diff --git a/flake.nix b/flake.nix
index 8e22a9f..e7535f4 100755
--- a/flake.nix
+++ b/flake.nix
@@ -5,8 +5,7 @@
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
   outputs = { self, nixpkgs, sops-nix, ... }@inputs:
-  let
-  in {
+  {
     #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage;
     packages."x86_64-linux".quitte = self.nixosConfigurations.quitte-vm.config.system.build.vm;
     packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 5d30c86..8bca96a 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -1,62 +1,39 @@ { config, lib, pkgs, ... }: let domain = "auth.${config.fsr.domain}"; - - portunusUser = "portunus"; - portunusGroup = "portunus"; - - ldapUser = "openldap"; - ldapGroup = "openldap"; in { sops.secrets = { - "portunus/users/admin-password" = { - owner = "${portunusUser}"; - group = "${portunusGroup}"; - }; - "portunus/users/search-password" = { - owner = "${portunusUser}"; - group = "${portunusGroup}"; - mode = "0440"; - }; - "dex/environment" = { - owner = config.systemd.services.dex.serviceConfig.User; - group = "dex"; - }; - "matrix_ldap_search" = { + "portunus/users/admin-password".owner = config.services.portunus.user; + "portunus/users/search-password".owner = config.services.portunus.user; + "dex/environment".owner = config.systemd.services.dex.serviceConfig.User; + nslcd_ldap_search = { key = "portunus/users/search-password"; owner = config.systemd.services.nslcd.serviceConfig.User; }; }; - - - services.portunus = { - enable = true; - user = "${portunusUser}"; - group = "${portunusGroup}"; - domain = "${domain}"; - port = 8681; - userRegex = "[a-z_][a-z0-9_.-]*\$?"; - dex = { - enable = true; - }; - ldap = { - #user = "${ldapUser}"; - #group = "${ldapGroup}"; - - suffix = "dc=ifsr,dc=de"; - searchUserName = "search"; - - # disables port 389, use 636 with tls - # `portunus.domain` resolves to localhost - tls = false; - }; - - seedPath = ../config/portunus_seeds.json; - }; - services = { + portunus = { + enable = true; + domain = "${domain}"; + port = 8681; + userRegex = "[a-z_][a-z0-9_.-]*\$?"; + dex = { + enable = true; + }; + ldap = { + suffix = "dc=ifsr,dc=de"; + searchUserName = "search"; + + # disables port 389, use 636 with tls + # `portunus.domain` resolves to localhost + tls = false; + }; + + seedPath = ../config/portunus_seeds.json; + }; + dex.settings.oauth2.skipApprovalScreen = true; nginx = { 
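Review bot: `"portunus/users/search-password".owner = config.services.portunus.user;` drops the previous `mode = "0440"`, so the file now gets sops-nix's default `0400` and is readable by the portunus user only; that is the right direction, but it only works for consumers that received their own copy of the key (here `nslcd_ldap_search`), and anything that still references `config.sops.secrets."portunus/users/search-password".path` directly will fail with a permission error at service start. Each remaining reader should get its own `<service>_ldap_search = { key = "portunus/users/search-password"; owner = …; }` entry rather than having the group-readable mode restored. The re-added comment `# disables port 389, use 636 with tls` sits directly above `tls = false;`, which keeps plain LDAP on 389, so it reads as the opposite of what is configured; I would replace the two comment lines with `# tls = false: plain LDAP on 389, acceptable only while every client binds to localhost (see users.ldap.server)`. The enclosing module attribute set continues past the end of the hunk.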
@@ -80,54 +57,22 @@ in }; users = { - groups = { - dex = { }; + groups.dex = { }; - "${portunusGroup}" = { - name = "${portunusGroup}"; - members = [ - "${portunusUser}" - config.systemd.services."matrix-synapse".serviceConfig.User - config.systemd.services.sogo.serviceConfig.User - config.systemd.services.hedgedoc.serviceConfig.User - config.systemd.services.mailman.serviceConfig.User - config.systemd.services."mailman-web-setup".serviceConfig.User - config.systemd.services.hyperkitty.serviceConfig.User - config.systemd.services.nslcd.serviceConfig.User - ]; - }; - "${ldapGroup}" = { - name = "${ldapGroup}"; - members = [ "${ldapUser}" ]; - }; + users.dex = { + group = "dex"; + isSystemUser = true; }; - users = { - dex = { - group = "dex"; - isSystemUser = true; - }; - "${portunusUser}" = { - isSystemUser = true; - group = "${portunusGroup}"; - }; - "${ldapUser}" = { - isSystemUser = true; - group = "${ldapGroup}"; - }; - }; ldap = - let - portunus = config.services.portunus; - base = "ou=users,${portunus.ldap.suffix}"; - in - { + let portunus = config.services.portunus; + in rec { enable = true; server = "ldap://localhost"; - base = base; + base = "ou=users,${portunus.ldap.suffix}"; bind = { distinguishedName = "uid=${portunus.ldap.searchUserName},${base}"; - passwordFile = config.sops.secrets."portunus/users/search-password".path; + passwordFile = config.sops.secrets.nslcd_ldap_search.path; }; daemon.enable = true; }; @@ -154,7 +99,6 @@ in session optional pam_mkhomedir.so session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so session optional ${pkgs.systemd}/lib/security/pam_systemd.so - ''; nixpkgs.overlays = [ diff --git a/modules/matrix.nix b/modules/matrix.nix index 9e01430..a79e4a7 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix 
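Review bot: Removing the `portunus` group, and with it the membership of the sogo, hedgedoc, mailman, mailman-web-setup and hyperkitty service users, takes away the group-based read access to the search password that the old `0440` file granted; in this commit only nslcd and matrix-synapse receive a dedicated sops copy, so any of the other five that still bind to LDAP with that password will presumably break unless their modules (not visible here) were already switched to their own secret entries — worth confirming before merge. A comment at `users.ldap = let portunus = config.services.portunus;` would make the new model explicit: `# every LDAP consumer gets its own 0400 copy of the search password via a sops \`key\` entry; there is no shared portunus group any more`. `server = "ldap://localhost";` with a simple bind sends that password in cleartext, which is fine on loopback but must not be pointed at a remote host while portunus keeps `ldap.tls = false`. The PAM hunk further down only drops a trailing blank line.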
@@ -24,10 +24,10 @@ let # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; in { - #sops.secrets.matrix_ldap_search = { - # key = "portunus/users/search-password"; - # owner = config.systemd.services.matrix-synapse.serviceConfig.User; - #}; + sops.secrets.matrix_ldap_search = { + key = "portunus/users/search-password"; + owner = config.systemd.services.matrix-synapse.serviceConfig.User; + }; services = { postgresql = { @@ -109,7 +109,7 @@ in mail: uid name: cn bind_dn: uid=search,ou=users,${portunus.ldap.suffix} - bind_password_file: ${config.sops.secrets."portunus/users/search-password".path} + bind_password_file: ${config.sops.secrets.matrix_ldap_search.path} ''; }) ]; diff --git a/secrets/test.yaml b/secrets/test.yaml index e68e340..5f8e7d7 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml 
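Review bot: `sops.secrets.matrix_ldap_search` is enabled without a `mode`, so sops-nix's default `0400` applies and only the synapse user can read it — good, but nothing says why this secret exists alongside the nslcd one in ldap.nix, and a later reader may be tempted to fold them back into a single shared file. I would add above it: `# synapse-owned copy of portunus' LDAP search-user password (same sops key as nslcd's) so synapse needs no group access to the portunus secret`. In the second hunk `bind_password_file:` now points at this copy, which keeps the password out of the Nix store since only the /run path is interpolated; the indented string holding the ldap3 provider config starts and ends outside the hunk, so I could not check that this provider version honours `bind_password_file` rather than `bind_password` — worth a test login after deploy.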
@@ -6,9 +6,12 @@ postgres_sogo: ENC[AES256_GCM,data:L2n5FxSQ6PPaLecmcg==,iv:9aykDfFp5Ysqpi14J7Aj0 nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str] wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] -portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str] -portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str] -ldap_search: ENC[AES256_GCM,data:HJvh/fKhMK4C2Xs=,iv:nCqgJ6XPwLdbhGe0uJRksQS6G07bDO+x+R/XKtURf3Y=,tag:0Y3Dblfu2Tv2MtTytXLubw==,type:str] +dex: + environment: ENC[AES256_GCM,data:k4bwMLO1tkz0zPO+58f47YKqdUv4l0HeepsDypatAAk0zyYWQ7/j6UR/R+Uqimrs+Melwnhk49B8FCn+QhRi5zitgw39Y56uQ8JjwieMSTRygErLZR17xJgq8vHYa6dGq9ZuW2hZCNkgLXtryFPhS/TJVZg6heOdeNaa9GvENzumHLAmffvqkb51sXeAYb4pIn/RM1S0k8YC7FsxfuubBf0e8yZRtnMtMYCFxuonVZ+txA==,iv:CjwBvTzXdNfSPd8pFN2XoWo8jzDaa5MnMUXjzaJyLvk=,tag:dDW5ODhJtd1sDOaWfUo56w==,type:str] +portunus: + users: + admin-password: ENC[AES256_GCM,data:MukQ4kc4gs/I08KrTdA=,iv:Z+RyejG2W98kml99zJsYF0vraj09M+K1MO5Euxi1aQk=,tag:zDYUIWsmDjww0CemPD1XBg==,type:str] + search-password: ENC[AES256_GCM,data:+qR1rtzENTRk1t9YXcIn,iv:j/BckEQ+G5DbH+Z/Jtbk038LlPjcKf0g/OKlljmHve8=,tag:MidDBBhpjyuaN5RNpcZaMA==,type:str] dovecot_ldap_search: ENC[AES256_GCM,data:ROoz+hiVWhGT3wYqp2Bg94AwlwyWLMVcrJkk,iv:PiUAqXAh58qIcF/ZWH8UdS68gxQtq28+lWXcLJ1mK9Y=,tag:gXeKisqVhJyx1xJ6x4hSyA==,type:str] rspamd-password: ENC[AES256_GCM,data:PG3qO7lDXjd/kw3Bp65k5KPWKU16yBmRXQeYeuo=,iv:pmDqdeyziD1ZUif0LABiN2BTqGw0VkvlrtwSSjo3lk8=,tag:QwnycEj+Nab0bCDeemUX0Q==,type:str] 
mediawiki: @@ -30,8 +33,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-03T21:29:36Z" - mac: ENC[AES256_GCM,data:tsnXkf9D/EzNozBWEK8fca0S+vSc4fH0y9KXpjlYtcFkgjSjvuwnlo2tH3stdEAo5odHO/rsW29uCvCDomTHwMUeKWmD7NdUAVbBuUNfl6pl6gll9p+9yfTB5lZH9QpFGnC/6ANbwhLN7vBO5ZCRbfpl5hlIN4iQ25GyiPZ/GCM=,iv:2YWxDXfsonj+Td/ZeEBKZYuDpGktEVYw1LBPxqIyofA=,tag:aaX98g7PtGh5Ob81EWmHcA==,type:str] + lastmodified: "2023-06-08T12:23:52Z" + mac: ENC[AES256_GCM,data:KqjtVX6diijUnCNxwsWqHYrV5w0V0ydm5SBjK0DdFlVEdkVvUrA6g8K25XtZxR69hDaBd8381o1U6FDjwENHC8pimSFyX9EmXzWgIsmB5WMU2ccP1hWg3ZVt9mppf80ZS9M7CMT9ZNjppnsggr+yVpPgFS626paXUEPQMH3UHOY=,iv:IqSLufoCQJysSEoGKkk7pZEH52SvrZW2sjiu3tpHrCI=,tag:jeQwunD+5ysz8Y2c9UZrHA==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: |