refactor and fix stuff

This commit is contained in:
Lyn Fugmann 2023-06-11 00:30:36 +02:00
parent a7c23f9b88
commit e26a50a704
Signed by: fugi
GPG key ID: 4472A20091BFA792
4 changed files with 46 additions and 100 deletions


@ -5,8 +5,7 @@
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, sops-nix, ... }@inputs:
let
in {
{
#packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage;
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte-vm.config.system.build.vm;
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;


@ -1,62 +1,39 @@
{ config, lib, pkgs, ... }:
let
domain = "auth.${config.fsr.domain}";
portunusUser = "portunus";
portunusGroup = "portunus";
ldapUser = "openldap";
ldapGroup = "openldap";
in
{
sops.secrets = {
"portunus/users/admin-password" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
};
"portunus/users/search-password" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
mode = "0440";
};
"dex/environment" = {
owner = config.systemd.services.dex.serviceConfig.User;
group = "dex";
};
"matrix_ldap_search" = {
"portunus/users/admin-password".owner = config.services.portunus.user;
"portunus/users/search-password".owner = config.services.portunus.user;
"dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
nslcd_ldap_search = {
key = "portunus/users/search-password";
owner = config.systemd.services.nslcd.serviceConfig.User;
};
};
services.portunus = {
enable = true;
user = "${portunusUser}";
group = "${portunusGroup}";
domain = "${domain}";
port = 8681;
userRegex = "[a-z_][a-z0-9_.-]*\$?";
dex = {
enable = true;
};
ldap = {
#user = "${ldapUser}";
#group = "${ldapGroup}";
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# disables port 389, use 636 with tls
# `portunus.domain` resolves to localhost
tls = false;
};
seedPath = ../config/portunus_seeds.json;
};
services = {
portunus = {
enable = true;
domain = "${domain}";
port = 8681;
userRegex = "[a-z_][a-z0-9_.-]*\$?";
dex = {
enable = true;
};
ldap = {
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# disables port 389, use 636 with tls
# `portunus.domain` resolves to localhost
tls = false;
};
seedPath = ../config/portunus_seeds.json;
};
dex.settings.oauth2.skipApprovalScreen = true;
nginx = {
@ -80,54 +57,22 @@ in
};
users = {
groups = {
dex = { };
groups.dex = { };
"${portunusGroup}" = {
name = "${portunusGroup}";
members = [
"${portunusUser}"
config.systemd.services."matrix-synapse".serviceConfig.User
config.systemd.services.sogo.serviceConfig.User
config.systemd.services.hedgedoc.serviceConfig.User
config.systemd.services.mailman.serviceConfig.User
config.systemd.services."mailman-web-setup".serviceConfig.User
config.systemd.services.hyperkitty.serviceConfig.User
config.systemd.services.nslcd.serviceConfig.User
];
};
"${ldapGroup}" = {
name = "${ldapGroup}";
members = [ "${ldapUser}" ];
};
users.dex = {
group = "dex";
isSystemUser = true;
};
users = {
dex = {
group = "dex";
isSystemUser = true;
};
"${portunusUser}" = {
isSystemUser = true;
group = "${portunusGroup}";
};
"${ldapUser}" = {
isSystemUser = true;
group = "${ldapGroup}";
};
};
ldap =
let
portunus = config.services.portunus;
base = "ou=users,${portunus.ldap.suffix}";
in
{
let portunus = config.services.portunus;
in rec {
enable = true;
server = "ldap://localhost";
base = base;
base = "ou=users,${portunus.ldap.suffix}";
bind = {
distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
passwordFile = config.sops.secrets."portunus/users/search-password".path;
passwordFile = config.sops.secrets.nslcd_ldap_search.path;
};
daemon.enable = true;
};
@ -154,7 +99,6 @@ in
session optional pam_mkhomedir.so
session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
nixpkgs.overlays = [
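Review bot: Dropping matrix-synapse, sogo, hedgedoc, mailman, mailman-web-setup and hyperkitty from the `portunus` group (second hunk, the removed `members` list) also removes their read access to the shared `portunus/users/search-password` file, which now has only `owner = config.services.portunus.user` and the sops-nix default owner-only mode since the explicit `mode = "0440"` was dropped. In this commit only nslcd (`nslcd_ldap_search`) and matrix-synapse (in the matrix module) receive their own `key = "portunus/users/search-password"` copies; if sogo, hedgedoc, mailman or hyperkitty still reference `config.sops.secrets."portunus/users/search-password".path` elsewhere they will fail with permission denied at runtime, so each remaining consumer needs its own entry, e.g. `sogo_ldap_search = { key = "portunus/users/search-password"; owner = config.systemd.services.sogo.serviceConfig.User; };`. A comment above `sops.secrets` such as `# each LDAP consumer gets its own owner-only copy of the search password via key; do not re-add services to the portunus group for access` would record that intent so the group is not widened again later. The enclosing module attribute set starts and ends outside the shown hunks.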


@ -24,10 +24,10 @@ let
# matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
in
{
#sops.secrets.matrix_ldap_search = {
# key = "portunus/users/search-password";
# owner = config.systemd.services.matrix-synapse.serviceConfig.User;
#};
sops.secrets.matrix_ldap_search = {
key = "portunus/users/search-password";
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
};
services = {
postgresql = {
@ -109,7 +109,7 @@ in
mail: uid
name: cn
bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
bind_password_file: ${config.sops.secrets."portunus/users/search-password".path}
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
'';
})
];
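Review bot: The re-enabled `sops.secrets.matrix_ldap_search` block (first hunk) carries no comment explaining that it is a per-service copy of the shared `portunus/users/search-password` entry rather than an independent secret, which is easy to misread because the same password also appears under other names in the secrets file. A one-line comment such as `# per-service copy of portunus/users/search-password, readable only by the synapse user` above it would make the `key`/`owner` pairing clear, and the `bind_password_file` change in the second hunk then reads as the matching consumer side. Both hunks sit inside the module's attribute set, which starts and ends outside the shown lines.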


@ -6,9 +6,12 @@ postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0
nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
ldap_search: ENC[AES256_GCM,data:HJvh/fKhMK4C2Xs=,iv:nCqgJ6XPwLdbhGe0uJRksQS6G07bDO+x+R/XKtURf3Y=,tag:0Y3Dblfu2Tv2MtTytXLubw==,type:str]
dex:
environment: ENC[AES256_GCM,data:k4bwMLO1tkz0zPO+58f47YKqdUv4l0HeepsDypatAAk0zyYWQ7/j6UR/R+Uqimrs+Melwnhk49B8FCn+QhRi5zitgw39Y56uQ8JjwieMSTRygErLZR17xJgq8vHYa6dGq9ZuW2hZCNkgLXtryFPhS/TJVZg6heOdeNaa9GvENzumHLAmffvqkb51sXeAYb4pIn/RM1S0k8YC7FsxfuubBf0e8yZRtnMtMYCFxuonVZ+txA==,iv:CjwBvTzXdNfSPd8pFN2XoWo8jzDaa5MnMUXjzaJyLvk=,tag:dDW5ODhJtd1sDOaWfUo56w==,type:str]
portunus:
users:
admin-password: ENC[AES256_GCM,data:MukQ4kc4gs/I08KrTdA=,iv:Z+RyejG2W98kml99zJsYF0vraj09M+K1MO5Euxi1aQk=,tag:zDYUIWsmDjww0CemPD1XBg==,type:str]
search-password: ENC[AES256_GCM,data:+qR1rtzENTRk1t9YXcIn,iv:j/BckEQ+G5DbH+Z/Jtbk038LlPjcKf0g/OKlljmHve8=,tag:MidDBBhpjyuaN5RNpcZaMA==,type:str]
dovecot_ldap_search: ENC[AES256_GCM,data:ROoz+hiVWhGT3wYqp2Bg94AwlwyWLMVcrJkk,iv:PiUAqXAh58qIcF/ZWH8UdS68gxQtq28+lWXcLJ1mK9Y=,tag:gXeKisqVhJyx1xJ6x4hSyA==,type:str]
rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str]
mediawiki:
@ -30,8 +33,8 @@ sops:
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-03T21:29:36Z"
mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str]
lastmodified: "2023-06-08T12:23:52Z"
mac: ENC[AES256_GCM,data:KqjtVX6diijUnCNxwsWqHYrV5w0V0ydm5SBjK0DdFlVEdkVvUrA6g8K25XtZxR69hDaBd8381o1U6FDjwENHC8pimSFyX9EmXzWgIsmB5WMU2ccP1hWg3ZVt9mppf80ZS9M7CMT9ZNjppnsggr+yVpPgFS626paXUEPQMH3UHOY=,iv:IqSLufoCQJysSEoGKkk7pZEH52SvrZW2sjiu3tpHrCI=,tag:jeQwunD+5ysz8Y2c9UZrHA==,type:str]
pgp:
- created_at: "2022-11-18T16:37:58Z"
enc: |
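Review bot: The new `dovecot_ldap_search` entry in the first hunk is a separately encrypted value, whereas the nslcd and matrix consumers in this same commit reference the shared `portunus/users/search-password` key through sops-nix `key = ...` aliases. If dovecot binds as the same `search` user, this second copy will silently diverge from the one Portunus seeds at the next rotation; consider dropping it here and declaring `dovecot_ldap_search = { key = "portunus/users/search-password"; owner = <dovecot service user>; };` in the dovecot module instead, as done for `nslcd_ldap_search`. The older top-level `portunus_admin`, `portunus_search` and `ldap_search` keys on the context lines look like earlier names for the same credentials and are worth pruning in a follow-up so that only one encrypted copy of each remains. The pgp block at the end of the section continues beyond the shown lines.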