diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
index 7ec034d..9ca01f4 100644
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@@ -2,10 +2,10 @@
 {
 networking = {
 # portunus module does weird things to this, so we force it to some sane values
- hosts = {
- "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
- "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
- };
+ # hosts = {
+ # "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+ # "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+ # };
 hostId = "a71c81fc";
 domain = "ifsr.de";
 hostName = "quitte";
diff --git a/modules/core/podman.nix b/modules/core/podman.nix
index ad47b5b..625d25b 100644
--- a/modules/core/podman.nix
+++ b/modules/core/podman.nix
@@ -23,4 +23,4 @@
 #docker-compose # start group of containers for dev
 #podman-compose # start group of containers for dev
 ];
-}
\ No newline at end of file
+}
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index f815530..d56106a 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -85,17 +85,16 @@ in
 systemd.services.forgejo.preStart =
 let
 exe = lib.getExe config.services.forgejo.package;
- portunus = config.services.portunus;
- basedn = "ou=users,${portunus.ldap.suffix}";
+ basedn = "ou=users,dc=ifsr,dc=de";
 ldapConfigArgs = ''
 --name LDAP \
 --active \
 --security-protocol unencrypted \
- --host '${portunus.domain}' \
+ --host 'auth.ifsr.de' \
 --port 389 \
 --user-search-base '${basedn}' \
 --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
- --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
+ --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
 --username-attribute uid \
 --firstname-attribute givenName \
 --surname-attribute sn \
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 5352ba1..acfc46e 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
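Review bot: The comment `# portunus module does weird things to this, so we force it to some sane values` now sits above a block that is entirely commented out, so it describes code that no longer runs; since this same commit disables `services.portunus`, the override has no reason to exist and should be deleted rather than kept as dead text. If the block is intentionally kept for a later revert, say so explicitly, e.g. `# hosts override no longer needed after the portunus -> openldap migration; remove once confirmed`. Note that dropping the `/etc/hosts` entry means `quitte.ifsr.de` now resolves via DNS only, so anything that relied on it being loopback needs to be checked (I cannot tell from the diff whether anything does). The enclosing `networking = { ... }` attrset continues past the end of the hunk.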
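Review bot: `--host 'auth.ifsr.de'` combined with the unchanged `--security-protocol unencrypted` and `--port 389` means every Forgejo login bind now goes in cleartext to whatever `auth.ifsr.de` resolves to, whereas the old `${portunus.domain}` was documented (in the comment removed from modules/ldap/default.nix) as resolving to localhost, and the other consumers in this commit (hedgedoc, matrix) use `ldap://localhost`. If the name is not guaranteed to be loopback, either use `--host 'localhost'` or switch to the LDAPS listener this commit configures (`--security-protocol ldaps --port 636`). Separately, `--admin-filter '(isMemberOf=cn=admins,...)'` relies on the portunus-specific `isMemberOf` attribute; the new openldap memberof overlay writes `memberOf` (`olcMemberOfMemberOfAD = "memberOf"`) and the `isMemberOf` attributetype only survives as a comment in the schema list, so as written no user will be granted admin — `--admin-filter '(memberOf=cn=admins,ou=groups,dc=ifsr,dc=de)'` matches the overlay as configured, assuming groups are `groupOfNames` with `member`. The `let` block of `preStart` continues outside the hunk.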
@@ -54,9 +54,9 @@ in
 # ldap auth
 ldap = rec {
 url = "ldap://localhost";
- searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+ searchBase = "ou=users,dc=ifsr,dc=de";
 searchFilter = "(uid={{username}})";
- bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+ bindDn = "uid=search,${searchBase}";
 bindCredentials = "\${LDAP_CREDENTIALS}";
 useridField = "uid";
 providerName = "iFSR";
diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index 9edc86a..6b4841f 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -5,7 +5,7 @@ let
 in
 {
 sops.secrets."kanboard_env" = { };
- 
+
 virtualisation.oci-containers = {
 containers.kanboard = {
 image = "ghcr.io/kanboard/kanboard:v1.2.36";
diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 85ba359..385e976 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
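Review bot: `bindDn = "uid=search,${searchBase}"` hard-codes a service account that this commit stops provisioning: the `search` user and the `ou=users` subtree were created by the portunus `seedSettings` that are commented out in modules/ldap/default.nix, and nothing in the diff creates them in the new openldap database. Under the `olcAccess` rules added there, a bound DN that is not `cn=portunus,dc=ifsr,dc=de` and not a member of `cn=portunus-viewers,dc=ifsr,dc=de` gets only `by self read`, so even an existing `uid=search` would see nothing for the `(uid={{username}})` search unless it is in that group. Either provision the entry and group membership declaratively (e.g. via `services.openldap.declarativeContents`, if that fits the deployment) or document the manual step with a comment such as `# uid=search must exist under ou=users and be a member of cn=portunus-viewers; it is no longer seeded by portunus`.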
@@ -1,90 +1,175 @@ { config, pkgs, system, ... }: let domain = "auth.${config.networking.domain}"; - seedSettings = { - groups = [ - { - name = "admins"; - long_name = "Portunus Admin"; - members = [ "admin" ]; - permissions.portunus.is_admin = true; - } - { - name = "search"; - long_name = "LDAP search group"; - members = [ "search" ]; - permissions.ldap.can_read = true; - } - { - name = "fsr"; - long_name = "Mitglieder des iFSR"; - } - ]; - users = [ - { - login_name = "admin"; - given_name = "admin"; - family_name = "admin"; - password.from_command = [ - "${pkgs.coreutils}/bin/cat" - config.sops.secrets."portunus/admin-password".path - ]; - } - { - login_name = "search"; - given_name = "search"; - family_name = "search"; - password.from_command = [ - "${pkgs.coreutils}/bin/cat" - config.sops.secrets."portunus/search-password".path - ]; - } - ]; - }; + # seedSettings = { + # groups = [ + # { + # name = "admins"; + # long_name = "Portunus Admin"; + # members = [ "admin" ]; + # permissions.portunus.is_admin = true; + # } + # { + # name = "search"; + # long_name = "LDAP search group"; + # members = [ "search" ]; + # permissions.ldap.can_read = true; + # } + # { + # name = "fsr"; + # long_name = "Mitglieder des iFSR"; + # } + # ]; + # users = [ + # { + # login_name = "admin"; + # given_name = "admin"; + # family_name = "admin"; + # password.from_command = [ + # "${pkgs.coreutils}/bin/cat" + # config.sops.secrets."portunus/admin-password".path + # ]; + # } + # { + # login_name = "search"; + # given_name = "search"; + # family_name = "search"; + # password.from_command = [ + # "${pkgs.coreutils}/bin/cat" + # config.sops.secrets."portunus/search-password".path + # ]; + # } + # ]; + # }; in { - sops.secrets = { - "portunus/admin-password".owner = config.services.portunus.user; - "portunus/search-password".owner = config.services.portunus.user; - }; + # sops.secrets = { + # "portunus/admin-password".owner = config.services.portunus.user; + # 
"portunus/search-password".owner = config.services.portunus.user; + # }; - services.portunus = { + # services.portunus = { + # enable = true; + # package = pkgs.portunus.overrideAttrs (_old: { + # patches = [ + # ./0001-update-user-validation-regex.patch + # ./0002-both-ldap-and-ldaps.patch + # ./0003-gecos-ascii-escape.patch + # ./0004-make-givenName-optional.patch + # ]; + # doCheck = false; # posix regex related tests break + # }); + + # inherit domain seedSettings; + # port = 8681; + # ldap = { + # suffix = "dc=ifsr,dc=de"; + # searchUserName = "search"; + + # # normally disables port 389 (but not with our patch), use 636 with tls + # # `portunus.domain` resolves to localhost + # tls = true; + # }; + # }; + services.openldap = { enable = true; - package = pkgs.portunus.overrideAttrs (_old: { - patches = [ - ./0001-update-user-validation-regex.patch - ./0002-both-ldap-and-ldaps.patch - ./0003-gecos-ascii-escape.patch - ./0004-make-givenName-optional.patch - ]; - doCheck = false; # posix regex related tests break - }); + urlList = [ "ldap:///" "ldaps:///" ]; + settings = { + attrs = { + olcLogLevel = "conns"; - inherit domain seedSettings; - port = 8681; - ldap = { - suffix = "dc=ifsr,dc=de"; - searchUserName = "search"; + olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem"; + olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem"; + olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem"; + # olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; + olcTLSCRLCheck = "none"; + olcTLSVerifyClient = "never"; + olcTLSProtocolMin = "3.1"; - # normally disables port 389 (but not with our patch), use 636 with tls - # `portunus.domain` resolves to localhost - tls = true; + }; + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + # attributetype ( 9999.1.1 NAME 'isMemberOf' + # DESC 'back-reference to groups this user is a member of' + # SUP distinguishedName ) + "${pkgs.openldap}/etc/schema/cosine.ldif" + 
"${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + # "${pkgs.writeText "openssh.schema" '' + # attributetype ( 9999.1.2 NAME 'sshPublicKey' + # DESC 'SSH public key used by this user' + # SUP name ) + # ''}" + ]; + + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = "dc=ifsr,dc=de"; + + /* your admin account, do not use writeText on a production system */ + olcRootDN = "cn=portunus,dc=ifsr,dc=de"; + olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; + + olcAccess = [ + /* custom access rules for userPassword attributes */ + ''{0}to attrs=userPassword + by self write + by anonymous auth + by * none'' + + /* allow read on anything else */ + ''{1}to * + by dn.base="cn=portunus,dc=ifsr,dc=de" write + by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read + by self read + by anonymous auth + '' + ]; + }; + children = { + "olcOverlay={2}memberof".attrs = { + objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ]; + olcOverlay = "{2}memberof"; + olcMemberOfRefInt = "TRUE"; + olcMemberOfDangling = "ignore"; + olcMemberOfGroupOC = "groupOfNames"; + olcMemberOfMemberAD = "member"; + olcMemberOfMemberOfAD = "memberOf"; + }; + }; + }; + }; }; }; + systemd.services.openldap = { + wants = [ "acme-${domain}.service" ]; + after = [ "acme-${domain}.service" ]; + }; + # security.acme.defaults.group = "certs"; + # users.groups.certs.members = [ "openldap" ]; + # certificate permissions + users.users.openldap.extraGroups = [ "nginx" ]; + security.pam.services.sshd.makeHomeDir = true; services.nginx = { enable = true; - virtualHosts."${config.services.portunus.domain}" = { - locations = { - "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; - }; + virtualHosts."${domain}" = { + # locations = { + # "/".proxyPass = "http://localhost:${toString 
config.services.portunus.port}";
+ # };
 };
 };
 networking.firewall = {
 extraInputRules = ''
- ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+ ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
 '';
 };
 }
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index f21db85..d4ca31f 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -96,22 +96,21 @@ in
 extraConfigFiles = [
 (pkgs.writeTextFile {
 name = "matrix-synapse-extra-config.yml";
- text = let portunus = config.services.portunus; in
- ''
- modules:
- - module: ldap_auth_provider.LdapAuthProviderModule
- config:
- enabled: true
- uri: ldap://localhost
- base: ou=users,${portunus.ldap.suffix}
- # taken from kaki config
- attributes:
- uid: uid
- mail: uid
- name: cn
- bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
- bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
- '';
+ text = ''
+ modules:
+ - module: ldap_auth_provider.LdapAuthProviderModule
+ config:
+ enabled: true
+ uri: ldap://localhost
+ base: ou=users,dc=ifsr,dc=de
+ # taken from kaki config
+ attributes:
+ uid: uid
+ mail: uid
+ name: cn
+ bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+ bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+ '';
 })
 ];
 };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 5688d47..ac11e63 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -59,7 +59,7 @@ in
 occ = lib.getExe config.services.nextcloud.occ;
 ldapConfig = rec {
 ldapAgentName = "uid=search,ou=users,${ldapBase}";
- ldapBase = config.services.portunus.ldap.suffix;
+ ldapBase = "dc=ifsr,dc=de";
 ldapBaseGroups = "ou=groups,${ldapBase}";
 ldapBaseUsers = "ou=users,${ldapBase}";
 ldapConfigurationActive = "1";
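Review bot: `olcRootPW = "{CRYPT}$y$j9T$..."` embeds the directory root password hash directly in the Nix expression, so it ends up in the world-readable Nix store and in git history and is crackable offline — a regression from the old setup where `portunus/admin-password` came from sops, and the copied comment `/* your admin account, do not use writeText on a production system */` does not match what the line actually does. Keep the hash in a sops secret owned by `openldap` and point the attribute at the file (the NixOS openldap module accepts `{ path = config.sops.secrets."openldap/root-pw".path; }` as an attribute value, if I recall correctly — please verify), and rotate the password since this hash is already published. `olcTLSProtocolMin = "3.1"` selects TLS 1.0 as the floor; use `olcTLSProtocolMin = "3.3";` (TLS 1.2) now that the listener is exposed on 636 to the office nets. `users.users.openldap.extraGroups = [ "nginx" ]` grants slapd everything the nginx group can read just to reach the ACME key, which is wider than the commented-out `certs` group approach, and I do not see anything in this hunk that actually requests a certificate for `auth.ifsr.de` (the nginx vhost has no `enableACME`/`forceSSL`), so confirm it is issued elsewhere or `acme-${domain}.service` will not exist.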