hydra: add ldap login

2022-12-06 15:58:17 +01:00 · 2022-12-06 15:58:17 +01:00 · eb21d0bbb3
parent c2337cce40
commit eb21d0bbb3
2 changed files with 75 additions and 10 deletions
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, zentralwerk, ... }:

 let
  cachePort = 5000;
@ -54,11 +54,17 @@ in
  #   };
  # };

-  # networking.nat = {
-  #   enable = true;
-  #   externalInterface = "serv";
-  #   internalInterfaces = [ "ve-hydra-ca" ];
-  # };
+  networking = {
+    hosts = with zentralwerk.lib.config.site.net.serv; {
+      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
+      ${hosts4.auth} = [ "auth.c3d2.de" ];
+    };
+  #   nat = {
+  #     enable = true;
+  #     externalInterface = "serv";
+  #     internalInterfaces = [ "ve-hydra-ca" ];
+  #   };
+  };

  nix = {
    buildMachines = [{
@ -106,16 +112,67 @@ in
          max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
+
+          # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
+          <ldap>
+            <config>
+              <credential>
+                class = Password
+                password_field = password
+                password_type = self_check
+              </credential>
+              <store>
+                class = LDAP
+                ldap_server = auth.c3d2.de
+                <ldap_server_options>
+                  scheme = ldaps
+                  timeout = 10
+                </ldap_server_options>
+                binddn = "uid=search,ou=users,dc=c3d2,dc=de"
+                include ldap-password.conf
+                start_tls = 0
+                <start_tls_options>
+                ciphers = TLS_AES_256_GCM_SHA384
+                sslversion = tlsv1_3
+                # verify = none
+                </start_tls_options>
+                user_basedn = "ou=users,dc=c3d2,dc=de"
+                user_filter = "(&(objectclass=person)(uid=%s))"
+                user_scope = one
+                user_field = uid
+                <user_search_options>
+                  deref = always
+                </user_search_options>
+                # Important for role mappings to work:
+                use_roles = 1
+                role_basedn = "ou=groups,dc=c3d2,dc=de"
+                role_filter = "(&(objectclass=group)(%s))"
+                role_scope = one
+                role_field = cn
+                role_value = dn
+                <role_search_options>
+                  deref = always
+                </role_search_options>
+              </store>
+            </config>
+            <role_mapping>
+              # maps directly to user roles
+              # Make all users in the hydra-admin group Hydra admins
+              hydra-admins = admin
+              # Allow all users in the dev group to restart jobs and cancel builds
+              #dev = restart-jobs
+              #dev = cancel-build
+            </role_mapping>
+          </ldap>
        '';
    };

    # A rust nix binary cache
    harmonia = {
      enable = true;
-
      settings = {
        bind = "127.0.0.1:${toString cachePort}";
-        workers = "20";
+        workers = 20;
        max_connection_rate = 1024;
        priority = 30;
        sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
@ -157,6 +214,12 @@ in
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
    };
+    secrets."ldap/search-user-pw" = {
+      mode = "440";
+      owner = config.users.users.hydra-queue-runner.name;
+      inherit (config.users.users.hydra-queue-runner) group;
+      path = "/var/lib/hydra/ldap-password.conf";
+    };
  };

  systemd.services = {
--- a/hosts/hydra/secrets.yaml
+++ b/hosts/hydra/secrets.yaml
@ -1,5 +1,7 @@
 nix-serve:
    secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
+ldap:
+    search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -24,8 +26,8 @@ sops:
            K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
            O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-25T21:00:25Z"
-    mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
+    lastmodified: "2022-12-06T14:25:54Z"
+    mac: ENC[AES256_GCM,data:4cOG88FIG7UhVb/r8Aq1Nme5+qCpEdpjV+BLOISm1Y6MYgxFTDqCzV2FOdKztpVou5Nly9JUvKfz6eiCWbbIbaO5/DYUObiTKZXv6B1x6blnIW8vMtqcdYWOXH62ycHMV+Sha0D41eXmNp3K1Vs+k3OwYZyHK1HFOqqQ2jpy+Ps=,iv:u0O/A/GBBpDTJVFBfiFzDOIIR5o479YI11fgrv0mR0A=,tag:E9OuAAOhfbzPcnA6Ij6LMA==,type:str]
    pgp:
        - created_at: "2022-07-15T23:31:58Z"
          enc: |