Compare commits
1 commit
0e89677675
...
3eeeb49662
Author | SHA1 | Date | |
---|---|---|---|
3eeeb49662 |
|
@ -2,10 +2,10 @@
|
|||
{
|
||||
networking = {
|
||||
# portunus module does weird things to this, so we force it to some sane values
|
||||
hosts = {
|
||||
"127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||
"::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||
};
|
||||
# hosts = {
|
||||
# "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||
# "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||
# };
|
||||
hostId = "a71c81fc";
|
||||
domain = "ifsr.de";
|
||||
hostName = "quitte";
|
||||
|
|
|
@ -85,17 +85,16 @@ in
|
|||
systemd.services.forgejo.preStart =
|
||||
let
|
||||
exe = lib.getExe config.services.forgejo.package;
|
||||
portunus = config.services.portunus;
|
||||
basedn = "ou=users,${portunus.ldap.suffix}";
|
||||
basedn = "ou=users,dc=ifsr,dc=de";
|
||||
ldapConfigArgs = ''
|
||||
--name LDAP \
|
||||
--active \
|
||||
--security-protocol unencrypted \
|
||||
--host '${portunus.domain}' \
|
||||
--host 'auth.ifsr.de' \
|
||||
--port 389 \
|
||||
--user-search-base '${basedn}' \
|
||||
--user-filter '(&(objectClass=posixAccount)(uid=%s))' \
|
||||
--admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
|
||||
--admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
|
||||
--username-attribute uid \
|
||||
--firstname-attribute givenName \
|
||||
--surname-attribute sn \
|
||||
|
|
|
@ -54,9 +54,9 @@ in
|
|||
# ldap auth
|
||||
ldap = rec {
|
||||
url = "ldap://localhost";
|
||||
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
|
||||
searchBase = "ou=users,dc=ifsr,dc=de";
|
||||
searchFilter = "(uid={{username}})";
|
||||
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
|
||||
bindDn = "uid=search,${searchBase}";
|
||||
bindCredentials = "\${LDAP_CREDENTIALS}";
|
||||
useridField = "uid";
|
||||
providerName = "iFSR";
|
||||
|
|
|
@ -1,90 +1,175 @@
|
|||
{ config, pkgs, system, ... }:
|
||||
let
|
||||
domain = "auth.${config.networking.domain}";
|
||||
seedSettings = {
|
||||
groups = [
|
||||
{
|
||||
name = "admins";
|
||||
long_name = "Portunus Admin";
|
||||
members = [ "admin" ];
|
||||
permissions.portunus.is_admin = true;
|
||||
}
|
||||
{
|
||||
name = "search";
|
||||
long_name = "LDAP search group";
|
||||
members = [ "search" ];
|
||||
permissions.ldap.can_read = true;
|
||||
}
|
||||
{
|
||||
name = "fsr";
|
||||
long_name = "Mitglieder des iFSR";
|
||||
}
|
||||
];
|
||||
users = [
|
||||
{
|
||||
login_name = "admin";
|
||||
given_name = "admin";
|
||||
family_name = "admin";
|
||||
password.from_command = [
|
||||
"${pkgs.coreutils}/bin/cat"
|
||||
config.sops.secrets."portunus/admin-password".path
|
||||
];
|
||||
}
|
||||
{
|
||||
login_name = "search";
|
||||
given_name = "search";
|
||||
family_name = "search";
|
||||
password.from_command = [
|
||||
"${pkgs.coreutils}/bin/cat"
|
||||
config.sops.secrets."portunus/search-password".path
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
# seedSettings = {
|
||||
# groups = [
|
||||
# {
|
||||
# name = "admins";
|
||||
# long_name = "Portunus Admin";
|
||||
# members = [ "admin" ];
|
||||
# permissions.portunus.is_admin = true;
|
||||
# }
|
||||
# {
|
||||
# name = "search";
|
||||
# long_name = "LDAP search group";
|
||||
# members = [ "search" ];
|
||||
# permissions.ldap.can_read = true;
|
||||
# }
|
||||
# {
|
||||
# name = "fsr";
|
||||
# long_name = "Mitglieder des iFSR";
|
||||
# }
|
||||
# ];
|
||||
# users = [
|
||||
# {
|
||||
# login_name = "admin";
|
||||
# given_name = "admin";
|
||||
# family_name = "admin";
|
||||
# password.from_command = [
|
||||
# "${pkgs.coreutils}/bin/cat"
|
||||
# config.sops.secrets."portunus/admin-password".path
|
||||
# ];
|
||||
# }
|
||||
# {
|
||||
# login_name = "search";
|
||||
# given_name = "search";
|
||||
# family_name = "search";
|
||||
# password.from_command = [
|
||||
# "${pkgs.coreutils}/bin/cat"
|
||||
# config.sops.secrets."portunus/search-password".path
|
||||
# ];
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"portunus/admin-password".owner = config.services.portunus.user;
|
||||
"portunus/search-password".owner = config.services.portunus.user;
|
||||
};
|
||||
# sops.secrets = {
|
||||
# "portunus/admin-password".owner = config.services.portunus.user;
|
||||
# "portunus/search-password".owner = config.services.portunus.user;
|
||||
# };
|
||||
|
||||
services.portunus = {
|
||||
# services.portunus = {
|
||||
# enable = true;
|
||||
# package = pkgs.portunus.overrideAttrs (_old: {
|
||||
# patches = [
|
||||
# ./0001-update-user-validation-regex.patch
|
||||
# ./0002-both-ldap-and-ldaps.patch
|
||||
# ./0003-gecos-ascii-escape.patch
|
||||
# ./0004-make-givenName-optional.patch
|
||||
# ];
|
||||
# doCheck = false; # posix regex related tests break
|
||||
# });
|
||||
|
||||
# inherit domain seedSettings;
|
||||
# port = 8681;
|
||||
# ldap = {
|
||||
# suffix = "dc=ifsr,dc=de";
|
||||
# searchUserName = "search";
|
||||
|
||||
# # normally disables port 389 (but not with our patch), use 636 with tls
|
||||
# # `portunus.domain` resolves to localhost
|
||||
# tls = true;
|
||||
# };
|
||||
# };
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
package = pkgs.portunus.overrideAttrs (_old: {
|
||||
patches = [
|
||||
./0001-update-user-validation-regex.patch
|
||||
./0002-both-ldap-and-ldaps.patch
|
||||
./0003-gecos-ascii-escape.patch
|
||||
./0004-make-givenName-optional.patch
|
||||
urlList = [ "ldap:///" "ldaps:///" ];
|
||||
settings = {
|
||||
attrs = {
|
||||
olcLogLevel = "conns";
|
||||
|
||||
olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
|
||||
olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
|
||||
olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
|
||||
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
|
||||
olcTLSCRLCheck = "none";
|
||||
olcTLSVerifyClient = "never";
|
||||
olcTLSProtocolMin = "3.1";
|
||||
|
||||
};
|
||||
children = {
|
||||
"cn=schema".includes = [
|
||||
"${pkgs.openldap}/etc/schema/core.ldif"
|
||||
# attributetype ( 9999.1.1 NAME 'isMemberOf'
|
||||
# DESC 'back-reference to groups this user is a member of'
|
||||
# SUP distinguishedName )
|
||||
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
"${pkgs.openldap}/etc/schema/nis.ldif"
|
||||
# "${pkgs.writeText "openssh.schema" ''
|
||||
# attributetype ( 9999.1.2 NAME 'sshPublicKey'
|
||||
# DESC 'SSH public key used by this user'
|
||||
# SUP name )
|
||||
# ''}"
|
||||
];
|
||||
doCheck = false; # posix regex related tests break
|
||||
});
|
||||
|
||||
inherit domain seedSettings;
|
||||
port = 8681;
|
||||
ldap = {
|
||||
suffix = "dc=ifsr,dc=de";
|
||||
searchUserName = "search";
|
||||
"olcDatabase={1}mdb" = {
|
||||
attrs = {
|
||||
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
||||
|
||||
# normally disables port 389 (but not with our patch), use 636 with tls
|
||||
# `portunus.domain` resolves to localhost
|
||||
tls = true;
|
||||
olcDatabase = "{1}mdb";
|
||||
olcDbDirectory = "/var/lib/openldap/data";
|
||||
|
||||
olcSuffix = "dc=ifsr,dc=de";
|
||||
|
||||
/* your admin account, do not use writeText on a production system */
|
||||
olcRootDN = "cn=portunus,dc=ifsr,dc=de";
|
||||
olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
|
||||
|
||||
olcAccess = [
|
||||
/* custom access rules for userPassword attributes */
|
||||
''{0}to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
|
||||
/* allow read on anything else */
|
||||
''{1}to *
|
||||
by dn.base="cn=portunus,dc=ifsr,dc=de" write
|
||||
by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
|
||||
by self read
|
||||
by anonymous auth
|
||||
''
|
||||
];
|
||||
};
|
||||
children = {
|
||||
"olcOverlay={2}memberof".attrs = {
|
||||
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
|
||||
olcOverlay = "{2}memberof";
|
||||
olcMemberOfRefInt = "TRUE";
|
||||
olcMemberOfDangling = "ignore";
|
||||
olcMemberOfGroupOC = "groupOfNames";
|
||||
olcMemberOfMemberAD = "member";
|
||||
olcMemberOfMemberOfAD = "memberOf";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.openldap = {
|
||||
wants = [ "acme-${domain}.service" ];
|
||||
after = [ "acme-${domain}.service" ];
|
||||
};
|
||||
# security.acme.defaults.group = "certs";
|
||||
# users.groups.certs.members = [ "openldap" ];
|
||||
# certificate permissions
|
||||
users.users.openldap.extraGroups = [ "nginx" ];
|
||||
|
||||
security.pam.services.sshd.makeHomeDir = true;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${config.services.portunus.domain}" = {
|
||||
locations = {
|
||||
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
||||
};
|
||||
virtualHosts."${domain}" = {
|
||||
# locations = {
|
||||
# "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
||||
# };
|
||||
};
|
||||
};
|
||||
networking.firewall = {
|
||||
extraInputRules = ''
|
||||
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
||||
ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -96,20 +96,19 @@ in
|
|||
extraConfigFiles = [
|
||||
(pkgs.writeTextFile {
|
||||
name = "matrix-synapse-extra-config.yml";
|
||||
text = let portunus = config.services.portunus; in
|
||||
''
|
||||
text = ''
|
||||
modules:
|
||||
- module: ldap_auth_provider.LdapAuthProviderModule
|
||||
config:
|
||||
enabled: true
|
||||
uri: ldap://localhost
|
||||
base: ou=users,${portunus.ldap.suffix}
|
||||
base: ou=users,dc=ifsr,dc=de
|
||||
# taken from kaki config
|
||||
attributes:
|
||||
uid: uid
|
||||
mail: uid
|
||||
name: cn
|
||||
bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
|
||||
bind_dn: uid=search,ou=users,dc=ifsr,dc=de
|
||||
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
|
||||
'';
|
||||
})
|
||||
|
|
|
@ -59,7 +59,7 @@ in
|
|||
occ = lib.getExe config.services.nextcloud.occ;
|
||||
ldapConfig = rec {
|
||||
ldapAgentName = "uid=search,ou=users,${ldapBase}";
|
||||
ldapBase = config.services.portunus.ldap.suffix;
|
||||
ldapBase = "dc=ifsr,dc=de";
|
||||
ldapBaseGroups = "ou=groups,${ldapBase}";
|
||||
ldapBaseUsers = "ou=users,${ldapBase}";
|
||||
ldapConfigurationActive = "1";
|
||||
|
|
Loading…
Reference in a new issue