hydra: add ldap login
parent
c2337cce40
commit
eb21d0bbb3
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, zentralwerk, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cachePort = 5000;
|
cachePort = 5000;
|
||||||
|
@ -54,11 +54,17 @@ in
|
||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
|
|
||||||
# networking.nat = {
|
networking = {
|
||||||
# enable = true;
|
hosts = with zentralwerk.lib.config.site.net.serv; {
|
||||||
# externalInterface = "serv";
|
${hosts6.up4.auth} = [ "auth.c3d2.de" ];
|
||||||
# internalInterfaces = [ "ve-hydra-ca" ];
|
${hosts4.auth} = [ "auth.c3d2.de" ];
|
||||||
# };
|
};
|
||||||
|
# nat = {
|
||||||
|
# enable = true;
|
||||||
|
# externalInterface = "serv";
|
||||||
|
# internalInterfaces = [ "ve-hydra-ca" ];
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
buildMachines = [{
|
buildMachines = [{
|
||||||
|
@ -106,16 +112,67 @@ in
|
||||||
max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
|
max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
|
||||||
store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
|
store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
|
||||||
upload_logs_to_binary_cache = true
|
upload_logs_to_binary_cache = true
|
||||||
|
|
||||||
|
# https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
|
||||||
|
<ldap>
|
||||||
|
<config>
|
||||||
|
<credential>
|
||||||
|
class = Password
|
||||||
|
password_field = password
|
||||||
|
password_type = self_check
|
||||||
|
</credential>
|
||||||
|
<store>
|
||||||
|
class = LDAP
|
||||||
|
ldap_server = auth.c3d2.de
|
||||||
|
<ldap_server_options>
|
||||||
|
scheme = ldaps
|
||||||
|
timeout = 10
|
||||||
|
</ldap_server_options>
|
||||||
|
binddn = "uid=search,ou=users,dc=c3d2,dc=de"
|
||||||
|
include ldap-password.conf
|
||||||
|
start_tls = 0
|
||||||
|
<start_tls_options>
|
||||||
|
ciphers = TLS_AES_256_GCM_SHA384
|
||||||
|
sslversion = tlsv1_3
|
||||||
|
# verify = none
|
||||||
|
</start_tls_options>
|
||||||
|
user_basedn = "ou=users,dc=c3d2,dc=de"
|
||||||
|
user_filter = "(&(objectclass=person)(uid=%s))"
|
||||||
|
user_scope = one
|
||||||
|
user_field = uid
|
||||||
|
<user_search_options>
|
||||||
|
deref = always
|
||||||
|
</user_search_options>
|
||||||
|
# Important for role mappings to work:
|
||||||
|
use_roles = 1
|
||||||
|
role_basedn = "ou=groups,dc=c3d2,dc=de"
|
||||||
|
role_filter = "(&(objectclass=group)(%s))"
|
||||||
|
role_scope = one
|
||||||
|
role_field = cn
|
||||||
|
role_value = dn
|
||||||
|
<role_search_options>
|
||||||
|
deref = always
|
||||||
|
</role_search_options>
|
||||||
|
</store>
|
||||||
|
</config>
|
||||||
|
<role_mapping>
|
||||||
|
# maps directly to user roles
|
||||||
|
# Make all users in the hydra-admin group Hydra admins
|
||||||
|
hydra-admins = admin
|
||||||
|
# Allow all users in the dev group to restart jobs and cancel builds
|
||||||
|
#dev = restart-jobs
|
||||||
|
#dev = cancel-build
|
||||||
|
</role_mapping>
|
||||||
|
</ldap>
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# A rust nix binary cache
|
# A rust nix binary cache
|
||||||
harmonia = {
|
harmonia = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
bind = "127.0.0.1:${toString cachePort}";
|
bind = "127.0.0.1:${toString cachePort}";
|
||||||
workers = "20";
|
workers = 20;
|
||||||
max_connection_rate = 1024;
|
max_connection_rate = 1024;
|
||||||
priority = 30;
|
priority = 30;
|
||||||
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
|
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
|
||||||
|
@ -157,6 +214,12 @@ in
|
||||||
owner = config.users.users.hydra-queue-runner.name;
|
owner = config.users.users.hydra-queue-runner.name;
|
||||||
inherit (config.users.users.hydra-queue-runner) group;
|
inherit (config.users.users.hydra-queue-runner) group;
|
||||||
};
|
};
|
||||||
|
secrets."ldap/search-user-pw" = {
|
||||||
|
mode = "440";
|
||||||
|
owner = config.users.users.hydra-queue-runner.name;
|
||||||
|
inherit (config.users.users.hydra-queue-runner) group;
|
||||||
|
path = "/var/lib/hydra/ldap-password.conf";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services = {
|
systemd.services = {
|
||||||
|
|
|
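Review bot: With `scheme = ldaps` and `start_tls = 0`, the whole `<start_tls_options>` block (ciphers, sslversion, the commented-out `verify`) is inert, so nothing in this hunk pins server-certificate verification for the ldaps connection to auth.c3d2.de; unless the installed Net::LDAP already verifies by default, which I would not rely on, add `verify = require` and `cafile = <PATH-TO-CA-BUNDLE>` inside `<ldap_server_options>` and drop the dead start_tls block. `role_filter = "(&(objectclass=group)(%s))"` also looks wrong: with `role_value = dn` the `%s` is replaced by the user's DN, so the filter becomes an equality match on that DN string evaluated under ou=groups and the `hydra-admins = admin` mapping never fires (fails closed, but silently); the usual form is `role_filter = "(&(objectclass=group)(member=%s))"`, or `memberUid=%s` with `role_value = uid`, depending on what the directory stores. In the last hunk the new `ldap/search-user-pw` secret is owned by hydra-queue-runner like the signing key, but it is read by hydra-server, which in the upstream NixOS module runs as hydra-www; that only works because both users share the hydra group and the mode is 440, so `owner = config.users.users.hydra-www.name` would state the intent and survive a group change.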
@ -1,5 +1,7 @@
|
||||||
nix-serve:
|
nix-serve:
|
||||||
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
|
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
|
||||||
|
ldap:
|
||||||
|
search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -24,8 +26,8 @@ sops:
|
||||||
K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
|
K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
|
||||||
O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
|
O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-09-25T21:00:25Z"
|
lastmodified: "2022-12-06T14:25:54Z"
|
||||||
mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
|
mac: ENC[AES256_GCM,data:4cOG88FIG7UhVb/r8Aq1Nme5+qCpEdpjV+BLOISm1Y6MYgxFTDqCzV2FOdKztpVou5Nly9JUvKfz6eiCWbbIbaO5/DYUObiTKZXv6B1x6blnIW8vMtqcdYWOXH62ycHMV+Sha0D41eXmNp3K1Vs+k3OwYZyHK1HFOqqQ2jpy+Ps=,iv:u0O/A/GBBpDTJVFBfiFzDOIIR5o479YI11fgrv0mR0A=,tag:E9OuAAOhfbzPcnA6Ij6LMA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2022-07-15T23:31:58Z"
|
- created_at: "2022-07-15T23:31:58Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|