diff --git a/config/default.nix b/config/default.nix index 0d19b114..c46a7343 100644 --- a/config/default.nix +++ b/config/default.nix @@ -161,12 +161,30 @@ security.ldap.domainComponent = [ "c3d2" "de" ]; services = { + gitea.ldap = { + adminGroup = "gitea-admins"; + userGroup = "gitea-users"; + }; + gnome = { # less webkitgtk's evolution-data-server.enable = lib.mkForce false; gnome-initial-setup.enable = false; }; + hedgedoc.ldap.userGroup = "hedgedoc-users"; + + hydra.ldap = { + roleMappings = [ + { hydra-admins = "admin"; } + ]; + userGroup = "hydra-users"; + }; + + mastodon.ldap.userGroup = "mastodon-users"; + + matrix-synapse.ldap.userGroup = "matrix-users"; + nginx = { appendHttpConfig = '' log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] ' diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index ace298bf..fc8f8597 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -42,7 +42,39 @@ suffix = "dc=c3d2,dc=de"; tls = true; }; - seedPath = ./seed.json; + removeAddGroup = true; + seedGroups = true; + seedSettings = { + groups = [ + { + long_name = "Portunus Administrators"; + name = "admins"; + dont_manage_members = true; + permissions.portunus.is_admin = true; + } + { + long_name = "Search"; + name = "search"; + dont_manage_members = true; + permissions.ldap.can_read = true; + } + ]; + users = [ + { + family_name = "Administrator"; + given_name = "Initial"; + login_name = "admin"; + password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ]; + } + { + email = "search@c3d2.de"; + family_name = "-"; + given_name = "Search"; + login_name = "search"; + password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ]; + } + ]; + }; }; }; diff --git a/hosts/auth/seed.json b/hosts/auth/seed.json deleted file mode 100644 index bb2f279d..00000000 --- a/hosts/auth/seed.json +++ /dev/null 
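Review bot: None of the group names set here (`gitea-admins`, `gitea-users`, `hedgedoc-users`, `hydra-admins`, `hydra-users`, `mastodon-users`, `matrix-users`) is seeded anywhere visible in this diff — their entries are deleted from hosts/auth/seed.json and only `grafana-admins` and `home-assistant-users` are re-registered through `portunus.seedingSettings` on their hosts. Presumably the per-service `services.*.ldap` modules (not part of this diff) now seed the group they are given; if they do not, the filters built from these names match nobody and LDAP login for all of these services fails closed after the next auth deploy, and `gitea-users`/`hydra-users` never existed before so there is no leftover group to fall back on. A comment on this block would make the dependency explicit, e.g. `# these groups are created in Portunus by the respective services.<name>.ldap modules`, and the first deploy should be followed by checking that the seven groups exist on auth. The enclosing `services = {` attrset continues outside the hunk.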
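Review bot: `removeAddGroup = true;` and `seedGroups = true;` are undocumented toggles sitting next to the inline seed, and `seedGroups` looks like the switch that decides whether the `portunus.seedingSettings.groups` registered by other hosts are merged into this seed — if so, turning it off would drop every service group with no other warning. Add a one-line comment on each stating what it controls, e.g. `# seedGroups: merge groups registered by other hosts via portunus.seedingSettings`, with the wording confirmed against the module that defines them. The inlined `seedSettings` keep the same `admins`/`search` groups and the same `password.from_command` sources as the deleted seed.json, so who receives `portunus.is_admin` and `ldap.can_read` is unchanged by this hunk. The enclosing `services.portunus` block continues outside the hunk.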
@@ -1,81 +0,0 @@
-{
- "groups": [
- {
- "long_name": "Portunus Administrators",
- "name": "admins",
- "dont_manage_members": true,
- "permissions": {
- "portunus": { "is_admin": true }
- }
- },
- {
- "long_name": "Search",
- "name": "search",
- "dont_manage_members": true,
- "permissions": {
- "ldap": { "can_read": true }
- }
- },
- {
- "long_name": "Gitea Administrators",
- "name": "gitea-admins",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Grafana Administrators",
- "name": "grafana-admins",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Hedgedoc Users",
- "name": "hedgedoc-users",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Home-Assistant Users",
- "name": "home-assistant-users",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Hydra Administrators",
- "name": "hydra-admins",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Mastodon Users",
- "name": "mastodon-users",
- "dont_manage_members": true,
- "permissions": {}
- },
- {
- "long_name": "Matrix Users",
- "name": "matrix-users",
- "dont_manage_members": true,
- "permissions": {}
- }
- ],
- "users": [
- {
- "family_name": "Administrator",
- "given_name": "Initial",
- "login_name": "admin",
- "password": {
- "from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
- }
- },
- {
- "email": "search@c3d2.de",
- "family_name": "-",
- "given_name": "Search",
- "login_name": "search",
- "password": {
- "from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
- }
- }
- ]
-}
diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix
index e2ff7d86..6efb7228 100644
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@@ -40,11 +40,7 @@ backupDir = "/var/backup/gitea/"; }; - ldap = { - enable = true; - adminGroup = "gitea-admins"; - bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path; - }; + ldap.bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path; settings = { # we use drone for internal tasks and don't want people to execute code on our infrastructure diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index 9764d72c..a1c2abd9 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix @@ -1,5 +1,8 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: +let + ldapGroup = "grafana-admins"; +in { microvm.mem = 4096; c3d2.deployment.server = "server10"; @@ -58,7 +61,7 @@ icon = "signin"; name = "auth.c3d2.de"; oauth_auto_login = true; # redirect automatically to the only oauth provider - role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'"; + role_attribute_path = "contains(groups[*], '${ldapGroup}') && 'Admin'"; # https://dexidp.io/docs/custom-scopes-claims-clients/ scopes = "openid email groups profile offline_access"; token_url = "https://auth.c3d2.de/dex/token"; @@ -105,6 +108,13 @@ }; }; }; + + portunus.seedingSettings.groups = lib.singleton { + long_name = "Grafana Administrators"; + name = ldapGroup; + dont_manage_members = true; + permissions = {}; + }; }; sops = { diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix index 6285e3af..2dbfbc94 100644 --- a/hosts/hedgedoc/default.nix +++ b/hosts/hedgedoc/default.nix @@ -12,10 +12,7 @@ hedgedoc = { enable = true; - ldap = { - enable = true; - userFilterGroup = "hedgedoc-users"; - }; + ldap.enable = true; settings = { allowAnonymousEdits = true; allowFreeURL = true; diff --git a/hosts/home-assistant/default.nix b/hosts/home-assistant/default.nix index c65d4811..1a087ac3 100644 --- a/hosts/home-assistant/default.nix +++ b/hosts/home-assistant/default.nix 
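Review bot: LDAP authentication for Gitea may now be switched off: `enable = true;` is gone from the `ldap` block and only `ldap.bindPasswordFile` remains, while the hedgedoc, hydra and mastodon hunks in the same commit keep `ldap.enable = true;`. Unless the c3d2 `services.gitea.ldap.enable` option defaults to true (the module is not in this diff), the `adminGroup`/`userGroup` set in config/default.nix have no effect and Gitea is left on local accounts only. Either restore it as `ldap = { enable = true; bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path; };` or add a comment saying the module enables LDAP by default. The enclosing `services.gitea` block continues outside the hunk.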
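Review bot: `portunus.seedingSettings.groups` (here and in hosts/home-assistant) is spelled differently from the `seedSettings` that hosts/auth hands to Portunus; if `seedingSettings` is a separate c3d2 option that forwards groups to auth's seed, say so, e.g. `# forwarded into hosts/auth's services.portunus.seedSettings by the c3d2 portunus module`, otherwise the next reader will take it for a typo. Separately, `role_attribute_path` now interpolates `ldapGroup` into a single-quoted JMESPath literal; that is fine for the current constant, but a group name containing `'` would break the expression, so keep the name a plain `[a-z-]` identifier or escape it. The `auth.generic_oauth` settings block continues outside the hunk.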
@@ -1,8 +1,8 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let c3d2MacAddress = "00:0b:ad:00:1d:ea"; - + ldapGroup = "home-assistant-users"; in { c3d2.deployment.server = "server10"; @@ -93,7 +93,7 @@ in ATTRS="${ldap.userField}" CLIENT="ldapsearch" DEBUG=0 - FILTER="${ldap.groupFilter "home-assistant-users"}" + FILTER="${ldap.groupFilter ldapGroup}" NAME_ATTR="${ldap.userField}" SCOPE="base" SERVER="ldaps://${ldap.domainName}" @@ -172,7 +172,15 @@ in }; }; - portunus.addToHosts = true; + portunus = { + addToHosts = true; + seedingSettings.groups = lib.singleton { + long_name = "Home-Assistant Users"; + name = ldapGroup; + dont_manage_members = true; + permissions = {}; + }; + }; }; sops.defaultSopsFile = ./secrets.yaml; diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index 21b14995..810faea8 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -199,12 +199,7 @@ in "/var/lib/hydra/machines" ]; hydraURL = "https://hydra.hq.c3d2.de"; - ldap = { - enable = true; - roleMappings = [ - { hydra-admins = "admin"; } - ]; - }; + ldap.enable = true; logo = ./c3d2.svg; minimumDiskFree = 50; minimumDiskFreeEvaluator = 50; diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index f8b4d13b..9790d7f5 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -115,10 +115,7 @@ enable = true; configureNginx = true; elasticsearch.host = "127.0.0.1"; - ldap = { - enable = true; - userFilterGroup = "mastodon-users"; - }; + ldap.enable = true; extraConfig = { ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases; DEFAULT_LOCALE = "de"; diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index 785ecc26..ca445ba4 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix 
@@ -36,7 +36,6 @@ ldap = { enable = true; bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path; - userFilter = config.security.ldap.groupFilter "matrix-users"; }; settings = { admin_contact = "mailto:mail@c3d2.de";
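Review bot: Matrix may now accept any Portunus account: the removed `userFilter = config.security.ldap.groupFilter "matrix-users";` has no replacement on this host, and the restriction is presumably meant to come from `services.matrix-synapse.ldap.userGroup = "matrix-users"` in config/default.nix. That only holds if the c3d2 matrix-synapse ldap module (not in this diff) turns `userGroup` into the auth provider's filter; if it does not, the LDAP search runs unfiltered and the change fails open rather than closed. Before merging, check the generated homeserver config still contains a group-restricted filter, and consider a comment here such as `# user filter is derived from services.matrix-synapse.ldap.userGroup (config/default.nix)`. The enclosing `services.matrix-synapse` block continues outside the hunk.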