feat: added a formatter and some instructions

silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions


@ -1,10 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
imports = [
../acme.nix
../dns.nix
@ -44,7 +48,6 @@
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
@ -56,7 +59,11 @@
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
@ -64,9 +71,9 @@
useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:${port_backend}";
# extraConfig = ''
# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
# '';
# extraConfig = ''
# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
# '';
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
'';
@ -99,315 +106,316 @@
];
lifetime = [];
banned = [];
restricted = [
# usernames folks arent allowed to use
"contact"
"dnsadm"
"president"
"treasurer"
"secretary"
"pro"
"sysadmin"
"root"
] ++ [
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
# start off with compsoc stuff first
"competition_www"
"demo1"
"demouser"
"ftp"
"lost+found"
"postfix"
"skynews.old"
"system_backup"
"test"
"test12"
"test20202"
"test20203"
"tmp"
"webadm"
] ++ [
# clubs and socs (as far as I can tell
"aerosoc"
"aikido"
"anfocal"
"bics"
"boarding"
"cns"
"dev"
"filmsoc"
"gaa"
"german"
"golfsoc"
"handball"
"hispanic"
"history"
"hockey"
"home"
"legosoc"
"lifesave"
"mens_gfc"
"musicsoc"
"pagansoc"
"peacesoc"
"physics"
"poker"
"prolife"
"radio"
"ragweek"
"sinnfein"
"soccer"
"ulbs"
"ulcamogie"
"ulcc"
"ulgaa"
"ulils"
"ulladiesfootball"
"ullaughinsoc"
"ulrfc"
"ulriders"
"ulssc"
"ultennis"
"viking"
] ++ [
# remaining, most likely usernames
"_9thwonder"
"abc"
"activate"
"aiesec"
"air"
"aladdin"
"alaric"
"aldozzie"
"allenli"
"amg"
"amgl"
"annette"
"annlad"
"ards_backup"
"arisquez"
"arthur"
"austin"
"beta"
"bh"
"bigdave"
"bios"
"bizarroal"
"bmacaree"
"boardy"
"boddah"
"bogus.anime.fakh"
"bogus.bhudt.dacf"
"bogus.citoge.baym"
"bogus.electro.ba0a"
"bogus.fencing.baw5"
"bogus.harry.ba8f"
"bogus.hui.hong.baci"
"bogus.ironman.baqib"
"bogus.joe.bach"
"bogus.kenny.bas6"
"bogus.kerswin.baybb"
"bogus.kravmaga.ba0w"
"bogus.methi.baq5"
"bogus.nelsonmw.bauc"
"bogus.poshea.ba0m"
"bogus.redwolf.bawn"
"bogus.romanov.baat"
"bogus.ryan.bae-"
"bogus.rynnea.bask"
"bogus.sea.af"
"bogus.shane.c.ba8z"
"bogus.t1000.baggb"
"bogus.ullrugby.ba8p"
"brendan"
"bubba"
"c_material_removed"
"ca_worm"
"cactus"
"carticus"
"cathalc"
"cathald-broken"
"cdschedule"
"celtic"
"christine"
"cian"
"ciara"
"ciaran"
"colin"
"cosmo"
"counsel"
"creosote"
"crew"
"cues"
"cur"
"cwhelan"
"dac"
"daktulu"
"datacore"
"davec"
"daverus"
"deano"
"deccy"
"declanmu"
"deiji"
"dermotmc"
"derrick"
"deshocks"
"diarmuid"
"dippy"
"djraptor"
"dmackey"
"dmir"
"dom"
"dom_mckay"
"donie"
"donnacha"
"dos30"
"drazhar"
"duffman"
"eas"
"electal"
"emc"
"emilia"
"emma"
"emmag"
"ents"
"envcom"
"eoinh95"
"epgriffin"
"equest"
"fiacc"
"fint"
"flanno"
"fmannix"
"foodcoop"
"gamenet"
"ganainm"
"gar"
"ger88"
"ghama"
"ging"
"goborobo"
"gooner"
"greekweek"
"hawking"
"hb"
"homer"
"hoshi"
"ian"
"ianrice"
"ilug"
"infinity"
"ingenuus"
"internat"
"jamessy"
"jamiebarry"
"jbravo"
"jdonegan"
"joedredd"
"johann"
"jokill"
"jsoccer"
"jules"
"kate"
"katie"
"kellyj"
"kiely"
"koo"
"l_d_ablo"
"lakes"
"laura"
"lebowski"
"liabraid"
"lynn"
"mal"
"manuel"
"maraz"
"marieke"
"marky"
"mature"
"mbyrne"
"meanturtle"
"mickaful"
"mickasul"
"mikado"
"mikeh"
"mikkel"
"mixiezme"
"mmc"
"molly"
"moochie"
"moonser"
"mopic"
"mp"
"nastros"
"neutrino"
"new"
"nezzy"
"nkdc"
"nmcenroy"
"noelle"
"nugget"
"ob"
"omega"
"oneillbeano"
"pamela"
"peterj"
"photyl"
"plake"
"pmcg1986"
"pyro"
"qubeat"
"rachel"
"rachelg"
"ralmeida"
"raymond"
"razzlero"
"red"
"rmacm"
"rmorrissey"
"robson"
"selena"
"shark"
"shayscannell"
"shazlove"
"shelley"
"shelly"
"silver.old"
"sirhc"
"sithlord"
"sk"
"sligoer"
"slowey"
"smallp"
"smurfy"
"sordfish"
"soul98"
"soular"
"st"
"stefanovich"
"svp"
"szczerba"
"tangsoodo"
"tc"
"tenfor"
"teslacut"
"theematt"
"thomasl"
"tockman"
"ugm"
"vanzan"
"volleyb"
"warren"
"weather"
"wiles"
"yvonne"
"zrahman"
];
restricted =
[
# usernames folks arent allowed to use
"contact"
"dnsadm"
"president"
"treasurer"
"secretary"
"pro"
"sysadmin"
"root"
]
++ [
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
# start off with compsoc stuff first
"competition_www"
"demo1"
"demouser"
"ftp"
"lost+found"
"postfix"
"skynews.old"
"system_backup"
"test"
"test12"
"test20202"
"test20203"
"tmp"
"webadm"
]
++ [
# clubs and socs (as far as I can tell
"aerosoc"
"aikido"
"anfocal"
"bics"
"boarding"
"cns"
"dev"
"filmsoc"
"gaa"
"german"
"golfsoc"
"handball"
"hispanic"
"history"
"hockey"
"home"
"legosoc"
"lifesave"
"mens_gfc"
"musicsoc"
"pagansoc"
"peacesoc"
"physics"
"poker"
"prolife"
"radio"
"ragweek"
"sinnfein"
"soccer"
"ulbs"
"ulcamogie"
"ulcc"
"ulgaa"
"ulils"
"ulladiesfootball"
"ullaughinsoc"
"ulrfc"
"ulriders"
"ulssc"
"ultennis"
"viking"
]
++ [
# remaining, most likely usernames
"_9thwonder"
"abc"
"activate"
"aiesec"
"air"
"aladdin"
"alaric"
"aldozzie"
"allenli"
"amg"
"amgl"
"annette"
"annlad"
"ards_backup"
"arisquez"
"arthur"
"austin"
"beta"
"bh"
"bigdave"
"bios"
"bizarroal"
"bmacaree"
"boardy"
"boddah"
"bogus.anime.fakh"
"bogus.bhudt.dacf"
"bogus.citoge.baym"
"bogus.electro.ba0a"
"bogus.fencing.baw5"
"bogus.harry.ba8f"
"bogus.hui.hong.baci"
"bogus.ironman.baqib"
"bogus.joe.bach"
"bogus.kenny.bas6"
"bogus.kerswin.baybb"
"bogus.kravmaga.ba0w"
"bogus.methi.baq5"
"bogus.nelsonmw.bauc"
"bogus.poshea.ba0m"
"bogus.redwolf.bawn"
"bogus.romanov.baat"
"bogus.ryan.bae-"
"bogus.rynnea.bask"
"bogus.sea.af"
"bogus.shane.c.ba8z"
"bogus.t1000.baggb"
"bogus.ullrugby.ba8p"
"brendan"
"bubba"
"c_material_removed"
"ca_worm"
"cactus"
"carticus"
"cathalc"
"cathald-broken"
"cdschedule"
"celtic"
"christine"
"cian"
"ciara"
"ciaran"
"colin"
"cosmo"
"counsel"
"creosote"
"crew"
"cues"
"cur"
"cwhelan"
"dac"
"daktulu"
"datacore"
"davec"
"daverus"
"deano"
"deccy"
"declanmu"
"deiji"
"dermotmc"
"derrick"
"deshocks"
"diarmuid"
"dippy"
"djraptor"
"dmackey"
"dmir"
"dom"
"dom_mckay"
"donie"
"donnacha"
"dos30"
"drazhar"
"duffman"
"eas"
"electal"
"emc"
"emilia"
"emma"
"emmag"
"ents"
"envcom"
"eoinh95"
"epgriffin"
"equest"
"fiacc"
"fint"
"flanno"
"fmannix"
"foodcoop"
"gamenet"
"ganainm"
"gar"
"ger88"
"ghama"
"ging"
"goborobo"
"gooner"
"greekweek"
"hawking"
"hb"
"homer"
"hoshi"
"ian"
"ianrice"
"ilug"
"infinity"
"ingenuus"
"internat"
"jamessy"
"jamiebarry"
"jbravo"
"jdonegan"
"joedredd"
"johann"
"jokill"
"jsoccer"
"jules"
"kate"
"katie"
"kellyj"
"kiely"
"koo"
"l_d_ablo"
"lakes"
"laura"
"lebowski"
"liabraid"
"lynn"
"mal"
"manuel"
"maraz"
"marieke"
"marky"
"mature"
"mbyrne"
"meanturtle"
"mickaful"
"mickasul"
"mikado"
"mikeh"
"mikkel"
"mixiezme"
"mmc"
"molly"
"moochie"
"moonser"
"mopic"
"mp"
"nastros"
"neutrino"
"new"
"nezzy"
"nkdc"
"nmcenroy"
"noelle"
"nugget"
"ob"
"omega"
"oneillbeano"
"pamela"
"peterj"
"photyl"
"plake"
"pmcg1986"
"pyro"
"qubeat"
"rachel"
"rachelg"
"ralmeida"
"raymond"
"razzlero"
"red"
"rmacm"
"rmorrissey"
"robson"
"selena"
"shark"
"shayscannell"
"shazlove"
"shelley"
"shelly"
"silver.old"
"sirhc"
"sithlord"
"sk"
"sligoer"
"slowey"
"smallp"
"smurfy"
"sordfish"
"soul98"
"soular"
"st"
"stefanovich"
"svp"
"szczerba"
"tangsoodo"
"tc"
"tenfor"
"teslacut"
"theematt"
"thomasl"
"tockman"
"ugm"
"vanzan"
"volleyb"
"warren"
"weather"
"wiles"
"yvonne"
"zrahman"
];
};
};
};
}
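Review bot: In the nginx hunk `@ -64,9 +71,9` the re-indented vhost still emits `add_header Access-Control-Allow-Origin "*";` while the origin-scoped variant (`https://account.${cfg.domain.base}.${cfg.domain.tld}`) stays commented out directly above it. Because this vhost proxies straight through to the LDAP backend on `port_backend`, the wildcard lets any web origin read non-credentialed responses from that API, which is wider than the commented-out rule was written to allow. If the wildcard is deliberate (for example because the backend authenticates with bearer tokens rather than cookies), a short comment stating that would stop the next formatter pass from burying the question; otherwise restoring the scoped header, `add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";`, is a one-line change. The `services.nginx.virtualHosts` attribute set starts outside the hunk.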


@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.skynet_ldap_client;
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
# always ensure the admin group has access
create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x);
# thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
in {
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in {
# these are needed for teh program in question
imports = [];
@ -46,7 +51,6 @@
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
};
config = mkIf cfg.enable {
@ -54,10 +58,17 @@
security.sudo.extraRules = [
# admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
{
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# give users a home dir
security.pam.services.sshd.makeHomeDir = true;
@ -68,7 +79,7 @@
# tell users where tehy cna setup their ssh key
banner = ''
If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
'';
'';
};
services.sssd = {
@ -77,41 +88,40 @@
sshAuthorizedKeysIntegration = true;
config = ''
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://${cfg.address}:636
ldap_uri = ldaps://${cfg.address}:636
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_group_nesting_level = 5
ldap_group_nesting_level = 5
cache_credentials = false
entry_cache_timeout = 1
cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf
ldap_user_member_of = skMemberOf
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss]
# override_homedir = /home/%u
[nss]
# override_homedir = /home/%u
[pam]
[pam]
[sudo]
[sudo]
[autofs]
[autofs]
'';
};
};
}
}
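Review bot: In the hunk `@ -1,21 +1,26` the reformatted `create_filter_array` still interpolates each group name verbatim into `(skMemberOf=cn=${x},ou=groups,${cfg.base})` with no RFC 4515 filter escaping, so a group name containing `(`, `)`, `*` or `\` would produce a malformed or wider `ldap_user_search_base` filter for sssd. The names come from the `groups` option set by the host's administrator rather than from end users, so the exposure is low, but the assumption is not written down anywhere in the block. A comment on that line, `# group names are interpolated verbatim (no LDAP filter escaping); they are admin-supplied, not user input`, would record it for the next reader. The `let` block is otherwise self-contained within this hunk.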


@ -1,13 +1,16 @@
/*
Gonna use a priper nixos module for this
*/
{ config, pkgs, lib, inputs, ... }:
with lib;
let
cfg = config.services.skynet_ldap;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_ldap;
in {
# these are needed for teh program in question
imports = [
../acme.nix
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
./backend.nix
];
options.services.skynet_ldap = {
# options that need to be passed in to make this work
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
};
config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
# firewall on teh computer itself
@ -111,25 +116,29 @@ Gonna use a priper nixos module for this
# using https://nixos.wiki/wiki/OpenLDAP for base config
systemd.services.openldap = {
wants = [ "acme-${cfg.domain.base}.service" ];
after = [ "acme-${cfg.domain.base}.service" ];
wants = ["acme-${cfg.domain.base}.service"];
after = ["acme-${cfg.domain.base}.service"];
};
users.groups.acme.members = [ "openldap" ];
users.groups.acme.members = ["openldap"];
services.openldap = {
# backup /var/lib/openldap/slapd.d
enable = true;
/* enable plain and secure connections */
urlList = [ "ldap:///" "ldaps:///" ];
/*
enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"];
settings = {
attrs = {
olcLogLevel = "conns config";
/* settings for acme ssl */
/*
settings for acme ssl
*/
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
@ -154,67 +163,70 @@ Gonna use a priper nixos module for this
./skMemberOf.ldif
];
"cn=modules".attrs = {
objectClass = [ "olcModuleList" ];
cn = "modules";
objectClass = ["olcModuleList"];
cn = "modules";
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
};
"olcDatabase={-1}frontend".attrs = {
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
objectClass = ["olcDatabaseConfig" "olcFrontendConfig"];
olcPasswordHash = "{SSHA512}";
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = cfg.base;
/* your admin account, do not use writeText on a production system */
/*
your admin account, do not use writeText on a production system
*/
olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none''
/*
custom access rules for userPassword attributes
*/
'' {0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none''
''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read''
'' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read''
/* allow read on anything else */
''{2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
/*
allow read on anything else
*/
'' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
];
};
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
children = {
"olcOverlay=dynlist".attrs = {
objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
olcOverlay = "dynlist";
objectClass = ["olcOverlayConfig" "olcDynamicList"];
olcOverlay = "dynlist";
olcDlAttrSet = "skPerson labeledURI skMemberOf";
};
"olcOverlay=memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
olcOverlay = "memberof";
objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"];
olcOverlay = "memberof";
olcMemberOfDangling = "ignore";
olcMemberOfRefInt = "TRUE";
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
olcMemberOfMemberOfAD = "memberOf";
};
};
};
};
};
};
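Review bot: In the `olcAccess` hunk (`@ -154,67 +163,70`) the three rule strings now open as `'' {0}to …`, `'' {1}to …` and `'' {2}to …` with a space after the opening `''`, so the first line of each indented string gains one column; Nix strips the minimum common indentation of an indented string, which here should be that single space, so the rule text written to the config ought to be unchanged, but it is worth confirming on the generated config after a rebuild because an ACL that fails to parse would likely keep slapd from loading its configuration. In the same hunk the manage grants keep the literal DN `uid=ldap_api,ou=users,dc=skynet,dc=ie` while `olcSuffix = cfg.base` comes from the module option; if `cfg.base` is ever set to a different suffix the grant points at a DN that cannot exist in the database and the API account silently loses write access. Interpolating the base, `by dn.exact="uid=ldap_api,ou=users,${cfg.base}" manage`, on all three lines keeps the ACL consistent with the suffix it guards. The enclosing `services.openldap.settings` attribute set starts before this hunk.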