ config:
+ enabled: true
+ # have to use fqdn here for tls (still connects to localhost)
+ uri: ldaps://auth.nix.fugi.dev:636
+ base: ou=users,dc=ifsr,dc=de
+ # taken from kaki config
+ attributes:
+ uid: uid
+ mail: uid
+ name: cn
+ bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+ # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
+ bind_password: portunus_search
+ # bind_password_file: ${config.sops.secrets.portunus_search.path}
+ '';
+ })
+ ];
 };
 };
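Review bot: `sops.secrets.matrix_ldap_search` is decrypted for the synapse user but nothing in this commit reads it — the provider config added further down still carries a literal `bind_password`, and its commented-out alternative points at the portunus-owned `portunus_search` secret instead — so either reference `config.sops.secrets.matrix_ldap_search.path` from the synapse config or leave the declaration out until it is consumed. Taking `owner` from `config.systemd.services.matrix-synapse.serviceConfig.User` also makes evaluation depend on that service setting `User` explicitly; `ensureUsers` in the same hunk already hard-codes `"matrix-synapse"`, so using the same literal (or one shared `let` binding for both) is simpler and presumably what the module sets anyway — worth confirming.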
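Review bot: `bind_password: portunus_search` in the new `extraConfigFiles` entry is the literal string, not the secret: the seeds file in this same commit sets the search user's password to the contents of `/run/secrets/portunus_search`, so this bind will fail unless that file happens to contain the text `portunus_search`. The real value cannot simply be pasted in either — `pkgs.writeTextFile` puts the whole YAML into the world-readable Nix store, and the commented `bind_password_file: ${config.sops.secrets.portunus_search.path}` would reference the portunus-owned copy rather than the `matrix_ldap_search` secret declared for the synapse user above. Keep the store file secret-free with a marker such as `bind_password: "@LDAP_BIND_PASSWORD@"`, copy it to a runtime directory in a pre-start step that substitutes the marker from `config.sops.secrets.matrix_ldap_search.path` (for example with `replace-secret`), and list that runtime path in `extraConfigFiles` instead of the store path; if a newer matrix-synapse-ldap3 gains `bind_password_file`, the same secret path can be used directly. Two smaller points: `base` and `bind_dn` repeat `dc=ifsr,dc=de` although `services.portunus.ldap.suffix` now defines it (`base: ou=users,${config.services.portunus.ldap.suffix}` keeps them in sync), and `mail: uid` tells synapse that the login name is the user's e-mail address, which is presumably not what Portunus stores — confirm against the directory schema before relying on it.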
@@ -113,7 +128,7 @@ in
 path = [ pkgs.sudo config.services.postgresql.package ];
- # create database for synapse. will silently fail if already exists
+ # create database for synapse. will silently fail if it already exists
 script = ''
 sudo -u ${config.services.postgresql.superUser} psql <