portunus: remove

hosts/quitte/network.nix

@@ -2,10 +2,10 @@
 {
   networking = {
     # portunus module does weird things to this, so we force it to some sane values
-    hosts = {
+    # hosts = {
-      "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    #   "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-      "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    #   "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-    };
+    # };
     hostId = "a71c81fc";
     domain = "ifsr.de";
     hostName = "quitte";

modules/core/podman.nix

@@ -23,4 +23,4 @@
     #docker-compose # start group of containers for dev
     #podman-compose # start group of containers for dev
   ];
-}
+}

modules/forgejo/default.nix

@@ -85,17 +85,16 @@ in
   systemd.services.forgejo.preStart =
     let
       exe = lib.getExe config.services.forgejo.package;
-      portunus = config.services.portunus;
+      basedn = "ou=users,dc=ifsr,dc=de";
-      basedn = "ou=users,${portunus.ldap.suffix}";
       ldapConfigArgs = ''
         --name LDAP \
         --active \
         --security-protocol unencrypted \
-        --host '${portunus.domain}' \
+        --host 'auth.ifsr.de' \
         --port 389 \
         --user-search-base '${basedn}' \
         --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
-        --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
+        --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
         --username-attribute uid \
         --firstname-attribute givenName \
         --surname-attribute sn \

modules/hedgedoc.nix

@@ -54,9 +54,9 @@ in
         # ldap auth
         ldap = rec {
           url = "ldap://localhost";
-          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+          searchBase = "ou=users,dc=ifsr,dc=de";
           searchFilter = "(uid={{username}})";
-          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+          bindDn = "uid=search,${searchBase}";
           bindCredentials = "\${LDAP_CREDENTIALS}";
           useridField = "uid";
           providerName = "iFSR";

modules/kanboard.nix

@@ -5,7 +5,7 @@ let
 in
 {
   sops.secrets."kanboard_env" = { };
-  
+
   virtualisation.oci-containers = {
     containers.kanboard = {
       image = "ghcr.io/kanboard/kanboard:v1.2.36";

modules/ldap/default.nix

@@ -1,90 +1,175 @@
 { config, pkgs, system, ... }:
 let
   domain = "auth.${config.networking.domain}";
-  seedSettings = {
+  # seedSettings = {
-    groups = [
+  #   groups = [
-      {
+  #     {
-        name = "admins";
+  #       name = "admins";
-        long_name = "Portunus Admin";
+  #       long_name = "Portunus Admin";
-        members = [ "admin" ];
+  #       members = [ "admin" ];
-        permissions.portunus.is_admin = true;
+  #       permissions.portunus.is_admin = true;
-      }
+  #     }
-      {
+  #     {
-        name = "search";
+  #       name = "search";
-        long_name = "LDAP search group";
+  #       long_name = "LDAP search group";
-        members = [ "search" ];
+  #       members = [ "search" ];
-        permissions.ldap.can_read = true;
+  #       permissions.ldap.can_read = true;
-      }
+  #     }
-      {
+  #     {
-        name = "fsr";
+  #       name = "fsr";
-        long_name = "Mitglieder des iFSR";
+  #       long_name = "Mitglieder des iFSR";
-      }
+  #     }
-    ];
+  #   ];
-    users = [
+  #   users = [
-      {
+  #     {
-        login_name = "admin";
+  #       login_name = "admin";
-        given_name = "admin";
+  #       given_name = "admin";
-        family_name = "admin";
+  #       family_name = "admin";
-        password.from_command = [
+  #       password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
+  #         "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/admin-password".path
+  #         config.sops.secrets."portunus/admin-password".path
-        ];
+  #       ];
-      }
+  #     }
-      {
+  #     {
-        login_name = "search";
+  #       login_name = "search";
-        given_name = "search";
+  #       given_name = "search";
-        family_name = "search";
+  #       family_name = "search";
-        password.from_command = [
+  #       password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
+  #         "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/search-password".path
+  #         config.sops.secrets."portunus/search-password".path
-        ];
+  #       ];
-      }
+  #     }
-    ];
+  #   ];
-  };
+  # };
 in
 {
-  sops.secrets = {
+  # sops.secrets = {
-    "portunus/admin-password".owner = config.services.portunus.user;
+  #   "portunus/admin-password".owner = config.services.portunus.user;
-    "portunus/search-password".owner = config.services.portunus.user;
+  #   "portunus/search-password".owner = config.services.portunus.user;
-  };
+  # };
 
-  services.portunus = {
+  # services.portunus = {
+  #   enable = true;
+  #   package = pkgs.portunus.overrideAttrs (_old: {
+  #     patches = [
+  #       ./0001-update-user-validation-regex.patch
+  #       ./0002-both-ldap-and-ldaps.patch
+  #       ./0003-gecos-ascii-escape.patch
+  #       ./0004-make-givenName-optional.patch
+  #     ];
+  #     doCheck = false; # posix regex related tests break
+  #   });
+
+  #   inherit domain seedSettings;
+  #   port = 8681;
+  #   ldap = {
+  #     suffix = "dc=ifsr,dc=de";
+  #     searchUserName = "search";
+
+  #     # normally disables port 389 (but not with our patch), use 636 with tls
+  #     # `portunus.domain` resolves to localhost
+  #     tls = true;
+  #   };
+  # };
+  services.openldap = {
     enable = true;
-    package = pkgs.portunus.overrideAttrs (_old: {
+    urlList = [ "ldap:///" "ldaps:///" ];
-      patches = [
+    settings = {
-        ./0001-update-user-validation-regex.patch
+      attrs = {
-        ./0002-both-ldap-and-ldaps.patch
+        olcLogLevel = "conns";
-        ./0003-gecos-ascii-escape.patch
-        ./0004-make-givenName-optional.patch
-      ];
-      doCheck = false; # posix regex related tests break
-    });
 
-    inherit domain seedSettings;
+        olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
-    port = 8681;
+        olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
-    ldap = {
+        olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
-      suffix = "dc=ifsr,dc=de";
+        # olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
-      searchUserName = "search";
+        olcTLSCRLCheck = "none";
+        olcTLSVerifyClient = "never";
+        olcTLSProtocolMin = "3.1";
 
-      # normally disables port 389 (but not with our patch), use 636 with tls
+      };
-      # `portunus.domain` resolves to localhost
+      children = {
-      tls = true;
+        "cn=schema".includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          # attributetype ( 9999.1.1 NAME 'isMemberOf'
+          # DESC 'back-reference to groups this user is a member of'
+          # SUP distinguishedName )
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          "${pkgs.openldap}/etc/schema/nis.ldif"
+          # "${pkgs.writeText "openssh.schema" ''
+          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
+          # 		DESC 'SSH public key used by this user'
+          # 		SUP name )
+          # ''}"
+        ];
+
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/data";
+
+            olcSuffix = "dc=ifsr,dc=de";
+
+            /* your admin account, do not use writeText on a production system */
+            olcRootDN = "cn=portunus,dc=ifsr,dc=de";
+            olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+
+            olcAccess = [
+              /* custom access rules for userPassword attributes */
+              ''{0}to attrs=userPassword
+                by self write
+                by anonymous auth
+                by * none''
+
+              /* allow read on anything else */
+              ''{1}to *
+                 by dn.base="cn=portunus,dc=ifsr,dc=de" write
+                 by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
+                 by self read
+                 by anonymous auth
+            ''
+            ];
+          };
+          children = {
+            "olcOverlay={2}memberof".attrs = {
+              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
+              olcOverlay = "{2}memberof";
+              olcMemberOfRefInt = "TRUE";
+              olcMemberOfDangling = "ignore";
+              olcMemberOfGroupOC = "groupOfNames";
+              olcMemberOfMemberAD = "member";
+              olcMemberOfMemberOfAD = "memberOf";
+            };
+          };
+        };
+      };
     };
   };
 
+  systemd.services.openldap = {
+    wants = [ "acme-${domain}.service" ];
+    after = [ "acme-${domain}.service" ];
+  };
+  # security.acme.defaults.group = "certs";
+  # users.groups.certs.members = [ "openldap" ];
+  # certificate permissions
+  users.users.openldap.extraGroups = [ "nginx" ];
+
   security.pam.services.sshd.makeHomeDir = true;
 
   services.nginx = {
     enable = true;
-    virtualHosts."${config.services.portunus.domain}" = {
+    virtualHosts."${domain}" = {
-      locations = {
+      # locations = {
-        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+      #   "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-      };
+      # };
     };
   };
   networking.firewall = {
     extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+      ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
     '';
   };
 }

modules/matrix/default.nix

@@ -96,22 +96,21 @@ in
       extraConfigFiles = [
         (pkgs.writeTextFile {
           name = "matrix-synapse-extra-config.yml";
-          text = let portunus = config.services.portunus; in
+          text = ''
-            ''
+            modules:
-              modules:
+              - module: ldap_auth_provider.LdapAuthProviderModule
-                - module: ldap_auth_provider.LdapAuthProviderModule
+                config:
-                  config:
+                  enabled: true
-                    enabled: true
+                  uri: ldap://localhost
-                    uri: ldap://localhost
+                  base: ou=users,dc=ifsr,dc=de
-                    base: ou=users,${portunus.ldap.suffix}
+                  # taken from kaki config
-                    # taken from kaki config
+                  attributes:
-                    attributes:
+                    uid: uid
-                      uid: uid
+                    mail: uid
-                      mail: uid
+                    name: cn
-                      name: cn
+                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
-                    bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
-                    bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+          '';
-            '';
         })
       ];
     };

modules/nextcloud.nix

@@ -59,7 +59,7 @@ in
       occ = lib.getExe config.services.nextcloud.occ;
       ldapConfig = rec {
         ldapAgentName = "uid=search,ou=users,${ldapBase}";
-        ldapBase = config.services.portunus.ldap.suffix;
+        ldapBase = "dc=ifsr,dc=de";
         ldapBaseGroups = "ou=groups,${ldapBase}";
         ldapBaseUsers = "ou=users,${ldapBase}";
         ldapConfigurationActive = "1";