expanded portunus config

- daclaritve portunus and openldap users/groups - basic sops stuff still needs discussion
2022-12-17 13:58:06 +01:00 · 2022-12-17 13:58:06 +01:00 · 29e69b67ed
parent 00291f7e9f
commit 29e69b67ed
1 changed files with 50 additions and 16 deletions
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@ -3,31 +3,53 @@
  tld = "moe";
  hostname = "eisvogel";
  domain = "portunus.${hostname}.${tld}";
+
+  portunusUser = "portunus";
+  portunusGroup = "portunus";
+
+  ldapUser = "openldap";
+  ldapGroup = "openldap";
 in {
-  # TODO: acme/letsencrypt oder andere lösung?
-  #
-  services.nginx = {
-    enable = true;
-    virtualHosts."${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations = {
-        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-        "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
-      };
-    };
+  users.users."${portunusUser}" = {
+    isSystemUser = true;
+    group = "${portunusGroup}";
+  };
+
+  users.groups."${portunusGroup}" = {
+    name = "${portunusGroup}";
+    members = ["${portunusUser}"];
+  };
+
+  users.users."${ldapUser}" = {
+    isSystemUser = true;
+    group = "${ldapGroup}";
+  };
+
+  users.groups."${ldapGroup}" = {
+    name = "${ldapGroup}";
+    members = ["${ldapUser}"];
+  };
+
+  # TODO: eigenes secrets.yaml für seedfile?
+  sops.secrets.portunus_seedfile = {
+    owner = "${portunusUser}";
+    group = "${portunusGroup}";
  };

  services.portunus = {
    enable = true;
+    user = "${portunusUser}";
+    group = "${portunusGroup}";
    domain = "${domain}";
    ldap = {
+      user = "${ldapUser}";
+      group = "${ldapGroup}";
      suffix = "dc=${hostname},dc=${tld}";
      tls = true;
    };

-    # TODO: siehe unten sops, statische config
-    # seedPath = "";
+    # TODO: wohin seed file?
+    seedPath = "";

    # falls wir das brauchen
    # dex = {
@ -41,7 +63,20 @@ in {
    enable = true;
    server = "ldaps://${domain}";
    base = "dc=${hostname},dc=${tld}";
-    # useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen
+    # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
+  };
+
+  # TODO: acme/letsencrypt oder andere lösung?
+  services.nginx = {
+    enable = true;
+    virtualHosts."${config.services.portunus.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+        "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
+      };
+    };
  };

  networking.firewall.allowedTCPPorts = [
@ -49,5 +84,4 @@ in {
    443 # https
    636 # ldaps
  ];
-  # TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll
 }