2023-05-16 21:23:04 +00:00
|
|
|
/*
|
|
|
|
|
Gonna use a priper nixos module for this
|
|
|
|
|
*/
|
|
|
|
|
|
2023-05-18 20:59:23 +00:00
|
|
|
{ config, pkgs, lib, ... }:
|
2023-05-16 21:23:04 +00:00
|
|
|
with lib;
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.skynet_ldap;
|
|
|
|
|
in {
|
|
|
|
|
|
|
|
|
|
# these are needed for teh program in question
|
|
|
|
|
imports = [
|
|
|
|
|
./acme.nix
|
2023-05-24 15:51:15 +00:00
|
|
|
./dns.nix
|
2023-05-16 21:23:04 +00:00
|
|
|
./nginx.nix
|
2023-06-18 21:49:31 +00:00
|
|
|
./ldap/ldap_backend.nix
|
2023-05-16 21:23:04 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
options.services.skynet_ldap = {
|
|
|
|
|
# options that need to be passed in to make this work
|
|
|
|
|
|
|
|
|
|
enable = mkEnableOption "Skynet LDAP service";
|
|
|
|
|
|
|
|
|
|
host = {
|
|
|
|
|
ip = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
name = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2023-05-21 11:08:26 +00:00
|
|
|
domain = {
|
2023-05-21 11:17:06 +00:00
|
|
|
tld = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "ie";
|
|
|
|
|
};
|
|
|
|
|
|
2023-05-21 11:08:26 +00:00
|
|
|
base = mkOption {
|
|
|
|
|
type = types.str;
|
2023-05-21 11:17:06 +00:00
|
|
|
default = "skynet";
|
2023-05-21 11:08:26 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sub = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "sso";
|
|
|
|
|
};
|
2023-05-16 21:23:04 +00:00
|
|
|
};
|
|
|
|
|
|
2023-05-21 11:05:19 +00:00
|
|
|
frontend.port = mkOption {
|
2023-05-16 21:23:04 +00:00
|
|
|
type = types.port;
|
2023-05-21 11:05:19 +00:00
|
|
|
default = 8888;
|
2023-05-16 21:23:04 +00:00
|
|
|
};
|
2023-05-21 11:02:52 +00:00
|
|
|
|
|
|
|
|
base = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "dc=skynet,dc=ie";
|
|
|
|
|
};
|
2023-05-16 21:23:04 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
2023-06-18 21:49:31 +00:00
|
|
|
|
|
|
|
|
# passthrough to the backend
|
|
|
|
|
services.ldap_backend = {
|
|
|
|
|
enable = true;
|
|
|
|
|
host.ip = cfg.host.ip;
|
|
|
|
|
host.name = cfg.host.name;
|
|
|
|
|
};
|
2023-05-16 21:23:04 +00:00
|
|
|
|
2023-05-20 23:19:20 +00:00
|
|
|
# after changing teh password openldap.service has to be restarted
|
|
|
|
|
age.secrets.ldap_pw = {
|
|
|
|
|
file = ../secrets/ldap/pw.age;
|
|
|
|
|
mode = "440";
|
|
|
|
|
owner = "openldap";
|
|
|
|
|
group = "openldap";
|
|
|
|
|
};
|
|
|
|
|
|
2023-07-16 00:53:21 +00:00
|
|
|
skynet_dns.records = [
|
|
|
|
|
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
2023-05-16 21:23:04 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
# firewall on teh computer itself
|
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
2023-05-18 20:59:23 +00:00
|
|
|
389
|
2023-05-21 11:17:06 +00:00
|
|
|
636
|
2023-05-16 21:23:04 +00:00
|
|
|
];
|
|
|
|
|
|
2023-05-21 11:17:06 +00:00
|
|
|
# using https://nixos.wiki/wiki/OpenLDAP for base config
|
|
|
|
|
|
|
|
|
|
systemd.services.openldap = {
|
|
|
|
|
wants = [ "acme-${cfg.domain.base}.service" ];
|
|
|
|
|
after = [ "acme-${cfg.domain.base}.service" ];
|
|
|
|
|
};
|
|
|
|
|
|
2023-05-21 21:45:20 +00:00
|
|
|
users.groups.acme.members = [ "openldap" ];
|
2023-05-21 11:17:06 +00:00
|
|
|
|
2023-05-20 02:08:30 +00:00
|
|
|
services.openldap = {
|
2023-05-26 23:30:39 +00:00
|
|
|
# backup /var/lib/openldap/slapd.d
|
|
|
|
|
|
2023-05-20 02:08:30 +00:00
|
|
|
enable = true;
|
2023-05-16 21:23:04 +00:00
|
|
|
|
2023-05-21 11:17:06 +00:00
|
|
|
/* enable plain and secure connections */
|
|
|
|
|
urlList = [ "ldap:///" "ldaps:///" ];
|
2023-05-16 21:23:04 +00:00
|
|
|
|
2023-05-20 02:08:30 +00:00
|
|
|
settings = {
|
|
|
|
|
attrs = {
|
|
|
|
|
olcLogLevel = "conns config";
|
2023-05-21 11:17:06 +00:00
|
|
|
|
|
|
|
|
/* settings for acme ssl */
|
|
|
|
|
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
|
|
|
|
|
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
|
|
|
|
|
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
|
2023-05-21 21:45:20 +00:00
|
|
|
# got teh ciphers from https://access.redhat.com/articles/1474813
|
|
|
|
|
# the ones provided on the nixos page didnt work
|
2023-05-23 22:30:27 +00:00
|
|
|
olcTLSCipherSuite = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL";
|
2023-05-21 11:17:06 +00:00
|
|
|
olcTLSCRLCheck = "none";
|
|
|
|
|
olcTLSVerifyClient = "never";
|
2023-05-21 21:45:20 +00:00
|
|
|
olcTLSProtocolMin = "3.3";
|
2023-05-20 02:08:30 +00:00
|
|
|
};
|
2023-05-16 21:23:04 +00:00
|
|
|
|
2023-05-20 02:08:30 +00:00
|
|
|
children = {
|
|
|
|
|
"cn=schema".includes = [
|
|
|
|
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
|
|
|
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
|
|
|
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
|
|
|
|
"${pkgs.openldap}/etc/schema/nis.ldif"
|
|
|
|
|
./ldap/openssh-lpk.ldif
|
2023-05-20 14:26:03 +00:00
|
|
|
./ldap/skMemberOf.ldif
|
2023-05-20 02:08:30 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
2023-05-20 14:26:03 +00:00
|
|
|
"cn=modules".attrs = {
|
|
|
|
|
objectClass = [ "olcModuleList" ];
|
|
|
|
|
cn = "modules";
|
2023-06-15 13:29:06 +00:00
|
|
|
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
|
2023-05-20 14:26:03 +00:00
|
|
|
};
|
|
|
|
|
|
2023-05-24 14:31:58 +00:00
|
|
|
"olcDatabase={-1}frontend".attrs = {
|
|
|
|
|
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
|
|
|
|
|
|
2023-05-26 09:21:14 +00:00
|
|
|
olcPasswordHash = "{SSHA512}";
|
2023-05-24 14:31:58 +00:00
|
|
|
};
|
2023-05-20 14:26:03 +00:00
|
|
|
|
|
|
|
|
"olcDatabase={1}mdb" = {
|
|
|
|
|
attrs = {
|
|
|
|
|
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
|
|
|
|
|
|
|
|
|
|
olcDatabase = "{1}mdb";
|
|
|
|
|
olcDbDirectory = "/var/lib/openldap/data";
|
|
|
|
|
|
2023-05-21 11:02:52 +00:00
|
|
|
olcSuffix = cfg.base;
|
2023-05-20 02:08:30 +00:00
|
|
|
|
2023-05-20 14:26:03 +00:00
|
|
|
/* your admin account, do not use writeText on a production system */
|
2023-05-21 11:02:52 +00:00
|
|
|
olcRootDN = "cn=admin,${cfg.base}";
|
2023-05-20 20:33:04 +00:00
|
|
|
olcRootPW.path = config.age.secrets.ldap_pw.path;
|
2023-05-20 02:08:30 +00:00
|
|
|
|
2023-05-20 14:26:03 +00:00
|
|
|
#olcOverlay = "memberof";
|
2023-05-20 02:08:30 +00:00
|
|
|
|
2023-05-20 14:26:03 +00:00
|
|
|
olcAccess = [
|
|
|
|
|
/* custom access rules for userPassword attributes */
|
|
|
|
|
''{0}to attrs=userPassword
|
|
|
|
|
by self write
|
|
|
|
|
by anonymous auth
|
|
|
|
|
by * none''
|
|
|
|
|
|
2023-05-25 21:23:25 +00:00
|
|
|
''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
|
|
|
|
|
by self write
|
|
|
|
|
by * read''
|
|
|
|
|
|
2023-05-20 14:26:03 +00:00
|
|
|
/* allow read on anything else */
|
2023-05-25 21:23:25 +00:00
|
|
|
''{2}to *
|
2023-05-20 14:26:03 +00:00
|
|
|
by * read''
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
|
|
|
|
|
children = {
|
|
|
|
|
"olcOverlay=dynlist".attrs = {
|
|
|
|
|
objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
|
|
|
|
|
olcOverlay = "dynlist";
|
|
|
|
|
olcDlAttrSet = "skPerson labeledURI skMemberOf";
|
|
|
|
|
};
|
2023-06-15 13:29:06 +00:00
|
|
|
|
|
|
|
|
"olcOverlay=memberof".attrs = {
|
|
|
|
|
objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
|
|
|
|
|
olcOverlay = "memberof";
|
|
|
|
|
|
|
|
|
|
olcMemberOfDangling = "ignore";
|
|
|
|
|
olcMemberOfRefInt = "TRUE";
|
2023-06-16 17:51:24 +00:00
|
|
|
olcMemberOfGroupOC = "groupOfNames";
|
|
|
|
|
olcMemberOfMemberAD = "member";
|
2023-06-15 13:29:06 +00:00
|
|
|
olcMemberOfMemberOfAD = "memberOf";
|
|
|
|
|
};
|
2023-05-20 14:26:03 +00:00
|
|
|
};
|
2023-05-20 02:08:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
2023-05-20 14:26:03 +00:00
|
|
|
|
2023-05-20 02:08:30 +00:00
|
|
|
};
|
2023-05-18 20:59:23 +00:00
|
|
|
};
|
2023-05-16 21:23:04 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
