ldap: first attempt at ldap

This commit is contained in:
silver 2023-05-16 22:23:04 +01:00
parent fbbefc1e2a
commit 53696c927e
3 changed files with 198 additions and 0 deletions

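--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -0,0 +1,85 @@
+/*
+Gonna use a priper nixos module for this
+*/
+{ config, pkgs, ... }:
+with lib;
+let
+cfg = config.services.skynet_ldap;
+in {
+# these are needed for teh program in question
+imports = [
+./acme.nix
+./nginx.nix
+];
+options.services.skynet_ldap = {
+# options that need to be passed in to make this work
+enable = mkEnableOption "Skynet LDAP service";
+host = {
+ip = mkOption {
+type = types.str;
+};
+name = mkOption {
+type = types.str;
+};
+};
+subdomain = mkOption {
+type = types.str;
+default = "sso";
+};
+port = mkOption {
+type = types.port;
+default = 8080;
+};
+};
+config = mkIf cfg.enable {
+# this is athe actual configuration that we need to do
+# some things first just for skynet
+skynet_firewall.forward = [
+"ip daddr ${cfg.host.ip} udp dport 80 counter packets 0 bytes 0 accept"
+"ip daddr ${cfg.host.ip} udp dport 443 counter packets 0 bytes 0 accept"
+];
+skynet_dns.records.cname = [
+"${cfg.subdomain} CNAME ${cfg.host.name}"
+];
+# firewall on teh computer itself
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+# finally down to configurating teha ctual service
+# gonna need a reverse proxy set up
+services.nginx = {
+virtualHosts."${cfg.subdomain}.skynet.ie" = {
+forceSSL = true;
+useACMEHost = "skynet";
+locations."/".proxyPass = "http://localhost:${port}";
+};
+};
+# finally the actual service we are doing
+services.portunus = {
+enable = true;
+domain = hostname;
+port = port;
+# not sure if this will work
+seedPath = "./ldap/seed.json";
+};
+};
+}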
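Review bot: `lib` is used (`with lib;` on the second line, then `mkOption`/`mkIf`) but is not taken from the module arguments, and `port` and `hostname` in the nginx `proxyPass` and the `services.portunus` block are unbound, so this module does not evaluate; the nftables forward rules also match `udp dport 80/443` while HTTP/HTTPS is TCP, so the upstream firewall forwards nothing the service uses and accepts UDP it never listens on. The rewrite below takes `lib` as an argument, switches the rules to `tcp`, and references `cfg.port` (an int, so `toString` for the interpolation) and the vhost name for the portunus domain. `seedPath = "./ldap/seed.json"` is a string, not a path literal, so it is not resolved relative to this file; `seedPath = ./ldap/seed.json;` would be, if that is the intended location. That `services.portunus.domain` should equal the nginx vhost name is inferred from the proxy setup; confirm against the Portunus module options.
```nix
{ config, pkgs, lib, ... }:
# … unchanged: with lib; let cfg = …; imports; options …
    skynet_firewall.forward = [
      "ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
      "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
    ];
# … unchanged: dns cname record, networking.firewall …
        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
# … unchanged: rest of services.nginx …
    services.portunus = {
      enable = true;
      domain = "${cfg.subdomain}.skynet.ie";
      port = cfg.port;
      # path literal: resolved relative to this module and copied to the store
      seedPath = ./ldap/seed.json;
    };
```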


@ -0,0 +1,58 @@
{
"groups": [
{
"name": "portunus-team",
"long_name": "Skynet Portunus Administrators",
"members": [
"Silver"
],
"permissions": {
"portunus": {
"is_admin": true
},
"ldap": {
"can_read": true
}
},
"posix_gid": 101
},
{
"name": "skynet-user",
"long_name": "Skynet users",
"members": [
"Silver",
"NotSilver"
],
"permissions": {
"portunus": {
"is_admin": false
},
"ldap": {
"can_read": false
}
},
"posix_gid": 1001
}
],
"users": [
{
"login_name": "Silver",
"given_name": "Brendan",
"family_name": "Golden",
"email": "skynet@brendan.ie",
"ssh_public_keys": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"
]
},
{
"login_name": "NotSilver",
"given_name": "Not",
"family_name": "Silver",
"email": "hahahahaaaaa@example.com",
"ssh_public_keys": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico notDesktop"
]
}
]
}
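Review bot: The second user object, `NotSilver`, is seeded with the same `ssh-ed25519 AAAAC3…emico` key as `Silver` (only the trailing comment differs), so this placeholder account is a second identity bound to the same key and is a member of `skynet-user`; if it exists only to exercise the seed format, drop it and its entry in the `skynet-user` members list before the seed is applied on the LDAP host, or at least give it an empty `ssh_public_keys` array. The file has no path on this page; the module references it as `./ldap/seed.json`, so the location is presumably `applications/ldap/seed.json`, which should be confirmed.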

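--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@@ -0,0 +1,55 @@
+/*
+Name: https://en.wikipedia.org/wiki/KITT
+Why: Kitt used to have this role before (as well as email and dns)
+Type: VM
+Hardware: -
+From: 2023
+Role: LDAP Server
+Notes:
+*/
+{ pkgs, lib, nodes, ... }: ip_address:
+let
+# name of the server, sets teh hostname and record for it
+name = "kitt";
+ip_pub = "193.1.99.74";
+ip_priv = "172.20.20.5";
+hostname = "${name}.skynet.ie";
+hostname = ip_pub;
+in {
+imports = [
+# required imports
+../applications/firewall.nix
+../applications/dns.nix
+# whats running on teh server
+../applications/ldap.nix
+];
+deployment = {
+targetHost = hostname;
+targetPort = 22;
+targetUser = "root";
+};
+# add this server to dns
+skynet_dns.records.external = [
+"${name} A ${ip_pub}"
+];
+# we use this to pass in teh relevent infomation to the
+services.skynet_ldap = {
+enable = true;
+host = {
+# pass in teh ip (used for firewall)
+ip = ip_pub;
+# the name is used for dns
+name = name;
+};
+};
+}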
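Review bot: `hostname` is bound twice in the `let` block (`hostname = "${name}.skynet.ie";` followed by `hostname = ip_pub;`), which Nix rejects as a duplicate attribute, so the file does not evaluate; keep one binding, or if the deployment target must be the bare address, rename the second to `target = ip_pub;` and use that in `deployment.targetHost`. `ip_priv` is bound but never used. The trailing `ip_address:` on the argument line turns the file into a curried function rather than a plain module, and nothing in the body reads that parameter; presumably the hive definition supplies it, which should be verified against the caller.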