From ffa133d894493115fb9f2efe99eeb061930330ac Mon Sep 17 00:00:00 2001
From: materus
Date: Sat, 13 Jul 2024 19:02:17 +0200
Subject: [PATCH] waffentrager: lldap use postgresql
---
 .../host/waffentrager/secrets/secrets.yaml | 5 ++-
 .../host/waffentrager/services/auth/lldap.nix | 42 +++++++++++++++---
 .../host/waffentrager/services/postgresql.nix | 1 +
 .../profile/common/private/default.nix | Bin 1052 -> 832 bytes
 4 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml
index fa7459c..8f96598 100644
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
@@ -1,6 +1,7 @@
 wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
 jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
+lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
 elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
 users:
 materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@@ -19,8 +20,8 @@ sops:
 eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
 ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-13T12:05:20Z"
- mac: ENC[AES256_GCM,data:riF06orRD54Du67YKNk8Onn5s7polwl7Awj7SQptR29LawkSUkSA98PPBJrY581656ooLwo3NbBnQWOxvSYM3Wlt8FlgbjsTwKf3/WVARRkkMLNVL8s0ALK646dKZjhDzzeKAGOSKV96JLqiHr1snBhLw4IvZNuA8c03ieNVEls=,iv:52gnYT23YMWOdc5XhxMkF7V+0qXOctD9cbJEFK1rIWk=,tag:PlgIiNibP5xX2wqnDpZU5Q==,type:str]
+ lastmodified: "2024-07-13T16:21:39Z"
+ mac: ENC[AES256_GCM,data:vVFnPSbCbekww0RVyGdztiUZT/A0VeH+eap3JD96tut7SNJddM2YMVDFYjZROR0qrNEnEFpBNrRZCDJXzBj6qvujDaaSRSjksehyipVKRo3JvHzwj6jqCwAgAJoFYFqKvM/b9Cz88ujKpMW6cm0RKNcf56sITOi06UWtZSGdbxg=,iv:SlFXlEEbgBVIIuhjpR/Eleae34k46Ah3SSsf9fY66NU=,tag:QDqV/vXdhDAPYTTK3x3YTA==,type:str]
 pgp:
 - created_at: "2024-03-21T18:15:00Z"
 enc: |-
diff --git a/configurations/host/waffentrager/services/auth/lldap.nix b/configurations/host/waffentrager/services/auth/lldap.nix
index 753816f..6fea603 100644
--- a/configurations/host/waffentrager/services/auth/lldap.nix
+++ b/configurations/host/waffentrager/services/auth/lldap.nix
@@ -7,6 +7,30 @@ in lib.mkIf cfg.enable {
 waffentragerService.elements.enable = true;
+ waffentragerService.nginx.enable = true;
+ services.nginx.virtualHosts."mamba.podkos.pl" = {
+ forceSSL = true;
+ http3 = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:17170";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ allow ${materusArg.ip-masks.wireguard.private};
+ allow 192.168.100.0/24;
+ deny all;
+ '';
+ };
+ };
+
 systemd.services.lldap = {
 partOf = [ "elements-mount.service" ];
 requires = [ "elements-mount.service" ];
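Review bot: The `allow`/`deny` list in `locations."/"` restricts only what reaches nginx; the lldap HTTP listener behind `proxyPass = "http://127.0.0.1:17170"` is not covered by it, so the restriction only holds if lldap itself is bound to loopback. The settings hunk later in this patch sets no `http_host`, so unless it is set elsewhere in the file, add `services.lldap.settings.http_host = "127.0.0.1";` next to `http_url`, and give the LDAP listener the same consideration. The `lib.mkIf cfg.enable` attribute set this hunk edits starts and ends outside the hunk.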
@@ -21,15 +45,23 @@
 group = "lldap";
 isSystemUser = true;
 };
- sops.secrets.jwt = { owner = "lldap"; group = "lldap";};
+ sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
+ sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
 services.lldap.enable = true;
- services.lldap.environment = {
- LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path;
+ services.lldap.environmentFile = config.sops.templates."lldap.env".file;
+ sops.templates."lldap.env" = {
+ content = ''
+ LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
+ LLDAP_DATABASE_URL="postgres://lldap:${config.sops.placeholder."lldap-database"}@%2Fvar%2Frun%2Fpostgresql/lldap"
+ '';
+ owner = "lldap";
+ group = "lldap";
 };
+
 services.lldap.settings = {
 ldap_base_dn = "dc=podkos,dc=pl";
- database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
- http_url = "http://mamba.podkos.pl";
+ #database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
+ http_url = "https://mamba.podkos.pl";
 ldap_user_dn = "master";
 ldap_user_email = "materus@podkos.pl";
 key_seed = materusArg.waffentrager.lldap.seed;
diff --git a/configurations/host/waffentrager/services/postgresql.nix b/configurations/host/waffentrager/services/postgresql.nix
index 4e38823..418c94e 100644
--- a/configurations/host/waffentrager/services/postgresql.nix
+++ b/configurations/host/waffentrager/services/postgresql.nix
@@ -17,6 +17,7 @@
 services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
 local all all trust
 host all all 127.0.0.1/32 scram-sha-256
+ host all all ::1/128 scram-sha-256
 '';
 systemd.services.postgresql = {
 partOf = [ "elements-mount.service" ];
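Review bot: `services.lldap.environmentFile = config.sops.templates."lldap.env".file;` appears to reference the wrong artifact: if I read sops-nix's template options correctly, `templates.<name>.file` is the Nix-store copy of the template that still contains the literal placeholder, while `templates.<name>.path` is the rendered file with the secret substituted, so lldap would start with an `LLDAP_DATABASE_URL` whose password is the placeholder string. This would not fail visibly because the URL targets the unix socket, which `postgresql.nix` authenticates with `trust`, so no password is ever checked; the line should read `services.lldap.environmentFile = config.sops.templates."lldap.env".path;`. Separately, `${config.sops.placeholder."lldap-database"}` is spliced into the URL without percent-encoding, so the secret must not contain characters such as `@`, `/`, `:`, `#` or `%`; either generate it from a URL-safe alphabet or record that constraint in a comment above `content`. The `services.lldap.settings` block continues past the end of the hunk.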
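Review bot: The new `host all all ::1/128 scram-sha-256` entry is consistent with the IPv4 loopback line above it, but the `local all all trust` rule it sits under is exactly what the unix-socket URL in lldap.nix from this same patch will hit, and `trust` means no credential is checked there at all: any local OS user can open a socket connection as the `lldap` role, and the password added to secrets.yaml is never verified. Consider `local all all scram-sha-256` (lldap already supplies a password) or `local all all peer` with a user-name map for the service accounts. Since `pkgs.lib.mkOverride 10` replaces the module's default rules wholesale, a short comment above the string stating why socket connections are trusted would help the next reader. The enclosing attribute set starts and ends outside the hunk.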
diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index e9155cc5e54201e0c878d3980fd0a5bcb63209d4..b8141edc084f1283694ed15d555c21ffee91f0f0 100644 GIT binary patch literal 832 zcmV-G1Hb$LM@dveQdv+`06fJ}I!~EPb-irB&pr&zckr_FrxHF2;}}7H zFR{Mo(4IhlnmBSpHNZQ!=yF%yc5Ihy(HT;UB(x4lYv8NGd=Ug?sne;d`mCK~ug>@bw=ox zyQFq3Okk>7M3_Q%ZR`{*9x<1RHb=%bTv_> zY!0ss;n6{EAC3qch-uO{L4GB11>(6aGy4%;y@y4L?6Tr}A`Km@nZ@Jh@>7y=@|>G{ zbTbWD4sw*eja(Fs*&vDV+lj%FDl?Y8hTYI-42Rm{zqOYzi8^PvqV!hEJi$eLu$b9N zg$6>DnOnS}Hs5Fp_qt-SwJ9%(0xKm?1q!iXL~U24nCR&J0{D4IBkjoqM5hQ2#&I;+ zU&b2*aooBt{seeOWr+d<%=T*f2i$htlgITP_JQEK?jM&VLn}=w#i1TUl0w)Cg$6Dg zF}fjF4pdN~!?>|9a>Md-M^_x(H|$D;j4DBW87m5_0Q;UkG3E=yh04j<>5ooWK>b2n z18=pHt5w5rmFvXbf$P_0@#?;hZ4%ymDY*l^(tIT+MBAhP?8w~tWp$YwyIRDJ+H2Y{ z7#%-n&X~?hm(e%F48#gG5;o%P=hwxVi{5V$_2(1Nz_VphR-_Hq{*HmJEz^2M7yh1B zbkX+4#;f=KRGSF>7{uVRni(jy)>mg%-OzCkI=oirpRNGoGum^$wOj z=gI^nkgrVqi4bR-(}4-j#3@dEOBBIw=?8>5uYQ@!-a@qp!6CSL3*TwpF$|>ta(Yom z*uJ@t{M(x9_QhK1LDE!M_jfvx6|(<-XOAWRAKy`B`h7zj_V$xnem}WKtm4W)8nB?W z$N%NDN3y#m%gs1u7L13W1OBKZ3ff*N2(R#KaLPDeji^cY$Wcx(IUVVl9oK+Yi;Kb? zJ#-dWT#=o?jmJNmCzAQx)%10kOBb3?zA1l)sq{=`@(wWXffjFxX-IkzZOeEUS{+7w zB<3s2gp=E+72^i9B!B!(>x2_d?c$hqbwbYWPskRR^|~%F?FJ@weO`EfS&L-ZikU3i z10otxZA6o|t42@SE)q*F%PW*HXeZ2jB7}_W65((#p1WSWycwR=q9>DG#guovx7;U8 zmSWTvaWGC-puJEQ&kb=kf<;W64g69T_|n%+7J zQ;9(~xVHMw5SGMOEc~M(?^g!ftOhY(dOs5fGom-J-&`h;e49AD zx`Y>06iUJTrvI#(|Md;Up8uhb9yx#nR$e68Slsr{ei8Ni#(Tbs@#SX!LJXM0Rg2Zz zqo`5xu<%z_>K0SNpHX4fT5y41$Bx&BzV0qfq-VJCF+MpTMapG|Q5(-&rQ;W|HXvW- zqC4%U@!v`Z^in5}@F68i99tGf*_kUM;x>Fb^bnJcEh-!ZZSrD+u7-g+B4R_-;(}?Eu{)L;O!e5^vF=!u2A8k&-$XmKZL0bzLOdv1 zBN6sHi)&hfUD6cj)&?P-lLB_&Iz1`nL0Mi9y2W)1_O547tyEK!m)^dU!ZtVw{`&}5 zMP3{1MAIN`%%OmLGZcU=pG3K>Z)U6M-L~&!uaRY=@2-*<;bMhgi=!2WFOjLu=N_Md W6DzKtI|1OIy2&nogi#6F0CBubx)U4#