wurzel/fruitbasket
10
1
Fork 1
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity

Refactor ldap and enable dex

Browse source 
Co-authored-by: revol-xut <revol-xut@protonmail.com>
This commit is contained in:
Lyn Fugmann 2023-07-07 17:12:59 +02:00
parent 80d016ae8f
commit e8263b93dc
Signed by: fugi
GPG key ID: 4472A20091BFA792
8 changed files with 72 additions and 92 deletions
Download patch file Download diff file Expand all files Collapse all files

110
modules/ldap/default.nix
View file

@ -1,48 +1,15 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
domain = "auth.${config.fsr.domain}";
portunusUser = "portunus";
portunusGroup = "portunus";
ldapUser = "openldap";
ldapGroup = "openldap";
in
{
sops.secrets.unix_ldap_search = {
key = "portunus_search";
owner = config.systemd.services.nslcd.serviceConfig.User;
};
users.users."${portunusUser}" = {
isSystemUser = true;
group = "${portunusGroup}";
};
users.groups."${portunusGroup}" = {
name = "${portunusGroup}";
members = [ "${portunusUser}" ];
};
users.users."${ldapUser}" = {
isSystemUser = true;
group = "${ldapGroup}";
};
users.groups."${ldapGroup}" = {
name = "${ldapGroup}";
members = [ "${ldapUser}" ];
};
sops.secrets = {
"portunus_admin" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
};
"portunus_search" = {
owner = "${portunusUser}";
group = "${portunusGroup}";
"portunus/admin-password".owner = config.services.portunus.user;
"portunus/search-password".owner = config.services.portunus.user;
"dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
nslcd_ldap_search = {
key = "portunus/search-password";
owner = config.systemd.services.nslcd.serviceConfig.User;
};
};
@ -51,15 +18,13 @@ in
package = pkgs.portunus.overrideAttrs (old: {
patches = [ ./0001-update-user-validation-regex.patch ];
});
user = "${portunusUser}";
group = "${portunusGroup}";
domain = "${domain}";
port = 8081;
inherit domain;
port = 8681;
dex.enable = true;
seedPath = ../config/portunus_seeds.json;
ldap = {
user = "${ldapUser}";
group = "${ldapGroup}";
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
@ -67,30 +32,37 @@ in
# `portunus.domain` resolves to localhost
#tls = true;
};
seedPath = ../../config/portunus_seeds.json;
};
#users.ldap = {
#enable = true;
#server = "ldap://localhost";
#base = "${config.services.portunus.ldap.suffix}";
#};
users.ldap =
let
portunus = config.services.portunus;
base = "ou=users,${portunus.ldap.suffix}";
in
{
enable = true;
server = "ldap://localhost";
base = base;
bind = {
distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
passwordFile = config.sops.secrets.unix_ldap_search.path;
};
daemon.enable = true;
services.dex.settings.oauth2.skipApprovalScreen = true;
systemd.services.dex.serviceConfig = {
DynamicUser = lib.mkForce false;
EnvironmentFile = config.sops.secrets."dex/environment".path;
StateDirectory = "dex";
User = "dex";
};
users = {
users.dex = {
group = "dex";
isSystemUser = true;
};
groups.dex = { };
ldap =
let portunus = config.services.portunus;
in rec {
enable = true;
server = "ldap://localhost";
base = "ou=users,${portunus.ldap.suffix}";
bind = {
distinguishedName = "uid=${portunus.ldap.searchUserName},${base}";
passwordFile = config.sops.secrets.nslcd_ldap_search.path;
};
daemon.enable = true;
};
};
security.pam.services.sshd.text = ''
# Account management.
@ -113,7 +85,6 @@ in
session optional pam_mkhomedir.so
session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
services.nginx = {
@ -123,6 +94,7 @@ in
enableACME = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
};
};
};