waffentrager: lldap use postgresql

This commit is contained in:
Mateusz Słodkowicz 2024-07-13 19:02:17 +02:00
parent 7abe845c5a
commit ffa133d894
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
4 changed files with 41 additions and 7 deletions


@ -1,6 +1,7 @@
wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str] wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str] nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str] jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str] elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
users: users:
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str] materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@ -19,8 +20,8 @@ sops:
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA== ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-13T12:05:20Z" lastmodified: "2024-07-13T16:21:39Z"
mac: ENC[AES256_GCM,data:riF06orRD54Du67YKNk8Onn5s7polwl7Awj7SQptR29LawkSUkSA98PPBJrY581656ooLwo3NbBnQWOxvSYM3Wlt8FlgbjsTwKf3/WVARRkkMLNVL8s0ALK646dKZjhDzzeKAGOSKV96JLqiHr1snBhLw4IvZNuA8c03ieNVEls=,iv:52gnYT23YMWOdc5XhxMkF7V+0qXOctD9cbJEFK1rIWk=,tag:PlgIiNibP5xX2wqnDpZU5Q==,type:str] mac: ENC[AES256_GCM,data:vVFnPSbCbekww0RVyGdztiUZT/A0VeH+eap3JD96tut7SNJddM2YMVDFYjZROR0qrNEnEFpBNrRZCDJXzBj6qvujDaaSRSjksehyipVKRo3JvHzwj6jqCwAgAJoFYFqKvM/b9Cz88ujKpMW6cm0RKNcf56sITOi06UWtZSGdbxg=,iv:SlFXlEEbgBVIIuhjpR/Eleae34k46Ah3SSsf9fY66NU=,tag:QDqV/vXdhDAPYTTK3x3YTA==,type:str]
pgp: pgp:
- created_at: "2024-03-21T18:15:00Z" - created_at: "2024-03-21T18:15:00Z"
enc: |- enc: |-


@ -7,6 +7,30 @@
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
waffentragerService.elements.enable = true; waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
services.nginx.virtualHosts."mamba.podkos.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:17170";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
allow ${materusArg.ip-masks.wireguard.private};
allow 192.168.100.0/24;
deny all;
'';
};
};
systemd.services.lldap = { systemd.services.lldap = {
partOf = [ "elements-mount.service" ]; partOf = [ "elements-mount.service" ];
requires = [ "elements-mount.service" ]; requires = [ "elements-mount.service" ];
@ -21,15 +45,23 @@
group = "lldap"; group = "lldap";
isSystemUser = true; isSystemUser = true;
}; };
sops.secrets.jwt = { owner = "lldap"; group = "lldap";}; sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
services.lldap.enable = true; services.lldap.enable = true;
services.lldap.environment = { services.lldap.environmentFile = config.sops.templates."lldap.env".file;
LLDAP_JWT_SECRET_FILE = config.sops.secrets.jwt.path; sops.templates."lldap.env" = {
content = ''
LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
LLDAP_DATABASE_URL="postgres://lldap:${config.sops.placeholder."lldap-database"}@%2Fvar%2Frun%2Fpostgresql/lldap"
'';
owner = "lldap";
group = "lldap";
}; };
services.lldap.settings = { services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl"; ldap_base_dn = "dc=podkos,dc=pl";
database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc"; #database_url = "sqlite://${config.waffentragerService.elements.lldapDir}/users.db?mode=rwc";
http_url = "http://mamba.podkos.pl"; http_url = "https://mamba.podkos.pl";
ldap_user_dn = "master"; ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl"; ldap_user_email = "materus@podkos.pl";
key_seed = materusArg.waffentrager.lldap.seed; key_seed = materusArg.waffentrager.lldap.seed;
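Review bot: The database password is spliced verbatim into the connection string at `LLDAP_DATABASE_URL="postgres://lldap:${config.sops.placeholder."lldap-database"}@%2Fvar%2Frun%2Fpostgresql/lldap"`, so any `@`, `/`, `:`, `#` or `%` in the secret would be read as URL structure and the string would fail to parse (or name a different role/host) with no warning at build time. Since lldap only accepts a URL here, the constraint should at least be recorded next to the template, e.g. `# NOTE: the lldap-database secret is embedded in a URL; it must be URL-safe (percent-encode @ / : # %)`, and ideally the secret itself stored already percent-encoded. Because the URL targets the unix socket, whether the password is checked at all depends on the `local` rule in pg_hba (the postgresql section of this commit keeps `local all all trust`, under which it is not). The commented-out `#database_url = "sqlite://…"` under `settings` is now dead text; presumably the module default still lands in the config file and the env var wins, but that is inferred, so drop the line or replace it with a one-line comment pointing at `lldap.env`.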


@ -17,6 +17,7 @@
services.postgresql.authentication = pkgs.lib.mkOverride 10 '' services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
local all all trust local all all trust
host all all 127.0.0.1/32 scram-sha-256 host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
''; '';
systemd.services.postgresql = { systemd.services.postgresql = {
partOf = [ "elements-mount.service" ]; partOf = [ "elements-mount.service" ];
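Review bot: `local all all trust` is left in place while the new `host all all ::1/128 scram-sha-256` line only hardens TCP, so any local OS account can still open the unix socket as any role, including the superuser, with no credential; lldap itself connects through `%2Fvar%2Frun%2Fpostgresql`, so on the path this commit introduces the newly added password is never verified. Change the first rule to `local all all peer` (the `lldap` system user then maps to the `lldap` role by name) or to `local all all scram-sha-256` if the password is meant to be enforced. Since `mkOverride 10` replaces the module's default pg_hba wholesale, any admin access you rely on (e.g. the `postgres` user) must still be satisfied by the remaining rules after that change. The `systemd.services.postgresql` attrset that begins at the end of this hunk continues outside it.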