

2 commits

Author SHA1 Message Date
quitte 0e89677675
portunus: remove 2024-07-07 14:05:59 +02:00
Rouven Seifert 3480be73ef
updates 2024-07-07 2024-07-07 14:04:55 +02:00
9 changed files with 192 additions and 109 deletions


@ -143,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719832725, "lastModified": 1720334033,
"narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=", "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "2917972ed34ce292309b3a4976286f8b5c08db27", "rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -174,27 +174,27 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1719663039, "lastModified": 1720282526,
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=", "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119", "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1719956923, "lastModified": 1720244366,
"narHash": "sha256-nNJHJ9kfPdzYsCOlHOnbiiyKjZUW5sWbwx3cakg3/C4=", "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "706eef542dec88cc0ed25b9075d3037564b2d164", "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -283,11 +283,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1719873517, "lastModified": 1720321395,
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "a11224af8d824935f363928074b4717ca2e280db", "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -2,10 +2,10 @@
{ {
networking = { networking = {
# portunus module does weird things to this, so we force it to some sane values # portunus module does weird things to this, so we force it to some sane values
hosts = { # hosts = {
"127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ]; # "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
"::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ]; # "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
}; # };
hostId = "a71c81fc"; hostId = "a71c81fc";
domain = "ifsr.de"; domain = "ifsr.de";
hostName = "quitte"; hostName = "quitte";
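Review bot: The comment on the `# portunus module does weird things to this, so we force it to some sane values` line now introduces a block that is entirely commented out, and the module it refers to is the one this commit removes, so a reader is left with a justification for code that no longer runs. Either delete the four commented `hosts` lines together with the comment, or replace the comment with `# hosts override no longer needed: the portunus module that rewrote /etc/hosts was removed`. The enclosing `networking` set continues past the hunk.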


@ -85,17 +85,16 @@ in
systemd.services.forgejo.preStart = systemd.services.forgejo.preStart =
let let
exe = lib.getExe config.services.forgejo.package; exe = lib.getExe config.services.forgejo.package;
portunus = config.services.portunus; basedn = "ou=users,dc=ifsr,dc=de";
basedn = "ou=users,${portunus.ldap.suffix}";
ldapConfigArgs = '' ldapConfigArgs = ''
--name LDAP \ --name LDAP \
--active \ --active \
--security-protocol unencrypted \ --security-protocol unencrypted \
--host '${portunus.domain}' \ --host 'auth.ifsr.de' \
--port 389 \ --port 389 \
--user-search-base '${basedn}' \ --user-search-base '${basedn}' \
--user-filter '(&(objectClass=posixAccount)(uid=%s))' \ --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
--admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \ --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
--username-attribute uid \ --username-attribute uid \
--firstname-attribute givenName \ --firstname-attribute givenName \
--surname-attribute sn \ --surname-attribute sn \
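Review bot: The new `--admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)'` line queries an `isMemberOf` attribute, but the memberof overlay this same commit configures in the openldap section maintains the attribute named by `olcMemberOfMemberOfAD = "memberOf"`, and the `isMemberOf` attributetype there survives only as a comment; unless something outside this commit populates `isMemberOf`, no account will match the admin filter. Either use `--admin-filter '(memberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \` or set `olcMemberOfMemberOfAD = "isMemberOf"` together with a schema definition for it. Separately, `--security-protocol unencrypted \` combined with `--host 'auth.ifsr.de' \` sends the bind password in clear unless that name still resolves to the loopback interface, which the removed comments attributed to the portunus module; since slapd now listens on `ldaps:///` with an ACME certificate for that name, `--security-protocol ldaps \` with `--port 636 \` (or `--host 'localhost' \`) avoids relying on that. The enclosing `preStart` let-binding continues past the hunk.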


@ -54,9 +54,9 @@ in
# ldap auth # ldap auth
ldap = rec { ldap = rec {
url = "ldap://localhost"; url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}"; searchBase = "ou=users,dc=ifsr,dc=de";
searchFilter = "(uid={{username}})"; searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}"; bindDn = "uid=search,${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}"; bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid"; useridField = "uid";
providerName = "iFSR"; providerName = "iFSR";
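Review bot: The `searchBase = "ou=users,dc=ifsr,dc=de";` and `bindDn = "uid=search,${searchBase}";` lines hard-code the directory suffix and the search account that were previously read from one module option, and the same literals are repeated in the Forgejo, Synapse and Nextcloud hunks of this commit as well as in `olcSuffix` and the `olcAccess` rules of the openldap section, so a change to the directory layout or search user now has to be made in several files. Consider defining them once, for example a shared `let` or option in the openldap module such as `ldapSuffix = "dc=ifsr,dc=de";`, and interpolating it here as `searchBase = "ou=users,${ldapSuffix}";`. The enclosing `ldap` set continues outside the hunk.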


@ -1,90 +1,175 @@
{ config, pkgs, system, ... }: { config, pkgs, system, ... }:
let let
domain = "auth.${config.networking.domain}"; domain = "auth.${config.networking.domain}";
seedSettings = { # seedSettings = {
groups = [ # groups = [
{ # {
name = "admins"; # name = "admins";
long_name = "Portunus Admin"; # long_name = "Portunus Admin";
members = [ "admin" ]; # members = [ "admin" ];
permissions.portunus.is_admin = true; # permissions.portunus.is_admin = true;
} # }
{ # {
name = "search"; # name = "search";
long_name = "LDAP search group"; # long_name = "LDAP search group";
members = [ "search" ]; # members = [ "search" ];
permissions.ldap.can_read = true; # permissions.ldap.can_read = true;
} # }
{ # {
name = "fsr"; # name = "fsr";
long_name = "Mitglieder des iFSR"; # long_name = "Mitglieder des iFSR";
} # }
]; # ];
users = [ # users = [
{ # {
login_name = "admin"; # login_name = "admin";
given_name = "admin"; # given_name = "admin";
family_name = "admin"; # family_name = "admin";
password.from_command = [ # password.from_command = [
"${pkgs.coreutils}/bin/cat" # "${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/admin-password".path # config.sops.secrets."portunus/admin-password".path
]; # ];
} # }
{ # {
login_name = "search"; # login_name = "search";
given_name = "search"; # given_name = "search";
family_name = "search"; # family_name = "search";
password.from_command = [ # password.from_command = [
"${pkgs.coreutils}/bin/cat" # "${pkgs.coreutils}/bin/cat"
config.sops.secrets."portunus/search-password".path # config.sops.secrets."portunus/search-password".path
]; # ];
} # }
]; # ];
}; # };
in in
{ {
sops.secrets = { # sops.secrets = {
"portunus/admin-password".owner = config.services.portunus.user; # "portunus/admin-password".owner = config.services.portunus.user;
"portunus/search-password".owner = config.services.portunus.user; # "portunus/search-password".owner = config.services.portunus.user;
}; # };
services.portunus = { # services.portunus = {
# enable = true;
# package = pkgs.portunus.overrideAttrs (_old: {
# patches = [
# ./0001-update-user-validation-regex.patch
# ./0002-both-ldap-and-ldaps.patch
# ./0003-gecos-ascii-escape.patch
# ./0004-make-givenName-optional.patch
# ];
# doCheck = false; # posix regex related tests break
# });
# inherit domain seedSettings;
# port = 8681;
# ldap = {
# suffix = "dc=ifsr,dc=de";
# searchUserName = "search";
# # normally disables port 389 (but not with our patch), use 636 with tls
# # `portunus.domain` resolves to localhost
# tls = true;
# };
# };
services.openldap = {
enable = true; enable = true;
package = pkgs.portunus.overrideAttrs (_old: { urlList = [ "ldap:///" "ldaps:///" ];
patches = [ settings = {
./0001-update-user-validation-regex.patch attrs = {
./0002-both-ldap-and-ldaps.patch olcLogLevel = "conns";
./0003-gecos-ascii-escape.patch
./0004-make-givenName-optional.patch olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
# olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
# attributetype ( 9999.1.1 NAME 'isMemberOf'
# DESC 'back-reference to groups this user is a member of'
# SUP distinguishedName )
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
# "${pkgs.writeText "openssh.schema" ''
# attributetype ( 9999.1.2 NAME 'sshPublicKey'
# DESC 'SSH public key used by this user'
# SUP name )
# ''}"
]; ];
doCheck = false; # posix regex related tests break
});
inherit domain seedSettings; "olcDatabase={1}mdb" = {
port = 8681; attrs = {
ldap = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
suffix = "dc=ifsr,dc=de";
searchUserName = "search";
# normally disables port 389 (but not with our patch), use 636 with tls olcDatabase = "{1}mdb";
# `portunus.domain` resolves to localhost olcDbDirectory = "/var/lib/openldap/data";
tls = true;
olcSuffix = "dc=ifsr,dc=de";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=portunus,dc=ifsr,dc=de";
olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by dn.base="cn=portunus,dc=ifsr,dc=de" write
by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
by self read
by anonymous auth
''
];
};
children = {
"olcOverlay={2}memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
olcOverlay = "{2}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
}; };
}; };
};
};
};
};
systemd.services.openldap = {
wants = [ "acme-${domain}.service" ];
after = [ "acme-${domain}.service" ];
};
# security.acme.defaults.group = "certs";
# users.groups.certs.members = [ "openldap" ];
# certificate permissions
users.users.openldap.extraGroups = [ "nginx" ];
security.pam.services.sshd.makeHomeDir = true; security.pam.services.sshd.makeHomeDir = true;
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."${config.services.portunus.domain}" = { virtualHosts."${domain}" = {
locations = { # locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; # "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
}; # };
}; };
}; };
networking.firewall = { networking.firewall = {
extraInputRules = '' extraInputRules = ''
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman" ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
''; '';
}; };
} }
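Review bot: The `olcRootPW = "{CRYPT}$y$…"` line places the directory root password hash in the Nix configuration, so it lands both in repository history and in the world-readable Nix store. The NixOS openldap module accepts attribute values of the form `{ path = …; }`, so the hash can live in a sops secret owned by the openldap user and be referenced as `olcRootPW.path = config.sops.secrets."<openldap-rootpw-secret>".path;` (placeholder name), and the hash already committed should be treated as exposed and replaced. `olcTLSProtocolMin = "3.1"` is OpenLDAP's notation for TLS 1.0; `olcTLSProtocolMin = "3.3";` (TLS 1.2) is the usual floor and all consumers in this commit are current clients. `users.users.openldap.extraGroups = [ "nginx" ];` grants slapd read access to everything the nginx group owns, presumably including other ACME keys nginx serves, rather than only `/var/lib/acme/${domain}`; scoping it to this certificate with `security.acme.certs."${domain}".group = "certs";` and `users.groups.certs.members = [ "nginx" "openldap" ];` keeps the access to one key.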


@ -96,20 +96,19 @@ in
extraConfigFiles = [ extraConfigFiles = [
(pkgs.writeTextFile { (pkgs.writeTextFile {
name = "matrix-synapse-extra-config.yml"; name = "matrix-synapse-extra-config.yml";
text = let portunus = config.services.portunus; in text = ''
''
modules: modules:
- module: ldap_auth_provider.LdapAuthProviderModule - module: ldap_auth_provider.LdapAuthProviderModule
config: config:
enabled: true enabled: true
uri: ldap://localhost uri: ldap://localhost
base: ou=users,${portunus.ldap.suffix} base: ou=users,dc=ifsr,dc=de
# taken from kaki config # taken from kaki config
attributes: attributes:
uid: uid uid: uid
mail: uid mail: uid
name: cn name: cn
bind_dn: uid=search,ou=users,${portunus.ldap.suffix} bind_dn: uid=search,ou=users,dc=ifsr,dc=de
bind_password_file: ${config.sops.secrets.matrix_ldap_search.path} bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
''; '';
}) })


@ -59,7 +59,7 @@ in
occ = lib.getExe config.services.nextcloud.occ; occ = lib.getExe config.services.nextcloud.occ;
ldapConfig = rec { ldapConfig = rec {
ldapAgentName = "uid=search,ou=users,${ldapBase}"; ldapAgentName = "uid=search,ou=users,${ldapBase}";
ldapBase = config.services.portunus.ldap.suffix; ldapBase = "dc=ifsr,dc=de";
ldapBaseGroups = "ou=groups,${ldapBase}"; ldapBaseGroups = "ou=groups,${ldapBase}";
ldapBaseUsers = "ou=users,${ldapBase}"; ldapBaseUsers = "ou=users,${ldapBase}";
ldapConfigurationActive = "1"; ldapConfigurationActive = "1";