grimm-nixos-laptop/modules/auth.nix

{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (config.serverConfig) vhosts;
  inherit (config.networking) domain;
  inherit (lib) remove concatStringsSep;
in
{
  age.secrets.openldap_admin =
    let
      inherit (config.services.openldap) user group;
    in
    {
      file = ../secrets/openldap_admin.age;
      inherit group;
      owner = user;
      mode = "0444";
    };

  age.secrets.keycloak_db_pass = {
    file = ../secrets/keycloak_db_pass.age;
    group = "keycloak";
    owner = "keycloak";
    mode = "0444";
  };

  users.users.keycloak = {
    isSystemUser = true;
    group = "keycloak";
  };
  users.groups.keycloak = { };

  services.postgresql =
    let
      inherit (config.services.keycloak.database) name username;
    in
    {
      enable = true;
      ensureDatabases = [ name ];
      ensureUsers = [
        {
          name = username;
          passFile = config.age.secrets.keycloak_db_pass.path;
          ensureDBOwnership = true;
        }
      ];
    };

  services.keycloak = {
    enable = true;

    database = {
      type = "postgresql";
      createLocally = false;

      username = "keycloak";
      passwordFile = config.age.secrets.keycloak_db_pass.path;
    };

    settings = {
      hostname = vhosts.auth_host.host;
      http-host = "127.0.0.1";
      http-port = vhosts.auth_host.port;
      proxy = "edge"; # passthrough";
    };
  };

  services.openldap =
    let
      localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
    in
    {
      enable = true;
      urlList = [
        "ldap:///"
        "ldapi:///"
      ];

      #      declarativeContents = {
      #        "${localDc}" = import ./ldapConf.nix { inherit localDc; };
      #      };

      settings = {
        attrs = {
          olcLogLevel = "conns config";
        };

        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          ];

          "olcDatabase={1}mdb".attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];

            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";

            olcSuffix = localDc;

            olcRootDN = "cn=admin,${localDc}";
            #            olcRootPW.path = config.age.secrets.openldap_admin.path;
            olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";

            olcAccess = [
              # custom access rules for userPassword attributes
              ''
                {0}to attrs=userPassword
                                by self write
                                by anonymous auth
                                by * none''

              # allow read on anything else
              ''
                {1}to *
                                by * read''
            ];
          };
        };
      };
    };
}
preliminary auth 2024-05-25 21:50:51 +02:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
update tooling 2024-05-11 11:37:59 +02:00			`let`
clean up some scopes 2024-05-11 22:55:59 +02:00			`inherit (config.serverConfig) vhosts;`
authentik part 1 2024-05-10 16:59:38 +02:00			`inherit (config.networking) domain;`
preliminary auth 2024-05-25 21:50:51 +02:00			`inherit (lib) remove concatStringsSep;`
			`in`
			`{`
			`age.secrets.openldap_admin =`
			`let`
			`inherit (config.services.openldap) user group;`
			`in`
			`{`
			`file = ../secrets/openldap_admin.age;`
			`inherit group;`
			`owner = user;`
			`mode = "0444";`
			`};`

			`age.secrets.keycloak_db_pass = {`
			`file = ../secrets/keycloak_db_pass.age;`
			`group = "keycloak";`
			`owner = "keycloak";`
			`mode = "0444";`
			`};`

			`users.users.keycloak = {`
			`isSystemUser = true;`
			`group = "keycloak";`
			`};`
			`users.groups.keycloak = { };`

			`services.postgresql =`
			`let`
			`inherit (config.services.keycloak.database) name username;`
			`in`
			`{`
			`enable = true;`
			`ensureDatabases = [ name ];`
			`ensureUsers = [`
			`{`
			`name = username;`
			`passFile = config.age.secrets.keycloak_db_pass.path;`
			`ensureDBOwnership = true;`
			`}`
			`];`
			`};`

			`services.keycloak = {`
fix misc 2024-05-12 10:39:52 +02:00			`enable = true;`
authentik part 1 2024-05-10 16:59:38 +02:00
preliminary auth 2024-05-25 21:50:51 +02:00			`database = {`
			`type = "postgresql";`
			`createLocally = false;`

			`username = "keycloak";`
			`passwordFile = config.age.secrets.keycloak_db_pass.path;`
			`};`

			`settings = {`
			`hostname = vhosts.auth_host.host;`
			`http-host = "127.0.0.1";`
			`http-port = vhosts.auth_host.port;`
			`proxy = "edge"; # passthrough";`
			`};`
authentik part 1 2024-05-10 16:59:38 +02:00			`};`
preliminary auth 2024-05-25 21:50:51 +02:00
			`services.openldap =`
			`let`
			`localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));`
			`in`
			`{`
			`enable = true;`
factorio overlay 2024-05-29 09:47:17 +02:00			`urlList = [`
			`"ldap:///"`
			`"ldapi:///"`
			`];`
preliminary auth 2024-05-25 21:50:51 +02:00
factorio overlay 2024-05-29 09:47:17 +02:00			`# declarativeContents = {`
			`# "${localDc}" = import ./ldapConf.nix { inherit localDc; };`
			`# };`
preliminary auth 2024-05-25 21:50:51 +02:00
			`settings = {`
			`attrs = {`
			`olcLogLevel = "conns config";`
			`};`

			`children = {`
			`"cn=schema".includes = [`
			`"${pkgs.openldap}/etc/schema/core.ldif"`
			`"${pkgs.openldap}/etc/schema/cosine.ldif"`
			`"${pkgs.openldap}/etc/schema/inetorgperson.ldif"`
			`];`

			`"olcDatabase={1}mdb".attrs = {`
			`objectClass = [`
			`"olcDatabaseConfig"`
			`"olcMdbConfig"`
			`];`

			`olcDatabase = "{1}mdb";`
			`olcDbDirectory = "/var/lib/openldap/data";`

			`olcSuffix = localDc;`

			`olcRootDN = "cn=admin,${localDc}";`
factorio overlay 2024-05-29 09:47:17 +02:00			`# olcRootPW.path = config.age.secrets.openldap_admin.path;`
preliminary auth 2024-05-25 21:50:51 +02:00			`olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";`

			`olcAccess = [`
			`# custom access rules for userPassword attributes`
			`''`
			`{0}to attrs=userPassword`
			`by self write`
			`by anonymous auth`
			`by * none''`

			`# allow read on anything else`
			`''`
			`{1}to *`
			`by * read''`
			`];`
			`};`
			`};`
			`};`
			`};`
authentik part 1 2024-05-10 16:59:38 +02:00			`}`