feat: new ldap backend api is up and running, with ci as well

2023-06-18 22:49:31 +01:00 · 2023-06-18 22:49:31 +01:00 · eb173944dc
commit eb173944dc
parent e742447357
5 changed files with 218 additions and 41 deletions
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@ -13,6 +13,7 @@ Gonna use a priper nixos module for this
    ./acme.nix
    ./dns.nix
    ./nginx.nix
+    ./ldap/ldap_backend.nix
  ];


@ -60,7 +61,13 @@ Gonna use a priper nixos module for this
  };

  config = mkIf cfg.enable {
-    # this is athe actual configuration that we need to do
+
+    # passthrough to the backend
+    services.ldap_backend = {
+      enable = true;
+      host.ip = cfg.host.ip;
+      host.name = cfg.host.name;
+    };

    # after changing teh password openldap.service has to be restarted
    age.secrets.ldap_pw = {
@ -70,13 +77,6 @@ Gonna use a priper nixos module for this
      group = "openldap";
    };

-    # openldap
-    age.secrets.ldap_self_service = {
-      file = ../secrets/ldap/self_service.age;
-      # not ideal but non admins should never be on this system
-      mode = "444";
-    };
-
    skynet_dns.records.cname = [
      "${cfg.domain.sub}  CNAME   ${cfg.host.name}"
    ];
@ -203,34 +203,5 @@ Gonna use a priper nixos module for this
        };
      };
    };
-
-
-    services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
-      forceSSL = true;
-      useACMEHost = "skynet";
-      locations."/".proxyPass = "http://localhost:${toString cfg.frontend.port}";
-    };
-
-    virtualisation.arion = {
-      backend = "docker";
-      projects = {
-        ldap_reset.settings.services.ldap_reset.service = {
-          user = "root";
-          image = "docker.io/ltbproject/self-service-password:1.5.3";
-            # setting these here as they arent special
-
-
-            # where the config files are stored
-            volumes = [
-              "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php"
-            ];
-
-            ports = [
-              "${toString cfg.frontend.port}:80/tcp"
-            ];
-        };
-      };
-    };
-
  };
 }
--- a/applications/ldap/ldap_backend.nix
+++ b/applications/ldap/ldap_backend.nix
@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+  with lib;
+  let
+    cfg = config.services.ldap_backend;
+    port_backend = "8087";
+  in {
+
+  imports = [
+    ../acme.nix
+    ../dns.nix
+    ../nginx.nix
+  ];
+
+  options.services.ldap_backend = {
+    enable = mkEnableOption "Skynet LDAP backend server";
+
+    host = {
+      ip = mkOption {
+        type = types.str;
+      };
+
+      name = mkOption {
+        type = types.str;
+      };
+    };
+
+    domain = {
+      tld = mkOption {
+        type = types.str;
+        default = "ie";
+      };
+
+      base = mkOption {
+        type = types.str;
+        default = "skynet";
+      };
+
+      sub = mkOption {
+        type = types.str;
+        default = "api.sso";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    #backups = [ "/etc/silver_ul_ical/database.db" ];
+
+    age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
+
+    skynet_dns.records.cname = [
+      "${cfg.domain.sub} CNAME ${cfg.host.name}"
+    ];
+
+    services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
+      forceSSL = true;
+      useACMEHost = "skynet";
+      locations."/".proxyPass = "http://localhost:${port_backend}";
+    };
+
+    services.skynet_ldap_backend = {
+      enable = true;
+
+      # contains teh password in env form
+      envFile = config.age.secrets.ldap_self_service.path;
+
+      ldap  = {
+        host = "ldaps://sso.skynet.ie";
+        admin = "cn=admin,dc=skynet,dc=ie";
+      };
+
+      users = {
+        admin = [
+          "silver"
+          "evanc"
+          "eoghanconlon73"
+        ];
+        committee = [
+          "silver"
+          "eoghanconlon73"
+        ];
+        lifetime = [];
+        banned = [];
+      };
+
+      host_port = "127.0.0.1:${port_backend}";
+    };
+  };
+}