# NixOS module: LDAP login for Hydra, driven by this configuration's shared
# `security.ldap` settings (server, bind DN, base DNs, filters) and seeding the
# matching groups into Portunus.
{ config, lib, libS, ... }:
let
  inherit (config.security) ldap;
  cfg = config.services.hydra.ldap;
in
{
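options = {
  services.hydra.ldap = {
    enable = lib.mkEnableOption (lib.mdDoc ''
      login only via LDAP.

      The bind user's password must be placed at `/var/lib/hydra/ldap-password.conf`
      in the format `bindpw = "PASSWORD"`. The file is included verbatim into Hydra's
      configuration, so keep it out of the Nix store and readable only by the user
      Hydra runs as, never world-readable.
      Prefer a password without special characters: Hydra's Perl config parser has
      unusual escaping rules, e.g. a comment character `#` must be escaped with a
      backslash.
    '');

    roleMappings = lib.mkOption {
      type = with lib.types; listOf (attrsOf str);
      # Attribute name: LDAP group; value: Hydra role. The role name must be one
      # Hydra knows (e.g. `admin`, see the `role_mapping` example in the rendered config).
      example = [ { hydra-admins = "admin"; } ];
      default = [ ];
      description = lib.mdDoc ''
        Map LDAP groups to Hydra permissions. Each attribute name is an LDAP group and
        its value the Hydra role granted to that group's members; list the same group
        in several entries to grant it several roles. See the upstream Hydra
        documentation, especially `role_mapping`.
      '';
    };

    userGroup = libS.ldap.mkUserGroupOption;
  };
};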
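# Rendered into hydra.conf (Perl Config::General syntax) only when LDAP login is enabled.
# Everything after `#` inside this string is a comment in the generated config file.
config.services.hydra.extraConfig = lib.mkIf cfg.enable /* xml */ ''
  # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
  <ldap>
    <config>
      <credential>
        class = Password
        password_field = password
        # The submitted password is checked by binding to LDAP as the user.
        password_type = self_check
      </credential>
      <store>
        class = LDAP
        ldap_server = "${ldap.domainName}"
        <ldap_server_options>
          # ldaps: the connection is TLS from the first byte (no STARTTLS upgrade).
          scheme = ldaps
          timeout = 10
          # NOTE(review): nothing here asks for server certificate verification.
          # Net::LDAP only verifies the certificate when `verify = require` (and a
          # `cafile`/`capath`) is given in this block; without it the ldaps session is
          # encrypted but the peer is not authenticated. Confirm and add if required.
        </ldap_server_options>
        binddn = "${ldap.bindDN}"
        # bindpw is read from a separate file outside the Nix store; see the
        # services.hydra.ldap.enable option description for path and permissions.
        include ldap-password.conf
        start_tls = 0
        # NOTE(review): <start_tls_options> are only applied by a STARTTLS upgrade,
        # which `start_tls = 0` disables, so this cipher/TLS-version pin does not
        # apply to the ldaps connection above. Move the two settings into
        # <ldap_server_options> if they are meant to be enforced.
        <start_tls_options>
          ciphers = TLS_AES_256_GCM_SHA384
          sslversion = tlsv1_3
        </start_tls_options>
        user_basedn = "${ldap.userBaseDN}"
        # %s is substituted with the login name; the group filter restricts login to
        # members of the configured userGroup (if any).
        user_filter = "${ldap.searchFilterWithGroupFilter cfg.userGroup (ldap.userFilter "%s")}"
        user_scope = one
        user_field = ${ldap.userField}
        <user_search_options>
          deref = always
        </user_search_options>
        # Important for role mappings to work:
        use_roles = 1
        role_basedn = "${ldap.roleBaseDN}"
        role_filter = "${ldap.roleFilter}"
        role_scope = one
        role_field = ${ldap.roleField}
        role_value = ${ldap.roleValue}
        <role_search_options>
          deref = always
        </role_search_options>
      </store>
    </config>
    <role_mapping>
      # Make all users in the hydra-admin group Hydra admins
      # hydra-admins = admin
      # Allow all users in the dev group to restart jobs and cancel builds
      # dev = restart-jobs
      # dev = cancel-build
      # One "ldapGroup = hydraRole" line per attribute of every roleMappings entry.
      ${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfg.roleMappings)}
    </role_mapping>
  </ldap>
'';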
# Seed the LDAP groups this module refers to into Portunus: the optional login
# group plus one group per LDAP group named in roleMappings. Groups get no Portunus
# permissions of their own; they only exist so Hydra's group/role lookups resolve.
# Note that seeding is driven by the option values, not by `enable`.
config.services.portunus.seedSettings.groups =
  let
    loginGroup = lib.optional (cfg.userGroup != null) {
      long_name = "Hydra Users";
      name = cfg.userGroup;
      permissions = { };
    };
    roleGroups = lib.concatMap
      (mapping: lib.mapAttrsToList
        (ldapGroup: _: {
          long_name = "Hydra Role ${ldapGroup}";
          name = ldapGroup;
          permissions = { };
        })
        mapping)
      cfg.roleMappings;
  in
  loginGroup ++ roleGroups;
}