ldap: remove glauth, switch back to only lldap
parent
77153bc647
commit
38468921ad
|
@ -4,8 +4,8 @@
|
|||
owner = "dynamicdns";
|
||||
group = "dynamicdns";
|
||||
};
|
||||
age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD = {
|
||||
file = ./secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age;
|
||||
age.secrets.LLDAP_ADMIN_PASSWORD = {
|
||||
file = ./secrets/samsehu_LLDAP_ADMIN_PASSWORD.age;
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
};
|
||||
|
|
|
@ -65,7 +65,6 @@
|
|||
git
|
||||
|
||||
juanfont-headscale.headscale # install to allow debugging/control of headscale using the CLI
|
||||
pkgs.glauth
|
||||
|
||||
# Plugins for cockpit
|
||||
cockpit-tailscale
|
||||
|
@ -178,94 +177,10 @@
|
|||
ipAdresses = [ "127.0.0.1" "::1" ];
|
||||
};
|
||||
|
||||
services.glauth = {
|
||||
enable = true;
|
||||
settings = {
|
||||
debug = false;
|
||||
ldap = {
|
||||
enabled = true;
|
||||
listen = "127.0.0.1:3893";
|
||||
tls = false;
|
||||
};
|
||||
ldaps.enabled = false;
|
||||
backends = [
|
||||
{
|
||||
datastore = "config";
|
||||
baseDN = "dc=samsehu,dc=perli,dc=casa";
|
||||
nameFormat = "cn";
|
||||
groupFormat = "ou";
|
||||
}
|
||||
# Local database
|
||||
{
|
||||
datastore = "plugin";
|
||||
plugin = "${pkgs.glauth-sqlite}/bin/sqlite.so";
|
||||
pluginhandler = "NewSQLiteHandler";
|
||||
database = "/var/lib/glauth/users.db";
|
||||
baseDN = "dc=samsehu,dc=perli,dc=casa";
|
||||
nameFormat = "cn";
|
||||
groupFormat = "ou";
|
||||
}
|
||||
];
|
||||
api = {
|
||||
enabled = true;
|
||||
tls = false;
|
||||
listen = "127.0.0.1:5555";
|
||||
};
|
||||
users = [
|
||||
{ name = "forgejo_search";
|
||||
mail = "forgejo_search@tsamsehu.perli.casa";
|
||||
uidnumber = 993;
|
||||
primarygroup = 5503;
|
||||
passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ];
|
||||
capabilities = [
|
||||
{ action = "search";
|
||||
object = "ou=forgejo_user,dc=samsehu,dc=perli,dc=casa"; }
|
||||
];
|
||||
}
|
||||
{ name = "jellyfin_search";
|
||||
mail = "jellyfin_search@samsehu.perli.casa";
|
||||
uidnumber = 994;
|
||||
primarygroup = 5503;
|
||||
passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ];
|
||||
capabilities = [
|
||||
{ action = "search";
|
||||
object = "ou=jellyfin_user,dc=samsehu,dc=perli,dc=casa"; }
|
||||
];
|
||||
}
|
||||
{ name = "nextcloud_system_user";
|
||||
mail = "nextcloud@samsehu.perli.casa";
|
||||
uidnumber = 988;
|
||||
primarygroup = 5503;
|
||||
passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ];
|
||||
capabilities = [
|
||||
{ action = "search";
|
||||
object = "ou=nextcloud_user,dc=samsehu,dc=perli,dc=casa"; }
|
||||
];
|
||||
}
|
||||
{ name = "dex";
|
||||
mail = "dex@samsehu.perli.casa";
|
||||
uidnumber = 988;
|
||||
primarygroup = 5503;
|
||||
passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ];
|
||||
capabilities = [
|
||||
{ action = "search";
|
||||
object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
|
||||
{ action = "search";
|
||||
object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; }
|
||||
];
|
||||
}
|
||||
];
|
||||
groups = [
|
||||
{ name = "apps";
|
||||
gidnumber = 5503;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users.users.dex = {
|
||||
isSystemUser = true;
|
||||
group = "dex";
|
||||
home = "/var/lib/dex/";
|
||||
};
|
||||
users.groups.dex = {};
|
||||
services.dex = {
|
||||
|
@ -273,9 +188,13 @@
|
|||
environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path;
|
||||
settings = {
|
||||
issuer = "https://dex.samsehu.perli.casa";
|
||||
storage.type = "memory";
|
||||
web.http = "127.0.0.1:5556";
|
||||
|
||||
storage = {
|
||||
type = "sqlite";
|
||||
config.file = "/var/lib/dex/dex.db";
|
||||
};
|
||||
|
||||
# services that can get a token from our dex instance
|
||||
staticClients = [
|
||||
{
|
||||
|
@ -302,29 +221,32 @@
|
|||
connectors = [
|
||||
{
|
||||
type = "ldap";
|
||||
id = "glauth";
|
||||
name = "glauth LDAP";
|
||||
id = "lldap";
|
||||
name = "LLDAP";
|
||||
config = {
|
||||
host = "127.0.0.1:3893";
|
||||
host = "127.0.0.1:3890";
|
||||
insecureNoSSL = true;
|
||||
insecureSkipVerify = true;
|
||||
startTLS = false;
|
||||
bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa";
|
||||
bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";
|
||||
bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa";
|
||||
bindPW = "$LLDAP_ADMIN_PASSWORD";
|
||||
|
||||
userSearch = {
|
||||
baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa";
|
||||
username = "cn";
|
||||
username = "uid";
|
||||
idAttr = "uid";
|
||||
emailAttr = "mail";
|
||||
nameAttr = "displayName";
|
||||
preferredUsernameAttr = "uid";
|
||||
};
|
||||
|
||||
groupSearch = {
|
||||
baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa";
|
||||
filter = "(objectClass=groupOfUniqueNames)";
|
||||
userMatchers = [
|
||||
{ userAttr = "cn"; groupAttr = "uniqueMember"; }
|
||||
{ userAttr = "DN"; groupAttr = "member"; }
|
||||
];
|
||||
nameAttr = "ou";
|
||||
nameAttr = "cn";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -400,11 +322,11 @@
|
|||
settings = {
|
||||
ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
|
||||
# Sets the root administrator's user name
|
||||
ldap_user_dn = "admin";
|
||||
ldap_user_dn = "Immovable1809";
|
||||
http_host = "127.0.0.1";
|
||||
};
|
||||
environment = {
|
||||
LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD.path;
|
||||
LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_ADMIN_PASSWORD.path;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -550,14 +472,6 @@
|
|||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
|
||||
@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:5555
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
|
||||
reverse_proxy localhost:5556
|
||||
'';
|
||||
|
@ -650,7 +564,6 @@
|
|||
{ name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
|
||||
{ name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
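Review bot: In the connectors hunk (`@ -302,29 +221,32 @@`) Dex now binds to LLDAP as the directory's root administrator — `bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa"` with `bindPW = "$LLDAP_ADMIN_PASSWORD"`, the same account the `ldap_user_dn = "Immovable1809"` hunk makes LLDAP's admin — whereas the removed glauth connector used a dedicated `cn=dex` search user with its own `$DEX_GLAUTH_BIND_DN_PASSWORD`. Dex only needs the `userSearch`/`groupSearch` reads shown in this hunk, so a separate read-only LLDAP user, e.g. `bindDN = "uid=dex,ou=people,dc=samsehu,dc=perli,dc=casa"; bindPW = "$DEX_LLDAP_BIND_PASSWORD";` (constructed names), would keep the admin credential out of Dex's environment file and bound what a compromised Dex could do with the directory. As written the admin password is also held in two places — `age.secrets.LLDAP_ADMIN_PASSWORD` for LLDAP and, presumably, the `DEX_ENVIRONMENT_FILE` secret that must define `$LLDAP_ADMIN_PASSWORD` — so any rotation has to update both; a `# same value as LLDAP_ADMIN_PASSWORD` comment next to `bindPW` would at least make that coupling visible. Separately, the group filter `(objectClass=groupOfUniqueNames)` is kept while the matcher switches to `{ userAttr = "DN"; groupAttr = "member"; }`; worth confirming against LLDAP's schema that its group entries expose that objectClass with a `member` attribute, and that a `cn=…,ou=apps` bind DN is accepted rather than the `uid=…,ou=people` form. The `connectors` list and the enclosing `services.dex` block continue outside the hunk.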
|
||||
|
|
|
@ -1,54 +0,0 @@
|
|||
{ lib
|
||||
, fetchFromGitHub
|
||||
, buildGoModule
|
||||
, oath-toolkit
|
||||
, openldap
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "glauth";
|
||||
version = "2.3.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "glauth";
|
||||
repo = "glauth";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-XYNNR3bVLNtAl+vbGRv0VhbLf+em8Ay983jqcW7KDFU=";
|
||||
};
|
||||
|
||||
vendorHash = "sha256-SFmGgxDokIbVl3ANDPMCqrB0ck8Wyva2kSV2mgNRogo=";
|
||||
|
||||
nativeCheckInputs = [
|
||||
oath-toolkit
|
||||
openldap
|
||||
];
|
||||
|
||||
modRoot = "v2";
|
||||
|
||||
# Disable go workspaces to fix build.
|
||||
env.GOWORK = "off";
|
||||
|
||||
# Fix this build error:
|
||||
# main module (github.com/glauth/glauth/v2) does not contain package github.com/glauth/glauth/v2/vendored/toml
|
||||
excludedPackages = [ "vendored/toml" ];
|
||||
|
||||
# Based on ldflags in <glauth>/Makefile.
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X main.GitClean=1"
|
||||
"-X main.LastGitTag=v${version}"
|
||||
"-X main.GitTagIsCommit=1"
|
||||
];
|
||||
|
||||
# Tests fail in the sandbox.
|
||||
doCheck = false;
|
||||
|
||||
meta = with lib; {
|
||||
description = "A lightweight LDAP server for development, home use, or CI";
|
||||
homepage = "https://github.com/glauth/glauth";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ bjornfor ];
|
||||
mainProgram = "glauth";
|
||||
};
|
||||
}
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,8 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 yXNDbw Juf0JMdCTwIPaPdK2llGdbtWG/4m5sD9iIuuvjM8HgM
|
||||
EhOuE1WJjVHcf7UZYxCdT0sa78n5bzh6kH7e08oY6x4
|
||||
-> ssh-ed25519 BTX+xA qBEbn6EWkOEO9PDmJCcYIWrEk652RumOCbaqIt4mVgU
|
||||
kCFkAXKya+lQctHK+i6f66zemcuqKmI9+cwuJKOpBLg
|
||||
--- cGf7Y9c6vyaFzKoZubiC3SelLhhm+r/iWAxqjLZWmRw
|
||||
œLÇqáÅÄÞ°
|
||||
DCëb‡ÖÐ3ÜßÉß(jÄ„œ&íxWÏn’2ÜŸP› )—z†‘œoK]>B6•yYÒ…õvw•%r«jKÇ7
|
|
@ -6,8 +6,8 @@ let
|
|||
in
|
||||
{
|
||||
"samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
|
||||
"samsehu_LLDAP_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
|
||||
}
|
||||
|
|