ldap: remove glauth, switch back to only lldap

2024-01-11 21:15:40 -07:00 · 2024-01-11 21:15:40 -07:00 · 38468921ad
parent 77153bc647
commit 38468921ad
7 changed files with 30 additions and 163 deletions
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@ -4,8 +4,8 @@
    owner = "dynamicdns";
    group = "dynamicdns";
  };
-  age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD = {
+  age.secrets.LLDAP_ADMIN_PASSWORD = {
-    file = ./secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age;
+    file = ./secrets/samsehu_LLDAP_ADMIN_PASSWORD.age;
    owner = "lldap";
    group = "lldap";
  };
--- a/configuration.nix
+++ b/configuration.nix
@ -65,7 +65,6 @@
    git
    juanfont-headscale.headscale # install to allow debugging/control of headscale using the CLI
    pkgs.glauth
    # Plugins for cockpit
    cockpit-tailscale
@ -178,94 +177,10 @@
    ipAdresses = [ "127.0.0.1" "::1" ];
  };
  services.glauth = {
    enable = true;
    settings = {
      debug = false;
      ldap = {
        enabled = true;
        listen = "127.0.0.1:3893";
        tls = false;
      };
      ldaps.enabled = false;
      backends = [
        {
          datastore = "config";
          baseDN = "dc=samsehu,dc=perli,dc=casa";
          nameFormat = "cn";
          groupFormat = "ou";
        }
        # Local database
        {
          datastore = "plugin";
          plugin = "${pkgs.glauth-sqlite}/bin/sqlite.so";
          pluginhandler = "NewSQLiteHandler";
          database = "/var/lib/glauth/users.db";
          baseDN = "dc=samsehu,dc=perli,dc=casa";
          nameFormat = "cn";
          groupFormat = "ou";
        }
      ];
      api = {
        enabled = true;
        tls = false;
        listen = "127.0.0.1:5555";
      };
      users = [
        { name = "forgejo_search";
          mail = "forgejo_search@tsamsehu.perli.casa";
          uidnumber = 993;
          primarygroup = 5503;
          passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ];
          capabilities = [
            { action = "search";
              object = "ou=forgejo_user,dc=samsehu,dc=perli,dc=casa"; }
          ];
        }
        { name = "jellyfin_search";
          mail = "jellyfin_search@samsehu.perli.casa";
          uidnumber = 994;
          primarygroup = 5503;
          passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ];
          capabilities = [
            { action = "search";
              object = "ou=jellyfin_user,dc=samsehu,dc=perli,dc=casa"; }
          ];
        }
        { name = "nextcloud_system_user";
          mail = "nextcloud@samsehu.perli.casa";
          uidnumber = 988;
          primarygroup = 5503;
          passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ];
          capabilities = [
            { action = "search";
              object = "ou=nextcloud_user,dc=samsehu,dc=perli,dc=casa"; }
          ];
        }
        { name = "dex";
          mail = "dex@samsehu.perli.casa";
          uidnumber = 988;
          primarygroup = 5503;
          passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ];
          capabilities = [
            { action = "search";
              object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
            { action = "search";
              object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; }
          ];
        }
      ];
      groups = [ 
        { name = "apps";
          gidnumber = 5503;
        }
      ];
    };
  };
  users.users.dex = {
    isSystemUser = true;
    group = "dex";
    home = "/var/lib/dex/";
  };
  users.groups.dex = {};
  services.dex = {
@ -273,9 +188,13 @@
    environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path;
    settings = {
      issuer = "https://dex.samsehu.perli.casa";
      storage.type = "memory";
      web.http = "127.0.0.1:5556";
      storage = {
        type = "sqlite";
        config.file = "/var/lib/dex/dex.db";
      };
      # services that can get a token from our dex instance
      staticClients = [
        {
@ -302,29 +221,32 @@
      connectors = [
        {
          type = "ldap";
-          id = "glauth";
+          id = "lldap";
-          name = "glauth LDAP";
+          name = "LLDAP";
          config = {
-            host = "127.0.0.1:3893";
+            host = "127.0.0.1:3890";
            insecureNoSSL = true;
            insecureSkipVerify = true;
            startTLS = false;
-            bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa";
+            bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa";
-            bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";
+            bindPW = "$LLDAP_ADMIN_PASSWORD";
            userSearch = {
              baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa";
-              username = "cn";
+              username = "uid";
              idAttr = "uid";
              emailAttr = "mail";
              nameAttr = "displayName";
              preferredUsernameAttr = "uid";
            };
            groupSearch = {
              baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa";
              filter = "(objectClass=groupOfUniqueNames)";
              userMatchers = [
-                { userAttr = "cn"; groupAttr = "uniqueMember"; }
+                { userAttr = "DN"; groupAttr = "member"; }
              ];
-              nameAttr = "ou";
+              nameAttr = "cn";
            };
          };
        }
@ -400,11 +322,11 @@
    settings = {
      ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
      # Sets the root administrator's user name
-      ldap_user_dn = "admin";
+      ldap_user_dn = "Immovable1809";
      http_host = "127.0.0.1";
    };
    environment = {
-      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD.path;
+      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_ADMIN_PASSWORD.path;
    };
  };
@ -550,14 +472,6 @@
      respond 403
    '';
    virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
      @connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
      handle @connected_via_tailscale {
        reverse_proxy localhost:5555
      }
      respond 403
    '';
    virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
      reverse_proxy localhost:5556
    '';
@ -650,7 +564,6 @@
          { name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          { name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
--- a/pkgs/glauth.nix
+++ b/pkgs/glauth.nix
@ -1,54 +0,0 @@
 { lib
 , fetchFromGitHub
 , buildGoModule
 , oath-toolkit
 , openldap
 }:
 buildGoModule rec {
  pname = "glauth";
  version = "2.3.0";
  src = fetchFromGitHub {
    owner = "glauth";
    repo = "glauth";
    rev = "v${version}";
    hash = "sha256-XYNNR3bVLNtAl+vbGRv0VhbLf+em8Ay983jqcW7KDFU=";
  };
  vendorHash = "sha256-SFmGgxDokIbVl3ANDPMCqrB0ck8Wyva2kSV2mgNRogo=";
  nativeCheckInputs = [
    oath-toolkit
    openldap
  ];
  modRoot = "v2";
  # Disable go workspaces to fix build.
  env.GOWORK = "off";
  # Fix this build error:
  #   main module (github.com/glauth/glauth/v2) does not contain package github.com/glauth/glauth/v2/vendored/toml
  excludedPackages = [ "vendored/toml" ];
  # Based on ldflags in <glauth>/Makefile.
  ldflags = [
    "-s"
    "-w"
    "-X main.GitClean=1"
    "-X main.LastGitTag=v${version}"
    "-X main.GitTagIsCommit=1"
  ];
  # Tests fail in the sandbox.
  doCheck = false;
  meta = with lib; {
    description = "A lightweight LDAP server for development, home use, or CI";
    homepage = "https://github.com/glauth/glauth";
    license = licenses.mit;
    maintainers = with maintainers; [ bjornfor ];
    mainProgram = "glauth";
  };
 }
--- a/secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age
+++ b/secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age
--- a/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
+++ b/secrets/samsehu_DEX_ENVIRONMENT_FILE.age
--- a/secrets/samsehu_LLDAP_ADMIN_PASSWORD.age
+++ b/secrets/samsehu_LLDAP_ADMIN_PASSWORD.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 yXNDbw Juf0JMdCTwIPaPdK2llGdbtWG/4m5sD9iIuuvjM8HgM
 EhOuE1WJjVHcf7UZYxCdT0sa78n5bzh6kH7e08oY6x4
 -> ssh-ed25519 BTX+xA qBEbn6EWkOEO9PDmJCcYIWrEk652RumOCbaqIt4mVgU
 kCFkAXKya+lQctHK+i6f66zemcuqKmI9+cwuJKOpBLg
 --- cGf7Y9c6vyaFzKoZubiC3SelLhhm+r/iWAxqjLZWmRw
 œLÇqáÅÄÞ°
 DCëb‡ÖÐ3ÜßÉß(jÄ„œ&íxWÏn’2ÜŸP› )—z†‘œoK]>B6•yYÒ…õvw•%r«jKÇ7
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,8 +6,8 @@ let
 in
 {
  "samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
  "LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
  "samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
  "samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
  "samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
  "samsehu_LLDAP_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
 }