[Draft] Basic LDAP/Portunus config #12
39
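--- /dev/null
+++ b/config/portunus_seeds.json
@@ -0,0 +1,39 @@
+{
+"groups": [
+{
+"name": "admins",
+"long-name": "Portunus Admins",
+"members": ["admin"],
+"permissions": {
+"portunus": { "is-admin": true },
+"ldap": { "can-read": true }
+}
+},
+{
+"name": "ifsr",
+"long-name": "Mitglieder des ifsr",
+"members": [],
+"permissions": {
+"portunus": { "is-admin": false },
+"ldap": { "can-read": false }
+}
+},
+{
+"name": "strukturer",
+"long-name": "Strukturer des ifsr",
+"members": [],
+"permissions": {
+"portunus": { "is-admin": false },
+"ldap": { "can-read": false }
+}
+}
+],
+"users": [
+{
+"login_name": "admin",
+"given_name": "admin",
+"family_name": "admin",
+"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+}
+]
+}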
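Review bot: `from_command` hands Portunus whatever `cat` prints, so if the decrypted `/run/secrets/portunus_admin` ends with a newline that byte may become part of the admin password unless Portunus trims trailing whitespace — worth confirming once with a real login, or making sure the sops value is stored without a trailing newline. As I understand Portunus seeding, seeded users are re-applied on every service start, so this admin's password is reset from the secret at each restart and any change made to it through the UI is overwritten; JSON cannot carry a comment, so a one-line note next to `seedPath` in the Nix module would spare the next maintainer that surprise. The `admins` group also grants `ldap.can-read`, which means this one secret is both the web-UI admin login and a read-everything LDAP bind credential, so it deserves the same handling as the other service passwords in `secrets.yaml`.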
26
flake.lock
@ -69,34 +69,34 @@
"type": "github"
"type": "github"
}
}
},
},
"nixpkgs-22_05": {
"nixpkgs-stable": {
"locked": {
"locked": {
"lastModified": 1668307144,
"lastModified": 1670146390,
"narHash": "sha256-uY2StvGJvTfgtLaiz3uvX+EQeWZDkiLFiz2vekgJ9ZE=",
"narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
"owner": "NixOS",
"owner": "NixOS",
"repo": "nixpkgs",
"repo": "nixpkgs",
"rev": "eac99848dfd869e486573d8272b0c10729675ca2",
"rev": "86370507cb20c905800527539fc049a2bf09c667",
"type": "github"
"type": "github"
},
},
"original": {
"original": {
"owner": "NixOS",
"owner": "NixOS",
"ref": "release-22.05",
"ref": "release-22.11",
"repo": "nixpkgs",
"repo": "nixpkgs",
"type": "github"
"type": "github"
}
}
},
},
"nixpkgs_2": {
"nixpkgs_2": {
"locked": {
"locked": {
"lastModified": 1668595291,
"lastModified": 1671215800,
"narHash": "sha256-j8cyfbtT5sAYPYwbERgTDzfD48ZernL0/V668eGpXAM=",
"narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=",
"owner": "nixos",
"owner": "nixos",
"repo": "nixpkgs",
"repo": "nixpkgs",
"rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
"rev": "9d692a724e74d2a49f7c985132972f991d144254",
"type": "github"
"type": "github"
},
},
"original": {
"original": {
"owner": "nixos",
"owner": "nixos",
"ref": "nixos-22.05",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"repo": "nixpkgs",
"type": "github"
"type": "github"
}
}
@ -113,14 +113,14 @@
"nixpkgs": [
"nixpkgs": [
"nixpkgs"
"nixpkgs"
],
],
"nixpkgs-22_05": "nixpkgs-22_05"
"nixpkgs-stable": "nixpkgs-stable"
},
},
"locked": {
"locked": {
"lastModified": 1668311578,
"lastModified": 1670149631,
"narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=",
"narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
"owner": "Mic92",
"owner": "Mic92",
"repo": "sops-nix",
"repo": "sops-nix",
"rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb",
"rev": "da98a111623101c64474a14983d83dad8f09f93d",
"type": "github"
"type": "github"
},
},
"original": {
"original": {
@ -1,6 +1,6 @@
{
{
inputs = {
inputs = {
nixpkgs.url = github:nixos/nixpkgs/nixos-22.05;
nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
sops-nix.url = github:Mic92/sops-nix;
sops-nix.url = github:Mic92/sops-nix;
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
fsr-infoscreen.url = github:fsr/infoscreen;
fsr-infoscreen.url = github:fsr/infoscreen;
@ -59,6 +59,7 @@
./modules/options.nix
./modules/options.nix
./modules/base.nix
./modules/base.nix
./modules/sops.nix
./modules/sops.nix
./modules/ldap.nix
# ./modules/keycloak.nix replaced by portunus
# ./modules/keycloak.nix replaced by portunus
./modules/nginx.nix
./modules/nginx.nix
./modules/hedgedoc.nix
./modules/hedgedoc.nix
67
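--- /dev/null
+++ b/modules/ldap.nix
@@ -0,0 +1,67 @@
+{ config, ... }:
+let
+domain = "auth.${config.fsr.domain}";
+
+portunusUser = "portunus";
+portunusGroup = "portunus";
+
+ldapUser = "openldap";
+ldapGroup = "openldap";
+in
+{
+users.users."${portunusUser}" = {
+isSystemUser = true;
+group = "${portunusGroup}";
+};
+
+users.groups."${portunusGroup}" = {
+name = "${portunusGroup}";
+members = [ "${portunusUser}" ];
+};
+
+users.users."${ldapUser}" = {
+isSystemUser = true;
+group = "${ldapGroup}";
+};
+
+users.groups."${ldapGroup}" = {
+name = "${ldapGroup}";
+members = [ "${ldapUser}" ];
+};
+
+sops.secrets."portunus_admin" = {
+owner = "${portunusUser}";
+group = "${portunusGroup}";
+};
+
+services.portunus = {
+enable = true;
+user = "${portunusUser}";
+group = "${portunusGroup}";
+domain = "${domain}";
+ldap = {
+user = "${ldapUser}";
+group = "${ldapGroup}";
+suffix = "dc=ifsr,dc=de";
+tls = true;
+};
+
+seedPath = ../config/portunus_seeds.json;
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."${config.services.portunus.domain}" = {
+forceSSL = true;
+enableACME = true;
+locations = {
+"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+};
+};
+};
+
+networking.firewall.allowedTCPPorts = [
+80 # http
+443 # https
+];
+}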
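Review bot: `seedPath = ../config/portunus_seeds.json;` copies the seed file into the Nix store, which is world-readable, so that file must never carry a literal password; the current seed keeps the invariant by reading the secret through `from_command`, and it is worth pinning with a comment on that line, e.g. `# seed is copied into the world-readable store: passwords only via from_command`. `ldap.tls = true` makes slapd serve LDAPS (port 636 in the upstream module, as far as I know), while `networking.firewall.allowedTCPPorts` opens only 80 and 443, so the directory is reachable only from this host; if that is intended, a comment saying so would stop someone from opening 636 casually, and if remote LDAP clients are expected, 636 must be opened deliberately and the groups' `can-read` flags revisited. The `sops.secrets."portunus_admin"` owner is `${portunusUser}`, which matches the user the seed's `cat` runs as, so the default 0400 mode is enough there.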
@ -4,6 +4,7 @@ postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
mediawiki:
mediawiki:
postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@ -23,8 +24,8 @@ sops:
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
-----END AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-18T15:28:28Z"
lastmodified: "2022-12-17T17:42:18Z"
mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str]
mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str]
pgp:
pgp:
- created_at: "2022-11-18T16:37:48Z"
- created_at: "2022-11-18T16:37:48Z"
enc: |
enc: |
potential security risk
should be nix path