feat: Improved config further further

silver 2023-11-13 00:54:23 +00:00
parent e810bca085
commit 35f6d63c10
2 changed files with 215 additions and 224 deletions


@ -7,49 +7,26 @@
with lib; let with lib; let
cfg = config.services.bitwarden_directory_connector; cfg = config.services.bitwarden_directory_connector;
ldap_data = builtins.toJSON { ldap_data = builtins.toJSON cfg.ldap;
ssl = cfg.ldap.ssl; sync_data = builtins.toJSON cfg.sync;
startTls = cfg.ldap.startTls;
sslAllowUnauthorized = cfg.ldap.sslAllowUnauthorized;
port = cfg.ldap.port;
currentUser = false;
ad = cfg.ldap.ad;
pagedSearch = true;
password = "to_be_replaced";
hostname = cfg.ldap.hostname;
rootPath = cfg.ldap.root;
username = cfg.ldap.username;
};
sync_data = # coping directly from nix https://github.com/NixOS/nixpkgs/blob/da4024d0ead5d7820f6bd15147d3fe2a0c0cec73/nixos/modules/config/nix.nix#L62C1-L76C49
builtins.toJSON semanticConfType = with types; let
({ confAtom =
removeDisabled = cfg.sync.removeDisabled; nullOr
overwriteExisting = cfg.sync.overwriteExisting; (oneOf [
largeImport = cfg.sync.largeImport; bool
creationDateAttribute = cfg.sync.creationDateAttribute; int
memberAttribute = cfg.sync.memberAttribute; float
interval = 5; str
useEmailPrefixSuffix = cfg.sync.emailPrefixSuffix.enable; path
users = cfg.sync.users.enable; package
groups = cfg.sync.groups.enable; ])
} // {
// optionalAttrs cfg.sync.emailPrefixSuffix.enable { description = "Nix config atom (null, bool, int, float, str, path or package)";
emailPrefixAttribute = cfg.sync.emailPrefixSuffix.prefixAttribute; };
emailSuffix = cfg.sync.emailPrefixSuffix.suffix; in
} attrsOf (either confAtom (listOf confAtom));
// optionalAttrs cfg.sync.users.enable {
userPath = cfg.sync.users.path;
userObjectClass = cfg.sync.users.objectClass;
userEmailAttribute = cfg.sync.users.emailAttribute;
userFilter = cfg.sync.users.filter;
}
// optionalAttrs cfg.sync.groups.enable {
groupPath = cfg.sync.groups.path;
groupObjectClass = cfg.sync.groups.objectClass;
groupNameAttribute = cfg.sync.groups.nameAttribute;
groupFilter = cfg.sync.groups.filter;
});
json_string = string: builtins.replaceStrings ["\""] ["\\\""] string; json_string = string: builtins.replaceStrings ["\""] ["\\\""] string;
in { in {
@ -90,161 +67,184 @@ in {
default = "/etc/bitwarden/bwdc"; default = "/etc/bitwarden/bwdc";
}; };
ldap = { pw_env = mkOption {
ssl = mkOption { type = types.str;
type = types.bool; description = lib.mdDoc "The ENV var that the ldap password is stored.";
default = false; default = "LDAP_PW";
description = lib.mdDoc "Use SSL."; };
}; interval = mkOption {
startTls = mkOption { type = types.str;
type = types.bool; default = "*:0,15,30,45";
default = false; description = lib.mdDoc "When to run the connector, OnCalendar syntax.";
description = lib.mdDoc "Use STARTTLS."; };
};
sslAllowUnauthorized = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Is Active Directory.";
};
port = mkOption {
type = types.int;
default = 389;
description = lib.mdDoc "Port LDAP is accessable on";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessable on.";
example = "ldap.example.com";
};
root = mkOption { ldap = mkOption {
type = types.str; description = lib.mdDoc "Options to configurate LDAP.";
description = lib.mdDoc "Root path for LDAP"; type = types.submodule {
example = "dc=example,dc=com"; freeformType = semanticConfType;
};
username = mkOption { options = {
type = types.str; ssl = mkOption {
description = lib.mdDoc "The user to authenticate as."; type = types.bool;
example = "cn=admin,dc=example,dc=com"; default = false;
}; description = lib.mdDoc "Use SSL.";
pw_env = mkOption { };
type = types.str; startTls = mkOption {
description = lib.mdDoc "The ENV var that the ldap password is stored."; type = types.bool;
default = "LDAP_PW"; default = false;
description = lib.mdDoc "Use STARTTLS.";
};
sslAllowUnauthorized = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "";
};
port = mkOption {
type = types.int;
default = 389;
description = lib.mdDoc "Port LDAP is accessable on";
};
currentUser = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Unknown what this does.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Is Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "The LDAP server paginates search results.";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessable on.";
example = "ldap.example.com";
};
rootPath = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
};
}; };
}; };
sync = { sync = mkOption {
interval = mkOption { description = lib.mdDoc "Options to configurate what gets synced.";
type = types.str; type = types.submodule {
default = "*:0,15,30,45"; freeformType = semanticConfType;
description = lib.mdDoc "When to run the connector, OnCalendar syntax.";
};
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
memberAttribute = mkOption { options = {
type = types.str; removeDisabled = mkOption {
description = lib.mdDoc "Attribute that lists members in a LDAP group."; type = types.bool;
example = "uniqueMember"; default = true;
}; description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
creationDateAttribute = mkOption { memberAttribute = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Attribute that lists a users creation date."; description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "whenCreated"; example = "uniqueMember";
}; };
emailPrefixSuffix = { creationDateAttribute = mkOption {
enable = mkOption { type = types.str;
type = types.bool; description = lib.mdDoc "Attribute that lists a users creation date.";
default = false; example = "whenCreated";
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email."; };
};
prefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that has a users username.";
example = "accountName";
};
suffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
example = "@example.com";
};
};
users = { useEmailPrefixSuffix = mkOption {
enable = mkOption { type = types.bool;
type = types.bool; default = false;
default = false; description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
description = lib.mdDoc "Sync users."; };
}; emailPrefixAttribute = mkOption {
path = mkOption { type = types.str;
type = types.str; description = lib.mdDoc "Attribute that has a users username.";
description = lib.mdDoc "User directory, relative to root."; default = "accountName";
example = "ou=users"; };
}; emailSuffix = mkOption {
objectClass = mkOption { type = types.str;
type = types.str; description = lib.mdDoc "Suffix for the email, normally @example.com.";
description = lib.mdDoc "A class that users will have."; default = "@example.com";
example = "inetOrgPerson"; };
};
emailAttribute = mkOption { users = mkOption {
type = types.str; type = types.bool;
description = lib.mdDoc "Attribute for a users email."; default = false;
example = "mail"; description = lib.mdDoc "Sync users.";
}; };
filter = mkOption { userPath = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Filter for users."; description = lib.mdDoc "User directory, relative to root.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)"; default = "ou=users";
}; };
}; userObjectClass = mkOption {
groups = { type = types.str;
enable = mkOption { description = lib.mdDoc "A class that users will have.";
type = types.bool; default = "inetOrgPerson";
default = false; };
description = lib.mdDoc "Sync groups."; userEmailAttribute = mkOption {
}; type = types.str;
path = mkOption { description = lib.mdDoc "Attribute for a users email.";
type = types.str; default = "mail";
description = lib.mdDoc "Group directory, relative to root."; };
example = "ou=groups"; userFilter = mkOption {
}; type = types.str;
objectClass = mkOption { description = lib.mdDoc "Filter for users.";
type = types.str; example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
description = lib.mdDoc "A class that groups will have."; default = "";
example = "groupOfNames"; };
};
nameAttribute = mkOption { groups = mkOption {
type = types.str; type = types.bool;
description = lib.mdDoc "Attribute for a name of group."; default = false;
example = "cn"; description = lib.mdDoc "Sync groups.";
}; };
filter = mkOption { groupPath = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Filter for groups."; description = lib.mdDoc "Group directory, relative to root.";
example = "(cn=sales)"; default = "ou=groups";
};
groupObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
default = "groupOfNames";
};
groupNameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
default = "cn";
};
groupFilter = mkOption {
type = types.str;
description = lib.mdDoc "Filter for groups.";
example = "(cn=sales)";
default = "";
};
}; };
}; };
}; };
@ -252,7 +252,7 @@ in {
env = { env = {
ldap = mkOption rec { ldap = mkOption rec {
type = types.str; type = types.str;
description = "Auth for the LDAP, has value defined in {option}`ldap.pw_env"; description = "Auth for the LDAP, has value defined in {option}`pw_env";
}; };
bitwarden = mkOption rec { bitwarden = mkOption rec {
type = types.str; type = types.str;
@ -278,7 +278,7 @@ in {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
partOf = ["bitwarden_directory_connector.service"]; partOf = ["bitwarden_directory_connector.service"];
timerConfig = { timerConfig = {
OnCalendar = cfg.sync.interval; OnCalendar = cfg.interval;
Unit = "bitwarden_directory_connector.service"; Unit = "bitwarden_directory_connector.service";
Persistent = true; Persistent = true;
}; };
@ -309,27 +309,21 @@ in {
# now login to set credentials # now login to set credentials
${cfg.package}/bin/${cfg.binary_name} login ${cfg.package}/bin/${cfg.binary_name} login
# set the ldap details jq '.authenticatedAccounts[0] as $account
account=$(jq '.authenticatedAccounts[0]?' ${cfg.directory}/data.json) | .[$account].directoryConfigurations.ldap |= $ldap_data
jq ".[$account].directoryConfigurations.ldap |= ${json_string ldap_data}" ${cfg.directory}/data.json > ${cfg.directory}/data1.json | .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg ldap_data} \
--arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg sync_data} \
${escapeShellArg cfg.directory}/data.json \
> ${escapeShellArg cfg.directory}/data.json.tmp
# remove the original mv -f -- ${escapeShellArg cfg.directory}/data.json.tmp ${escapeShellArg cfg.directory}/data.json
rm -f ${cfg.directory}/data.json
# set the client id
orgID=$(echo $BW_CLIENTID | sed 's/organization\.//g')
jq ".[$account].directorySettings.organizationId |= \"$orgID\" " ${cfg.directory}/data1.json > ${cfg.directory}/data2.json
# and sync data
jq ".[$account].directorySettings.sync |= ${json_string sync_data}" ${cfg.directory}/data2.json > ${cfg.directory}/data.json
# final config # final config
${cfg.package}/bin/${cfg.binary_name} config directory 0 ${cfg.package}/bin/${cfg.binary_name} config directory 0
${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.ldap.pw_env} ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env}
# cleanup temp files
rm -f ${cfg.directory}/data1.json
rm -f ${cfg.directory}/data2.json
''; '';
ExecStart = ''${cfg.package}/bin/${cfg.binary_name} sync''; ExecStart = ''${cfg.package}/bin/${cfg.binary_name} sync'';
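Review bot: In the last hunk the jq rewrite is redirected into data.json.tmp and a separate `mv -f` then replaces data.json, so a jq failure (for example an empty `authenticatedAccounts`, which makes `.[$account]` index with null, or a `--argjson` value that does not parse) leaves an empty or truncated temp file that is still moved over the real data.json, unless the surrounding script runs under `set -e`, which is not visible here. Chaining the two commands keeps the original file intact on error: `> ${escapeShellArg cfg.directory}/data.json.tmp \` followed by `&& mv -f -- ${escapeShellArg cfg.directory}/data.json.tmp ${escapeShellArg cfg.directory}/data.json`. Separately, the new `ldap` submodule keeps `sslAllowUnauthorized` with `description = lib.mdDoc "";` and `currentUser` with "Unknown what this does."; since the former presumably disables TLS certificate verification for the LDAP connection, it deserves a description such as `description = lib.mdDoc "Accept LDAP server TLS certificates that cannot be verified (disables certificate validation); keep false unless the server uses a CA the system does not trust.";`. Note also that `ldap_data = builtins.toJSON cfg.ldap` now serialises every key of a freeform submodule into the store-resident script, so a `password` placed directly in `ldap` (the old code set it to the placeholder "to_be_replaced") would end up in the world-readable Nix store instead of going through `--secretenv`; an assertion that `cfg.ldap` has no `password` key, or a comment stating that the password must only come from `pw_env`, would make that explicit. The ExecStartPre script containing the jq call begins before this hunk.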


@ -22,6 +22,8 @@ in {
package = pkgs.callPackage ./_bitwarden-directory-connector.nix {}; package = pkgs.callPackage ./_bitwarden-directory-connector.nix {};
pw_env = "LDAP_ADMIN_PW";
ldap = { ldap = {
ssl = false; ssl = false;
startTls = false; startTls = false;
@ -29,9 +31,8 @@ in {
ad = false; ad = false;
port = 389; port = 389;
hostname = "account.skynet.ie"; hostname = "account.skynet.ie";
root = "dc=skynet,dc=ie"; rootPath = "dc=skynet,dc=ie";
username = "cn=admin,dc=skynet,dc=ie"; username = "cn=admin,dc=skynet,dc=ie";
pw_env = "LDAP_ADMIN_PW";
}; };
sync = { sync = {
@ -40,21 +41,17 @@ in {
largeImport = false; largeImport = false;
memberAttribute = "member"; memberAttribute = "member";
creationDateAttribute = "skCreated"; creationDateAttribute = "skCreated";
emailPrefixSuffix.enable = false;
users = { users = true;
enable = true; userPath = "ou=users";
path = "ou=users"; userObjectClass = "inetOrgPerson";
objectClass = "inetOrgPerson"; userEmailAttribute = "skMail";
emailAttribute = "skMail"; userFilter = "(|(memberOf=cn=skynet-committee,ou=groups,dc=skynet,dc=ie)(memberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))";
filter = "(|(memberOf=cn=skynet-committee,ou=groups,dc=skynet,dc=ie)(memberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))";
}; groups = true;
groups = { groupPath = "ou=groups";
enable = true; groupObjectClass = "groupOfNames";
path = "ou=groups"; groupNameAttribute = "cn";
objectClass = "groupOfNames";
nameAttribute = "cn";
filter = "";
};
}; };
env = { env = {