From 7e380d6932601fda83ad07f1edf04580085cb0b7 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Thu, 18 May 2023 21:59:23 +0100 Subject: [PATCH] ldap: a mostly working ldaish setup --- applications/ldap.nix | 24 +++++++++++---- applications/ldap/seed.json | 46 ++++++++++++++--------------- machines/optimus.nix | 59 +++++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+), 29 deletions(-) diff --git a/applications/ldap.nix b/applications/ldap.nix index a8b88d4..067c2d0 100644 --- a/applications/ldap.nix +++ b/applications/ldap.nix @@ -2,7 +2,7 @@ Gonna use a priper nixos module for this */ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: with lib; let cfg = config.services.skynet_ldap; @@ -58,6 +58,10 @@ Gonna use a priper nixos module for this networking.firewall.allowedTCPPorts = [ 80 443 + + # for ldap + 389 + 636 ]; @@ -68,18 +72,28 @@ Gonna use a priper nixos module for this virtualHosts."${cfg.subdomain}.skynet.ie" = { forceSSL = true; useACMEHost = "skynet"; - locations."/".proxyPass = "http://localhost:${port}"; + locations."/".proxyPass = "http://localhost:${toString cfg.port}"; }; }; + environment.variables = rec { + PORTUNUS_DEBUG = "true"; + SILVER_TEST = "true"; + }; # finally the actual service we are doing services.portunus = { enable = true; - domain = hostname; - port = port; + domain = "${cfg.subdomain}.skynet.ie"; + port = cfg.port; # not sure if this will work - seedPath = "./ldap/seed.json"; + # https://nixos.org/manual/nix/stable/language/builtins.html#builtins-toPath + seedPath = ./. +"/ldap/seed.json"; + + ldap = { + #searchUserName = "portunus-service"; + suffix = "dc=skynet,dc=ie"; + }; }; }; } \ No newline at end of file diff --git a/applications/ldap/seed.json b/applications/ldap/seed.json index 8387665..7292b17 100644 --- a/applications/ldap/seed.json +++ b/applications/ldap/seed.json 
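Review bot: Adding `389` to `networking.firewall.allowedTCPPorts` exposes plaintext LDAP on the host's public interface (the machine passes `ip_pub` to this module for the firewall), while nothing in this patch enables TLS on the Portunus-managed slapd (e.g. `services.portunus.ldap.tls`), so the `636` entry presumably has no listener behind it yet. Any remote client that binds over 389, such as the SSSD configuration added in `machines/optimus.nix`, sends its bind password and receives SSH public keys in the clear. Keep 389 closed or limit it to trusted interfaces via `networking.firewall.interfaces.<if>.allowedTCPPorts`, and open 636 only once TLS is configured. A comment such as `# 636 (LDAPS) only; 389 is plaintext and must not be reachable from outside` would record the intent for the next editor.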
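Review bot: `seedPath = ./. +"/ldap/seed.json"` turns the seed into a path value that is copied into the Nix store when the module interpolates it, so everything in `seed.json` — including the clear-text `password` for `portunus_service` added by this same patch — becomes world-readable under `/nix/store` on every host that evaluates this module. Point `seedPath` at a runtime location populated by the deployment's secret mechanism, or keep credentials out of the seed altogether, and say so in the comment that currently reads `# not sure if this will work`. `environment.variables.PORTUNUS_DEBUG = "true"` (and `SILVER_TEST`) is set for every login shell on the machine rather than for the portunus unit; if debug output is needed at all, set it in `systemd.services.portunus.environment`, and the `rec` on that attribute set is unused. Leaving `searchUserName` commented out presumably means Portunus's dedicated read-only search account is not created, which is what pushed the client side into binding as an admin-group member instead — consider enabling it.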
@@ -1,10 +1,10 @@
 {
 "groups": [
 {
- "name": "portunus-team",
+ "name": "admin-portunus",
 "long_name": "Skynet Portunus Administrators",
 "members": [
- "silver"
+ "portunus_service"
 ],
 "permissions": {
 "portunus": {
@@ -13,16 +13,26 @@
 "ldap": {
 "can_read": true
 }
+ }
+ },
+ {
+ "name": "admin-skynet",
+ "long_name": "Skynet admin",
+ "members": [],
+ "permissions": {
+ "portunus": {
+ "is_admin": false
+ },
+ "ldap": {
+ "can_read": false
+ }
 },
 "posix_gid": 101
 },
 {
- "name": "skynet-user",
+ "name": "user-skynet",
 "long_name": "Skynet users",
- "members": [
- "silver",
- "not_silver"
- ],
+ "members": [],
 "permissions": {
 "portunus": {
 "is_admin": false
@@ -36,23 +46,11 @@
 ],
 "users": [
 {
- "login_name": "silver",
- "given_name": "Brendan",
- "family_name": "Golden",
- "email": "skynet@brendan.ie",
- "ssh_public_keys": [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"
- ]
- },
-
- {
- "login_name": "not_silver",
- "given_name": "Not",
- "family_name": "Silver",
- "email": "hahahahaaaaa@example.com",
- "ssh_public_keys": [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico notDesktop"
- ]
+ "login_name": "portunus_service",
+ "given_name": "Portunus",
+ "family_name": "Service Account",
+ "email": "portunus_service@skynet.ie",
+ "password": "westwood"
 }
 ]
 }
\ No newline at end of file
diff --git a/machines/optimus.nix b/machines/optimus.nix
index b10be16..c1f330a 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -24,6 +24,9 @@ in {
 ../applications/firewall.nix
 ../applications/dns.nix
 ../applications/games.nix
+
+ # for testing
+ ../applications/ldap.nix
 ];
 deployment = {
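Review bot: Replacing `silver` with `portunus_service` as the only member of `admin-portunus` gives the account that SSSD binds with whatever the group's `permissions.portunus` block grants (that block continues past this hunk; if it still sets `is_admin: true`, the bind account can administer every user and group), when a directory-lookup account needs nothing beyond `ldap.can_read`. The bind password for that account is committed in clear text in this patch, so compromise of it would mean full control of the directory rather than read access. Put the service account in a group that only has `"ldap": { "can_read": true }` with `"portunus": { "is_admin": false }`, and keep at least one human in `admin-portunus` so the web UI remains administrable after seeding.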
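Review bot: The new `admin-skynet` group takes over the `"posix_gid": 101` that previously belonged to `portunus-team`, starts with `"members": []` and `ldap.can_read: false`, and `machines/optimus.nix` in this same patch grants it `NOPASSWD` sudo for `ALL` — so anyone able to add a member to this group via Portunus gets passwordless root on optimus. That property should be stated where the group is defined, e.g. `"long_name": "Skynet admins (passwordless root on managed hosts)"`, since JSON offers no comment syntax. A gid of 101 also falls in the range NixOS uses for statically allocated system groups and may collide with one already present on the host; a gid of 1000 or above would be safer — verify against the host's existing groups.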
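Review bot: `"password": "westwood"` commits a live credential in clear text to the repository, and the same string is used as `LDAP_BIND_PW` in `machines/optimus.nix`, so the directory bind secret now lives in git history and, via the seed path, in the Nix store. Treat it as burned: rotate it, drop the `password` field from the seed, and set the service account's password out of band (e.g. through the Portunus UI or the deployment's secret store). Because the seed cannot carry a comment, record the rule next to `seedPath` in `ldap.nix`, e.g. `# seed.json must never contain real credentials; service-account passwords are provisioned out of band`.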
@@ -50,4 +53,60 @@ in { ]; }; +# we use this to pass in teh relevent infomation to the + services.skynet_ldap = { + enable = true; + + host = { + # pass in teh ip (used for firewall) + ip = ip_pub; + + # the name is used for dns + name = name; + }; + }; + + security.sudo.extraRules = [ + { groups = [ "admin-skynet" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + ]; + + services.sssd = { + enable = true; + + # just for testing purposes, don't put this into the Nix store in production! + environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}"; + + sshAuthorizedKeysIntegration = true; + + config = '' + [domain/skynet.ie] + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = ldap://sso.skynet.ie + ldap_search_base = ou=users,dc=skynet,dc=ie + ldap_group_search_base = ou=posix-groups,dc=skynet,dc=ie + ldap_sudo_search_base = ou=admin-skynet,ou=posix-groups,dc=skynet,dc=ie + ldap_default_bind_dn = uid=portunus_service,ou=users,dc=skynet,dc=ie + ldap_default_authtok_type = password + ldap_default_authtok = $LDAP_BIND_PW + cache_credentials = false + simple_allow_groups = admin-skynet + + [sssd] + config_file_version = 2 + services = nss, pam, sudo, ssh + domains = skynet.ie + + [nss] + + [pam] + + [sudo] + + [autofs] + + ''; + }; + }
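Review bot: `simple_allow_groups = admin-skynet` does nothing here because the `[domain/skynet.ie]` section never sets `access_provider = simple`; SSSD's default access provider is `permit`, so every user under `ou=users` can log in to optimus over SSH (with `sshAuthorizedKeysIntegration = true` serving their keys), not just admins. The bind also uses `ldap_uri = ldap://sso.skynet.ie` with a simple bind, which sends `LDAP_BIND_PW` and the fetched SSH keys in the clear to any client not on this host; switch to `ldaps://` (or `ldap_id_use_start_tls = true`) with `ldap_tls_reqcert = demand` once the server has TLS. The `pkgs.writeText` environment file places the password in the world-readable Nix store — the inherited comment admits this — yet it is deployed to a host whose `ip_pub` feeds the firewall, so replace it with a runtime secret path before this leaves testing. `cache_credentials = false` additionally makes every LDAP login and LDAP-sourced sudo rule fail whenever the directory is unreachable; confirm that is intended. The enclosing `in { … }` attribute set begins before this hunk.
```nix
          config = ''
            [domain/skynet.ie]
            # … unchanged: id/auth/sudo providers, search bases, bind DN and authtok …
            ldap_uri = ldaps://sso.skynet.ie
            ldap_tls_reqcert = demand
            access_provider = simple
            simple_allow_groups = admin-skynet
            # … unchanged: [sssd] and the per-service sections …
```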