From 7abe845c5a8d6d67f22da549c0b2bc5fedccf01b Mon Sep 17 00:00:00 2001
From: materus
Date: Sat, 13 Jul 2024 15:44:07 +0200
Subject: [PATCH] waffentrager: config lldap
---
 .../host/waffentrager/secrets/secrets.yaml | 5 ++-
 .../waffentrager/services/auth/default.nix | 3 +-
 .../host/waffentrager/services/auth/lldap.nix | 38 ++++++++++++++++++
 .../host/waffentrager/services/elements.nix | 4 ++
 .../host/waffentrager/services/samba.nix | 12 ++++++
 .../host/waffentrager/services/syncthing.nix | 7 ++++
 .../profile/common/private/default.nix | Bin 967 -> 1052 bytes
 7 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 configurations/host/waffentrager/services/auth/lldap.nix
diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml
index 708f09c..fa7459c 100644
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
@@ -1,5 +1,6 @@
 wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
+jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
 elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
 users:
 materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@@ -18,8 +19,8 @@ sops:
 eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
 ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-12T11:21:33Z"
- mac: ENC[AES256_GCM,data:TbWjHvrJAB55AjFsbOK/IPb7v4wzqL2JGLvnNTr+ah/c2brdlq6DWeAF2+HA3FpLRt2a0MajwMTCsconoe8hW6Am/WO0FJBoYlneLAl/RlAv7BYfyorTD/Vyp9am7ml5T3f2pdYdsw1k/5RSn1ulUg43vSgi5es5Co8CtzC5hPE=,iv:+V48Azrr9yArwqNi3POYh7QaRMfUreCf7Bmv7kjV9qo=,tag:HDcMMCnyfVQRHTQJZB0R3Q==,type:str]
+ lastmodified: "2024-07-13T12:05:20Z"
+ mac: ENC[AES256_GCM,data:riF06orRD54Du67YKNk8Onn5s7polwl7Awj7SQptR29LawkSUkSA98PPBJrY581656ooLwo3NbBnQWOxvSYM3Wlt8FlgbjsTwKf3/WVARRkkMLNVL8s0ALK646dKZjhDzzeKAGOSKV96JLqiHr1snBhLw4IvZNuA8c03ieNVEls=,iv:52gnYT23YMWOdc5XhxMkF7V+0qXOctD9cbJEFK1rIWk=,tag:PlgIiNibP5xX2wqnDpZU5Q==,type:str]
 pgp:
 - created_at: "2024-03-21T18:15:00Z"
 enc: |-
diff --git a/configurations/host/waffentrager/services/auth/default.nix b/configurations/host/waffentrager/services/auth/default.nix
index 7033a18..9bfab8a 100644
--- a/configurations/host/waffentrager/services/auth/default.nix
+++ b/configurations/host/waffentrager/services/auth/default.nix
@@ -2,9 +2,10 @@
 {
 imports = [
+ ./lldap.nix
 ];
 config = {
-
+ waffentragerService.auth.lldap.enable = true;
 };
 }
diff --git a/configurations/host/waffentrager/services/auth/lldap.nix b/configurations/host/waffentrager/services/auth/lldap.nix
new file mode 100644
index 0000000..753816f
--- /dev/null
+++ b/configurations/host/waffentrager/services/auth/lldap.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, materusArg, ... }:
+{
+ options.waffentragerService.auth.lldap.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable lldap";
+ config =
+ let
+ cfg = config.waffentragerService.auth.lldap;
+ in
+ lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+ systemd.services.lldap = {
+ partOf = [ "elements-mount.service" ];
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
+ };
+ };
+ users.groups.lldap = { };
+ users.users.lldap = {
+ group = "lldap";
+ isSystemUser = true;
+ };
+ sops.secrets.jwt = { owner = "lldap"; group = "lldap";};
+ services.lldap.enable = true;
+ services.lldap.environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path;
+ };
+ services.lldap.settings = {
+ ldap_base_dn = "dc=podkos,dc=pl";
+ database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
+ http_url = "http://mamba.podkos.pl";
+ ldap_user_dn = "master";
+ ldap_user_email = "materus@podkos.pl";
+ key_seed = materusArg.waffentrager.lldap.seed;
+ };
+ };
+}
diff --git a/configurations/host/waffentrager/services/elements.nix b/configurations/host/waffentrager/services/elements.nix
index f7b4dfa..bc09e1c 100644
--- a/configurations/host/waffentrager/services/elements.nix
+++ b/configurations/host/waffentrager/services/elements.nix
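Review bot: `key_seed = materusArg.waffentrager.lldap.seed;` is placed in `services.lldap.settings`, which, as far as I can tell from the NixOS lldap module, is rendered into a configuration file in the world-readable Nix store, so the seed that lldap derives its server keys from becomes readable by every local user and ends up in the evaluated closure. The commit already takes the right route for the JWT secret with `LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path;`, and the seed deserves the same treatment, e.g. a sops-managed environment file that sets `LLDAP_KEY_SEED` rather than a value in `settings`. The same attribute set sets `ldap_user_dn = "master"` with no `ldap_user_pass`, so unless it is supplied elsewhere the admin account starts with lldap's built-in default password; `LLDAP_LDAP_USER_PASS_FILE` pointing at a sops secret, next to the JWT line, would close that. `http_url = "http://mamba.podkos.pl"` is plain HTTP, which is only acceptable if a TLS-terminating proxy is what users actually reach, and a one-line comment stating that assumption would help the next reader.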
@@ -5,6 +5,7 @@
 options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
 options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
 options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
+ options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
 config =
 let
 cfg = config.waffentragerService.elements;
@@ -27,6 +28,9 @@
 '' + lib.optionalString config.waffentragerService.nextcloud.enable ''
 mkdir -p ${cfg.nextcloudDir}
 chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
+ '' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
+ mkdir -p ${cfg.lldapDir}
+ chown -R lldap:lldap ${cfg.lldapDir}
 '' ;
diff --git a/configurations/host/waffentrager/services/samba.nix b/configurations/host/waffentrager/services/samba.nix
index fd98ce7..5041e03 100644
--- a/configurations/host/waffentrager/services/samba.nix
+++ b/configurations/host/waffentrager/services/samba.nix
@@ -7,6 +7,18 @@
 cfg = config.waffentragerService.samba;
 in
 lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+
+ systemd.services.samba-nmbd = {
+ partOf = [ "elements-mount.service" ];
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
+ systemd.services.samba-wsdd = {
+ partOf = [ "elements-mount.service" ];
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
 services.samba-wsdd.enable = true;
 services.samba-wsdd.openFirewall = true;
 services.samba = {
diff --git a/configurations/host/waffentrager/services/syncthing.nix b/configurations/host/waffentrager/services/syncthing.nix
index 09d7722..986a2a9 100644
--- a/configurations/host/waffentrager/services/syncthing.nix
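Review bot: The added `mkdir -p ${cfg.lldapDir}` / `chown -R lldap:lldap ${cfg.lldapDir}` pair in the second elements.nix hunk creates the directory with whatever mode root's umask yields (commonly 0755) and never tightens it, yet lldap.nix in this same commit places `users.db`, the account and credential store, inside it. A `chmod 750 ${cfg.lldapDir}` after the chown would keep the directory from being listable by other local users; the nextcloud block this was copied from has the same gap. The shell string these lines sit in starts and ends outside the hunk.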
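Review bot: Only `samba-nmbd` and `samba-wsdd` are tied to `elements-mount.service` in the samba.nix hunk; if I recall the NixOS unit names correctly, the daemon that actually serves the shares is `samba-smbd`, and that is the unit that must not start before the mount is up, so a matching `systemd.services.samba-smbd = { partOf = [ "elements-mount.service" ]; requires = [ "elements-mount.service" ]; after = [ "elements-mount.service" ]; };` block appears to be missing. Without it smbd can come up against the bare mountpoint and export whatever sits beneath it until the mount lands. The enclosing `lib.mkIf cfg.enable { … }` continues past the hunk.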
+++ b/configurations/host/waffentrager/services/syncthing.nix
@@ -7,8 +7,15 @@
 cfg = config.waffentragerService.syncthing;
 in
 lib.mkIf cfg.enable {
+ waffentragerService.elements.enable = true;
+
 networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
 networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+ systemd.services.syncthing = {
+ partOf = [ "elements-mount.service" ];
+ requires = [ "elements-mount.service" ];
+ after = [ "elements-mount.service" ];
+ };
 services = {
 syncthing = {
 enable = true;
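Review bot: The `partOf` / `requires` / `after = [ "elements-mount.service" ]` triple added to `systemd.services.syncthing` is the fourth copy of the same three lines in this commit (lldap.nix, and samba-nmbd plus samba-wsdd in samba.nix), each of which also sets `waffentragerService.elements.enable = true;` by hand. A single definition in elements.nix, e.g. `elementsUnit = { partOf = [ "elements-mount.service" ]; requires = [ "elements-mount.service" ]; after = [ "elements-mount.service" ]; };` exposed to the other modules, or a list option that elements.nix expands into these unit settings, would keep the unit name and the enable coupling in one place. The `lib.mkIf cfg.enable {` attribute set continues beyond the hunk.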
diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index 89ecdb23a52b662b9c556c2fff4ec4eddd216498..e9155cc5e54201e0c878d3980fd0a5bcb63209d4 100644 GIT binary patch literal 1052 zcmV+%1mpVvM@dveQdv+`0Pn1X^p*2k=c^gE3cDoHwF(aAz;LA%$2vPnCje${IQwy@ z@bplxIYQ|kGQ!RX{!b;dtZJc~C~8_mE7a3&f$)F{{FA2pDJLd}!1WZLLR|M38oX!> z=gI^nkgrVqi4bR-(}4-j#3@dEOBBIw=?8>5uYQ@!-a@qp!6CSL3*TwpF$|>ta(Yom z*uJ@t{M(x9_QhK1LDE!M_jfvx6|(<-XOAWRAKy`B`h7zj_V$xnem}WKtm4W)8nB?W z$N%NDN3y#m%gs1u7L13W1OBKZ3ff*N2(R#KaLPDeji^cY$Wcx(IUVVl9oK+Yi;Kb? zJ#-dWT#=o?jmJNmCzAQx)%10kOBb3?zA1l)sq{=`@(wWXffjFxX-IkzZOeEUS{+7w zB<3s2gp=E+72^i9B!B!(>x2_d?c$hqbwbYWPskRR^|~%F?FJ@weO`EfS&L-ZikU3i z10otxZA6o|t42@SE)q*F%PW*HXeZ2jB7}_W65((#p1WSWycwR=q9>DG#guovx7;U8 zmSWTvaWGC-puJEQ&kb=kf<;W64g69T_|n%+7J zQ;9(~xVHMw5SGMOEc~M(?^g!ftOhY(dOs5fGom-J-&`h;e49AD zx`Y>06iUJTrvI#(|Md;Up8uhb9yx#nR$e68Slsr{ei8Ni#(Tbs@#SX!LJXM0Rg2Zz zqo`5xu<%z_>K0SNpHX4fT5y41$Bx&BzV0qfq-VJCF+MpTMapG|Q5(-&rQ;W|HXvW- zqC4%U@!v`Z^in5}@F68i99tGf*_kUM;x>Fb^bnJcEh-!ZZSrD+u7-g+B4R_-;(}?Eu{)L;O!e5^vF=!u2A8k&-$XmKZL0bzLOdv1 zBN6sHi)&hfUD6cj)&?P-lLB_&Iz1`nL0Mi9y2W)1_O547tyEK!m)^dU!ZtVw{`&}5 zMP3{1MAIN`%%OmLGZcU=pG3K>Z)U6M-L~&!uaRY=@2-*<;bMhgi=!2WFOjLu=N_Md W6DzKtI|1OIy2&nogi#6F0CBubx)U4# literal 967 zcmV;&133HuM@dveQdv+`05fhnS?MB!n2S4{mFCkTOi%-MGqL*N5gIL1fS|c!sSaIT@n^6X z<#|f|cSL19LDCAzjnrL2uyWG6zH!4}_qhtRUP5EKp#y9a1p3a8*7c3@<73CJujA)% zKiuVMB56RfpxD!8yrdowL4KN&<^w8rFXWTA)B#nULhN+$EYbThsim{i58TwuW!_KxWthDgi}=%?$&{|xh!)jx|-B!HS=*#u~yUo@{{KvJa51;TSN0vAFhc0Ii1uM(zN) z-=0DoyXiqlxmlNW#yG68GC#Agemk0*!y%tdiODG!2$N0fX(U5KAvJ7B`|mr5ejeg` z&G1M`VV@jdqqHv~i++VHLz#f%!W5Mw9=upAk{R;?K5eSGf0Ae_R`U_bj+zl%eFS)r ziO^10cNxVd<*DuGVxcyvhBb~GtUt{3P%T{dsx(PIs0Uk=^XjOqHm?(NYYQgpzuV~z zcoOxHky3pzG^rR-XgD4hcyk4B1zgBtXxbF4k^7cW8v1`NOsBo zmn@!z^O4Q`jp;Qr*dK4GyMuWV@(ix7*j@p~_>8YqnN3=XuYdBln=r8E^to`Or=2F9f)TYWpCp_e>`K z?-3M#dcBjjj#}oRn_bwqV3zoWz>?1_@54Qu8|V7IGPoafT2b+LsLiZIRMrY8K}Wwn*6a#CDHONcWX$BYx;DH pNdqpK{3r^ifk~~yPXAXon