waffentrager: updates to use ldap and postgres, fix samba characters

This commit is contained in:
2024-07-22 15:31:57 +02:00
parent f833382298
commit 3dc734957e
9 changed files with 127 additions and 33 deletions
@@ -0,0 +1,80 @@
{ config, pkgs, lib, materusArg, ... }:
{
options.waffentragerService.auth.authelia.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable authelia";
config =
let
cfg = config.waffentragerService.auth.authelia;
port = 9091;
in
lib.mkIf cfg.enable {
sops.secrets."authelia-storagekey" = { owner = "authelia"; };
sops.secrets."authelia-database" = { owner = "authelia"; };
sops.secrets."ldap-master" = { owner = "authelia"; };
users.users.authelia = {
group = "lldap";
isSystemUser = true;
};
services.authelia.instances.main = {
enable = true;
user = "authelia";
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
};
secrets = {
jwtSecretFile = config.sops.secrets.jwt.path;
storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
};
settings = {
access_control = {
default_policy = "one_factor";
};
authentication_backend = {
ldap.url = "ldap://127.0.0.1:3890";
ldap.implementation = "custom";
ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
ldap.additional_users_dn = "OU=people";
ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
ldap.additional_groups_dn = "OU=groups";
ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
};
storage = {
postgres.host = "/var/run/postgresql";
postgres.port = "5432";
postgres.database = "authelia";
postgres.username = "authelia";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/tmp/test_notification.txt";
};
session = {
name = "materus-session";
domain = "materus.pl";
};
default_redirection_url = "https://materus.pl";
server.port = port;
};
};
services.nginx.virtualHosts."gatekeeper.materus.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
}
@@ -3,9 +3,11 @@
imports =
[
./lldap.nix
./authelia.nix
];
config =
{
waffentragerService.auth.lldap.enable = true;
waffentragerService.auth.authelia.enable = true;
};
}
@@ -45,7 +45,7 @@
group = "lldap";
isSystemUser = true;
};
sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
sops.secrets.jwt = { owner = "lldap"; group = "lldap"; mode = "0440"; };
sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
services.lldap.enable = true;
services.lldap.environmentFile = config.sops.templates."lldap.env".path;
@@ -60,6 +60,8 @@
services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl";
ldap_host = "127.0.0.1";
http_url = "https://mamba.podkos.pl";
ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl";
@@ -25,11 +25,11 @@
package = pkgs.nextcloud29;
hostName = "waffentrager.materus.pl";
home = config.waffentragerService.elements.nextcloudDir;
config.adminuser = "master";
config.adminuser = "nextcloud-master";
config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
config.dbtype = "pgsql";
extraAppsEnable = true;
maxUploadSize = "4G";
maxUploadSize = "8G";
https = true;
enableImagemagick = true;
configureRedis = true;
@@ -35,6 +35,9 @@
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
mangled names = no
dos charset = CP850
unix charset = UTF-8
'';
shares = {
materus = {
@@ -42,10 +45,10 @@
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"create mask" = "0770";
"directory mask" = "0770";
"force user" = "materus";
"force group" = "users";
"force group" = "nextcloud";
};
};
};
@@ -7,9 +7,7 @@
cfg = config.waffentragerService.syncthing;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
systemd.services.syncthing = {
partOf = [ "elements-mount.service" ];
@@ -20,6 +18,7 @@
syncthing = {
enable = true;
user = "materus";
group = "nextcloud";
dataDir = "${config.waffentragerService.elements.path}/storage/materus";
configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
};