portunus: manage groups decleratively

This commit is contained in:
Sandro - 2023-07-01 23:43:15 +02:00
parent 808cc29c6c
commit 0221f34859
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
10 changed files with 79 additions and 108 deletions


@ -161,12 +161,30 @@
security.ldap.domainComponent = [ "c3d2" "de" ];
services = {
gitea.ldap = {
adminGroup = "gitea-admins";
userGroup = "gitea-users";
};
gnome = {
# less webkitgtk's
evolution-data-server.enable = lib.mkForce false;
gnome-initial-setup.enable = false;
};
hedgedoc.ldap.userGroup = "hedgedoc-users";
hydra.ldap = {
roleMappings = [
{ hydra-admins = "admin"; }
];
userGroup = "hydra-users";
};
mastodon.ldap.userGroup = "mastodon-users";
matrix-synapse.ldap.userGroup = "matrix-users";
nginx = {
appendHttpConfig = ''
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
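Review bot: The group names `gitea-users` and `hydra-users` introduced here did not exist in the seed.json this commit deletes, so if `userGroup` restricts logins the way the removed per-service `userFilterGroup`/`userFilter` settings did, accounts that are not yet members of the freshly seeded groups lose access to Gitea and Hydra until an admin adds them. Nothing in this hunk shows how these names reach Portunus or the services' LDAP filters; a comment such as `# group names here are seeded into Portunus and used as each service's LDAP login filter` would make that coupling visible, assuming that is what the custom module does. The enclosing `services` attribute set continues past the end of the hunk.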


@ -42,7 +42,39 @@
suffix = "dc=c3d2,dc=de";
tls = true;
};
seedPath = ./seed.json;
removeAddGroup = true;
seedGroups = true;
seedSettings = {
groups = [
{
long_name = "Portunus Administrators";
name = "admins";
dont_manage_members = true;
permissions.portunus.is_admin = true;
}
{
long_name = "Search";
name = "search";
dont_manage_members = true;
permissions.ldap.can_read = true;
}
];
users = [
{
family_name = "Administrator";
given_name = "Initial";
login_name = "admin";
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
}
{
email = "search@c3d2.de";
family_name = "-";
given_name = "Search";
login_name = "search";
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
}
];
};
};
};
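Review bot: This hunk spells the option `seedSettings` while the grafana and home-assistant sections contribute groups under `portunus.seedingSettings.groups`; if those are meant to be the same option one of them is a typo, and if they are two distinct options (an upstream one and a local one) the per-service groups do not land in this seed and a comment stating which module merges them into Portunus is missing. Either way, the relationship between the two should be spelled out next to `seedSettings = {`. The two new booleans `removeAddGroup = true;` and `seedGroups = true;` replace the explicit `seedPath` but carry no explanation; a short comment on each saying what the module does when they are set would help the next reader, since the old seed.json made the seeded state obvious.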


@ -1,81 +0,0 @@
{
"groups": [
{
"long_name": "Portunus Administrators",
"name": "admins",
"dont_manage_members": true,
"permissions": {
"portunus": { "is_admin": true }
}
},
{
"long_name": "Search",
"name": "search",
"dont_manage_members": true,
"permissions": {
"ldap": { "can_read": true }
}
},
{
"long_name": "Gitea Administrators",
"name": "gitea-admins",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Grafana Administrators",
"name": "grafana-admins",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Hedgedoc Users",
"name": "hedgedoc-users",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Home-Assistant Users",
"name": "home-assistant-users",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Hydra Administrators",
"name": "hydra-admins",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Mastodon Users",
"name": "mastodon-users",
"dont_manage_members": true,
"permissions": {}
},
{
"long_name": "Matrix Users",
"name": "matrix-users",
"dont_manage_members": true,
"permissions": {}
}
],
"users": [
{
"family_name": "Administrator",
"given_name": "Initial",
"login_name": "admin",
"password": {
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
}
},
{
"email": "search@c3d2.de",
"family_name": "-",
"given_name": "Search",
"login_name": "search",
"password": {
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
}
}
]
}


@ -40,11 +40,7 @@
backupDir = "/var/backup/gitea/";
};
ldap = {
enable = true;
adminGroup = "gitea-admins";
bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
};
ldap.bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
settings = {
# we use drone for internal tasks and don't want people to execute code on our infrastructure
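Review bot: `enable = true;` is dropped from the Gitea LDAP block while the hedgedoc, hydra and mastodon sections keep their `ldap.enable = true;`; unless the custom module turns LDAP on when `adminGroup`/`userGroup` are set centrally, this commit switches Gitea's LDAP authentication off. This hunk and the hedgedoc (`userFilterGroup`), hydra (`roleMappings`), mastodon (`userFilterGroup`) and matrix-synapse (`userFilter`) sections now rely on the module deriving the login filter and admin mapping from the central `services.<name>.ldap.userGroup`/`adminGroup`; if that derivation is missing for any one service, the group restriction on who may log in disappears silently rather than failing at evaluation, so it is worth confirming on a deployed host that a non-member is still rejected. The enclosing `services.gitea` block starts before and ends after this hunk.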


@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
ldapGroup = "grafana-admins";
in
{
microvm.mem = 4096;
c3d2.deployment.server = "server10";
@ -58,7 +61,7 @@
icon = "signin";
name = "auth.c3d2.de";
oauth_auto_login = true; # redirect automatically to the only oauth provider
role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
role_attribute_path = "contains(groups[*], '${ldapGroup}') && 'Admin'";
# https://dexidp.io/docs/custom-scopes-claims-clients/
scopes = "openid email groups profile offline_access";
token_url = "https://auth.c3d2.de/dex/token";
@ -105,6 +108,13 @@
};
};
};
portunus.seedingSettings.groups = lib.singleton {
long_name = "Grafana Administrators";
name = ldapGroup;
dont_manage_members = true;
permissions = {};
};
};
sops = {


@ -12,10 +12,7 @@
hedgedoc = {
enable = true;
ldap = {
enable = true;
userFilterGroup = "hedgedoc-users";
};
ldap.enable = true;
settings = {
allowAnonymousEdits = true;
allowFreeURL = true;


@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
c3d2MacAddress = "00:0b:ad:00:1d:ea";
ldapGroup = "home-assistant-users";
in
{
c3d2.deployment.server = "server10";
@ -93,7 +93,7 @@ in
ATTRS="${ldap.userField}"
CLIENT="ldapsearch"
DEBUG=0
FILTER="${ldap.groupFilter "home-assistant-users"}"
FILTER="${ldap.groupFilter ldapGroup}"
NAME_ATTR="${ldap.userField}"
SCOPE="base"
SERVER="ldaps://${ldap.domainName}"
@ -172,7 +172,15 @@ in
};
};
portunus.addToHosts = true;
portunus = {
addToHosts = true;
seedingSettings.groups = lib.singleton {
long_name = "Home-Assistant Users";
name = ldapGroup;
dont_manage_members = true;
permissions = {};
};
};
};
sops.defaultSopsFile = ./secrets.yaml;


@ -199,12 +199,7 @@ in
"/var/lib/hydra/machines"
];
hydraURL = "https://hydra.hq.c3d2.de";
ldap = {
enable = true;
roleMappings = [
{ hydra-admins = "admin"; }
];
};
ldap.enable = true;
logo = ./c3d2.svg;
minimumDiskFree = 50;
minimumDiskFreeEvaluator = 50;


@ -115,10 +115,7 @@
enable = true;
configureNginx = true;
elasticsearch.host = "127.0.0.1";
ldap = {
enable = true;
userFilterGroup = "mastodon-users";
};
ldap.enable = true;
extraConfig = {
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
DEFAULT_LOCALE = "de";


@ -36,7 +36,6 @@
ldap = {
enable = true;
bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
userFilter = config.security.ldap.groupFilter "matrix-users";
};
settings = {
admin_contact = "mailto:mail@c3d2.de";