ldap: remove glauth, switch back to only lldap

main
LeRoyce Pearson 2024-01-11 21:15:40 -07:00
parent 77153bc647
commit 38468921ad
7 changed files with 30 additions and 163 deletions


@ -4,8 +4,8 @@
owner = "dynamicdns";
group = "dynamicdns";
};
age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD = {
file = ./secrets/LLDAP_DEFAULT_ADMIN_PASSWORD.age;
age.secrets.LLDAP_ADMIN_PASSWORD = {
file = ./secrets/samsehu_LLDAP_ADMIN_PASSWORD.age;
owner = "lldap";
group = "lldap";
};


@ -65,7 +65,6 @@
git
juanfont-headscale.headscale # install to allow debugging/control of headscale using the CLI
pkgs.glauth
# Plugins for cockpit
cockpit-tailscale
@ -178,94 +177,10 @@
ipAdresses = [ "127.0.0.1" "::1" ];
};
services.glauth = {
enable = true;
settings = {
debug = false;
ldap = {
enabled = true;
listen = "127.0.0.1:3893";
tls = false;
};
ldaps.enabled = false;
backends = [
{
datastore = "config";
baseDN = "dc=samsehu,dc=perli,dc=casa";
nameFormat = "cn";
groupFormat = "ou";
}
# Local database
{
datastore = "plugin";
plugin = "${pkgs.glauth-sqlite}/bin/sqlite.so";
pluginhandler = "NewSQLiteHandler";
database = "/var/lib/glauth/users.db";
baseDN = "dc=samsehu,dc=perli,dc=casa";
nameFormat = "cn";
groupFormat = "ou";
}
];
api = {
enabled = true;
tls = false;
listen = "127.0.0.1:5555";
};
users = [
{ name = "forgejo_search";
mail = "forgejo_search@tsamsehu.perli.casa";
uidnumber = 993;
primarygroup = 5503;
passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ];
capabilities = [
{ action = "search";
object = "ou=forgejo_user,dc=samsehu,dc=perli,dc=casa"; }
];
}
{ name = "jellyfin_search";
mail = "jellyfin_search@samsehu.perli.casa";
uidnumber = 994;
primarygroup = 5503;
passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ];
capabilities = [
{ action = "search";
object = "ou=jellyfin_user,dc=samsehu,dc=perli,dc=casa"; }
];
}
{ name = "nextcloud_system_user";
mail = "nextcloud@samsehu.perli.casa";
uidnumber = 988;
primarygroup = 5503;
passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ];
capabilities = [
{ action = "search";
object = "ou=nextcloud_user,dc=samsehu,dc=perli,dc=casa"; }
];
}
{ name = "dex";
mail = "dex@samsehu.perli.casa";
uidnumber = 988;
primarygroup = 5503;
passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ];
capabilities = [
{ action = "search";
object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
{ action = "search";
object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; }
];
}
];
groups = [
{ name = "apps";
gidnumber = 5503;
}
];
};
};
users.users.dex = {
isSystemUser = true;
group = "dex";
home = "/var/lib/dex/";
};
users.groups.dex = {};
services.dex = {
@ -273,9 +188,13 @@
environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path;
settings = {
issuer = "https://dex.samsehu.perli.casa";
storage.type = "memory";
web.http = "127.0.0.1:5556";
storage = {
type = "sqlite";
config.file = "/var/lib/dex/dex.db";
};
# services that can get a token from our dex instance
staticClients = [
{
@ -302,29 +221,32 @@
connectors = [
{
type = "ldap";
id = "glauth";
name = "glauth LDAP";
id = "lldap";
name = "LLDAP";
config = {
host = "127.0.0.1:3893";
host = "127.0.0.1:3890";
insecureNoSSL = true;
insecureSkipVerify = true;
startTLS = false;
bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa";
bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";
bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa";
bindPW = "$LLDAP_ADMIN_PASSWORD";
userSearch = {
baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa";
username = "cn";
username = "uid";
idAttr = "uid";
emailAttr = "mail";
nameAttr = "displayName";
preferredUsernameAttr = "uid";
};
groupSearch = {
baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa";
filter = "(objectClass=groupOfUniqueNames)";
userMatchers = [
{ userAttr = "cn"; groupAttr = "uniqueMember"; }
{ userAttr = "DN"; groupAttr = "member"; }
];
nameAttr = "ou";
nameAttr = "cn";
};
};
}
@ -400,11 +322,11 @@
settings = {
ldap_base_dn = "dc=samsehu,dc=perli,dc=casa";
# Sets the root administrator's user name
ldap_user_dn = "admin";
ldap_user_dn = "Immovable1809";
http_host = "127.0.0.1";
};
environment = {
LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD.path;
LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_ADMIN_PASSWORD.path;
};
};
@ -550,14 +472,6 @@
respond 403
'';
virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
handle @connected_via_tailscale {
reverse_proxy localhost:5555
}
respond 403
'';
virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
reverse_proxy localhost:5556
'';
@ -650,7 +564,6 @@
{ name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
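Review bot: The new connector binds dex to the directory as its root administrator: `bindDN = "cn=Immovable1809,ou=apps,dc=samsehu,dc=perli,dc=casa"` with `bindPW = "$LLDAP_ADMIN_PASSWORD"` names the same account that `ldap_user_dn = "Immovable1809"` in the lldap hunk makes the admin, whereas the removed glauth setup bound as a search-only `dex` service user. A compromise of dex or its environment file now yields full directory admin rights, and the admin password must be kept in sync between the `LLDAP_ADMIN_PASSWORD` age secret and `DEX_ENVIRONMENT_FILE`; a dedicated lldap user for dex (a member of `lldap_strict_readonly`) with its own password would restore the previous least-privilege split. Separately, lldap addresses users as `uid=<user>,ou=people,<base>` rather than `cn=<user>,ou=apps,<base>`, and the `ou=apps` path looks carried over from the glauth group layout, so verify that this bind actually succeeds; the corrected line would be `bindDN = "uid=<dex-service-user>,ou=people,dc=samsehu,dc=perli,dc=casa";`. The `DEX_ENVIRONMENT_FILE` secret is not part of this section, so confirm it was updated to define `LLDAP_ADMIN_PASSWORD`, since dex would otherwise expand the bind password to an empty string.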


@ -1,54 +0,0 @@
{ lib
, fetchFromGitHub
, buildGoModule
, oath-toolkit
, openldap
}:
buildGoModule rec {
pname = "glauth";
version = "2.3.0";
src = fetchFromGitHub {
owner = "glauth";
repo = "glauth";
rev = "v${version}";
hash = "sha256-XYNNR3bVLNtAl+vbGRv0VhbLf+em8Ay983jqcW7KDFU=";
};
vendorHash = "sha256-SFmGgxDokIbVl3ANDPMCqrB0ck8Wyva2kSV2mgNRogo=";
nativeCheckInputs = [
oath-toolkit
openldap
];
modRoot = "v2";
# Disable go workspaces to fix build.
env.GOWORK = "off";
# Fix this build error:
# main module (github.com/glauth/glauth/v2) does not contain package github.com/glauth/glauth/v2/vendored/toml
excludedPackages = [ "vendored/toml" ];
# Based on ldflags in <glauth>/Makefile.
ldflags = [
"-s"
"-w"
"-X main.GitClean=1"
"-X main.LastGitTag=v${version}"
"-X main.GitTagIsCommit=1"
];
# Tests fail in the sandbox.
doCheck = false;
meta = with lib; {
description = "A lightweight LDAP server for development, home use, or CI";
homepage = "https://github.com/glauth/glauth";
license = licenses.mit;
maintainers = with maintainers; [ bjornfor ];
mainProgram = "glauth";
};
}


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 yXNDbw Juf0JMdCTwIPaPdK2llGdbtWG/4m5sD9iIuuvjM8HgM
EhOuE1WJjVHcf7UZYxCdT0sa78n5bzh6kH7e08oY6x4
-> ssh-ed25519 BTX+xA qBEbn6EWkOEO9PDmJCcYIWrEk652RumOCbaqIt4mVgU
kCFkAXKya+lQctHK+i6f66zemcuqKmI9+cwuJKOpBLg
--- cGf7Y9c6vyaFzKoZubiC3SelLhhm+r/iWAxqjLZWmRw
œLÇqáÅÄÞ°
DCëb‡ÖÐ3ÜßÉß(jÄ„œ&íxWÏn2ÜŸP )—z†œoK]>B6•yYÒ…õvw•%r«jKÇ7


@ -6,8 +6,8 @@ let
in
{
"samsehu_DUCK_DNS_TOKEN.age".publicKeys = geemili ++ [ samsehu ];
"LLDAP_DEFAULT_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
"samsehu_DEX_ENVIRONMENT_FILE.age".publicKeys = geemili ++ [ samsehu ];
"samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
"samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
"samsehu_LLDAP_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
}