materus
/
nixos-config
mirror of https://github.com/materusPL/nixos-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

waffentrager: config lldap

This commit is contained in:
Mateusz Słodkowicz 2024-07-13 15:44:07 +02:00
parent 6a1700f0b7
commit 7abe845c5a
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
7 changed files with 66 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configurations/host/waffentrager/secrets/secrets.yaml
View File

@ -1,5 +1,6 @@
wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str] wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str] nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str] elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
users: users:
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str] materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@ -18,8 +19,8 @@ sops:
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA== ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-12T11:21:33Z" lastmodified: "2024-07-13T12:05:20Z"
mac: ENC[AES256_GCM,data:TbWjHvrJAB55AjFsbOK/IPb7v4wzqL2JGLvnNTr+ah/c2brdlq6DWeAF2+HA3FpLRt2a0MajwMTCsconoe8hW6Am/WO0FJBoYlneLAl/RlAv7BYfyorTD/Vyp9am7ml5T3f2pdYdsw1k/5RSn1ulUg43vSgi5es5Co8CtzC5hPE=,iv:+V48Azrr9yArwqNi3POYh7QaRMfUreCf7Bmv7kjV9qo=,tag:HDcMMCnyfVQRHTQJZB0R3Q==,type:str] mac: ENC[AES256_GCM,data:riF06orRD54Du67YKNk8Onn5s7polwl7Awj7SQptR29LawkSUkSA98PPBJrY581656ooLwo3NbBnQWOxvSYM3Wlt8FlgbjsTwKf3/WVARRkkMLNVL8s0ALK646dKZjhDzzeKAGOSKV96JLqiHr1snBhLw4IvZNuA8c03ieNVEls=,iv:52gnYT23YMWOdc5XhxMkF7V+0qXOctD9cbJEFK1rIWk=,tag:PlgIiNibP5xX2wqnDpZU5Q==,type:str]
pgp: pgp:
- created_at: "2024-03-21T18:15:00Z" - created_at: "2024-03-21T18:15:00Z"
enc: |- enc: |-

3
configurations/host/waffentrager/services/auth/default.nix
View File

@ -2,9 +2,10 @@
{ {
imports = imports =
[ [
./lldap.nix
]; ];
config = config =
{ {
waffentragerService.auth.lldap.enable = true;
}; };
} }

38
configurations/host/waffentrager/services/auth/lldap.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, pkgs, lib, materusArg, ... }:
{
options.waffentragerService.auth.lldap.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable lldap";
config =
let
cfg = config.waffentragerService.auth.lldap;
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
systemd.services.lldap = {
partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
serviceConfig = {
DynamicUser = lib.mkForce false;
WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
};
};
users.groups.lldap = { };
users.users.lldap = {
group = "lldap";
isSystemUser = true;
};
sops.secrets.jwt = { owner = "lldap"; group = "lldap";};
services.lldap.enable = true;
services.lldap.environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path;
};
services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl";
database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
http_url = "http://mamba.podkos.pl";
ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl";
key_seed = materusArg.waffentrager.lldap.seed;
};
};
}

4
configurations/host/waffentrager/services/elements.nix
View File

@ -5,6 +5,7 @@
options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; }; options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; }; options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; }; options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
config = config =
let let
cfg = config.waffentragerService.elements; cfg = config.waffentragerService.elements;
@ -27,6 +28,9 @@
'' + lib.optionalString config.waffentragerService.nextcloud.enable '' '' + lib.optionalString config.waffentragerService.nextcloud.enable ''
mkdir -p ${cfg.nextcloudDir} mkdir -p ${cfg.nextcloudDir}
chown -R nextcloud:nextcloud ${cfg.nextcloudDir} chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
'' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
mkdir -p ${cfg.lldapDir}
chown -R lldap:lldap ${cfg.lldapDir}
'' ''
; ;

12
configurations/host/waffentrager/services/samba.nix
View File

@ -7,6 +7,18 @@
cfg = config.waffentragerService.samba; cfg = config.waffentragerService.samba;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
systemd.services.samba-nmbd = {
partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
systemd.services.samba-wsdd = {
partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
services.samba-wsdd.enable = true; services.samba-wsdd.enable = true;
services.samba-wsdd.openFirewall = true; services.samba-wsdd.openFirewall = true;
services.samba = { services.samba = {

7
configurations/host/waffentrager/services/syncthing.nix
View File

@ -7,8 +7,15 @@
cfg = config.waffentragerService.syncthing; cfg = config.waffentragerService.syncthing;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port]; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedUDPPorts = [ 22000 21027 ]; networking.firewall.allowedUDPPorts = [ 22000 21027 ];
systemd.services.syncthing = {
partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ];
after = [ "elements-mount.service" ];
};
services = { services = {
syncthing = { syncthing = {
enable = true; enable = true;

BIN
configurations/profile/common/private/default.nix
View File

Binary file not shown.