portunus: manage groups decleratively
parent
808cc29c6c
commit
0221f34859
|
@ -161,12 +161,30 @@
|
||||||
security.ldap.domainComponent = [ "c3d2" "de" ];
|
security.ldap.domainComponent = [ "c3d2" "de" ];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
gitea.ldap = {
|
||||||
|
adminGroup = "gitea-admins";
|
||||||
|
userGroup = "gitea-users";
|
||||||
|
};
|
||||||
|
|
||||||
gnome = {
|
gnome = {
|
||||||
# less webkitgtk's
|
# less webkitgtk's
|
||||||
evolution-data-server.enable = lib.mkForce false;
|
evolution-data-server.enable = lib.mkForce false;
|
||||||
gnome-initial-setup.enable = false;
|
gnome-initial-setup.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
hedgedoc.ldap.userGroup = "hedgedoc-users";
|
||||||
|
|
||||||
|
hydra.ldap = {
|
||||||
|
roleMappings = [
|
||||||
|
{ hydra-admins = "admin"; }
|
||||||
|
];
|
||||||
|
userGroup = "hydra-users";
|
||||||
|
};
|
||||||
|
|
||||||
|
mastodon.ldap.userGroup = "mastodon-users";
|
||||||
|
|
||||||
|
matrix-synapse.ldap.userGroup = "matrix-users";
|
||||||
|
|
||||||
nginx = {
|
nginx = {
|
||||||
appendHttpConfig = ''
|
appendHttpConfig = ''
|
||||||
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||||
|
|
|
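Review bot: The new defaults `gitea.ldap.userGroup = "gitea-users"`, `hydra.ldap.userGroup = "hydra-users"`, `hedgedoc.ldap.userGroup`, `mastodon.ldap.userGroup` and `matrix-synapse.ldap.userGroup` name Portunus groups, yet the only groups this commit seeds are `admins` and `search` on the portunus host plus `grafana-admins` and `home-assistant-users` on their own hosts, and `gitea-users` / `hydra-users` were not in the deleted seed.json either. Unless each service module seeds its own group (not visible here), every login filter built from these names matches nobody and `adminGroup` / `roleMappings` grant admin to an empty set, which fails closed but is easy to misdiagnose. A one-line comment per default naming where the group is created, e.g. `# group is seeded by <module that creates this group>`, or a seed entry beside the default, would make that dependency visible. The enclosing `services = {` attribute set starts before this hunk and its closing is outside it.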
@ -42,7 +42,39 @@
|
||||||
suffix = "dc=c3d2,dc=de";
|
suffix = "dc=c3d2,dc=de";
|
||||||
tls = true;
|
tls = true;
|
||||||
};
|
};
|
||||||
seedPath = ./seed.json;
|
removeAddGroup = true;
|
||||||
|
seedGroups = true;
|
||||||
|
seedSettings = {
|
||||||
|
groups = [
|
||||||
|
{
|
||||||
|
long_name = "Portunus Administrators";
|
||||||
|
name = "admins";
|
||||||
|
dont_manage_members = true;
|
||||||
|
permissions.portunus.is_admin = true;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
long_name = "Search";
|
||||||
|
name = "search";
|
||||||
|
dont_manage_members = true;
|
||||||
|
permissions.ldap.can_read = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
users = [
|
||||||
|
{
|
||||||
|
family_name = "Administrator";
|
||||||
|
given_name = "Initial";
|
||||||
|
login_name = "admin";
|
||||||
|
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
email = "search@c3d2.de";
|
||||||
|
family_name = "-";
|
||||||
|
given_name = "Search";
|
||||||
|
login_name = "search";
|
||||||
|
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
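Review bot: The option name `seedSettings` here differs from `portunus.seedingSettings.groups` used on the grafana and home-assistant hosts later in this commit, and neither side says whether one feeds the other. If `portunus.seedingSettings` is a deployment-level option merged into `services.portunus.seedSettings` on this host, a comment above `seedSettings = {` such as `# only the bootstrap groups live here; application groups are collected from portunus.seedingSettings on the hosts that use them` keeps the next reader from defining service groups in both places; if it is not, the grafana and home-assistant groups are never seeded at all. `removeAddGroup = true;` and `seedGroups = true;` sit next to the `seedSettings` option with no explanation of what each toggles, so a short comment on each would help. The enclosing `services.portunus` block starts outside this hunk.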
@ -1,81 +0,0 @@
|
||||||
{
|
|
||||||
"groups": [
|
|
||||||
{
|
|
||||||
"long_name": "Portunus Administrators",
|
|
||||||
"name": "admins",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {
|
|
||||||
"portunus": { "is_admin": true }
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Search",
|
|
||||||
"name": "search",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {
|
|
||||||
"ldap": { "can_read": true }
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Gitea Administrators",
|
|
||||||
"name": "gitea-admins",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Grafana Administrators",
|
|
||||||
"name": "grafana-admins",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Hedgedoc Users",
|
|
||||||
"name": "hedgedoc-users",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Home-Assistant Users",
|
|
||||||
"name": "home-assistant-users",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Hydra Administrators",
|
|
||||||
"name": "hydra-admins",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Mastodon Users",
|
|
||||||
"name": "mastodon-users",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"long_name": "Matrix Users",
|
|
||||||
"name": "matrix-users",
|
|
||||||
"dont_manage_members": true,
|
|
||||||
"permissions": {}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"users": [
|
|
||||||
{
|
|
||||||
"family_name": "Administrator",
|
|
||||||
"given_name": "Initial",
|
|
||||||
"login_name": "admin",
|
|
||||||
"password": {
|
|
||||||
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"email": "search@c3d2.de",
|
|
||||||
"family_name": "-",
|
|
||||||
"given_name": "Search",
|
|
||||||
"login_name": "search",
|
|
||||||
"password": {
|
|
||||||
"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -40,11 +40,7 @@
|
||||||
backupDir = "/var/backup/gitea/";
|
backupDir = "/var/backup/gitea/";
|
||||||
};
|
};
|
||||||
|
|
||||||
ldap = {
|
ldap.bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
|
||||||
enable = true;
|
|
||||||
adminGroup = "gitea-admins";
|
|
||||||
bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
# we use drone for internal tasks and don't want people to execute code on our infrastructure
|
# we use drone for internal tasks and don't want people to execute code on our infrastructure
|
||||||
|
|
|
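Review bot: `enable = true;` is dropped from the gitea `ldap` block together with `adminGroup`, leaving only `ldap.bindPasswordFile`, whereas the hedgedoc, hydra and mastodon hunks in this commit keep `ldap.enable = true;`. Unless the gitea ldap module now defaults `enable` to true (not visible here), LDAP login for gitea is switched off by this change and the bind-password secret is wired up for nothing. If enabling is intended, keep it explicit: `ldap = { enable = true; bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path; };`. The enclosing `services.gitea` set starts and ends outside this hunk.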
@ -1,5 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
ldapGroup = "grafana-admins";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
microvm.mem = 4096;
|
microvm.mem = 4096;
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
@ -58,7 +61,7 @@
|
||||||
icon = "signin";
|
icon = "signin";
|
||||||
name = "auth.c3d2.de";
|
name = "auth.c3d2.de";
|
||||||
oauth_auto_login = true; # redirect automatically to the only oauth provider
|
oauth_auto_login = true; # redirect automatically to the only oauth provider
|
||||||
role_attribute_path = "contains(groups[*], 'grafana-admins') && 'Admin'";
|
role_attribute_path = "contains(groups[*], '${ldapGroup}') && 'Admin'";
|
||||||
# https://dexidp.io/docs/custom-scopes-claims-clients/
|
# https://dexidp.io/docs/custom-scopes-claims-clients/
|
||||||
scopes = "openid email groups profile offline_access";
|
scopes = "openid email groups profile offline_access";
|
||||||
token_url = "https://auth.c3d2.de/dex/token";
|
token_url = "https://auth.c3d2.de/dex/token";
|
||||||
|
@ -105,6 +108,13 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
portunus.seedingSettings.groups = lib.singleton {
|
||||||
|
long_name = "Grafana Administrators";
|
||||||
|
name = ldapGroup;
|
||||||
|
dont_manage_members = true;
|
||||||
|
permissions = {};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops = {
|
sops = {
|
||||||
|
|
|
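Review bot: Membership of the group seeded in the last hunk (`name = ldapGroup`, i.e. `grafana-admins`) is what `role_attribute_path` in the previous hunk turns into the Grafana `Admin` role, but the seed entry carries no comment saying so, and `dont_manage_members = true` with `permissions = {}` is left unexplained. A comment above `portunus.seedingSettings.groups = lib.singleton {` such as `# members of this group get the Grafana Admin role via role_attribute_path above; membership is administered in Portunus (if dont_manage_members means what its name says), no Portunus-side permissions` would document the privilege boundary where it is defined. The same applies to the `home-assistant-users` seed in the home-assistant hunk, where the group gates login through the ldapsearch `FILTER`. The attribute set containing these hunks starts before the first hunk.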
@ -12,10 +12,7 @@
|
||||||
|
|
||||||
hedgedoc = {
|
hedgedoc = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ldap = {
|
ldap.enable = true;
|
||||||
enable = true;
|
|
||||||
userFilterGroup = "hedgedoc-users";
|
|
||||||
};
|
|
||||||
settings = {
|
settings = {
|
||||||
allowAnonymousEdits = true;
|
allowAnonymousEdits = true;
|
||||||
allowFreeURL = true;
|
allowFreeURL = true;
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
c3d2MacAddress = "00:0b:ad:00:1d:ea";
|
c3d2MacAddress = "00:0b:ad:00:1d:ea";
|
||||||
|
ldapGroup = "home-assistant-users";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
c3d2.deployment.server = "server10";
|
c3d2.deployment.server = "server10";
|
||||||
|
@ -93,7 +93,7 @@ in
|
||||||
ATTRS="${ldap.userField}"
|
ATTRS="${ldap.userField}"
|
||||||
CLIENT="ldapsearch"
|
CLIENT="ldapsearch"
|
||||||
DEBUG=0
|
DEBUG=0
|
||||||
FILTER="${ldap.groupFilter "home-assistant-users"}"
|
FILTER="${ldap.groupFilter ldapGroup}"
|
||||||
NAME_ATTR="${ldap.userField}"
|
NAME_ATTR="${ldap.userField}"
|
||||||
SCOPE="base"
|
SCOPE="base"
|
||||||
SERVER="ldaps://${ldap.domainName}"
|
SERVER="ldaps://${ldap.domainName}"
|
||||||
|
@ -172,7 +172,15 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
portunus.addToHosts = true;
|
portunus = {
|
||||||
|
addToHosts = true;
|
||||||
|
seedingSettings.groups = lib.singleton {
|
||||||
|
long_name = "Home-Assistant Users";
|
||||||
|
name = ldapGroup;
|
||||||
|
dont_manage_members = true;
|
||||||
|
permissions = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
|
|
|
@ -199,12 +199,7 @@ in
|
||||||
"/var/lib/hydra/machines"
|
"/var/lib/hydra/machines"
|
||||||
];
|
];
|
||||||
hydraURL = "https://hydra.hq.c3d2.de";
|
hydraURL = "https://hydra.hq.c3d2.de";
|
||||||
ldap = {
|
ldap.enable = true;
|
||||||
enable = true;
|
|
||||||
roleMappings = [
|
|
||||||
{ hydra-admins = "admin"; }
|
|
||||||
];
|
|
||||||
};
|
|
||||||
logo = ./c3d2.svg;
|
logo = ./c3d2.svg;
|
||||||
minimumDiskFree = 50;
|
minimumDiskFree = 50;
|
||||||
minimumDiskFreeEvaluator = 50;
|
minimumDiskFreeEvaluator = 50;
|
||||||
|
|
|
@ -115,10 +115,7 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
configureNginx = true;
|
configureNginx = true;
|
||||||
elasticsearch.host = "127.0.0.1";
|
elasticsearch.host = "127.0.0.1";
|
||||||
ldap = {
|
ldap.enable = true;
|
||||||
enable = true;
|
|
||||||
userFilterGroup = "mastodon-users";
|
|
||||||
};
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
|
ALTERNATE_DOMAINS = lib.concatStringsSep "," config.services.nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases;
|
||||||
DEFAULT_LOCALE = "de";
|
DEFAULT_LOCALE = "de";
|
||||||
|
|
|
@ -36,7 +36,6 @@
|
||||||
ldap = {
|
ldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
|
bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
|
||||||
userFilter = config.security.ldap.groupFilter "matrix-users";
|
|
||||||
};
|
};
|
||||||
settings = {
|
settings = {
|
||||||
admin_contact = "mailto:mail@c3d2.de";
|
admin_contact = "mailto:mail@c3d2.de";
|
||||||
|
|
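Review bot: `userFilter = config.security.ldap.groupFilter "matrix-users";` is removed and nothing in the hunk replaces it, so restricting Matrix login to the `matrix-users` group now depends entirely on the synapse ldap module deriving a filter from the `matrix-synapse.ldap.userGroup = "matrix-users"` default added in the first hunk of this commit. If that module falls back to no filter when `userFilter` is unset, this change widens Matrix login to every LDAP account rather than the group, which is worth confirming against the module before merging. A comment such as `# user filter is derived from services.matrix-synapse.ldap.userGroup (default: matrix-users)` would record the intent here. The enclosing `services.matrix-synapse` block starts and ends outside this hunk.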