portunus: manage groups decleratively
parent
808cc29c6c
commit
0221f34859
|
@ -161,12 +161,30 @@
|
|||
security.ldap.domainComponent = [ "c3d2" "de" ];
|
||||
|
||||
services = {
|
||||
gitea.ldap = {
|
||||
adminGroup = "gitea-admins";
|
||||
userGroup = "gitea-users";
|
||||
};
|
||||
|
||||
gnome = {
|
||||
# less webkitgtk's
|
||||
evolution-data-server.enable = lib.mkForce false;
|
||||
gnome-initial-setup.enable = false;
|
||||
};
|
||||
|
||||
hedgedoc.ldap.userGroup = "hedgedoc-users";
|
||||
|
||||
hydra.ldap = {
|
||||
roleMappings = [
|
||||
{ hydra-admins = "admin"; }
|
||||
];
|
||||
userGroup = "hydra-users";
|
||||
};
|
||||
|
||||
mastodon.ldap.userGroup = "mastodon-users";
|
||||
|
||||
matrix-synapse.ldap.userGroup = "matrix-users";
|
||||
|
||||
nginx = {
|
||||
appendHttpConfig = ''
|
||||
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||
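Review bot: The new `services.<name>.ldap` defaults name groups (`gitea-admins`, `hedgedoc-users`, `hydra-admins`, `mastodon-users`, `matrix-users`) whose only definition in this commit was the deleted seed.json, while the inline `seedSettings.groups` in the portunus hunk keeps only `admins` and `search` and only grafana and home-assistant re-add their groups through `portunus.seedingSettings.groups`. Unless the module that consumes these options (outside this hunk) also seeds them into Portunus, the groups cease to exist and every `adminGroup`/`userGroup` filter built from them matches nobody. A comment above `services = {` naming where these groups are created, e.g. `# group names below are seeded into Portunus by <shared module path>`, would make that contract visible. The enclosing attribute set starts and ends outside the hunk.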
|
|
|
@ -42,7 +42,39 @@
|
|||
suffix = "dc=c3d2,dc=de";
|
||||
tls = true;
|
||||
};
|
||||
seedPath = ./seed.json;
|
||||
removeAddGroup = true;
|
||||
seedGroups = true;
|
||||
seedSettings = {
|
||||
groups = [
|
||||
{
|
||||
long_name = "Portunus Administrators";
|
||||
name = "admins";
|
||||
dont_manage_members = true;
|
||||
permissions.portunus.is_admin = true;
|
||||
}
|
||||
{
|
||||
long_name = "Search";
|
||||
name = "search";
|
||||
dont_manage_members = true;
|
||||
permissions.ldap.can_read = true;
|
||||
}
|
||||
];
|
||||
users = [
|
||||
{
|
||||
family_name = "Administrator";
|
||||
given_name = "Initial";
|
||||
login_name = "admin";
|
||||
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
|
||||
}
|
||||
{
|
||||
email = "search@c3d2.de";
|
||||
family_name = "-";
|
||||
given_name = "Search";
|
||||
login_name = "search";
|
||||
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
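Review bot: `removeAddGroup = true;` and `seedGroups = true;` appear without any comment and the hunk shows no option definition for them, so a reader cannot tell what is removed or what the seeding covers; a one-line comment above each (what `removeAddGroup` removes, and whether `seedGroups` replaces or merges with `seedSettings.groups`) would save the next maintainer a lookup. Moving the seed from seed.json into `seedSettings` presumably makes Nix serialise it into the store, so keeping the passwords behind `password.from_command` pointing at `/run/secrets/...` rather than inlining them is the right choice and deserves a comment stating that intent next to the first `password.from_command` line. The enclosing `services.portunus` block starts outside the hunk.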
|
|
|
@ -1,81 +0,0 @@
|
|||
{
|
||||
"groups": [
|
||||
{
|
||||
"long_name": "Portunus Administrators",
|
||||
"name": "admins",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {
|
||||
"portunus": { "is_admin": true }
|
||||
}
|
||||
},
|
||||
{
|
||||
"long_name": "Search",
|
||||
"name": "search",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {
|
||||
"ldap": { "can_read": true }
|
||||
}
|
||||
},
|
||||
{
|
||||
"long_name": "Gitea Administrators",
|
||||
"name": "gitea-admins",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Grafana Administrators",
|
||||
"name": "grafana-admins",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Hedgedoc Users",
|
||||
"name": "hedgedoc-users",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Home-Assistant Users",
|
||||
"name": "home-assistant-users",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Hydra Administrators",
|
||||
"name": "hydra-admins",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Mastodon Users",
|
||||
"name": "mastodon-users",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
},
|
||||
{
|
||||
"long_name": "Matrix Users",
|
||||
"name": "matrix-users",
|
||||
"dont_manage_members": true,
|
||||
"permissions": {}
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"family_name": "Administrator",
|
||||
"given_name": "Initial",
|
||||
"login_name": "admin",
|
||||
"password": {
|
||||
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
|
||||
}
|
||||
},
|
||||
{
|
||||
"email": "search@c3d2.de",
|
||||
"family_name": "-",
|
||||
"given_name": "Search",
|
||||
"login_name": "search",
|
||||
"password": {
|
||||
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
|
@ -40,11 +40,7 @@
|
|||
backupDir = "/var/backup/gitea/";
|
||||
};
|
||||
|
||||
ldap = {
|
||||
enable = true;
|
||||
adminGroup = "gitea-admins";
|
||||
bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
|
||||
};
|
||||
ldap.bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
|
||||
|
||||
settings = {
|
||||
# we use drone for internal tasks and don't want people to execute code on our infrastructure
|
||||
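Review bot: `enable = true;` is dropped from Gitea's LDAP block on the new side: the removed block carried `enable`, `adminGroup` and `bindPasswordFile`, but only `ldap.bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;` replaces it, whereas the hedgedoc, hydra and mastodon hunks each keep `ldap.enable = true;`. The first hunk's shared defaults set only `gitea.ldap.adminGroup` and `userGroup`, so unless `services.gitea.ldap.enable` is set somewhere not shown, Gitea's LDAP auth source is silently turned off. Either restore it as `ldap = { enable = true; bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path; };` or add a comment naming the module that enables it. The enclosing attribute set continues outside the hunk.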
|
|
|
@ -1,5 +1,8 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
ldapGroup = "grafana-admins";
|
||||
in
|
||||
{
|
||||
microvm.mem = 4096;
|
||||
c3d2.deployment.server = "server10";
|
||||
|
@ -58,7 +61,7 @@
|
|||
icon = "signin";
|
||||
name = "auth.c3d2.de";
|
||||
oauth_auto_login = true; # redirect automatically to the only oauth provider
|
||||
role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
|
||||
role_attribute_path = "contains(groups[*], '${ldapGroup}') && 'Admin'";
|
||||
# https://dexidp.io/docs/custom-scopes-claims-clients/
|
||||
scopes = "openid email groups profile offline_access";
|
||||
token_url = "https://auth.c3d2.de/dex/token";
|
||||
|
@ -105,6 +108,13 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
portunus.seedingSettings.groups = lib.singleton {
|
||||
long_name = "Grafana Administrators";
|
||||
name = ldapGroup;
|
||||
dont_manage_members = true;
|
||||
permissions = {};
|
||||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
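Review bot: The `portunus.seedingSettings.groups = lib.singleton { long_name = ...; name = ldapGroup; dont_manage_members = true; permissions = {}; };` literal in this hunk is repeated verbatim, apart from the two names, in the home-assistant hunk (`seedingSettings.groups = lib.singleton { long_name = "Home-Assistant Users"; ... }`), so `dont_manage_members` and the empty `permissions` are now maintained in two places. A small helper in the module that declares `portunus.seedingSettings`, e.g. `mkGroup = name: long_name: { inherit name long_name; dont_manage_members = true; permissions = {}; };`, would keep those defaults in one spot. Separately, this hunk uses `seedingSettings` while the portunus hunk uses `seedSettings`; if the former is the repo's own aggregator feeding `services.portunus.seedSettings`, a comment saying so at one of the uses would avoid confusion. The closing `};` of the module body is inside the hunk, but the file continues with `sops = {`.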
|
|
|
@ -12,10 +12,7 @@
|
|||
|
||||
hedgedoc = {
|
||||
enable = true;
|
||||
ldap = {
|
||||
enable = true;
|
||||
userFilterGroup = "hedgedoc-users";
|
||||
};
|
||||
ldap.enable = true;
|
||||
settings = {
|
||||
allowAnonymousEdits = true;
|
||||
allowFreeURL = true;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
c3d2MacAddress = "00:0b:ad:00:1d:ea";
|
||||
|
||||
ldapGroup = "home-assistant-users";
|
||||
in
|
||||
{
|
||||
c3d2.deployment.server = "server10";
|
||||
|
@ -93,7 +93,7 @@ in
|
|||
ATTRS="${ldap.userField}"
|
||||
CLIENT="ldapsearch"
|
||||
DEBUG=0
|
||||
FILTER="${ldap.groupFilter "home-assistant-users"}"
|
||||
FILTER="${ldap.groupFilter ldapGroup}"
|
||||
NAME_ATTR="${ldap.userField}"
|
||||
SCOPE="base"
|
||||
SERVER="ldaps://${ldap.domainName}"
|
||||
|
@ -172,7 +172,15 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
portunus.addToHosts = true;
|
||||
portunus = {
|
||||
addToHosts = true;
|
||||
seedingSettings.groups = lib.singleton {
|
||||
long_name = "Home-Assistant Users";
|
||||
name = ldapGroup;
|
||||
dont_manage_members = true;
|
||||
permissions = {};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
|
|
|
@ -199,12 +199,7 @@ in
|
|||
"/var/lib/hydra/machines"
|
||||
];
|
||||
hydraURL = "https://hydra.hq.c3d2.de";
|
||||
ldap = {
|
||||
enable = true;
|
||||
roleMappings = [
|
||||
{ hydra-admins = "admin"; }
|
||||
];
|
||||
};
|
||||
ldap.enable = true;
|
||||
logo = ./c3d2.svg;
|
||||
minimumDiskFree = 50;
|
||||
minimumDiskFreeEvaluator = 50;
|
||||
|
|
|
@ -115,10 +115,7 @@
|
|||
enable = true;
|
||||
configureNginx = true;
|
||||
elasticsearch.host = "127.0.0.1";
|
||||
ldap = {
|
||||
enable = true;
|
||||
userFilterGroup = "mastodon-users";
|
||||
};
|
||||
ldap.enable = true;
|
||||
extraConfig = {
|
||||
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
|
||||
DEFAULT_LOCALE = "de";
|
||||
|
|
|
@ -36,7 +36,6 @@
|
|||
ldap = {
|
||||
enable = true;
|
||||
bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
|
||||
userFilter = config.security.ldap.groupFilter "matrix-users";
|
||||
};
|
||||
settings = {
|
||||
admin_contact = "mailto:mail@c3d2.de";
|
||||
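Review bot: Removing `userFilter = config.security.ldap.groupFilter "matrix-users";` leaves no visible group restriction for the Synapse LDAP provider on the new side; only `enable` and `bindPasswordFile` remain in the block. That is correct only if the module backing the new `services.matrix-synapse.ldap.userGroup = "matrix-users";` default from the first hunk derives the user filter from that option; otherwise any Portunus account can sign in to Matrix. A one-line comment in this block, e.g. `# user filter is derived from services.matrix-synapse.ldap.userGroup (see <shared module path>)`, would make the dependency explicit. The enclosing `services.matrix-synapse` set starts and ends outside the hunk.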
|
|