feat: add dex SSO service

main
LeRoyce Pearson 2024-01-08 00:07:34 -07:00
parent 2086636237
commit af899a7176
1 changed files with 79 additions and 14 deletions


@ -130,7 +130,7 @@
};
users = [
{ name = "forgejo_search";
email = "forgejo_search@tsamsehu.perli.casa";
mail = "forgejo_search@tsamsehu.perli.casa";
uidnumber = 993;
primarygroup = 5503;
passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ];
@ -140,7 +140,7 @@
];
}
{ name = "jellyfin_search";
email = "jellyfin_search@samsehu.perli.casa";
mail = "jellyfin_search@samsehu.perli.casa";
uidnumber = 994;
primarygroup = 5503;
passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ];
@ -150,7 +150,7 @@
];
}
{ name = "nextcloud_system_user";
email = "nextcloud@samsehu.perli.casa";
mail = "nextcloud@samsehu.perli.casa";
uidnumber = 988;
primarygroup = 5503;
passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ];
@ -159,17 +159,17 @@
object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
];
}
{ name = "desttinghim";
mail = "contact@example.com";
uidnumber = 1001;
primarygroup = 5501;
otherGroups = [ 5504 5505 5506 ];
}
{ name = "geemili";
mail = "contact@example.com";
uidnumber = 1000;
primarygroup = 5501;
otherGroups = [ 5504 5505 5506 ];
{ name = "dex";
mail = "dex@samsehu.perli.casa";
uidnumber = 988;
primarygroup = 5503;
passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ];
capabilities = [
{ action = "search";
object = "ou=people,dc=samsehu,dc=perli,dc=casa"; }
{ action = "search";
object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; }
];
}
];
groups = [
@ -192,6 +192,63 @@
};
};
users.users.dex = {
isSystemUser = true;
group = "dex";
};
users.groups.dex = {};
services.dex = {
enable = true;
environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path;
settings = {
issuer = "https://dex.samsehu.perli.casa";
storage.type = "memory";
web.http = "127.0.0.1:5556";
# services that can get a token from our dex instance
staticClients = [
{
id = "forgejo";
secret = "forgejo-secret";
name = "Forgejo";
redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ];
}
];
# authentication sources
connectors = [
{
type = "ldap";
id = "glauth";
name = "glauth LDAP";
config = {
host = "127.0.0.1:3893";
insecureNoSSL = true;
insecureSkipVerify = true;
startTLS = false;
bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa";
bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";
userSearch = {
baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa";
username = "cn";
idAttr = "uid";
emailAttr = "mail";
};
groupSearch = {
baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa";
userMatchers = [
{ userAttr = "cn"; groupAttr = "uniqueMember"; }
];
nameAttr = "ou";
};
};
}
];
};
};
services.blocky = {
enable = true;
settings = {
@ -346,6 +403,7 @@
'';
virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 192.168.0.69
reverse_proxy localhost:8096
'';
@ -368,6 +426,11 @@
bind 100.64.0.3
reverse_proxy localhost:5555
'';
virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3
reverse_proxy localhost:5556
'';
};
# Headscale for access to the network while away from home
@ -394,6 +457,8 @@
{ name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
{ name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
];
};
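Review bot: The new glauth `dex` user in the users hunk reuses `uidnumber = 988;`, which the `nextcloud_system_user` entry earlier in the same list already carries; two entries sharing one uidnumber make any lookup by uid ambiguous, so give dex a value not used elsewhere in the list, e.g. `uidnumber = 987;` (constructed — check the full list). In the services.dex hunk the OAuth client secret is committed as a literal, `secret = "forgejo-secret";`, and a NixOS configuration ends up in the world-readable store; since the module already points at `environmentFile`, the client entry can use `secretEnv = "FORGEJO_CLIENT_SECRET";` and keep the value out of the repository like the bind password already is. `insecureNoSSL = true` against `host = "127.0.0.1:3893"` is presumably acceptable only because the connection stays on loopback, so a comment such as `# plaintext LDAP is loopback-only; revisit if glauth moves off this host` would record that assumption before the block gets copied elsewhere. The `mail = "forgejo_search@tsamsehu.perli.casa"` line in the first hunk keeps a domain spelled differently from every other entry (`samsehu`), which looks like a carried-over typo. The closing lines of the last hunk may continue past what is visible here.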