fruitbasket/modules/ldap/default.nix

100 lines
2.6 KiB
Nix
Raw Normal View History

2024-05-08 15:37:19 +02:00
{ config, pkgs, nixpkgs-unstable, system, ... }:
2022-12-17 17:42:10 +01:00
let
domain = "auth.${config.networking.domain}";
2024-03-05 15:10:20 +01:00
seedSettings = {
2023-07-07 17:13:17 +02:00
groups = [
{
name = "admins";
long_name = "Portunus Admin";
members = [ "admin" ];
permissions.portunus.is_admin = true;
}
{
name = "search";
long_name = "LDAP search group";
members = [ "search" ];
permissions.ldap.can_read = true;
}
{
name = "fsr";
long_name = "Mitglieder des iFSR";
}
];
users = [
{
login_name = "admin";
given_name = "admin";
family_name = "admin";
password.from_command = [
"${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/admin-password".path
];
}
{
login_name = "search";
given_name = "search";
family_name = "search";
password.from_command = [
"${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/search-password".path
];
}
];
};
2022-12-17 17:42:10 +01:00
in
{
2024-03-05 15:10:20 +01:00
# Use portunus from unstable branch until 24.05 is here
disabledModules = [ "services/misc/portunus.nix" ];
imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
nixpkgs.overlays = [
2024-03-11 22:49:12 +01:00
(_self: _super: {
2024-03-05 15:10:20 +01:00
inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
})
];
sops.secrets = {
"portunus/admin-password".owner = config.services.portunus.user;
"portunus/search-password".owner = config.services.portunus.user;
};
services.portunus = {
enable = true;
2023-09-17 20:14:32 +02:00
package = pkgs.portunus.overrideAttrs (_old: {
patches = [
./0001-update-user-validation-regex.patch
./0002-both-ldap-and-ldaps.patch
./0003-gecos-ascii-escape.patch
./0004-make-givenName-optional.patch
];
2024-03-05 15:10:20 +01:00
doCheck = false; # posix regex related tests break
2023-07-04 17:06:18 +02:00
});
2024-03-05 15:10:20 +01:00
inherit domain seedSettings;
port = 8681;
ldap = {
2022-12-17 19:21:16 +01:00
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# normally disables port 389 (but not with our patch), use 636 with tls
# `portunus.domain` resolves to localhost
tls = true;
};
};
2023-08-22 15:25:33 +02:00
security.pam.services.sshd.makeHomeDir = true;
services.nginx = {
enable = true;
virtualHosts."${config.services.portunus.domain}" = {
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
};
};
};
2023-11-28 23:00:41 +01:00
networking.firewall = {
extraInputRules = ''
ip saddr { 141.30.86.192/26, 141.76.100.128/25 } tcp dport 636 accept comment "Allow ldaps access from office nets"
'';
};
}