Synapse LDAP config, add Portunus search user, update flake

Lyn Fugmann 2023-01-18 14:12:03 +01:00
parent 4813ec4811
commit c3134e1e58
Signed by untrusted user: fugi
GPG key ID: 4472A20091BFA792
6 changed files with 83 additions and 44 deletions


@ -29,9 +29,15 @@ in
members = [ "${ldapUser}" ];
};
sops.secrets."portunus_admin" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
sops.secrets = {
"portunus_admin" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
};
"portunus_search" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
};
};
services.portunus = {
@ -40,10 +46,16 @@ in
group = "${portunusGroup}";
domain = "${domain}";
port = 8081;
ldap = {
user = "${ldapUser}";
group = "${ldapGroup}";
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# disables port 389, use 636 with tls
# `portunus.domain` resolves to localhost
tls = true;
};
@ -60,9 +72,4 @@ in
};
};
};
networking.firewall.allowedTCPPorts = [
80 # http
443 # https
];
}
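Review bot: The `"portunus_search"` secret added to the `sops.secrets` block is only declared here; nothing in these hunks passes its path to Portunus, and the new `ldap` block just names the account with `searchUserName = "search";`, so it is not visible how the `search` user's bind password is set to the value that secret holds. The Synapse side of the same commit binds as `uid=search,...` with the literal `bind_password: portunus_search` (written into a store path via `pkgs.writeTextFile`, so presumably world-readable) and keeps `bind_password_file` commented out, so I cannot confirm from the page that the two ends agree. If Portunus seeds the search password from this secret elsewhere, a comment on the new secret would spare the next reader the same search, e.g. `# bind password for the LDAP "search" account; synapse's ldap_auth_provider must bind with the same value`. The enclosing module attribute set starts outside the hunk.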


@ -8,7 +8,6 @@ let
base_url = "https://${domainServer}:443";
server_name = domainServer;
};
"m.identity_server" = { };
};
serverConfig = {
"m.server" = "${domainServer}:443";
@ -21,21 +20,17 @@ let
'';
in
{
# sops.secrets = {
# synapse_registration_secret = {
# owner = "matrix-synapse";
# group = "matrix-synapse";
# };
# };
sops.secrets.matrix_ldap_search = {
key = "portunus_search";
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
};
services = {
postgresql = {
enable = true;
ensureUsers = [
{
name = "matrix-synapse";
}
];
ensureUsers = [{
name = "matrix-synapse";
}];
};
nginx = {
@ -66,6 +61,7 @@ in
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
disable_3pid_login = true;
};
};
};
@ -75,6 +71,10 @@ in
matrix-synapse = {
enable = true;
plugins = with config.services.matrix-synapse.package.plugins; [
matrix-synapse-ldap3
];
settings = {
server_name = domainServer;
@ -89,17 +89,32 @@ in
compress = false;
}];
}];
# TODO: ldap
registration_shared_secret = "registration_shared_secret";
};
# extraConfigFiles = [
# (pkgs.writeTextFile {
# name = "matrix-synapse-extra-config.yml";
# text = ''
# '';
# })
# ];
extraConfigFiles = [
(pkgs.writeTextFile {
name = "matrix-synapse-extra-config.yml";
text = ''
# `password_providers` is deprecated but `modules` is not supported yet.
password_providers:
- module: ldap_auth_provider.LdapAuthProvider
config:
enabled: true
# have to use fqdn here for tls (still connects to localhost)
uri: ldaps://auth.nix.fugi.dev:636
base: ou=users,dc=ifsr,dc=de
# taken from kaki config
attributes:
uid: uid
mail: uid
name: cn
bind_dn: uid=search,ou=users,dc=ifsr,dc=de
# TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
bind_password: portunus_search
# bind_password_file: ${config.sops.secrets.portunus_search.path}
'';
})
];
};
};
@ -113,7 +128,7 @@ in
path = [ pkgs.sudo config.services.postgresql.package ];
# create database for synapse. will silently fail if already exists
# create database for synapse. will silently fail if it already exists
script = ''
sudo -u ${config.services.postgresql.superUser} psql <<SQL
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"