wurzel/fruitbasket
10
1
Fork 1
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity

[Draft] Basic LDAP/Portunus config #12

Merged
hxlcyxn merged 16 commits from ldap into main 2022-12-17 20:54:56 +01:00
Conversation 0 Commits 16 Files changed 5 +50 -16
1 changed files with 50 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 29e69b67ed - Show all commits

62
modules/ldap.nix
View file

@ -3,31 +3,53 @@
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tld = "moe"; tld = "moe";
hostname = "eisvogel"; hostname = "eisvogel";
domain = "portunus.${hostname}.${tld}"; domain = "portunus.${hostname}.${tld}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
portunusUser = "portunus";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
portunusGroup = "portunus";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
ldapUser = "openldap";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
ldapGroup = "openldap";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
in { in {
# TODO: acme/letsencrypt oder andere lösung? users.users."${portunusUser}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
# isSystemUser = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
services.nginx = { group = "${portunusGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
enable = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
virtualHosts."${domain}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
forceSSL = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
enableACME = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
locations = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
}; };
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
users.groups."${portunusGroup}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
name = "${portunusGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
members = ["${portunusUser}"];
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
}; };
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
users.users."${ldapUser}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
isSystemUser = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
group = "${ldapGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
};
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
users.groups."${ldapGroup}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
name = "${ldapGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
members = ["${ldapUser}"];
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
};
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
# TODO: eigenes secrets.yaml für seedfile?
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
sops.secrets.portunus_seedfile = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
owner = "${portunusUser}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
group = "${portunusGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
}; };
services.portunus = { services.portunus = {
enable = true; enable = true;
user = "${portunusUser}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
group = "${portunusGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
domain = "${domain}"; domain = "${domain}";
ldap = { ldap = {
user = "${ldapUser}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
group = "${ldapGroup}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
suffix = "dc=${hostname},dc=${tld}"; suffix = "dc=${hostname},dc=${tld}";
tls = true; tls = true;
}; };
# TODO: siehe unten sops, statische config # TODO: wohin seed file?
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
# seedPath = ""; seedPath = "";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
# falls wir das brauchen # falls wir das brauchen
# dex = { # dex = {
@ -41,7 +63,20 @@ in {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
enable = true; enable = true;
server = "ldaps://${domain}"; server = "ldaps://${domain}";
base = "dc=${hostname},dc=${tld}"; base = "dc=${hostname},dc=${tld}";
# useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
};
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
# TODO: acme/letsencrypt oder andere lösung?
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
services.nginx = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
enable = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
virtualHosts."${config.services.portunus.domain}" = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
forceSSL = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
enableACME = true;
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
locations = {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
};
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
};
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -49,5 +84,4 @@ in {
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
443 # https 443 # https
636 # ldaps 636 # ldaps
]; ];
# TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
} }

tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path
tanneberger commented 2022-12-17 19:41:28 +01:00 (Migrated from github.com)
Review
Copy link

potential security risk

potential security risk
tanneberger commented 2022-12-17 19:41:48 +01:00 (Migrated from github.com)
Review
Copy link

should be nix path

should be nix path