waffentrager: lldap changes

configurations/host/waffentrager/secrets/secrets.yaml

@@ -1,5 +1,7 @@
 wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
+jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
+lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
 elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
 users:
     materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@@ -18,8 +20,8 @@ sops:
             eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
             ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-12T11:21:33Z"
-    mac: ENC[AES256_GCM,data:TbWjHvrJAB55AjFsbOK/IPb7v4wzqL2JGLvnNTr+ah/c2brdlq6DWeAF2+HA3FpLRt2a0MajwMTCsconoe8hW6Am/WO0FJBoYlneLAl/RlAv7BYfyorTD/Vyp9am7ml5T3f2pdYdsw1k/5RSn1ulUg43vSgi5es5Co8CtzC5hPE=,iv:+V48Azrr9yArwqNi3POYh7QaRMfUreCf7Bmv7kjV9qo=,tag:HDcMMCnyfVQRHTQJZB0R3Q==,type:str]
+    lastmodified: "2024-07-13T16:21:39Z"
+    mac: ENC[AES256_GCM,data:vVFnPSbCbekww0RVyGdztiUZT/A0VeH+eap3JD96tut7SNJddM2YMVDFYjZROR0qrNEnEFpBNrRZCDJXzBj6qvujDaaSRSjksehyipVKRo3JvHzwj6jqCwAgAJoFYFqKvM/b9Cz88ujKpMW6cm0RKNcf56sITOi06UWtZSGdbxg=,iv:SlFXlEEbgBVIIuhjpR/Eleae34k46Ah3SSsf9fY66NU=,tag:QDqV/vXdhDAPYTTK3x3YTA==,type:str]
     pgp:
         - created_at: "2024-03-21T18:15:00Z"
           enc: |-

configurations/host/waffentrager/services/auth/default.nix

@@ -2,9 +2,10 @@
 {
   imports =
     [
+      ./lldap.nix
     ];
   config = 
     {
-
+      waffentragerService.auth.lldap.enable = true;
     };
 }

configurations/host/waffentrager/services/auth/lldap.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, materusArg, ... }:
+{
+  options.waffentragerService.auth.lldap.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable lldap";
+  config =
+    let
+      cfg = config.waffentragerService.auth.lldap;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+      waffentragerService.nginx.enable = true;
+      services.nginx.virtualHosts."mamba.podkos.pl" = {
+        forceSSL = true;
+        http3 = true;
+        sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
+        sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
+        sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:17170";
+          extraConfig = ''
+            proxy_set_header    Host                $host;
+            proxy_set_header    X-Real-IP           $remote_addr;
+            proxy_set_header    X-Forwarded-Ssl     on;
+            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto   $scheme;
+
+
+            allow ${materusArg.ip-masks.wireguard.private};
+            allow 192.168.100.0/24;
+            deny all;
+          '';
+        };
+      };
+
+      systemd.services.lldap = {
+        partOf = [ "elements-mount.service" ];
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+        serviceConfig = {
+          DynamicUser = lib.mkForce false;
+          WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
+        };
+      };
+      users.groups.lldap = { };
+      users.users.lldap = {
+        group = "lldap";
+        isSystemUser = true;
+      };
+      sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
+      sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
+      services.lldap.enable = true;
+      services.lldap.environmentFile = config.sops.templates."lldap.env".path;
+      sops.templates."lldap.env" = {
+        content = ''
+          LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
+          LLDAP_DATABASE_URL="postgres://lldap:${config.sops.placeholder."lldap-database"}@%2Fvar%2Frun%2Fpostgresql/lldap"
+        '';
+        owner = "lldap";
+        group = "lldap";
+      };
+
+      services.lldap.settings = {
+        ldap_base_dn = "dc=podkos,dc=pl";
+        http_url = "https://mamba.podkos.pl";
+        ldap_user_dn = "master";
+        ldap_user_email = "materus@podkos.pl";
+        key_seed = materusArg.waffentrager.lldap.seed;
+      };
+    };
+}

configurations/host/waffentrager/services/elements.nix

@@ -5,6 +5,7 @@
   options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
   options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
   options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
+  options.waffentragerService.elements.lldapDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/lldap"; };
   config =
     let
       cfg = config.waffentragerService.elements;
@@ -27,6 +28,9 @@
         '' + lib.optionalString config.waffentragerService.nextcloud.enable ''
           mkdir -p ${cfg.nextcloudDir}
           chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
+        '' + lib.optionalString config.waffentragerService.auth.lldap.enable ''
+          mkdir -p ${cfg.lldapDir}
+          chown -R lldap:lldap ${cfg.lldapDir}
         ''
 
         ;

configurations/host/waffentrager/services/postgresql.nix

@@ -17,6 +17,7 @@
       services.postgresql.authentication = pkgs.lib.mkOverride 10 ''
         local all all trust
         host all all 127.0.0.1/32 scram-sha-256
+        host all all ::1/128 scram-sha-256
       '';
       systemd.services.postgresql = {
         partOf = [ "elements-mount.service" ];

configurations/host/waffentrager/services/samba.nix

@@ -7,6 +7,18 @@
       cfg = config.waffentragerService.samba;
     in
     lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+
+      systemd.services.samba-nmbd = {
+        partOf = [ "elements-mount.service" ];
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
+      systemd.services.samba-wsdd = {
+        partOf = [ "elements-mount.service" ];
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
       services.samba-wsdd.enable = true;
       services.samba-wsdd.openFirewall = true;
       services.samba = {

configurations/host/waffentrager/services/syncthing.nix

@@ -7,8 +7,15 @@
       cfg = config.waffentragerService.syncthing;
     in
     lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+
       networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
       networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+      systemd.services.syncthing = {
+        partOf = [ "elements-mount.service" ];
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+      };
       services = {
         syncthing = {
             enable = true;