switch to ldaps

2023-06-15 17:48:20 +02:00 · 2023-06-15 17:48:20 +02:00 · c6ebb06f68
commit c6ebb06f68
parent 6bed81c8a9
6 changed files with 19 additions and 22 deletions
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -44,15 +44,17 @@ in
        allowAnonymousEdits = true;
        defaultPermission = "limited";
        # ldap auth
-        ldap = rec {
+        ldap =
-          url = "ldap://localhost";
+          let portunus = config.services.portunus;
-          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+          in rec {
-          searchFilter = "(uid={{username}})";
+            url = "ldaps://${portunus.domain}";
-          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+            searchBase = "ou=users,${portunus.ldap.suffix}";
-          bindCredentials = "\${LDAP_CREDENTIALS}";
+            searchFilter = "(uid={{username}})";
-          useridField = "uid";
+            bindDn = "uid=${portunus.ldap.searchUserName},${searchBase}";
-          providerName = "iFSR";
+            bindCredentials = "\${LDAP_CREDENTIALS}";
-        };
+            useridField = "uid";
            providerName = "iFSR";
          };
      };
    };
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@ -7,18 +7,13 @@ let
        name = "admins";
        long_name = "Portunus Admin";
        members = [ "admin" ];
-        permissions = {
+        permissions.portunus.is_admin = true;
          portunus.is_admin = true;
          ldap.can_read = true;
        };
      }
      {
        name = "search";
        long_name = "LDAP search group";
        members = [ "search" ];
-        permissions = {
+        permissions.ldap.can_read = true;
          ldap.can_read = true;
        };
      }
      {
        name = "fsr";
@ -73,7 +68,7 @@ in
        # disables port 389, use 636 with tls
        # `portunus.domain` resolves to localhost
-        tls = false;
+        tls = true;
      };
      seedPath = pkgs.writeText "portunus-seed.json" (builtins.toJSON seed);
@ -113,7 +108,7 @@ in
      let portunus = config.services.portunus;
      in rec {
        enable = true;
-        server = "ldap://localhost";
+        server = "ldaps://${portunus.domain}";
        base = "ou=users,${portunus.ldap.suffix}";
        bind = {
          distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -11,7 +11,7 @@ let
  #result_attribute=mail
  #'';
  dovecot-ldap-args = pkgs.writeText "ldap-args" ''
-    uris = ldap://localhost
+    uris = ldaps://${config.services.portunus.domain}
    dn = uid=search, ou=users, dc=ifsr, dc=de
    auth_bind = yes
    !include ${config.sops.secrets."dovecot_ldap_search".path}
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@ -13,7 +13,7 @@
    siteOwner = "root@${config.fsr.domain}";
    ldap = {
      enable = true;
-      serverUri = "ldap://localhost";
+      serverUri = "ldaps://${config.services.portunus.domain}";
      bindDn = "uid=search, ou=users, dc=ifsr, dc=de";
      bindPasswordFile = config.sops.secrets.mailman_ldap_search.path;
      userSearch = {
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -101,7 +101,7 @@ in
              - module: ldap_auth_provider.LdapAuthProviderModule
                config:
                  enabled: true
-                  uri: ldap://localhost
+                  uri: ldaps://${portunus.domain}
                  base: ou=users,${portunus.ldap.suffix}
                  # taken from kaki config
                  attributes:
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@ -28,7 +28,7 @@ in
                  baseDN = "ou=users, dc=ifsr, dc=de";
                  bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
                  bindPassword = LDAP_SEARCH;
-                  hostname = "ldap://localhost";
+                  hostname = "ldaps://${config.services.portunus.domain}";
                  canAuthenticate = YES;
                  id = directory;