waffentrager: lldap use postgresql

2024-07-13 19:02:17 +02:00
parent 7abe845c5a
commit ffa133d894
4 changed files with 41 additions and 7 deletions
@@ -7,6 +7,30 @@
in
lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
services.nginx.virtualHosts."mamba.podkos.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:17170";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
allow ${materusArg.ip-masks.wireguard.private};
allow 192.168.100.0/24;
deny all;
'';
};
};
systemd.services.lldap = {
partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ];
@@ -21,15 +45,23 @@
group = "lldap";
isSystemUser = true;
};
sops.secrets.jwt = { owner = "lldap"; group = "lldap";};
sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
services.lldap.enable = true;
services.lldap.environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path;
services.lldap.environmentFile = config.sops.templates."lldap.env".file;
sops.templates."lldap.env" = {
content = ''
LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
LLDAP_DATABASE_URL="postgres://lldap:${config.sops.placeholder."lldap-database"}@%2Fvar%2Frun%2Fpostgresql/lldap"
'';
owner = "lldap";
group = "lldap";
};
services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl";
database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
http_url = "http://mamba.podkos.pl";
#database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
http_url = "https://mamba.podkos.pl";
ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl";
key_seed = materusArg.waffentrager.lldap.seed;
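Review bot: The `LLDAP_DATABASE_URL` line splices `config.sops.placeholder."lldap-database"` into the connection URL verbatim, so a secret containing a URL-reserved character such as `@`, `/`, `:`, `#` or `%` would be parsed as part of the host or path instead of as the password and the connection would fail or be misrouted. The sops template cannot percent-encode the value at activation time, so the constraint should be stated next to the secret declaration, e.g. `# lldap-database is substituted raw into LLDAP_DATABASE_URL; keep it URL-safe (no @ / : # %)`, or the secret should be generated from an alphanumeric alphabet. Separately, the commented-out `#database_url = "sqlite://..."` line is now dead configuration; replacing it with a one-line comment such as `# database_url is supplied via LLDAP_DATABASE_URL in the sops-rendered lldap.env` would explain the absence to the next reader instead of leaving an stale alternative. The `services.lldap.settings` attrset continues past the end of this hunk.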
@@ -17,6 +17,7 @@
services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
'';
systemd.services.postgresql = {
partOf = [ "elements-mount.service" ];
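Review bot: The `local all all trust` rule in `services.postgresql.authentication` lets any local OS user connect over the Unix socket as any role, including the superuser, with no password check; the rendered page drops the +/- markers, so whether this hunk adds that line or only the `systemd.services.postgresql` block below it cannot be told from the visible text. Since lldap now connects over `/var/run/postgresql` as a dedicated role with a sops-provisioned password, `trust` makes the `lldap-database` secret irrelevant for local connections, and the rule could be tightened to `local all all peer` (maps the `lldap` OS user to the `lldap` role, which matches because the service runs as that user) or `local all all scram-sha-256` so the provisioned password is actually verified. The role and database creation for lldap are not in the visible hunks, so they are presumably in one of the other changed files.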