From af899a71762c309b40653babef1c421b63455247 Mon Sep 17 00:00:00 2001 From: geemili Date: Mon, 8 Jan 2024 00:07:34 -0700 Subject: [PATCH] feat: add dex SSO service --- configuration.nix | 93 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 14 deletions(-) diff --git a/configuration.nix b/configuration.nix index 3446bce..a761b9e 100644 --- a/configuration.nix +++ b/configuration.nix @@ -130,7 +130,7 @@ }; users = [ { name = "forgejo_search"; - email = "forgejo_search@tsamsehu.perli.casa"; + mail = "forgejo_search@tsamsehu.perli.casa"; uidnumber = 993; primarygroup = 5503; passappsha256 = [ "8adb23d6e1bd7db026a5784ff84efcbd57e4d9aea0e0798b78740a3ee335282c" ]; @@ -140,7 +140,7 @@ ]; } { name = "jellyfin_search"; - email = "jellyfin_search@samsehu.perli.casa"; + mail = "jellyfin_search@samsehu.perli.casa"; uidnumber = 994; primarygroup = 5503; passappsha256 = [ "21fa12ba3e63cd4cb96f4009720d385f4d52461ae3ab70fac8dedaa6b7917ce9" ]; @@ -150,7 +150,7 @@ ]; } { name = "nextcloud_system_user"; - email = "nextcloud@samsehu.perli.casa"; + mail = "nextcloud@samsehu.perli.casa"; uidnumber = 988; primarygroup = 5503; passappsha256 = [ "0f11783cdf378aa867a2b590e422f8d645fd3d7fab52fb73bac3c62a64d91651" ]; @@ -159,17 +159,17 @@ object = "ou=people,dc=samsehu,dc=perli,dc=casa"; } ]; } - { name = "desttinghim"; - mail = "contact@example.com"; - uidnumber = 1001; - primarygroup = 5501; - otherGroups = [ 5504 5505 5506 ]; - } - { name = "geemili"; - mail = "contact@example.com"; - uidnumber = 1000; - primarygroup = 5501; - otherGroups = [ 5504 5505 5506 ]; + { name = "dex"; + mail = "dex@samsehu.perli.casa"; + uidnumber = 988; + primarygroup = 5503; + passappsha256 = [ "ab473aa297a6f7c919f116a5bf3af6e11905843df0a526ffe005742335e1c9d3" ]; + capabilities = [ + { action = "search"; + object = "ou=people,dc=samsehu,dc=perli,dc=casa"; } + { action = "search"; + object = "ou=groups,dc=samsehu,dc=perli,dc=casa"; } + ]; } ]; groups = [ 
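Review bot: The new `dex` entry reuses `uidnumber = 988;`, which the `nextcloud_system_user` entry in the hunk just above already carries, so two glauth accounts now share one posix UID and any LDAP lookup filtered on `uidNumber` will match both; give dex an unused value such as `uidnumber = 987;`. The same hunk also deletes the `desttinghim` and `geemili` human accounts while the subject only says dex is being added — if they were the only entries under `ou=people`, the dex `userSearch` added later in this patch has nobody to authenticate, so it is worth confirming they are defined elsewhere (or saying so in the commit message). The `users = [` list this hunk edits opens outside the hunk.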
@@ -192,6 +192,63 @@ }; }; + users.users.dex = { + isSystemUser = true; + group = "dex"; + }; + users.groups.dex = {}; + services.dex = { + enable = true; + environmentFile = config.age.secrets.DEX_ENVIRONMENT_FILE.path; + settings = { + issuer = "https://dex.samsehu.perli.casa"; + storage.type = "memory"; + web.http = "127.0.0.1:5556"; + + # services that can get a token from our dex instance + staticClients = [ + { + id = "forgejo"; + secret = "forgejo-secret"; + name = "Forgejo"; + redirectURIs = [ "https://git.samsehu.perli.casa/user/oauth2/dex/callback" ]; + } + ]; + + # authentication sources + connectors = [ + { + type = "ldap"; + id = "glauth"; + name = "glauth LDAP"; + config = { + host = "127.0.0.1:3893"; + insecureNoSSL = true; + insecureSkipVerify = true; + startTLS = false; + bindDN = "cn=dex,ou=apps,dc=samsehu,dc=perli,dc=casa"; + bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD"; + + userSearch = { + baseDN = "ou=people,dc=samsehu,dc=perli,dc=casa"; + username = "cn"; + idAttr = "uid"; + emailAttr = "mail"; + }; + + groupSearch = { + baseDN = "ou=groups,dc=samsehu,dc=perli,dc=casa"; + userMatchers = [ + { userAttr = "cn"; groupAttr = "uniqueMember"; } + ]; + nameAttr = "ou"; + }; + }; + } + ]; + }; + }; + services.blocky = { enable = true; settings = { @@ -346,6 +403,7 @@ ''; virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = '' + bind 100.64.0.3 192.168.0.69 reverse_proxy localhost:8096 ''; @@ -368,6 +426,11 @@ bind 100.64.0.3 reverse_proxy localhost:5555 ''; + + virtualHosts."dex.samsehu.perli.casa".extraConfig = '' + bind 100.64.0.3 + reverse_proxy localhost:5556 + ''; }; # Headscale for access to the network while away from home 
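Review bot: `secret = "forgejo-secret";` hard-codes the Forgejo OAuth2 client secret in committed configuration, and the value is trivially guessable; anyone who can read the repository or reach dex on the tailnet can present it to redeem authorization codes for that client. The hunk already routes the LDAP bind password through `environmentFile` (`bindPW = "$DEX_GLAUTH_BIND_DN_PASSWORD";`), so the client secret should take the same path — replace the line with `secretEnv = "DEX_FORGEJO_CLIENT_SECRET";` and put a randomly generated value in the age-managed environment file. Two smaller points: `storage.type = "memory";` discards signing keys and refresh tokens on every dex restart, invalidating every Forgejo login issued through dex and silently rotating the issuer's key set, so a persistent backend (e.g. `storage = { type = "sqlite3"; config.file = "/var/lib/dex/dex.db"; };`, assuming the module grants a state directory) is preferable; and with `insecureNoSSL = true;` the `insecureSkipVerify = true;` line is dead and only reads as a TLS bypass, so drop it — plaintext is acceptable here only because the bind goes to `127.0.0.1:3893`. I cannot tell from the hunk whether glauth populates `uniqueMember` with full DNs; if it does, `userAttr = "cn"` in `userMatchers` will never match and dex's special value `userAttr = "DN"` is needed instead.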
@@ -394,6 +457,8 @@ { name = "git.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "nextcloud.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } { name = "glauth.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } + { name = "dex.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } + { name = "jellyfin.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; } ]; };