2024-06-21 18:47:49 +02:00
|
|
|
{ config, pkgs, system, ... }:
|
2022-12-17 17:42:10 +01:00
|
|
|
let
|
2023-09-17 20:10:55 +02:00
|
|
|
domain = "auth.${config.networking.domain}";
|
2024-07-05 14:18:30 +02:00
|
|
|
# seedSettings = {
|
|
|
|
# groups = [
|
|
|
|
# {
|
|
|
|
# name = "admins";
|
|
|
|
# long_name = "Portunus Admin";
|
|
|
|
# members = [ "admin" ];
|
|
|
|
# permissions.portunus.is_admin = true;
|
|
|
|
# }
|
|
|
|
# {
|
|
|
|
# name = "search";
|
|
|
|
# long_name = "LDAP search group";
|
|
|
|
# members = [ "search" ];
|
|
|
|
# permissions.ldap.can_read = true;
|
|
|
|
# }
|
|
|
|
# {
|
|
|
|
# name = "fsr";
|
|
|
|
# long_name = "Mitglieder des iFSR";
|
|
|
|
# }
|
|
|
|
# ];
|
|
|
|
# users = [
|
|
|
|
# {
|
|
|
|
# login_name = "admin";
|
|
|
|
# given_name = "admin";
|
|
|
|
# family_name = "admin";
|
|
|
|
# password.from_command = [
|
|
|
|
# "${pkgs.coreutils}/bin/cat"
|
|
|
|
# config.sops.secrets."portunus/admin-password".path
|
|
|
|
# ];
|
|
|
|
# }
|
|
|
|
# {
|
|
|
|
# login_name = "search";
|
|
|
|
# given_name = "search";
|
|
|
|
# family_name = "search";
|
|
|
|
# password.from_command = [
|
|
|
|
# "${pkgs.coreutils}/bin/cat"
|
|
|
|
# config.sops.secrets."portunus/search-password".path
|
|
|
|
# ];
|
|
|
|
# }
|
|
|
|
# ];
|
|
|
|
# };
|
2022-12-17 17:42:10 +01:00
|
|
|
in
|
|
|
|
{
|
2024-07-05 14:18:30 +02:00
|
|
|
# sops.secrets = {
|
|
|
|
# "portunus/admin-password".owner = config.services.portunus.user;
|
|
|
|
# "portunus/search-password".owner = config.services.portunus.user;
|
|
|
|
# };
|
|
|
|
|
|
|
|
# services.portunus = {
|
|
|
|
# enable = true;
|
|
|
|
# package = pkgs.portunus.overrideAttrs (_old: {
|
|
|
|
# patches = [
|
|
|
|
# ./0001-update-user-validation-regex.patch
|
|
|
|
# ./0002-both-ldap-and-ldaps.patch
|
|
|
|
# ./0003-gecos-ascii-escape.patch
|
|
|
|
# ./0004-make-givenName-optional.patch
|
|
|
|
# ];
|
|
|
|
# doCheck = false; # posix regex related tests break
|
|
|
|
# });
|
2022-12-02 14:25:55 +01:00
|
|
|
|
2024-07-05 14:18:30 +02:00
|
|
|
# inherit domain seedSettings;
|
|
|
|
# port = 8681;
|
|
|
|
# ldap = {
|
|
|
|
# suffix = "dc=ifsr,dc=de";
|
|
|
|
# searchUserName = "search";
|
|
|
|
|
|
|
|
# # normally disables port 389 (but not with our patch), use 636 with tls
|
|
|
|
# # `portunus.domain` resolves to localhost
|
|
|
|
# tls = true;
|
|
|
|
# };
|
|
|
|
# };
|
|
|
|
services.openldap = {
|
2022-12-02 14:25:55 +01:00
|
|
|
enable = true;
|
2024-07-05 14:18:30 +02:00
|
|
|
urlList = [ "ldap:///" "ldaps:///" ];
|
|
|
|
settings = {
|
|
|
|
attrs = {
|
|
|
|
olcLogLevel = "conns";
|
|
|
|
|
|
|
|
olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
|
|
|
|
olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
|
|
|
|
olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
|
|
|
|
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
|
|
|
|
olcTLSCRLCheck = "none";
|
|
|
|
olcTLSVerifyClient = "never";
|
|
|
|
olcTLSProtocolMin = "3.1";
|
|
|
|
|
|
|
|
};
|
|
|
|
children = {
|
|
|
|
"cn=schema".includes = [
|
|
|
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
|
|
|
# attributetype ( 9999.1.1 NAME 'isMemberOf'
|
|
|
|
# DESC 'back-reference to groups this user is a member of'
|
|
|
|
# SUP distinguishedName )
|
|
|
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
|
|
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
|
|
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
|
|
|
# "${pkgs.writeText "openssh.schema" ''
|
|
|
|
# attributetype ( 9999.1.2 NAME 'sshPublicKey'
|
|
|
|
# DESC 'SSH public key used by this user'
|
|
|
|
# SUP name )
|
|
|
|
# ''}"
|
|
|
|
];
|
|
|
|
|
|
|
|
"olcDatabase={1}mdb" = {
|
|
|
|
attrs = {
|
|
|
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
|
|
|
|
|
|
|
olcDatabase = "{1}mdb";
|
|
|
|
olcDbDirectory = "/var/lib/openldap/data";
|
|
|
|
|
|
|
|
olcSuffix = "dc=ifsr,dc=de";
|
|
|
|
|
|
|
|
/* your admin account, do not use writeText on a production system */
|
|
|
|
olcRootDN = "cn=portunus,dc=ifsr,dc=de";
|
|
|
|
olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
|
2023-01-18 14:12:03 +01:00
|
|
|
|
2024-07-05 14:18:30 +02:00
|
|
|
olcAccess = [
|
|
|
|
/* custom access rules for userPassword attributes */
|
|
|
|
''{0}to attrs=userPassword
|
|
|
|
by self write
|
|
|
|
by anonymous auth
|
|
|
|
by * none''
|
2023-01-18 14:12:03 +01:00
|
|
|
|
2024-07-05 14:18:30 +02:00
|
|
|
/* allow read on anything else */
|
|
|
|
''{1}to *
|
|
|
|
by dn.base="cn=portunus,dc=ifsr,dc=de" write
|
|
|
|
by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
|
|
|
|
by self read
|
|
|
|
by anonymous auth
|
|
|
|
''
|
|
|
|
];
|
|
|
|
};
|
|
|
|
children = {
|
|
|
|
"olcOverlay={2}memberof".attrs = {
|
|
|
|
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
|
|
|
|
olcOverlay = "{2}memberof";
|
|
|
|
olcMemberOfRefInt = "TRUE";
|
|
|
|
olcMemberOfDangling = "ignore";
|
|
|
|
olcMemberOfGroupOC = "groupOfNames";
|
|
|
|
olcMemberOfMemberAD = "member";
|
|
|
|
olcMemberOfMemberOfAD = "memberOf";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2022-12-02 14:25:55 +01:00
|
|
|
};
|
2023-07-07 17:12:59 +02:00
|
|
|
};
|
2022-12-02 14:25:55 +01:00
|
|
|
|
2024-07-05 14:18:30 +02:00
|
|
|
systemd.services.openldap = {
|
|
|
|
wants = [ "acme-${domain}.service" ];
|
|
|
|
after = [ "acme-${domain}.service" ];
|
|
|
|
};
|
|
|
|
# security.acme.defaults.group = "certs";
|
|
|
|
# users.groups.certs.members = [ "openldap" ];
|
|
|
|
# certificate permissions
|
|
|
|
users.users.openldap.extraGroups = [ "nginx" ];
|
|
|
|
|
2023-08-22 15:25:33 +02:00
|
|
|
security.pam.services.sshd.makeHomeDir = true;
|
2023-02-15 11:29:47 +01:00
|
|
|
|
2022-12-17 13:58:06 +01:00
|
|
|
services.nginx = {
|
|
|
|
enable = true;
|
2024-07-05 14:18:30 +02:00
|
|
|
virtualHosts."${domain}" = {
|
|
|
|
# locations = {
|
|
|
|
# "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
|
|
|
# };
|
2022-12-17 13:58:06 +01:00
|
|
|
};
|
2022-12-02 14:25:55 +01:00
|
|
|
};
|
2023-11-28 23:00:41 +01:00
|
|
|
networking.firewall = {
|
|
|
|
extraInputRules = ''
|
2024-07-05 14:18:30 +02:00
|
|
|
ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
2023-11-28 23:00:41 +01:00
|
|
|
'';
|
|
|
|
};
|
2022-12-02 14:25:55 +01:00
|
|
|
}
|