refactor and fix stuff
This commit is contained in:
parent
a7c23f9b88
commit
e26a50a704
4 changed files with 46 additions and 100 deletions
|
@ -5,8 +5,7 @@
|
|||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
outputs = { self, nixpkgs, sops-nix, ... }@inputs:
|
||||
let
|
||||
in {
|
||||
{
|
||||
#packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage;
|
||||
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte-vm.config.system.build.vm;
|
||||
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
|
||||
|
|
120
modules/ldap.nix
120
modules/ldap.nix
|
@ -1,62 +1,39 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
domain = "auth.${config.fsr.domain}";
|
||||
|
||||
portunusUser = "portunus";
|
||||
portunusGroup = "portunus";
|
||||
|
||||
ldapUser = "openldap";
|
||||
ldapGroup = "openldap";
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"portunus/users/admin-password" = {
|
||||
owner = "${portunusUser}";
|
||||
group = "${portunusGroup}";
|
||||
};
|
||||
"portunus/users/search-password" = {
|
||||
owner = "${portunusUser}";
|
||||
group = "${portunusGroup}";
|
||||
mode = "0440";
|
||||
};
|
||||
"dex/environment" = {
|
||||
owner = config.systemd.services.dex.serviceConfig.User;
|
||||
group = "dex";
|
||||
};
|
||||
"matrix_ldap_search" = {
|
||||
"portunus/users/admin-password".owner = config.services.portunus.user;
|
||||
"portunus/users/search-password".owner = config.services.portunus.user;
|
||||
"dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
|
||||
nslcd_ldap_search = {
|
||||
key = "portunus/users/search-password";
|
||||
owner = config.systemd.services.nslcd.serviceConfig.User;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.portunus = {
|
||||
enable = true;
|
||||
user = "${portunusUser}";
|
||||
group = "${portunusGroup}";
|
||||
domain = "${domain}";
|
||||
port = 8681;
|
||||
userRegex = "[a-z_][a-z0-9_.-]*\$?";
|
||||
dex = {
|
||||
enable = true;
|
||||
};
|
||||
ldap = {
|
||||
#user = "${ldapUser}";
|
||||
#group = "${ldapGroup}";
|
||||
|
||||
suffix = "dc=ifsr,dc=de";
|
||||
searchUserName = "search";
|
||||
|
||||
# disables port 389, use 636 with tls
|
||||
# `portunus.domain` resolves to localhost
|
||||
tls = false;
|
||||
};
|
||||
|
||||
seedPath = ../config/portunus_seeds.json;
|
||||
};
|
||||
|
||||
|
||||
services = {
|
||||
portunus = {
|
||||
enable = true;
|
||||
domain = "${domain}";
|
||||
port = 8681;
|
||||
userRegex = "[a-z_][a-z0-9_.-]*\$?";
|
||||
dex = {
|
||||
enable = true;
|
||||
};
|
||||
ldap = {
|
||||
suffix = "dc=ifsr,dc=de";
|
||||
searchUserName = "search";
|
||||
|
||||
# disables port 389, use 636 with tls
|
||||
# `portunus.domain` resolves to localhost
|
||||
tls = false;
|
||||
};
|
||||
|
||||
seedPath = ../config/portunus_seeds.json;
|
||||
};
|
||||
|
||||
dex.settings.oauth2.skipApprovalScreen = true;
|
||||
|
||||
nginx = {
|
||||
|
@ -80,54 +57,22 @@ in
|
|||
};
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
dex = { };
|
||||
groups.dex = { };
|
||||
|
||||
"${portunusGroup}" = {
|
||||
name = "${portunusGroup}";
|
||||
members = [
|
||||
"${portunusUser}"
|
||||
config.systemd.services."matrix-synapse".serviceConfig.User
|
||||
config.systemd.services.sogo.serviceConfig.User
|
||||
config.systemd.services.hedgedoc.serviceConfig.User
|
||||
config.systemd.services.mailman.serviceConfig.User
|
||||
config.systemd.services."mailman-web-setup".serviceConfig.User
|
||||
config.systemd.services.hyperkitty.serviceConfig.User
|
||||
config.systemd.services.nslcd.serviceConfig.User
|
||||
];
|
||||
};
|
||||
"${ldapGroup}" = {
|
||||
name = "${ldapGroup}";
|
||||
members = [ "${ldapUser}" ];
|
||||
};
|
||||
users.dex = {
|
||||
group = "dex";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users = {
|
||||
dex = {
|
||||
group = "dex";
|
||||
isSystemUser = true;
|
||||
};
|
||||
"${portunusUser}" = {
|
||||
isSystemUser = true;
|
||||
group = "${portunusGroup}";
|
||||
};
|
||||
|
||||
"${ldapUser}" = {
|
||||
isSystemUser = true;
|
||||
group = "${ldapGroup}";
|
||||
};
|
||||
};
|
||||
ldap =
|
||||
let
|
||||
portunus = config.services.portunus;
|
||||
base = "ou=users,${portunus.ldap.suffix}";
|
||||
in
|
||||
{
|
||||
let portunus = config.services.portunus;
|
||||
in rec {
|
||||
enable = true;
|
||||
server = "ldap://localhost";
|
||||
base = base;
|
||||
base = "ou=users,${portunus.ldap.suffix}";
|
||||
bind = {
|
||||
distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
|
||||
passwordFile = config.sops.secrets."portunus/users/search-password".path;
|
||||
passwordFile = config.sops.secrets.nslcd_ldap_search.path;
|
||||
};
|
||||
daemon.enable = true;
|
||||
};
|
||||
|
@ -154,7 +99,6 @@ in
|
|||
session optional pam_mkhomedir.so
|
||||
session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
|
||||
'';
|
||||
|
||||
nixpkgs.overlays = [
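Review bot: The second hunk removes the `portunus` group (and its membership list for sogo, hedgedoc, mailman, mailman-web-setup, hyperkitty and matrix-synapse) that, together with the old `mode = "0440"`, was what let those services read `portunus/users/search-password`; the new `sops.secrets` block only provides a per-consumer copy for nslcd (`nslcd_ldap_search`) and the matrix module adds its own, so any of the remaining modules that still reference `config.sops.secrets."portunus/users/search-password".path` will presumably now hit a 0400 file owned by the portunus user. If they do, give each of them its own entry in the same shape as the nslcd one, e.g. `hedgedoc_ldap_search = { key = "portunus/users/search-password"; owner = config.systemd.services.hedgedoc.serviceConfig.User; };`, which keeps the per-service least-privilege split this commit is going for instead of reintroducing a shared group. Separately, the comment kept above `tls = false` reads `# disables port 389, use 636 with tls`, which describes the opposite setting; I would reword it to `# tls = false: plain LDAP on 389, only reached over loopback (portunus.domain resolves to localhost)` so the next reader does not assume TLS is on. Both the `services` attrset and the pam snippet in the last hunk start outside the visible hunks.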
|
||||
|
|
|
@ -24,10 +24,10 @@ let
|
|||
# matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
|
||||
in
|
||||
{
|
||||
#sops.secrets.matrix_ldap_search = {
|
||||
# key = "portunus/users/search-password";
|
||||
# owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||
#};
|
||||
sops.secrets.matrix_ldap_search = {
|
||||
key = "portunus/users/search-password";
|
||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||
};
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
|
@ -109,7 +109,7 @@ in
|
|||
mail: uid
|
||||
name: cn
|
||||
bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
|
||||
bind_password_file: ${config.sops.secrets."portunus/users/search-password".path}
|
||||
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
|
||||
'';
|
||||
})
|
||||
];
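Review bot: The new `bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}` line is paired with a `bind_dn` that hardcodes `uid=search`, while the ldap module derives the same DN from `portunus.ldap.searchUserName`; if that option ever changes, the bind DN here silently diverges from the password the secret copy refers to and synapse's LDAP auth fails. Use the option on the context line as well: `bind_dn: uid=${portunus.ldap.searchUserName},ou=users,${portunus.ldap.suffix}`. The `sops.secrets.matrix_ldap_search` entry itself looks right (its own owner, default 0400, keyed to the shared search password). The enclosing `services` attrset and the synapse config string begin and end outside the visible hunks.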
|
||||
|
|
|
@ -6,9 +6,12 @@ postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0
|
|||
nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
|
||||
hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
|
||||
wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
|
||||
portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
|
||||
portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
|
||||
ldap_search: ENC[AES256_GCM,data:HJvh/fKhMK4C2Xs=,iv:nCqgJ6XPwLdbhGe0uJRksQS6G07bDO+x+R/XKtURf3Y=,tag:0Y3Dblfu2Tv2MtTytXLubw==,type:str]
|
||||
dex:
|
||||
environment: ENC[AES256_GCM,data:k4bwMLO1tkz0zPO+58f47YKqdUv4l0HeepsDypatAAk0zyYWQ7/j6UR/R+Uqimrs+Melwnhk49B8FCn+QhRi5zitgw39Y56uQ8JjwieMSTRygErLZR17xJgq8vHYa6dGq9ZuW2hZCNkgLXtryFPhS/TJVZg6heOdeNaa9GvENzumHLAmffvqkb51sXeAYb4pIn/RM1S0k8YC7FsxfuubBf0e8yZRtnMtMYCFxuonVZ+txA==,iv:CjwBvTzXdNfSPd8pFN2XoWo8jzDaa5MnMUXjzaJyLvk=,tag:dDW5ODhJtd1sDOaWfUo56w==,type:str]
|
||||
portunus:
|
||||
users:
|
||||
admin-password: ENC[AES256_GCM,data:MukQ4kc4gs/I08KrTdA=,iv:Z+RyejG2W98kml99zJsYF0vraj09M+K1MO5Euxi1aQk=,tag:zDYUIWsmDjww0CemPD1XBg==,type:str]
|
||||
search-password: ENC[AES256_GCM,data:+qR1rtzENTRk1t9YXcIn,iv:j/BckEQ+G5DbH+Z/Jtbk038LlPjcKf0g/OKlljmHve8=,tag:MidDBBhpjyuaN5RNpcZaMA==,type:str]
|
||||
dovecot_ldap_search: ENC[AES256_GCM,data:ROoz+hiVWhGT3wYqp2Bg94AwlwyWLMVcrJkk,iv:PiUAqXAh58qIcF/ZWH8UdS68gxQtq28+lWXcLJ1mK9Y=,tag:gXeKisqVhJyx1xJ6x4hSyA==,type:str]
|
||||
rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str]
|
||||
mediawiki:
|
||||
|
@ -30,8 +33,8 @@ sops:
|
|||
MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
|
||||
ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-03T21:29:36Z"
|
||||
mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str]
|
||||
lastmodified: "2023-06-08T12:23:52Z"
|
||||
mac: ENC[AES256_GCM,data:KqjtVX6diijUnCNxwsWqHYrV5w0V0ydm5SBjK0DdFlVEdkVvUrA6g8K25XtZxR69hDaBd8381o1U6FDjwENHC8pimSFyX9EmXzWgIsmB5WMU2ccP1hWg3ZVt9mppf80ZS9M7CMT9ZNjppnsggr+yVpPgFS626paXUEPQMH3UHOY=,iv:IqSLufoCQJysSEoGKkk7pZEH52SvrZW2sjiu3tpHrCI=,tag:jeQwunD+5ysz8Y2c9UZrHA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-11-18T16:37:58Z"
|
||||
enc: |
|
||||
|
|