diff --git a/agenix-config-module.nix b/agenix-config-module.nix
index 6375348..676a20b 100644
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@@ -4,8 +4,8 @@
owner = "dynamicdns";
group = "dynamicdns";
};
- age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD = {
- file = ./secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age;
+ age.secrets.LLDAP_ADMIN_PASSWORD = {
+ file = ./secrets/samsehu_LLDAP_ADMIN_PASSWORD.age;
owner = "lldap";
group = "lldap";
};
diff --git a/configuration.nix b/configuration.nix
index 7c93fd7..35ce265 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -65,7 +65,6 @@ git juanfont-headscale.headscale # install to allow debugging/control of headscale using the CLI
- pkgs.glauth
# Plugins for cockpit
cockpit-tailscale
@@ -178,94 +177,10 @@ ipAdresses = [ "127.0.0.1" "::1" ]; };
- services.glauth = {
- enable = true;
- settings = {
- debug = false;
- ldap = {
- enabled = true;
- listen = "127.0.0.1:3893";
- tls = false;
- };
- ldaps.enabled = false;
- backends = [
- {
- datastore = "config";
- baseDN = "dc=samsehu,dc=perli,dc=casa";
- nameFormat = "cn";
- groupFormat = "ou";
- }
- # Local database
- {
- datastore = "plugin";
- plugin = "${pkgs.glauth-sqlite}/bin/sqlite.so";
- pluginhandler = "NewSQLiteHandler";
- database = "/var/lib/glauth/users.db";
- baseDN = "dc=samsehu,dc=perli,dc=casa";
- nameFormat = "cn";
- groupFormat = "ou";
- }
- ];
- api = {
- enabled = true;
- tls = false;
- listen = "127.0.0.1:5555";
- };
- users = [
- { name = "forgejo_search";
- mail = "forgejo_search@tsamsehu.perli.casa";
- uidnumber = 993;
- primarygroup = 5503;
- passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ];
- capabilities = [
- { action = "search";
- object = "ou=forgejo_user,dc=samsehu,dc=perli,dc=casa"; }
- ];
- }
- { name = "jellyfin_search";
- mail = "jellyfin_search@samsehu.perli.casa";
- uidnumber = 994;
- primarygroup = 5503;
- passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ];
- capabilities = [
- { action = "search";
- object = "ou=jellyfin_user,dc=samsehu,dc=perli,dc=casa"; }
- ];
- }
- { name = "nextcloud_system_user";
- mail = "nextcloud@samsehu.perli.casa";
- uidnumber = 988;
- primarygroup = 5503;
- passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ];
- capabilities = [
- { action = "search";
- object = "ou=nextcloud_user,dc=samsehu,dc=perli,dc=casa"; }
- ];
- }
- { name = "dex";
- mail = "dex@samsehu.perli.casa";
- uidnumber = 988;
- primarygroup = 5503;
- passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ];
- capabilities = [
- { action = "search";
- object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
- { action = "search";
-
object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; }
- ];
- }
- ];
- groups = [
- { name = "apps";
- gidnumber = 5503;
- }
- ];
- };
- };
- users.users.dex = { isSystemUser = true; group = "dex";
+ home = "/var/lib/dex/";
}; users.groups.dex = {}; services.dex = {
@@ -273,9 +188,13 @@ environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path; settings = { issuer = "https://dex.samsehu.perli.casa";
- storage.type = "memory";
web.http = "127.0.0.1:5556";
+ storage = {
+ type = "sqlite";
+ config.file = "/var/lib/dex/dex.db";
+ };
+
# services that can get a token from our dex instance
staticClients = [ {
@@ -302,29 +221,32 @@ connectors = [ { type = "ldap";
- id = "glauth";
- name = "glauth LDAP";
+ id = "lldap";
+ name = "LLDAP";
config = {
- host = "127.0.0.1:3893";
+ host = "127.0.0.1:3890";
insecureNoSSL = true; insecureSkipVerify = true; startTLS = false;
- bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa";
- bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";
+ bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa";
+ bindPW = "$LLDAP_ADMIN_PASSWORD";
userSearch = { baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa";
- username = "cn";
+ username = "uid";
idAttr = "uid"; emailAttr = "mail";
+ nameAttr = "displayName";
+ preferredUsernameAttr = "uid";
}; groupSearch = { baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa";
+ filter = "(objectClass=groupOfUniqueNames)";
userMatchers = [
- { userAttr = "cn"; groupAttr = "uniqueMember"; }
+ { userAttr = "DN"; groupAttr = "member"; }
];
- nameAttr = "ou";
+ nameAttr = "cn";
}; }; }
@@ -400,11 +322,11 @@ settings = { ldap_base_dn = "dc=samsehu,dc=perli,dc=casa"; # Sets the root administrator's user name
- ldap_user_dn = "admin";
+ ldap_user_dn = "Immovable1809";
http_host = "127.0.0.1"; }; environment = {
- LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD.path;
+ LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_ADMIN_PASSWORD.path;
}; };
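Review bot: `config.file = "/var/lib/dex/dex.db"` turns dex's state — which for dex includes its OIDC token-signing keys, refresh tokens and client/session state — into a long-lived file on disk, but nothing in this commit creates `/var/lib/dex` with restrictive ownership: the `home = "/var/lib/dex/";` added to `users.users.dex` in the preceding hunk does not create the directory without `createHome = true`, and the dex unit definition is outside the diff, so I cannot confirm whether it declares `StateDirectory = "dex"`. If it does not, prefer `systemd.services.dex.serviceConfig = { StateDirectory = "dex"; StateDirectoryMode = "0700"; };` over `createHome`, so the sqlite file that replaces the restart-volatile memory store is readable only by the dex user. The enclosing `services.dex` block starts before this hunk and continues past it.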
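Review bot: `bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa"` keeps the glauth-era DN layout, while the later hunk of this commit makes `Immovable1809` LLDAP's root administrator via `ldap_user_dn`, and LLDAP's documented bind DN for its users is `uid=<name>,ou=people,<base>` — so this bind will most likely be rejected; the expected value is `bindDN = "uid=Immovable1809,ou=people,dc=samsehu,dc=perli,dc=casa";` (verify against the lldap version in use). Separately, dex only needs to search `ou=people` and `ou=groups`, yet `bindPW = "$LLDAP_ADMIN_PASSWORD"` hands it the root administrator credential, and because that variable is expanded from `environmentFile` the admin password now also has to live inside `samsehu_DEX_ENVIRONMENT_FILE.age`, duplicating it across two secrets so a rotation must touch both. Create a dedicated bind user in LLDAP's read-only group (`lldap_strict_readonly`), give it its own agenix secret and environment variable, and point `bindDN`/`bindPW` at that; `userSearch` could also take `filter = "(objectClass=person)";` to mirror the new group filter. The `connectors` list and the enclosing `services.dex` block start before this hunk.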
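Review bot: `ldap_user_dn = "Immovable1809"` renames the root administrator, but if this LLDAP instance was already initialised with the previous value `admin`, that account — with the password from the now-deleted `LLDAP_DEFAULT_ADMIN_PASSWORD.age` — stays in the database: as far as I recall, LLDAP only creates the configured admin when it is missing and does not rename or remove other users, and `LLDAP_LDAP_USER_PASS_FILE` does not reset an existing user's password either (verify against the lldap version in use). The old `admin` user should therefore be deleted, or at least removed from `lldap_admin`, by hand after deploying this change, and the comment above the setting would help the next reader not to mistake the rename for a rotation, e.g. `# Only consulted when the admin user is first created; existing users and passwords are not changed.` The enclosing `services.lldap` block starts before this hunk and ends after it.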
@@ -550,14 +472,6 @@ respond 403 '';
- virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
- @connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
- handle @connected_via_tailscale {
- reverse_proxy localhost:5555
- }
- respond 403
- '';
- virtualHosts."dex.samsehu.perli.casa".extraConfig = '' reverse_proxy localhost:5556 '';
@@ -650,7 +564,6 @@ { name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
- { name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
diff --git a/pkgs/glauth.nix b/pkgs/glauth.nix
deleted file mode 100644
index 7f279e8..0000000
--- a/pkgs/glauth.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ lib
-, fetchFromGitHub
-, buildGoModule
-, oath-toolkit
-, openldap
-}:
-
-buildGoModule rec {
- pname = "glauth";
- version = "2.3.0";
-
- src = fetchFromGitHub {
- owner = "glauth";
- repo = "glauth";
- rev = "v${version}";
- hash = "sha256-XYNNR3bVLNtAl+vbGRv0VhbLf+em8Ay983jqcW7KDFU=";
- };
-
- vendorHash = "sha256-SFmGgxDokIbVl3ANDPMCqrB0ck8Wyva2kSV2mgNRogo=";
-
- nativeCheckInputs = [
- oath-toolkit
- openldap
- ];
-
- modRoot = "v2";
-
- # Disable go workspaces to fix build.
- env.GOWORK = "off";
-
- # Fix this build error:
- # main module (github.com/glauth/glauth/v2) does not contain package github.com/glauth/glauth/v2/vendored/toml
- excludedPackages = [ "vendored/toml" ];
-
- # Based on ldflags in /Makefile.
- ldflags = [
- "-s"
- "-w"
- "-X main.GitClean=1"
- "-X main.LastGitTag=v${version}"
- "-X main.GitTagIsCommit=1"
- ];
-
- # Tests fail in the sandbox.
- doCheck = false;
-
- meta = with lib; {
- description = "A lightweight LDAP server for development, home use, or CI";
- homepage = "https://github.com/glauth/glauth";
- license = licenses.mit;
- maintainers = with maintainers; [ bjornfor ];
- mainProgram = "glauth";
- };
-}
diff --git a/secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age b/secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age
deleted file mode 100644
index e3b34b5..0000000
Binary files a/secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age and /dev/null differ
diff --git a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
index 8b1affe..78d86c8 100644
Binary files a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age and b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age differ
diff --git a/secrets/samsehu_LLDAP_ADMIN_PASSWORD.age b/secrets/samsehu_LLDAP_ADMIN_PASSWORD.age
new file mode 100644
index 0000000..e3e2a18
--- /dev/null
+++ b/secrets/samsehu_LLDAP_ADMIN_PASSWORD.age
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 yXNDbw Juf0JMdCTwIPaPdK2llGdbtWG/4m5sD9iIuuvjM8HgM +EhOuE1WJjVHcf7UZYxCdT0sa78n5bzh6kH7e08oY6x4 +-> ssh-ed25519 BTX+xA qBEbn6EWkOEO9PDmJCcYIWrEk652RumOCbaqIt4mVgU +kCFkAXKya+lQctHK+i6f66zemcuqKmI9+cwuJKOpBLg +--- cGf7Y9c6vyaFzKoZubiC3SelLhhm+r/iWAxqjLZWmRw +œLÇqáÅÄÞ° +DCëb‡ÖÐ3ÜßÉß(jÄ„œ&íxWÏn’2ÜŸP› )—z†‘œoK]>B6•yYÒ…õvw•%r«jKÇ7 \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 72f8903..8b8cf45 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,8 +6,8 @@ let in { "samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
- "LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ]; "samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ]; "samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
+ "samsehu_LLDAP_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
}