diff --git a/flake.lock b/flake.lock
index 59ede56..6d91b84 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1681005198,
- "narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=",
+ "lastModified": 1683504292,
+ "narHash": "sha256-jlZbBIKGa6IMGkcJkQ08pbKnouTAPfeq1fD5I7l/rBw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a",
+ "rev": "ba0086c178d4ed60a7899f739caea553eca2e046",
 "type": "github"
 },
 "original": {
@@ -87,16 +87,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1681269223,
- "narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
- "owner": "nixos",
+ "lastModified": 1682690464,
+ "narHash": "sha256-GGbMZLYG7/4oZupWeBbw7qx7QEnDDyVE0IEmnsy+NnY=",
+ "owner": "revol-xut",
 "repo": "nixpkgs",
- "rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
+ "rev": "a381a30411963ccb19030b8b49e071bd21aa8517",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
- "ref": "nixos-22.11",
+ "owner": "revol-xut",
+ "ref": "master",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -116,11 +116,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1681209176,
- "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=",
+ "lastModified": 1683545104,
+ "narHash": "sha256-48wC0zzHAej/wLFWIgV+uj63AvQ2UUk85g7wmXJzTqk=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1",
+ "rev": "36b062a2c85a0efb37de1300c79c54602a094fab",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 7e351f7..04864fc 100755
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 {
 inputs = {
- nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
+ nixpkgs.url = github:revol-xut/nixpkgs/master;
 sops-nix.url = github:Mic92/sops-nix;
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 fsr-infoscreen.url = github:fsr/infoscreen;
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 4d28d08..2495c98 100644
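Review bot: The `nixpkgs` input in flake.nix now points at `github:revol-xut/nixpkgs/master`, a personal fork on a mutable branch, in place of the upstream `nixos-22.11` release branch, and because `sops-nix.inputs.nixpkgs.follows = "nixpkgs"` the whole system closure is built from that fork. The lockfile pins a commit today, but from here on stable-branch security updates no longer arrive with `nix flake update`, and any force-push to or compromise of that account's `master` is pulled in by the next update with no review step. Presumably the fork exists to get the `services.portunus.dex` option used in modules/ldap.nix; if so, pin to the commit rather than the branch, e.g. `nixpkgs.url = github:revol-xut/nixpkgs/a381a30411963ccb19030b8b49e071bd21aa8517;`, and record the reason next to it with `# fork of nixos-22.11 carrying the portunus dex module; switch back once merged upstream`. An alternative with the same effect is to stay on `nixos-22.11` and carry the needed module as an overlay or `disabledModules`/`imports` entry.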
--- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "auth.${config.fsr.domain}"; @@ -9,50 +9,33 @@ let ldapGroup = "openldap"; in { - sops.secrets.unix_ldap_search = { - key = "portunus_search"; - owner = config.systemd.services.nslcd.serviceConfig.User; - }; - - - users.users."${portunusUser}" = { - isSystemUser = true; - group = "${portunusGroup}"; - }; - - users.groups."${portunusGroup}" = { - name = "${portunusGroup}"; - members = [ "${portunusUser}" ]; - }; - - users.users."${ldapUser}" = { - isSystemUser = true; - group = "${ldapGroup}"; - }; - - users.groups."${ldapGroup}" = { - name = "${ldapGroup}"; - members = [ "${ldapUser}" ]; - }; - sops.secrets = { - "portunus_admin" = { + "portunus/users/admin-password" = { owner = "${portunusUser}"; group = "${portunusGroup}"; }; - "portunus_search" = { + "portunus/users/search-password" = { owner = "${portunusUser}"; group = "${portunusGroup}"; }; + "dex/environment" = { + owner = config.systemd.services.dex.serviceConfig.User; + group = "dex"; + }; }; + services.dex.settings.oauth2.skipApprovalScreen = true; + services.portunus = { enable = true; user = "${portunusUser}"; group = "${portunusGroup}"; domain = "${domain}"; port = 8081; - + userRegex = "[a-z_][a-z0-9_.-]*\$?"; + dex = { + enable = true; + }; ldap = { user = "${ldapUser}"; group = "${ldapGroup}"; 
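Review bot: `services.dex.settings.oauth2.skipApprovalScreen = true;` removes the consent step for every OAuth2 client dex serves, so a user who already has a session is issued tokens to any registered client without being asked; that is acceptable only while every client is a first-party service, and the hunk does not record that assumption. I would add `# every dex client is one of our own services, so no user consent screen is needed` above the line, or leave the setting at its default if a third-party client is ever expected. The added `userRegex = "[a-z_][a-z0-9_.-]*\$?";` has no `^`/`$` anchors; whether Portunus anchors the pattern itself is not visible here, so confirm against the pinned portunus revision that a name such as `Admin` or `x y` is actually rejected rather than merely required to contain a matching substring. The `services.portunus` attribute set opened in this hunk continues past it.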
@@ -62,18 +45,47 @@ in # disables port 389, use 636 with tls # `portunus.domain` resolves to localhost - #tls = true; + tls = true; }; seedPath = ../config/portunus_seeds.json; }; + systemd.services.dex.serviceConfig = { + DynamicUser = lib.mkForce false; + EnvironmentFile = config.sops.secrets."dex/environment".path; + StateDirectory = "dex"; + User = "dex"; + }; - #users.ldap = { - #enable = true; - #server = "ldap://localhost"; - #base = "${config.services.portunus.ldap.suffix}"; - #}; - users.ldap = + users = { + groups = { + dex = {}; + + "${portunusGroup}" = { + name = "${portunusGroup}"; + members = [ "${portunusUser}" ]; + }; + "${ldapGroup}" = { + name = "${ldapGroup}"; + members = [ "${ldapUser}" ]; + }; + }; + users = { + dex = { + group = "dex"; + isSystemUser = true; + }; + "${portunusUser}" = { + isSystemUser = true; + group = "${portunusGroup}"; + }; + + "${ldapUser}" = { + isSystemUser = true; + group = "${ldapGroup}"; + }; + }; + ldap = let portunus = config.services.portunus; base = "ou=users,${portunus.ldap.suffix}"; @@ -84,10 +96,11 @@ in base = base; bind = { distinguishedName = "uid=${portunus.ldap.searchUserName},${base}"; - passwordFile = config.sops.secrets.unix_ldap_search.path; + passwordFile = config.sops.secrets."portunus/users/search-password".path; }; daemon.enable = true; }; + }; security.pam.services.sshd.text = '' # Account management. @@ -123,7 +136,6 @@ in }; }; }; - nixpkgs.overlays = [ (self: super: { @@ -131,10 +143,11 @@ in src = super.fetchFromGitHub { owner = "revol-xut"; repo = "portunus"; - rev = "4dc29febacb11c613785bc95352fa00e0ca9b14a"; - sha256 = "sha256-6O2392aHXhgvgZf6ftDY5Bh6hG3OzzCnlriig/Vkkz8="; + rev = "8bad0661ecca9276991447f8e585c20c450ad57a"; + sha256 = "sha256-59AvNWhnsvtrVmAJRcHeNOYOlHCx1ZZSqwFvyAM+Ye8="; }; }); }) ]; + } diff --git a/modules/wiki.nix b/modules/wiki.nix index aa4e5cc..8647cd4 100644 --- a/modules/wiki.nix +++ b/modules/wiki.nix 
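Review bot: `DynamicUser = lib.mkForce false;` in the new `systemd.services.dex.serviceConfig` block also drops the sandboxing that `DynamicUser=yes` implies (`RemoveIPC`, `PrivateTmp`, `ProtectSystem=strict`, `ProtectHome=read-only`, `NoNewPrivileges`), unless the upstream dex module sets those explicitly, which this hunk does not show. Switching to the static `dex` user is reasonable since the sops secret has to be owned by it, but the lost hardening should be restated alongside the override so dex keeps the same confinement it had before. The `users = {` attribute set opened further down in this hunk closes in the next hunk.
```nix
systemd.services.dex.serviceConfig = {
  DynamicUser = lib.mkForce false;
  EnvironmentFile = config.sops.secrets."dex/environment".path;
  StateDirectory = "dex";
  User = "dex";
  # DynamicUser=true implied these; restate them now that dex runs as a static user
  NoNewPrivileges = true;
  PrivateTmp = true;
  ProtectHome = true;
  ProtectSystem = "strict";
  RemoveIPC = true;
};
```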
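Review bot: `passwordFile = config.sops.secrets."portunus/users/search-password".path;` hands nslcd a secret that the first hunk declares with `owner = portunusUser` and the sops-nix default mode of 0400, whereas the removed `sops.secrets.unix_ldap_search` entry existed precisely to give nslcd's own user (`config.systemd.services.nslcd.serviceConfig.User`) a readable copy of the same key. Unless the NixOS ldap module reads `bind.passwordFile` as root before dropping to the nslcd user, which is not visible here, nslcd will fail to open the file and LDAP account lookups stop working after this change; confirm on a deployed host with `sudo -u nslcd cat` on that path. If it does fail, restore a second decryption of the same key for nslcd: `sops.secrets."unix_ldap_search" = { key = "portunus/users/search-password"; owner = config.systemd.services.nslcd.serviceConfig.User; };` and point `passwordFile` back at it. The `users.ldap` block this hunk edits starts in the previous hunk.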
@@ -20,8 +20,8 @@ name = "FSR Wiki"; passwordFile = config.sops.secrets."mediawiki/initial_admin".path; database = { + createLocally = false; type = "postgres"; - # socket = "/run/postgresql"; user = "mediawiki"; name = "mediawiki"; host = "localhost";
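Review bot: With `createLocally = false;` the MediaWiki module no longer creates the `mediawiki` role and database, and since `host = "localhost"` the connection goes over TCP rather than the peer-authenticated socket the removed `# socket = "/run/postgresql"` hint referred to, so PostgreSQL will ask for a password under NixOS's default pg_hba rules. Nothing in the hunk supplies one; if `database.passwordFile` is not set in the surrounding `services.mediawiki.database` lines, the wiki cannot authenticate, and if it is set elsewhere, the person reading this block cannot tell who now provisions the role. I would add `# role and database are provisioned outside this module; createLocally would try to recreate them` above `createLocally` naming where that happens. The `database` attribute set continues past the hunk.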