diff --git a/applications/ldap.nix b/applications/ldap.nix index 683e1e9..1d8a373 100644 --- a/applications/ldap.nix +++ b/applications/ldap.nix @@ -13,6 +13,7 @@ Gonna use a priper nixos module for this ./acme.nix ./dns.nix ./nginx.nix + ./ldap/ldap_backend.nix ]; @@ -60,7 +61,13 @@ Gonna use a priper nixos module for this }; config = mkIf cfg.enable { - # this is athe actual configuration that we need to do + + # passthrough to the backend + services.ldap_backend = { + enable = true; + host.ip = cfg.host.ip; + host.name = cfg.host.name; + }; # after changing teh password openldap.service has to be restarted age.secrets.ldap_pw = { @@ -70,13 +77,6 @@ Gonna use a priper nixos module for this group = "openldap"; }; - # openldap - age.secrets.ldap_self_service = { - file = ../secrets/ldap/self_service.age; - # not ideal but non admins should never be on this system - mode = "444"; - }; - skynet_dns.records.cname = [ "${cfg.domain.sub} CNAME ${cfg.host.name}" ]; @@ -203,34 +203,5 @@ Gonna use a priper nixos module for this }; }; }; - - - services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".proxyPass = "http://localhost:${toString cfg.frontend.port}"; - }; - - virtualisation.arion = { - backend = "docker"; - projects = { - ldap_reset.settings.services.ldap_reset.service = { - user = "root"; - image = "docker.io/ltbproject/self-service-password:1.5.3"; - # setting these here as they arent special - - - # where the config files are stored - volumes = [ - "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php" - ]; - - ports = [ - "${toString cfg.frontend.port}:80/tcp" - ]; - }; - }; - }; - }; } \ No newline at end of file diff --git a/applications/ldap/ldap_backend.nix b/applications/ldap/ldap_backend.nix new file mode 100644 index 0000000..c6789b1 --- /dev/null +++ b/applications/ldap/ldap_backend.nix 
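Review bot: The passthrough added in the `config = mkIf cfg.enable` hunk forwards only `host.ip` and `host.name` to `services.ldap_backend`, so the backend's `domain.tld`/`domain.base` stay at that module's own defaults and stop tracking this module's `cfg.domain`, which the removed nginx vhost used to build its name; forwarding them as well, `domain.tld = cfg.domain.tld;` and `domain.base = cfg.domain.base;`, keeps the two modules in step. With the `-203,34` hunk the only consumer of `cfg.frontend.port` is gone, so if the `frontend` option is still declared above this hunk (not visible here) it is now dead and should be removed or marked as unused. The deleted `age.secrets.ldap_self_service` block was the one carrying `mode = "444"`, and the backend module re-declares the secret without a mode, so the permissive mode does not survive the move; that is a permissions change worth stating explicitly rather than leaving implicit in the deletion.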
@@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+ with lib;
+ let
+ cfg = config.services.ldap_backend;
+ port_backend = "8087";
+ in {
+
+ imports = [
+ ../acme.nix
+ ../dns.nix
+ ../nginx.nix
+ ];
+
+ options.services.ldap_backend = {
+ enable = mkEnableOption "Skynet LDAP backend server";
+
+ host = {
+ ip = mkOption {
+ type = types.str;
+ };
+
+ name = mkOption {
+ type = types.str;
+ };
+ };
+
+ domain = {
+ tld = mkOption {
+ type = types.str;
+ default = "ie";
+ };
+
+ base = mkOption {
+ type = types.str;
+ default = "skynet";
+ };
+
+ sub = mkOption {
+ type = types.str;
+ default = "api.sso";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ #backups = [ "/etc/silver_ul_ical/database.db" ];
+
+ age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
+
+ skynet_dns.records.cname = [
+ "${cfg.domain.sub} CNAME ${cfg.host.name}"
+ ];
+
+ services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/".proxyPass = "http://localhost:${port_backend}";
+ };
+
+ services.skynet_ldap_backend = {
+ enable = true;
+
+ # contains teh password in env form
+ envFile = config.age.secrets.ldap_self_service.path;
+
+ ldap = {
+ host = "ldaps://sso.skynet.ie";
+ admin = "cn=admin,dc=skynet,dc=ie";
+ };
+
+ users = {
+ admin = [
+ "silver"
+ "evanc"
+ "eoghanconlon73"
+ ];
+ committee = [
+ "silver"
+ "eoghanconlon73"
+ ];
+ lifetime = [];
+ banned = [];
+ };
+
+ host_port = "127.0.0.1:${port_backend}";
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index b6a960e..a2b03b0 100644
--- a/flake.lock
+++ b/flake.lock
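Review bot: `age.secrets.ldap_self_service.file` in the `config = mkIf cfg.enable` block sets only `file`, so owner and mode fall back to agenix's defaults (root-owned, read-only to root unless this flake's agenix differs), which is tighter than the `mode = "444"` the same secret had in ldap.nix; whether the backend can still read it depends on how `services.skynet_ldap_backend` consumes `envFile` (fine if it is handed to systemd as an EnvironmentFile, not if the service opens the path under its own user), and that expectation belongs in the comment, e.g. replace `# contains teh password in env form` with `# env file with the LDAP admin password; root-only under the agenix defaults, so the backend must receive it via systemd rather than open it itself - confirm against the upstream module`. `host.ip` is declared as a required option but nothing in this module reads it (only `cfg.host.name` is used, for the CNAME record), so either drop it or use it. `#backups = [ "/etc/silver_ul_ical/database.db" ];` looks like a leftover from another module and should be removed. `ldap.host` and `ldap.admin` are hard-coded while the domain is an option; deriving `ldap.host` from `cfg.domain.base`/`cfg.domain.tld` would keep them consistent with the vhost and CNAME above.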
@@ -122,6 +122,24 @@ "type": "github" } }, + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1686572087, + "narHash": "sha256-jXTut7ZSYqLEgm/nTk7TuVL2ExahTip605bLINklAnQ=", + "owner": "nix-community", + "repo": "naersk", + "rev": "8507af04eb40c5520bd35d9ce6f9d2342cea5ad1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1665732960, @@ -199,13 +217,43 @@ "type": "indirect" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1687011986, + "narHash": "sha256-ZNSi/wBw12d7LO8YcZ4aehIlPp4lgSkKbrHaoF80IKI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2c09e8eb8717e240ef9c5727c1cc9186db9fb309", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1686921029, + "narHash": "sha256-J1bX9plPCFhTSh6E3TWn9XSxggBh/zDD4xigyaIQBy8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c7ff1b9b95620ce8728c0d7bd501c458e6da9e04", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", "arion": "arion", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_3", - "simple-nixos-mailserver": "simple-nixos-mailserver" + "simple-nixos-mailserver": "simple-nixos-mailserver", + "skynet_ldap_backend": "skynet_ldap_backend" } }, "simple-nixos-mailserver": { 
@@ -231,6 +279,41 @@ "type": "gitlab" } }, + "skynet_ldap_backend": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs_6", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1687123398, + "narHash": "sha256-t3wk/Uwx/qhjoMWh7hll0CgyDoClJkkDEYFScTZgRnc=", + "ref": "refs/heads/main", + "rev": "d4ceea2815c3821943984aaa6d7add5fe6a51b5c", + "revCount": 40, + "type": "git", + "url": "https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git" + }, + "original": { + "type": "git", + "url": "https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1605370193, @@ -245,6 +328,24 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 4a59aa8..0d742d0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,16 +13,29 @@ # email simple-nixos-mailserver.url = "gitlab:mweinelt/nixos-mailserver/ldap-support"; + + skynet_ldap_backend.url = "git+https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git"; }; - outputs = { self, nixpkgs, agenix, arion, simple-nixos-mailserver, ... }: { + outputs = { self, nixpkgs, + # these are the nixos modules from otehr projects + agenix, + arion, + simple-nixos-mailserver, + skynet_ldap_backend, + ... + }: + let + system = "x86_64-linux"; + in { # https://github.com/zhaofengli/colmena # colmena apply --on agentjones # colmena apply --on @dns + # nix flake lock --update-input skynet_ldap_backend colmena = { meta = { nixpkgs = import nixpkgs { - system = "x86_64-linux"; + system = system; overlays = []; }; }; @@ -52,7 +65,10 @@ optimus.imports = [./machines/optimus.nix arion.nixosModules.arion]; # LDAP host - kitt.imports = [./machines/kitt.nix arion.nixosModules.arion]; + kitt.imports = [ + ./machines/kitt.nix + skynet_ldap_backend.nixosModule.${system} + ]; # Gitlab glados = import ./machines/glados.nix; diff --git a/secrets/ldap/self_service.age b/secrets/ldap/self_service.age index 4cfef0d..9f57833 100644 Binary files a/secrets/ldap/self_service.age and b/secrets/ldap/self_service.age differ
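Review bot: `skynet_ldap_backend.url` is added without a `ref` or `rev`, and the flake.lock hunks in this commit record it as following `refs/heads/main`, so the `# nix flake lock --update-input skynet_ldap_backend` comment describes a command that pulls whatever main's HEAD is at the time into a NixOS module that runs a network-facing service on kitt. The rev is pinned in flake.lock so builds stay reproducible, but the update path deserves a note such as `# updating this input takes HEAD of main; review the rev change in flake.lock before deploying`, or a tag pinned via `?ref=` on the URL. `system = system;` in the colmena meta block reads better as `inherit system;`. `kitt.imports` drops `arion.nixosModules.arion` alongside the container removal in ldap.nix, which is consistent only if `./machines/kitt.nix` no longer sets any `virtualisation.arion` options; that file is not visible here.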