From eb21d0bbb34a797166c12e98766e0b41366392fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 6 Dec 2022 15:58:17 +0100 Subject: [PATCH] hydra: add ldap login --- hosts/hydra/hydra.nix | 79 ++++++++++++++++++++++++++++++++++++---- hosts/hydra/secrets.yaml | 6 ++- 2 files changed, 75 insertions(+), 10 deletions(-) diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 10b54c9c..25bb9c5b 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, zentralwerk, ... }: let cachePort = 5000; @@ -54,11 +54,17 @@ in # }; # }; - # networking.nat = { - # enable = true; - # externalInterface = "serv"; - # internalInterfaces = [ "ve-hydra-ca" ]; - # }; + networking = { + hosts = with zentralwerk.lib.config.site.net.serv; { + ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; + ${hosts4.auth} = [ "auth.c3d2.de" ]; + }; + # nat = { + # enable = true; + # externalInterface = "serv"; + # internalInterfaces = [ "ve-hydra-ca" ]; + # }; + }; nix = { buildMachines = [{ 
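Review bot: The new `networking.hosts` entries that pin `auth.c3d2.de` to the serv-net addresses taken from `zentralwerk` carry no comment saying why the LDAP host is resolved statically instead of through DNS; a one-liner such as `# pin the LDAP host to its serv-net addresses so logins do not depend on external DNS` (adjusted to the actual reason) would help the next reader, since a wrong entry here would silently redirect the ldaps bind. The addresses are presumably kept current by evaluating the zentralwerk config, but that is worth stating too. On style, the previously top-level commented-out `nat` block is now nested inside the live `networking` attrset; either drop the dead block or keep it outside so the live set holds only active settings.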
@@ -106,16 +112,67 @@ in max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd upload_logs_to_binary_cache = true + + # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional + + + + class = Password + password_field = password + password_type = self_check + + + class = LDAP + ldap_server = auth.c3d2.de + + scheme = ldaps + timeout = 10 + + binddn = "uid=search,ou=users,dc=c3d2,dc=de" + include ldap-password.conf + start_tls = 0 + + ciphers = TLS_AES_256_GCM_SHA384 + sslversion = tlsv1_3 + # verify = none + + user_basedn = "ou=users,dc=c3d2,dc=de" + user_filter = "(&(objectclass=person)(uid=%s))" + user_scope = one + user_field = uid + + deref = always + + # Important for role mappings to work: + use_roles = 1 + role_basedn = "ou=groups,dc=c3d2,dc=de" + role_filter = "(&(objectclass=group)(%s))" + role_scope = one + role_field = cn + role_value = dn + + deref = always + + + + + # maps directly to user roles + # Make all users in the hydra-admin group Hydra admins + hydra-admins = admin + # Allow all users in the dev group to restart jobs and cancel builds + #dev = restart-jobs + #dev = cancel-build + + ''; }; # A rust nix binary cache harmonia = { enable = true; - settings = { bind = "127.0.0.1:${toString cachePort}"; - workers = "20"; + workers = 20; max_connection_rate = 1024; priority = 30; sign_key_path = config.sops.secrets."nix-serve/secretKey".path; @@ -157,6 +214,12 @@ in owner = config.users.users.hydra-queue-runner.name; inherit (config.users.users.hydra-queue-runner) group; }; + secrets."ldap/search-user-pw" = { + mode = "440"; + owner = config.users.users.hydra-queue-runner.name; + inherit (config.users.users.hydra-queue-runner) group; + path = "/var/lib/hydra/ldap-password.conf"; + }; }; systemd.services = { 
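Review bot: `ciphers = TLS_AES_256_GCM_SHA384` and `sslversion = tlsv1_3` sit in the block after `start_tls = 0` (the element markup is stripped in this view, but that position matches Hydra's documented `<start_tls_options>` section), while the connection itself is opened with `scheme = ldaps`; with start_tls disabled those options are not applied to the ldaps socket, and the commented-out `# verify = none` leaves server-certificate verification at whatever the LDAP library defaults to instead of stating it. Move the TLS settings into the `<ldap_server_options>` block next to `scheme` and `timeout`, and make verification explicit there, e.g. `verify = require` plus `cafile = <PATH-TO-CA-BUNDLE>` (placeholder), so the search-bind password is only ever sent to the genuine auth.c3d2.de. The `role_filter = "(&(objectclass=group)(%s))"` also looks off: `%s` is substituted with the user's `role_value` (the DN here), so the filter needs an attribute name in front of it, e.g. `(member=%s)` — confirm against the directory's group schema. The extraConfig string this hunk edits starts before the hunk.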
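Review bot: The `ldap/search-user-pw` secret is installed with `mode = "440"` and owner `hydra-queue-runner`, but the `include ldap-password.conf` it feeds is read by the Hydra web frontend, which the NixOS Hydra module runs as a different user (`hydra-www`); access therefore relies on the group bit and on `hydra-www` being in the same group as `hydra-queue-runner`, which deserves a comment, or set `owner = config.users.users.hydra-www.name;` so the reader is spelled out. The `include` splices config syntax, so the sops-managed file must itself contain the `bindpw = …` line rather than a bare password — worth a comment above `path = "/var/lib/hydra/ldap-password.conf";`, together with the note that the path matches hydra.conf's directory because the include is presumably resolved relative to it. The enclosing `sops` attrset starts before the hunk.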
diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml
index 49d9552e..0d7a1dcf 100644
--- a/hosts/hydra/secrets.yaml
+++ b/hosts/hydra/secrets.yaml
@@ -1,5 +1,7 @@
 nix-serve:
 secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
+ldap:
+ search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -24,8 +26,8 @@ sops:
 K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
 O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-09-25T21:00:25Z"
- mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
+ lastmodified: "2022-12-06T14:25:54Z"
+ mac: ENC[AES256_GCM,data:4cOG88FIG7UhVb/r8Aq1Nme5+qCpEdpjV+BLOISm1Y6MYgxFTDqCzV2FOdKztpVou5Nly9JUvKfz6eiCWbbIbaO5/DYUObiTKZXv6B1x6blnIW8vMtqcdYWOXH62ycHMV+Sha0D41eXmNp3K1Vs+k3OwYZyHK1HFOqqQ2jpy+Ps=,iv:u0O/A/GBBpDTJVFBfiFzDOIIR5o479YI11fgrv0mR0A=,tag:E9OuAAOhfbzPcnA6Ij6LMA==,type:str]
 pgp:
 - created_at: "2022-07-15T23:31:58Z"
 enc: |