Use security.ldap for ldap login

2023-01-17 00:26:49 +01:00 · 2023-01-17 00:26:49 +01:00 · 547ad2e011
parent 0fb9607021
commit 547ad2e011
1 changed files with 6 additions and 53 deletions
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -127,6 +127,12 @@ in
        "/var/lib/hydra/machines"
      ];
      hydraURL = "https://hydra.hq.c3d2.de";
+      ldap = {
+        enable = true;
+        roleMappings = [
+          { hydra-admins = "admin"; }
+        ];
+      };
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
@ -144,59 +150,6 @@ in
          max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
-
-          # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
-          <ldap>
-            <config>
-              <credential>
-                class = Password
-                password_field = password
-                password_type = self_check
-              </credential>
-              <store>
-                class = LDAP
-                ldap_server = auth.c3d2.de
-                <ldap_server_options>
-                  scheme = ldaps
-                  timeout = 10
-                </ldap_server_options>
-                binddn = "uid=search,ou=users,dc=c3d2,dc=de"
-                include ldap-password.conf
-                start_tls = 0
-                <start_tls_options>
-                ciphers = TLS_AES_256_GCM_SHA384
-                sslversion = tlsv1_3
-                # verify = none
-                </start_tls_options>
-                user_basedn = "ou=users,dc=c3d2,dc=de"
-                user_filter = "(&(objectclass=person)(uid=%s))"
-                user_scope = one
-                user_field = uid
-                <user_search_options>
-                  deref = always
-                </user_search_options>
-                # Important for role mappings to work:
-                use_roles = 1
-                role_basedn = "ou=groups,dc=c3d2,dc=de"
-                role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
-                role_scope = one
-                role_field = cn
-                role_value = dn
-                <role_search_options>
-                  deref = always
-                </role_search_options>
-              </store>
-            </config>
-            <role_mapping>
-              # maps directly to user roles
-              # Make all users in the hydra-admin group Hydra admins
-              # IMPORTANT: if new groups are used, they need to be added to the role_filter above
-              hydra-admins = admin
-              # Allow all users in the dev group to restart jobs and cancel builds
-              #dev = restart-jobs
-              #dev = cancel-build
-            </role_mapping>
-          </ldap>
        '';
    };