From eb173944dc77852320d77c2c171fffa23955ba50 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 18 Jun 2023 22:49:31 +0100
Subject: [PATCH] feat: new ldap backend api is up and running, with ci as well
---
 applications/ldap.nix | 45 +++----------
 applications/ldap/ldap_backend.nix | 89 +++++++++++++++++++++++++
 flake.lock | 103 ++++++++++++++++++++++++++++-
 flake.nix | 22 +++++-
 secrets/ldap/self_service.age | Bin 1861 -> 1028 bytes
 5 files changed, 218 insertions(+), 41 deletions(-)
 create mode 100644 applications/ldap/ldap_backend.nix
diff --git a/applications/ldap.nix b/applications/ldap.nix
index 683e1e9..1d8a373 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -13,6 +13,7 @@ Gonna use a priper nixos module for this
 ./acme.nix
 ./dns.nix
 ./nginx.nix
+ ./ldap/ldap_backend.nix
 ];
@@ -60,7 +61,13 @@ Gonna use a priper nixos module for this
 };
 config = mkIf cfg.enable {
- # this is athe actual configuration that we need to do
+
+ # passthrough to the backend
+ services.ldap_backend = {
+ enable = true;
+ host.ip = cfg.host.ip;
+ host.name = cfg.host.name;
+ };
 # after changing teh password openldap.service has to be restarted
 age.secrets.ldap_pw = {
@@ -70,13 +77,6 @@ Gonna use a priper nixos module for this
 group = "openldap";
 };
- # openldap
- age.secrets.ldap_self_service = {
- file = ../secrets/ldap/self_service.age;
- # not ideal but non admins should never be on this system
- mode = "444";
- };
-
 skynet_dns.records.cname = [
 "${cfg.domain.sub} CNAME ${cfg.host.name}"
 ];
@@ -203,34 +203,5 @@ Gonna use a priper nixos module for this
 };
 };
 };
-
-
- services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
- forceSSL = true;
- useACMEHost = "skynet";
- locations."/".proxyPass = "http://localhost:${toString cfg.frontend.port}";
- };
- virtualisation.arion = {
- backend = "docker";
- projects = {
- ldap_reset.settings.services.ldap_reset.service = {
- user = "root";
- image = "docker.io/ltbproject/self-service-password:1.5.3";
- # setting these here as they arent special
-
-
- # where the config files are stored
- volumes = [
- "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php"
- ];
- ports = [
- "${toString cfg.frontend.port}:80/tcp"
- ];
- };
- };
- };
- };
 }
\ No newline at end of file
diff --git a/applications/ldap/ldap_backend.nix b/applications/ldap/ldap_backend.nix
new file mode 100644
index 0000000..c6789b1
--- /dev/null
+++ b/applications/ldap/ldap_backend.nix
@@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+ with lib;
+ let
+ cfg = config.services.ldap_backend;
+ port_backend = "8087";
+ in {
+
+ imports = [
+ ../acme.nix
+ ../dns.nix
+ ../nginx.nix
+ ];
+
+ options.services.ldap_backend = {
+ enable = mkEnableOption "Skynet LDAP backend server";
+
+ host = {
+ ip = mkOption {
+ type = types.str;
+ };
+
+ name = mkOption {
+ type = types.str;
+ };
+ };
+
+ domain = {
+ tld = mkOption {
+ type = types.str;
+ default = "ie";
+ };
+
+ base = mkOption {
+ type = types.str;
+ default = "skynet";
+ };
+
+ sub = mkOption {
+ type = types.str;
+ default = "api.sso";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ #backups = [ "/etc/silver_ul_ical/database.db" ];
+
+ age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
+
+ skynet_dns.records.cname = [
+ "${cfg.domain.sub} CNAME ${cfg.host.name}"
+ ];
+
+ services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/".proxyPass = "http://localhost:${port_backend}";
+ };
+
+ services.skynet_ldap_backend = {
+ enable = true;
+
+ # contains teh password in env form
+ envFile = config.age.secrets.ldap_self_service.path;
+
+ ldap = {
+ host = "ldaps://sso.skynet.ie";
+ admin = "cn=admin,dc=skynet,dc=ie";
+ };
+
+ users = {
+ admin = [
+ "silver"
+ "evanc"
+ "eoghanconlon73"
+ ];
+ committee = [
+ "silver"
+ "eoghanconlon73"
+ ];
+ lifetime = [];
+ banned = [];
+ };
+
+ host_port = "127.0.0.1:${port_backend}";
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index b6a960e..a2b03b0 100644
--- a/flake.lock
+++ b/flake.lock
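Review bot: The nginx proxy at `locations."/".proxyPass = "http://localhost:${port_backend}";` points at the name localhost while the backend binds `host_port = "127.0.0.1:${port_backend}";`; if the host's localhost entry also resolves to ::1, nginx will alternate between both addresses and intermittently fail to reach the backend, so use `"http://127.0.0.1:${port_backend}"` to match the bind address. `host.ip` is declared as an option but never read inside `config`, so either drop it or use it. The `#backups = [ "/etc/silver_ul_ical/database.db" ];` line looks like a leftover from another module and should be removed rather than carried as commented-out code. Dropping `mode` on `age.secrets.ldap_self_service` means the secret falls back to agenix's default (root-only, presumably 0400), which is the right direction compared with the removed `mode = "444"`, but it is worth confirming the backend service reads `envFile` as root (e.g. via a systemd EnvironmentFile) rather than as its own service user.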
@@ -122,6 +122,24 @@ "type": "github" } }, + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1686572087, + "narHash": "sha256-jXTut7ZSYqLEgm/nTk7TuVL2ExahTip605bLINklAnQ=", + "owner": "nix-community", + "repo": "naersk", + "rev": "8507af04eb40c5520bd35d9ce6f9d2342cea5ad1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1665732960, @@ -199,13 +217,43 @@ "type": "indirect" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1687011986, + "narHash": "sha256-ZNSi/wBw12d7LO8YcZ4aehIlPp4lgSkKbrHaoF80IKI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2c09e8eb8717e240ef9c5727c1cc9186db9fb309", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1686921029, + "narHash": "sha256-J1bX9plPCFhTSh6E3TWn9XSxggBh/zDD4xigyaIQBy8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c7ff1b9b95620ce8728c0d7bd501c458e6da9e04", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", "arion": "arion", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_3", - "simple-nixos-mailserver": "simple-nixos-mailserver" + "simple-nixos-mailserver": "simple-nixos-mailserver", + "skynet_ldap_backend": "skynet_ldap_backend" } }, "simple-nixos-mailserver": { 
@@ -231,6 +279,41 @@ "type": "gitlab" } }, + "skynet_ldap_backend": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs_6", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1687123398, + "narHash": "sha256-t3wk/Uwx/qhjoMWh7hll0CgyDoClJkkDEYFScTZgRnc=", + "ref": "refs/heads/main", + "rev": "d4ceea2815c3821943984aaa6d7add5fe6a51b5c", + "revCount": 40, + "type": "git", + "url": "https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git" + }, + "original": { + "type": "git", + "url": "https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1605370193, @@ -245,6 +328,24 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 4a59aa8..0d742d0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,16 +13,29 @@
 # email
 simple-nixos-mailserver.url = "gitlab:mweinelt/nixos-mailserver/ldap-support";
+
+ skynet_ldap_backend.url = "git+https://gitlab.skynet.ie/compsoc/skynet/ldap/backend.git";
 };
- outputs = { self, nixpkgs, agenix, arion, simple-nixos-mailserver, ... }: {
+ outputs = { self, nixpkgs,
+ # these are the nixos modules from otehr projects
+ agenix,
+ arion,
+ simple-nixos-mailserver,
+ skynet_ldap_backend,
+ ...
+ }:
+ let
+ system = "x86_64-linux";
+ in {
 # https://github.com/zhaofengli/colmena
 # colmena apply --on agentjones
 # colmena apply --on @dns
+ # nix flake lock --update-input skynet_ldap_backend
 colmena = {
 meta = {
 nixpkgs = import nixpkgs {
- system = "x86_64-linux";
+ system = system;
 overlays = [];
 };
 };
@@ -52,7 +65,10 @@
 optimus.imports = [./machines/optimus.nix arion.nixosModules.arion];
 # LDAP host
- kitt.imports = [./machines/kitt.nix arion.nixosModules.arion];
+ kitt.imports = [
+ ./machines/kitt.nix
+ skynet_ldap_backend.nixosModule.${system}
+ ];
 # Gitlab
 glados = import ./machines/glados.nix;
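Review bot: `system = system;` in the colmena meta block is a self-assignment that Nix spells as `inherit system;`, which also makes the dependence on the new `let` binding obvious at a glance. The comment `# these are the nixos modules from otehr projects` has a typo (`other`). Both are cosmetic; the `outputs` attribute set continues past the hunk.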
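Review bot: `kitt.imports` drops `arion.nixosModules.arion` while adding the backend module; that matches the removal of `virtualisation.arion` from applications/ldap.nix in this commit, but it is only safe if nothing else imported on kitt (for example ./machines/kitt.nix, not visible here) still sets `virtualisation.arion`. If something does, evaluation fails with an undefined option, so building the kitt configuration before applying is worth a check.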
diff --git a/secrets/ldap/self_service.age b/secrets/ldap/self_service.age index 4cfef0d23fa17e4ce0ac6081d82f07ae4a3233c7..9f578339cd128626823ac66a3ba16a0972564c96 100644 GIT binary patch literal 1028 zcmZ9_O{m*+008izml+uwI7A<~my3$VnkH#J%6N|SBj0V>?4P6!dPtizX9cr2zxSy2R|-e1aCv#L8h?BP!J!2yu*ZTA|6B@_<|FB#AX)151iN3+tRK4K~^;(YP@hBq3i)Ri2PDbk{amZ$!AF zDiq_!u3YNSO3#bZ4b;VMxKcpRU`Tz9nL26NO_m3xqmo9{O3jI@$H%u+EEekmPGx1Y zG+Uu(%sSl>LG8B5n903dDUq&Vj*(51ZQ$I-tO^ziUS|!dr;wVEb*ijD$ zfC@#A^259ha(talk8exHl{^pbQ`SW`p_}zgohDUag{Y4q{F3f;HXLuot=1+Y0gVp( zYy&EX3Qez@=CWKZn{!k~S0EcP4F)H3%n9?l!Kr{>n*v6A$2YNJdrKBxMN;Y@2qB07 zF978Sszi_5E~->mfHL!lm+GjcJ1eT|LE2*IjTyP5MhKSX(S}GpjR#w#_JlK)C`FK6-%tL_KdYfwmt)@4~MP4ta6Jn4>o{pnL8tF`oXmHT3Skz& z_Z#7iCn!TsxN6Xpt3jVn)D>>lp=nvvBb}%e-V-)$Yk}j^q%<^aiiVk}=xWlPNhA}P zd{h5_voF=W)U`7gW(lg=so)KqCom>67vu}ThwQN)F1ulDMy{q%B^|~>Y!M?NP^rwl zh~y76hfdKG*T4i>0vdr}TR={iyf21HtU)+2$X#=7jj3J|1{I-AVopq>0IJn$aMrAB zoNoJg#8yiuMuJ6O&PN)86w6s#x@hxLAWj}ED$|4hy0`t=!TvLct%uGkKsh+^$@_m? zf5pH3dTLRcfUWg^XOaOu_s?p9{ZX2@u@rK|GEF%@acD6-TL>_yTtvEE}#Bj zZ||ogtn+!D-43q}E}bCG9I~f`?JEb{)eqlXdE{*I?vlQCj{jwT!`u0`+?S8`q?^xP zeeKWFuea`;`>MP;T0imk+xz#P|E;+7I55sX+*c8{I(qZu8z25E-n{E+7CL@wUY)TvF9ELUbF_d=hX3XuK`%K!H`{kXRxx8bNX`^EmMK{@M zQ`&Y*Qci7IW!Y6k+Md;x$TguX>6~QqROjsedj5j%=Xt(GOK%02Cwi$WP^`;T&@%Z{ z7GQVFA&J>6ljbl@CJ^IND+M5ln4y-UTtb=*#@E0hi^Xim!O=#nI|Yl;7_H&$SU z5NM_*gN#bH!__P%#mRsrrN`Lqx+Jv0}* zr`d5F37V0DBC{PLryA)bDP%MSQ3TU-4O)CAU7%t~4DuYeNuU*p2?(c&PBvmaWF?84 zA}6~bJcet;RJ@9iILR`hjYp9HNWGrM5xZz=GKOzA^7H~5Bs41YBAZJs0T?o#E(PXr zz!4%yEQj+5GB!r-lsO$XfMccToH}i$hQ;HfxFCe(!SP(^;5Od~30}lkgIu~!${-}` zaJlYeshliQaWhE>v_&hxQH*lFMui6i7^wv&&dJjtb)c2OW+SNv83Ur?fJ_?)ZIc2l zoZYPF+i@1AQK6+~U=DWsMtD6kn>1HS!+V^0My5_kB|sp9reG83T9l1|q)|yL8;Kt8IX}DHzTMSPM4m9VIp}%BTUB4u|ecqD#s}>X=y3~ zIakR?iWwvUMaF`orVIx>wkaVW%x^go1x@vA?Z_v{Owv6rP$C)!8neeOoTY{`^`Z9oxj;)Cr? 
zEs?-Ur>Yrj@*51JtzZ9qYINH0tnynk{X@WvayqH8Ve$__#p=VdUh#$RT5>tJii*h` zAh>F>H~U@Ey<6bE&j|r(ol%d zJX~_|)`a)OXhxL}oR(c`&DIOUlR9-lIM44TpXg5V~4~ z;2dY!vZ3{5gbi(F=-mw(952$(>04Mn7Y%%aF0!sI+@G)MR35#M<$nh_kyyoij;jS` zdWr$dX_a+Y`exHYsPqWQKRb4!diU%(@f>Tkd>U&jTU;Sc>1&EwG8;{0kH5dRk#}*; zvWL5lOvFtk`0U@}{kOJpo}B+C4nCiFg*PK@%ibHe>wwkI^CX}&`@_|n_PJl{6JOj7 zy)AAbjaU7Acf~Pk-_IkDkI>&v+J=4_YxfSC&t z?Tt$4c+v|K|7q)pDL$<0DeBrKh5OCK8J6P0yN?>F+i!Qi4o~nN=po!F^w&#MJM%tt zDqMY%&-?2$#17u|q_qt!04!Yg`ai@tGEYEmfb{A0s34QH69A@CRMxW3JE8eOa;=)5e z{pw^RV(5`a$sl^0Ui8k)0Iy$`1tA`wYW~orEp~IFlB=J56>BO!`nT@bbhGQyqsyCn zOc~f=u>aJ#%?TaHpB`%uHl`YW9o*_$@NICx{7A{YSD$RId-?-qWzqUO@m|!VGuN|_ zcePkwv%9r3P0bBbcYxdG&k#ahEe~I#yi|`#U6`wIdA96m^v-0j>KfQr_TP%N*2dW% z2gXa`U|W@DP!jYw)*P@cuD7qFqxt?r?CV|ZiHP~Lt-=3_c`*3JQ0kL9Ez@y$VlW)N zuKtQ^Rreg{YES{JFnR1c4_B*cZ=T8>GbOCp*I^7aHUF?yu>6B$mQJD$^==ZB96s?L zz|Jz%W3o~I4MyGS!qU}9d;FC|?4hovjp3fqb>5Jb?8tl7nc3HVnH(601vcaF|9$Vd z-IuY!8)Hjm_x;0D#yQ(RH`