ldap: first attempt at ldap

2023-05-16 22:23:04 +01:00 · 2023-05-16 22:23:04 +01:00 · 53696c927e
commit 53696c927e
parent fbbefc1e2a
3 changed files with 198 additions and 0 deletions
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@ -0,0 +1,85 @@
+/*
+Gonna use a priper nixos module for this
+*/
+
+{ config, pkgs, ... }:
+  with lib;
+  let
+    cfg = config.services.skynet_ldap;
+  in {
+
+  # these are needed for teh program in question
+  imports = [
+    ./acme.nix
+    ./nginx.nix
+  ];
+
+
+  options.services.skynet_ldap = {
+    # options that need to be passed in to make this work
+
+    enable = mkEnableOption "Skynet LDAP service";
+
+    host = {
+      ip = mkOption {
+        type = types.str;
+      };
+
+      name = mkOption {
+        type = types.str;
+      };
+    };
+
+    subdomain = mkOption {
+      type = types.str;
+      default = "sso";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # this is athe actual configuration that we need to do
+
+    # some things first just for skynet
+    skynet_firewall.forward = [
+      "ip daddr ${cfg.host.ip} udp dport 80 counter packets 0 bytes 0 accept"
+      "ip daddr ${cfg.host.ip} udp dport 443 counter packets 0 bytes 0 accept"
+    ];
+
+    skynet_dns.records.cname = [
+      "${cfg.subdomain}  CNAME   ${cfg.host.name}"
+    ];
+
+    # firewall on teh computer itself
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+
+    # finally down to configurating teha ctual service
+
+    # gonna need a reverse proxy set up
+    services.nginx = {
+      virtualHosts."${cfg.subdomain}.skynet.ie" = {
+        forceSSL = true;
+        useACMEHost = "skynet";
+        locations."/".proxyPass = "http://localhost:${port}";
+      };
+    };
+
+
+    # finally the actual service we are doing
+    services.portunus = {
+      enable = true;
+      domain = hostname;
+      port = port;
+      # not sure if this will work
+      seedPath = "./ldap/seed.json";
+    };
+  };
+}
--- a/applications/ldap/seed.json
+++ b/applications/ldap/seed.json
@ -0,0 +1,58 @@
+{
+  "groups": [
+    {
+      "name": "portunus-team",
+      "long_name": "Skynet Portunus Administrators",
+      "members": [
+        "Silver"
+      ],
+      "permissions": {
+        "portunus": {
+          "is_admin": true
+        },
+        "ldap": {
+          "can_read": true
+        }
+      },
+      "posix_gid": 101
+    },
+    {
+      "name": "skynet-user",
+      "long_name": "Skynet users",
+      "members": [
+        "Silver",
+        "NotSilver"
+      ],
+      "permissions": {
+        "portunus": {
+          "is_admin": false
+        },
+        "ldap": {
+          "can_read": false
+        }
+      },
+      "posix_gid": 1001
+    }
+  ],
+  "users": [
+    {
+      "login_name": "Silver",
+      "given_name": "Brendan",
+      "family_name": "Golden",
+      "email": "skynet@brendan.ie",
+      "ssh_public_keys": [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"
+      ]
+    },
+
+    {
+      "login_name": "NotSilver",
+      "given_name": "Not",
+      "family_name": "Silver",
+      "email": "hahahahaaaaa@example.com",
+      "ssh_public_keys": [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico notDesktop"
+      ]
+    }
+  ]
+}