ldap: a mostly working ldaish setup

2023-05-18 21:59:23 +01:00 · 2023-05-18 21:59:23 +01:00 · 7e380d6932
commit 7e380d6932
parent baa226cacf
3 changed files with 100 additions and 29 deletions
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@ -2,7 +2,7 @@
 Gonna use a priper nixos module for this
 */

-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
  with lib;
  let
    cfg = config.services.skynet_ldap;
@ -58,6 +58,10 @@ Gonna use a priper nixos module for this
    networking.firewall.allowedTCPPorts = [
      80
      443
+
+      # for ldap
+      389
+      636
    ];


@ -68,18 +72,28 @@ Gonna use a priper nixos module for this
      virtualHosts."${cfg.subdomain}.skynet.ie" = {
        forceSSL = true;
        useACMEHost = "skynet";
-        locations."/".proxyPass = "http://localhost:${port}";
+        locations."/".proxyPass = "http://localhost:${toString cfg.port}";
      };
    };

+     environment.variables = rec {
+        PORTUNUS_DEBUG  = "true";
+        SILVER_TEST  = "true";
+      };

    # finally the actual service we are doing
    services.portunus = {
      enable = true;
-      domain = hostname;
-      port = port;
+      domain = "${cfg.subdomain}.skynet.ie";
+      port = cfg.port;
      # not sure if this will work
-      seedPath = "./ldap/seed.json";
+      # https://nixos.org/manual/nix/stable/language/builtins.html#builtins-toPath
+      seedPath = ./. +"/ldap/seed.json";
+
+      ldap = {
+        #searchUserName = "portunus-service";
+        suffix = "dc=skynet,dc=ie";
+      };
    };
  };
 }
--- a/applications/ldap/seed.json
+++ b/applications/ldap/seed.json
@ -1,10 +1,10 @@
 {
  "groups": [
    {
-      "name": "portunus-team",
+      "name": "admin-portunus",
      "long_name": "Skynet Portunus Administrators",
      "members": [
-        "silver"
+        "portunus_service"
      ],
      "permissions": {
        "portunus": {
@ -13,16 +13,26 @@
        "ldap": {
          "can_read": true
        }
+      }
+    },
+    {
+      "name": "admin-skynet",
+      "long_name": "Skynet admin",
+      "members": [],
+      "permissions": {
+        "portunus": {
+          "is_admin": false
+        },
+        "ldap": {
+          "can_read": false
+        }
      },
      "posix_gid": 101
    },
    {
-      "name": "skynet-user",
+      "name": "user-skynet",
      "long_name": "Skynet users",
-      "members": [
-        "silver",
-        "not_silver"
-      ],
+      "members": [],
      "permissions": {
        "portunus": {
          "is_admin": false
@ -36,23 +46,11 @@
  ],
  "users": [
    {
-      "login_name": "silver",
-      "given_name": "Brendan",
-      "family_name": "Golden",
-      "email": "skynet@brendan.ie",
-      "ssh_public_keys": [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"
-      ]
-    },
-
-    {
-      "login_name": "not_silver",
-      "given_name": "Not",
-      "family_name": "Silver",
-      "email": "hahahahaaaaa@example.com",
-      "ssh_public_keys": [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico notDesktop"
-      ]
+      "login_name": "portunus_service",
+      "given_name": "Portunus",
+      "family_name": "Service Account",
+      "email": "portunus_service@skynet.ie",
+      "password": "westwood"
    }
  ]
 }
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@ -24,6 +24,9 @@ in {
    ../applications/firewall.nix
    ../applications/dns.nix
    ../applications/games.nix
+
+    # for testing
+    ../applications/ldap.nix
  ];

  deployment = {
@ -50,4 +53,60 @@ in {
    ];
  };

+# we use this to pass in teh relevent infomation to the
+  services.skynet_ldap = {
+    enable = true;
+
+    host = {
+      # pass in teh ip (used for firewall)
+      ip = ip_pub;
+
+      # the name is used for dns
+      name = name;
+    };
+  };
+
+  security.sudo.extraRules = [
+     { groups = [ "admin-skynet" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+  ];
+
+  services.sssd = {
+    enable = true;
+
+    # just for testing purposes, don't put this into the Nix store in production!
+    environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=westwood"}";
+
+    sshAuthorizedKeysIntegration = true;
+
+    config = ''
+      [domain/skynet.ie]
+      id_provider = ldap
+      auth_provider = ldap
+      sudo_provider = ldap
+      ldap_uri = ldap://sso.skynet.ie
+      ldap_search_base = ou=users,dc=skynet,dc=ie
+      ldap_group_search_base = ou=posix-groups,dc=skynet,dc=ie
+      ldap_sudo_search_base = ou=admin-skynet,ou=posix-groups,dc=skynet,dc=ie
+      ldap_default_bind_dn = uid=portunus_service,ou=users,dc=skynet,dc=ie
+      ldap_default_authtok_type = password
+      ldap_default_authtok = $LDAP_BIND_PW
+      cache_credentials = false
+      simple_allow_groups = admin-skynet
+
+      [sssd]
+      config_file_version = 2
+      services = nss, pam, sudo, ssh
+      domains = skynet.ie
+
+      [nss]
+
+      [pam]
+
+      [sudo]
+
+      [autofs]
+
+    '';
+  };
+
 }