diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index 2681a62a..6ffbf331 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -127,6 +127,12 @@ in
 "/var/lib/hydra/machines"
 ];
 hydraURL = "https://hydra.hq.c3d2.de";
+ ldap = {
+ enable = true;
+ roleMappings = [
+ { hydra-admins = "admin"; }
+ ];
+ };
 logo = ./c3d2.svg;
 minimumDiskFree = 50;
 minimumDiskFreeEvaluator = 50;
@@ -144,59 +150,6 @@ in
 max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
 store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
 upload_logs_to_binary_cache = true
-
- # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
-
-
-
- class = Password
- password_field = password
- password_type = self_check
-
- class = LDAP
- ldap_server = auth.c3d2.de
-
- scheme = ldaps
- timeout = 10
-
- binddn = "uid=search,ou=users,dc=c3d2,dc=de"
- include ldap-password.conf
- start_tls = 0
-
- ciphers = TLS_AES_256_GCM_SHA384
- sslversion = tlsv1_3
- # verify = none
-
- user_basedn = "ou=users,dc=c3d2,dc=de"
- user_filter = "(&(objectclass=person)(uid=%s))"
- user_scope = one
- user_field = uid
-
- deref = always
-
- # Important for role mappings to work:
- use_roles = 1
- role_basedn = "ou=groups,dc=c3d2,dc=de"
- role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
- role_scope = one
- role_field = cn
- role_value = dn
-
- deref = always
-
-
-
- # maps directly to user roles
- # Make all users in the hydra-admin group Hydra admins
- # IMPORTANT: if new groups are used, they need to be added to the role_filter above
- hydra-admins = admin
- # Allow all users in the dev group to restart jobs and cancel builds
- #dev = restart-jobs
- #dev = cancel-build
-
-
 '';
 };
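Review bot: The new `ldap` block in the first hunk carries only `enable` and `roleMappings`, while the transport and bind settings the removed extraConfig stated explicitly — `scheme = ldaps`, `sslversion = tlsv1_3`, the pinned cipher, the search `binddn` and the password pulled in via `include ldap-password.conf` — appear nowhere on the new side, so where the module now takes them from is not visible in this commit. Because this mapping hands out the `admin` role, it is worth confirming that the generated config still verifies the LDAP server certificate (the old config kept `# verify = none` commented out, so verification was presumably on) and that the role lookup is scoped to the mapped group the way the removed `role_filter` restricted it to `cn=hydra-admins`. A one-line comment above the block such as `# LDAP auth: server/bind settings come from <MODULE-OR-FILE>; members of hydra-admins become Hydra admins` (placeholder to be filled in) would make that dependency explicit for the next reader. The enclosing attribute set starts before the first hunk and ends after the second.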