nixos/applications/ldap/server.nix

249 lines
6.4 KiB
Nix
Raw Normal View History

2023-05-16 21:23:04 +00:00
/*
Gonna use a priper nixos module for this
*/
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_ldap;
2023-10-22 13:39:35 +00:00
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
2023-05-16 21:23:04 +00:00
# these are needed for teh program in question
imports = [
../acme.nix
../dns.nix
../nginx.nix
./backend.nix
2023-05-16 21:23:04 +00:00
];
options.services.skynet_ldap = {
# options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP service";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
2023-05-21 11:08:26 +00:00
domain = {
2023-05-21 11:17:06 +00:00
tld = mkOption {
type = types.str;
default = "ie";
};
2023-05-21 11:08:26 +00:00
base = mkOption {
type = types.str;
2023-05-21 11:17:06 +00:00
default = "skynet";
2023-05-21 11:08:26 +00:00
};
sub = mkOption {
type = types.str;
default = "account";
2023-05-21 11:08:26 +00:00
};
2023-05-16 21:23:04 +00:00
};
2023-05-21 11:05:19 +00:00
frontend.port = mkOption {
2023-05-16 21:23:04 +00:00
type = types.port;
2023-05-21 11:05:19 +00:00
default = 8888;
2023-05-16 21:23:04 +00:00
};
2023-05-21 11:02:52 +00:00
base = mkOption {
type = types.str;
default = "dc=skynet,dc=ie";
};
2023-05-16 21:23:04 +00:00
};
config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
host.ip = cfg.host.ip;
host.name = cfg.host.name;
};
2023-05-16 21:23:04 +00:00
# after changing teh password openldap.service has to be restarted
age.secrets.ldap_pw = {
file = ../../secrets/ldap/pw.age;
mode = "440";
owner = "openldap";
group = "openldap";
};
services.skynet.acme.domains = [
2023-10-22 13:39:35 +00:00
domain
];
services.skynet.dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
2023-05-16 21:23:04 +00:00
];
# firewall on teh computer itself
networking.firewall.allowedTCPPorts = [
2023-05-18 20:59:23 +00:00
389
2023-05-21 11:17:06 +00:00
636
2023-05-16 21:23:04 +00:00
];
2023-07-27 18:33:28 +00:00
services.nginx.virtualHosts = {
2023-10-22 13:39:35 +00:00
${domain} = {
2023-07-27 18:33:28 +00:00
forceSSL = true;
useACMEHost = "skynet";
2023-07-30 05:34:55 +00:00
locations."/" = {
root = "${inputs.skynet_ldap_frontend.defaultPackage."x86_64-linux"}";
# https://stackoverflow.com/a/38238001
extraConfig = ''
if ($request_uri ~ ^/(.*)\.html) {
return 302 /$1;
}
try_files $uri $uri.html $uri/ =404;
'';
};
2023-07-27 18:33:28 +00:00
};
};
2023-05-21 11:17:06 +00:00
# using https://nixos.wiki/wiki/OpenLDAP for base config
systemd.services.openldap = {
wants = ["acme-${cfg.domain.base}.service"];
after = ["acme-${cfg.domain.base}.service"];
2023-05-21 11:17:06 +00:00
};
users.groups.acme.members = ["openldap"];
2023-05-21 11:17:06 +00:00
services.openldap = {
2023-05-26 23:30:39 +00:00
# backup /var/lib/openldap/slapd.d
enable = true;
2023-05-16 21:23:04 +00:00
/*
enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"];
2023-05-16 21:23:04 +00:00
settings = {
attrs = {
olcLogLevel = "conns config";
2023-05-21 11:17:06 +00:00
/*
settings for acme ssl
*/
2023-05-21 11:17:06 +00:00
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
2023-05-21 21:45:20 +00:00
# got teh ciphers from https://access.redhat.com/articles/1474813
# the ones provided on the nixos page didnt work
olcTLSCipherSuite = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL";
2023-05-21 11:17:06 +00:00
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
2023-05-21 21:45:20 +00:00
olcTLSProtocolMin = "3.3";
2023-07-16 20:28:03 +00:00
# make it so it can return up to 2000 results ar once, more than twice our total records for users
olcSizeLimit = "2000";
};
2023-05-16 21:23:04 +00:00
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
./openssh-lpk.ldif
./skMemberOf.ldif
];
"cn=modules".attrs = {
objectClass = ["olcModuleList"];
cn = "modules";
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
};
"olcDatabase={-1}frontend".attrs = {
objectClass = ["olcDatabaseConfig" "olcFrontendConfig"];
2023-05-26 09:21:14 +00:00
olcPasswordHash = "{SSHA512}";
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
2023-05-21 11:02:52 +00:00
olcSuffix = cfg.base;
/*
your admin account, do not use writeText on a production system
*/
2023-05-21 11:02:52 +00:00
olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path;
olcAccess = [
/*
custom access rules for userPassword attributes
*/
2023-10-22 13:39:35 +00:00
''
{0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none
''
''
{1}to attrs=mail,sshPublicKey,cn,sn
2023-10-22 13:39:35 +00:00
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read
''
/*
allow read on anything else
*/
2023-10-22 13:39:35 +00:00
''
{2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read
''
];
};
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
children = {
"olcOverlay=dynlist".attrs = {
objectClass = ["olcOverlayConfig" "olcDynamicList"];
olcOverlay = "dynlist";
olcDlAttrSet = "skPerson labeledURI skMemberOf";
};
"olcOverlay=memberof".attrs = {
objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"];
olcOverlay = "memberof";
olcMemberOfDangling = "ignore";
olcMemberOfRefInt = "TRUE";
2023-06-16 17:51:24 +00:00
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
};
};
};
2023-05-18 20:59:23 +00:00
};
2023-05-16 21:23:04 +00:00
};
};
}