fruitbasket/modules/ldap/default.nix

{ config, pkgs, nixpkgs-unstable, system, ... }:
let
  domain = "auth.${config.networking.domain}";
  seedSettings = {
    groups = [
      {
        name = "admins";
        long_name = "Portunus Admin";
        members = [ "admin" ];
        permissions.portunus.is_admin = true;
      }
      {
        name = "search";
        long_name = "LDAP search group";
        members = [ "search" ];
        permissions.ldap.can_read = true;
      }
      {
        name = "fsr";
        long_name = "Mitglieder des iFSR";
      }
    ];
    users = [
      {
        login_name = "admin";
        given_name = "admin";
        family_name = "admin";
        password.from_command = [
          "${pkgs.coreutils}/bin/cat"
          config.sops.secrets."portunus/admin-password".path
        ];
      }
      {
        login_name = "search";
        given_name = "search";
        family_name = "search";
        password.from_command = [
          "${pkgs.coreutils}/bin/cat"
          config.sops.secrets."portunus/search-password".path
        ];
      }
    ];
  };
in
{
  # Use portunus from unstable branch until 24.05 is here
  disabledModules = [ "services/misc/portunus.nix" ];
  imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
  nixpkgs.overlays = [
    (_self: _super: {
      inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
    })
  ];

  sops.secrets = {
    "portunus/admin-password".owner = config.services.portunus.user;
    "portunus/search-password".owner = config.services.portunus.user;
  };

  services.portunus = {
    enable = true;
    package = pkgs.portunus.overrideAttrs (_old: {
      patches = [
        ./0001-update-user-validation-regex.patch
        ./0002-both-ldap-and-ldaps.patch
        ./0003-gecos-ascii-escape.patch
        ./0004-make-givenName-optional.patch
      ];
      doCheck = false; # posix regex related tests break
    });

    inherit domain seedSettings;
    port = 8681;
    ldap = {
      suffix = "dc=ifsr,dc=de";
      searchUserName = "search";

      # normally disables port 389 (but not with our patch), use 636 with tls
      # `portunus.domain` resolves to localhost
      tls = true;
    };
  };

  security.pam.services.sshd.makeHomeDir = true;

  services.nginx = {
    enable = true;
    virtualHosts."${config.services.portunus.domain}" = {
      locations = {
        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
      };
    };
  };
  networking.firewall = {
    extraInputRules = ''
      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
    '';
  };
}
dex: deconfigure 2024-05-08 15:37:19 +02:00			`{ config, pkgs, nixpkgs-unstable, system, ... }:`
format ldap.nix 2022-12-17 17:42:10 +01:00			`let`
refactor: fsr.domain -> networking.domain 2023-09-17 20:10:55 +02:00			`domain = "auth.${config.networking.domain}";`
use portunus from nixos-unstable 2024-03-05 15:10:20 +01:00			`seedSettings = {`
nixify portunus seeds 2023-07-07 17:13:17 +02:00			`groups = [`
			`{`
			`name = "admins";`
			`long_name = "Portunus Admin";`
			`members = [ "admin" ];`
			`permissions.portunus.is_admin = true;`
			`}`
			`{`
			`name = "search";`
			`long_name = "LDAP search group";`
			`members = [ "search" ];`
			`permissions.ldap.can_read = true;`
			`}`
			`{`
			`name = "fsr";`
			`long_name = "Mitglieder des iFSR";`
			`}`
			`];`
			`users = [`
			`{`
			`login_name = "admin";`
			`given_name = "admin";`
			`family_name = "admin";`
			`password.from_command = [`
			`"${pkgs.coreutils}/bin/cat"`
			`config.sops.secrets."portunus/admin-password".path`
			`];`
			`}`
			`{`
			`login_name = "search";`
			`given_name = "search";`
			`family_name = "search";`
			`password.from_command = [`
			`"${pkgs.coreutils}/bin/cat"`
			`config.sops.secrets."portunus/search-password".path`
			`];`
			`}`
			`];`
			`};`
format ldap.nix 2022-12-17 17:42:10 +01:00			`in`
			`{`
use portunus from nixos-unstable 2024-03-05 15:10:20 +01:00			`# Use portunus from unstable branch until 24.05 is here`
			`disabledModules = [ "services/misc/portunus.nix" ];`
			`imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];`
			`nixpkgs.overlays = [`
treewide: ran deadnix 2024-03-11 22:49:12 +01:00			`(_self: _super: {`
use portunus from nixos-unstable 2024-03-05 15:10:20 +01:00			`inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;`
			`})`
			`];`

Synapse LDAP config, add Portunus search user, update flake 2023-01-18 14:12:03 +01:00			`sops.secrets = {`
Refactor ldap and enable dex Co-authored-by: revol-xut <revol-xut@protonmail.com> 2023-07-07 17:12:59 +02:00			`"portunus/admin-password".owner = config.services.portunus.user;`
			`"portunus/search-password".owner = config.services.portunus.user;`
basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet 2022-12-02 14:25:55 +01:00			`};`

			`services.portunus = {`
			`enable = true;`
refactor: ran deadnix 2023-09-17 20:14:32 +02:00			`package = pkgs.portunus.overrideAttrs (_old: {`
Patch Portunus to allow using both insecure ldap and ldaps at once 2023-07-23 22:28:16 +02:00			`patches = [`
			`./0001-update-user-validation-regex.patch`
			`./0002-both-ldap-and-ldaps.patch`
portunus: add patch to fix non-ascii character bug 2023-09-01 00:14:41 +02:00			`./0003-gecos-ascii-escape.patch`
patch portunus to make givenname optional 2023-09-15 13:26:45 +02:00			`./0004-make-givenName-optional.patch`
Patch Portunus to allow using both insecure ldap and ldaps at once 2023-07-23 22:28:16 +02:00			`];`
use portunus from nixos-unstable 2024-03-05 15:10:20 +01:00			`doCheck = false; # posix regex related tests break`
use portunus.package to override 2023-07-04 17:06:18 +02:00			`});`
Synapse LDAP config, add Portunus search user, update flake 2023-01-18 14:12:03 +01:00
use portunus from nixos-unstable 2024-03-05 15:10:20 +01:00			`inherit domain seedSettings;`
Refactor ldap and enable dex Co-authored-by: revol-xut <revol-xut@protonmail.com> 2023-07-07 17:12:59 +02:00			`port = 8681;`
			`ldap = {`
use `config.fsr.domain` 2022-12-17 19:21:16 +01:00			`suffix = "dc=ifsr,dc=de";`
Synapse LDAP config, add Portunus search user, update flake 2023-01-18 14:12:03 +01:00			`searchUserName = "search";`

Patch Portunus to allow using both insecure ldap and ldaps at once 2023-07-23 22:28:16 +02:00			`# normally disables port 389 (but not with our patch), use 636 with tls`
Synapse LDAP config, add Portunus search user, update flake 2023-01-18 14:12:03 +01:00			# `portunus.domain` resolves to localhost
Patch Portunus to allow using both insecure ldap and ldaps at once 2023-07-23 22:28:16 +02:00			`tls = true;`
basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet 2022-12-02 14:25:55 +01:00			`};`
Refactor ldap and enable dex Co-authored-by: revol-xut <revol-xut@protonmail.com> 2023-07-07 17:12:59 +02:00			`};`
basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet 2022-12-02 14:25:55 +01:00
ldap: simplify homedir creation 2023-08-22 15:25:33 +02:00			`security.pam.services.sshd.makeHomeDir = true;`
fixing the ldap user and temp disabling tls 2023-02-15 11:29:47 +01:00
expanded portunus config - daclaritve portunus and openldap users/groups - basic sops stuff still needs discussion 2022-12-17 13:58:06 +01:00			`services.nginx = {`
			`enable = true;`
			`virtualHosts."${config.services.portunus.domain}" = {`
			`locations = {`
			`"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";`
			`};`
			`};`
basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet 2022-12-02 14:25:55 +01:00			`};`
quitte: allow ldaps access 2023-11-28 23:00:41 +01:00			`networking.firewall = {`
			`extraInputRules = ''`
firewall: allow ldaps from podman 2024-05-19 11:15:58 +02:00			`ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"`
quitte: allow ldaps access 2023-11-28 23:00:41 +01:00			`'';`
			`};`
basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet 2022-12-02 14:25:55 +01:00			`}`