preliminary auth

2024-05-25 21:50:51 +02:00 · 2024-05-25 21:50:51 +02:00 · 65b39ce021
commit 65b39ce021
parent 6cb15ad29e
11 changed files with 232 additions and 51 deletions
--- a/common/databases/default.nix
+++ b/common/databases/default.nix
@ -0,0 +1 @@
+{ imports = [ ./postgres.nix ]; }
--- a/common/databases/postgres.nix
+++ b/common/databases/postgres.nix
@ -0,0 +1,72 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    types
+    concatLines
+    optionalString
+    mkOption
+    ;
+
+  createPasswords = pkgs.writeText "psql-password-def" (
+    concatLines (
+      map (
+        s:
+        optionalString (!isNull s.passFile) ''
+          DO $$
+          DECLARE password TEXT;
+          BEGIN
+            password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
+          END $$;
+        ''
+      ) config.services.postgresql.ensureUsers
+    )
+  );
+in
+{
+  config = {
+    systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
+
+    services.postgresql = {
+      package = pkgs.postgresql_15;
+
+      authentication = pkgs.lib.mkOverride 10 ''
+              #type database  DBuser  auth-method
+        local   all             all           peer map=superuser_map
+        local   all             all                                     peer
+        host    all             all             127.0.0.1/32            md5
+        host    all             all             ::1/128                 md5
+        local   replication     all                                     peer
+        host    replication     all             127.0.0.1/32            md5
+        host    replication     all             ::1/128                 md5
+      '';
+      identMap = ''
+        # ArbitraryMapName systemUser DBUser
+           superuser_map      root postgres
+           superuser_map      matrix-synapse synapse
+           superuser_map      postgres-exporter postgres
+           # Let other names login as themselves
+           superuser_map      /^(.*)$   \1
+      '';
+    };
+  };
+
+  options.services.postgresql.ensureUsers = mkOption {
+    type = types.listOf (
+      types.submodule {
+        options = {
+          passFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "path to a password file containing the password to be set";
+          };
+        };
+      }
+    );
+  };
+}
--- a/common/default.nix
+++ b/common/default.nix
@ -17,5 +17,6 @@ with lib;
    ./firefox.nix
    ./cloudsync.nix
    ./hardware
+    ./databases
  ];
 }
--- a/modules/auth.nix
+++ b/modules/auth.nix
@ -1,10 +1,128 @@
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
  inherit (config.serverConfig) vhosts;
  inherit (config.networking) domain;
-in {
-  services.openldap = {
+  inherit (lib) remove concatStringsSep;
+in
+{
+  age.secrets.openldap_admin =
+    let
+      inherit (config.services.openldap) user group;
+    in
+    {
+      file = ../secrets/openldap_admin.age;
+      inherit group;
+      owner = user;
+      mode = "0444";
+    };
+
+  age.secrets.keycloak_db_pass = {
+    file = ../secrets/keycloak_db_pass.age;
+    group = "keycloak";
+    owner = "keycloak";
+    mode = "0444";
+  };
+
+  users.users.keycloak = {
+    isSystemUser = true;
+    group = "keycloak";
+  };
+  users.groups.keycloak = { };
+
+  services.postgresql =
+    let
+      inherit (config.services.keycloak.database) name username;
+    in
+    {
+      enable = true;
+      ensureDatabases = [ name ];
+      ensureUsers = [
+        {
+          name = username;
+          passFile = config.age.secrets.keycloak_db_pass.path;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+  services.keycloak = {
    enable = true;

+    database = {
+      type = "postgresql";
+      createLocally = false;
+
+      username = "keycloak";
+      passwordFile = config.age.secrets.keycloak_db_pass.path;
+    };
+
+    settings = {
+      hostname = vhosts.auth_host.host;
+      http-host = "127.0.0.1";
+      http-port = vhosts.auth_host.port;
+      proxy = "edge"; # passthrough";
+    };
  };
+
+  services.openldap =
+    let
+      localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
+    in
+    {
+      enable = true;
+      urlList = [ "ldap:///" "ldapi:///" ];
+
+#      declarativeContents = {
+#        "${localDc}" = import ./ldapConf.nix { inherit localDc; };
+#      };
+
+      settings = {
+        attrs = {
+          olcLogLevel = "conns config";
+        };
+
+        children = {
+          "cn=schema".includes = [
+            "${pkgs.openldap}/etc/schema/core.ldif"
+            "${pkgs.openldap}/etc/schema/cosine.ldif"
+            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          ];
+
+          "olcDatabase={1}mdb".attrs = {
+            objectClass = [
+              "olcDatabaseConfig"
+              "olcMdbConfig"
+            ];
+
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/data";
+
+            olcSuffix = localDc;
+
+            olcRootDN = "cn=admin,${localDc}";
+#            olcRootPW.path = config.age.secrets.openldap_admin.path;
+            olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";
+
+            olcAccess = [
+              # custom access rules for userPassword attributes
+              ''
+                {0}to attrs=userPassword
+                                by self write
+                                by anonymous auth
+                                by * none''
+
+              # allow read on anything else
+              ''
+                {1}to *
+                                by * read''
+            ];
+          };
+        };
+      };
+    };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -187,11 +187,11 @@ in
        nix_cache_host = {
          host = "nixcache.${domain}";
          port = 5000;
-          accessType = "proxy"; 
+          accessType = "proxy";
        };
        auth_host = {
          host = "auth.${domain}";
-          port = 9443;
+          port = 38080;
          accessType = "proxy";
        };
      };
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -11,53 +11,16 @@ in
 {
  services.postgresql = {
    enable = true;
-    # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
    ensureDatabases = [ "synapse" ];
-    package = pkgs.postgresql_15;
    ensureUsers = [
      {
        name = "synapse";
+        passFile = config.age.secrets.synapse_db_pass.path;
        ensureDBOwnership = true;
      }
    ];
-    authentication = pkgs.lib.mkOverride 10 ''
-            #type database  DBuser  auth-method
-      local   all             postgres                                peer
-      local   all             all                                     peer
-      host    all             all             127.0.0.1/32            md5
-      host    synapse         matrix-synapse         ::1/128                 md5
-      host    nextcloud       nextcloud       ::1/128                 md5
-      host    all             all             ::1/128                 md5
-      local   replication     all                                     peer
-      host    replication     all             127.0.0.1/32            md5
-      host    replication     all             ::1/128                 md5
-    '';
-    identMap = ''
-      # ArbitraryMapName systemUser DBUser
-         superuser_map      root      postgres
-         superuser_map      matrix-synapse synapse
-         superuser_map      nextcloud nextcloud
-         superuser_map      postgres  postgres
-         # Let other names login as themselves
-         superuser_map      /^(.*)$   \1
-    '';
  };

-  systemd.services.postgresql.postStart =
-    let
-      password_file_path = config.age.secrets.synapse_db_pass.path;
-    in
-    ''
-      $PSQL -tA <<'EOF'
-        DO $$
-        DECLARE password TEXT;
-        BEGIN
-          password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
-        END $$;
-      EOF
-    '';
-
  services.matrix-synapse-next = {
    enable = true;

--- a/modules/prometheus.nix
+++ b/modules/prometheus.nix
@ -14,11 +14,7 @@ in
          {
            targets =
              let
-                inherit (lib)
-                  filter
-                  isAttrs
-                  attrValues
-                  ;
+                inherit (lib) filter isAttrs attrValues;
              in
              map (v: "127.0.0.1:${builtins.toString v.port}") (
                filter (v: (isAttrs v) && v.enable) (attrValues config.services.prometheus.exporters)
--- a/secrets/keycloak_db_pass.age
+++ b/secrets/keycloak_db_pass.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+bYI5XiBLSBsLCsBlAwXZqtVlJ662v5Wb2ugK8BiMAT81lKWVUCYiunki5HKRixnq
+GqpETIGLKS3H4aqY8t2CoRU9AlIVkDEgHOF1pF8WGKlsyA0A7NIr3VzlPZdER3Cv
+6bP2YK90Ec0OGePaQJEcDS2EvjgqxgPMQh/QZSVG4ka4ChDkTN3CqKOzoVA1+T2Q
+jWC3ODefhGm81mXSFHVgJaAxK3EKXOgj/4pPqAZPAaHhxMjth3wvo6oB9UKPP03a
+yoaD6nYzLA9ow2z2PYgRHRKSt80Y8EvOy77C0sfyZxkfQy0TziZXigfTosUw8IsL
+5WJaqXzyt3yZSj+cG5LQowYR63UOQms2eYiXdO96vfxATdQOyLZxlD3EzwSUgamy
+czxIbL1kUnYSQR6Dq1v9gRxW/+5PwTqREYz+8lK3ljt01e6bav8hk4Zh8vpwy06U
+E8eYtUpWdnsw6ZgMjECfWmd2UGVtd2aZhUoMrPfvxCwJyeQ9UuOcdvPeYc86gy0Y
+xzGQpHxVVhE64NlCmnTCqsu+bojaOZ8hNHU6683yOMFGNWrwjnY6IimNUz8IJI9Z
+YU8tXenk/9HOf2nIxUsmWu+/pWK+8e2pI5IyWm0bJryeh3UPmyMcjetjiWIMCxB0
+jHdrs5WRzwA9tV0ChshkO7gHgq4xeRKmKfr2tLFbFmA
+--- 6TjSc9yvPIuT88DsMWAWZhU5zeO8DqxBlvaAvBxTsq4
+šF7·LÛ=$ó q^êMxh¸ç<C2B8>@jÄIâ.Ù:¾l¸‚®ç§yö6ð3×?/TNõÙˆdhYIó÷ç›¼xo˜Gô’!/úU0
--- a/secrets/openldap_admin.age
+++ b/secrets/openldap_admin.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+CgH6gIYLzGuMLxrYlB/jCfzkteSN5SX4HFl905ys12Vtlr0eoD57KvMM5RzhBVyL
+a8yxi09qAlhf6fekjMmOJ9veX2ueN2eb8JOMjArZd+Fas7GN6wv2YaMlbI2jsfQh
+e/Q+DeyLkWJKdaApJnHkVko84Om/6C2nqhE7iaAdpFbXMXcxYiIhGkoH2eMNJI/w
+mn+eF5W45+jA+Ips1+LMHewAyKxaEQpuOUOV/xj8IQKui1buLOW9Y61N9CSSTSse
+8kr9rXm4t7a0foEkXk+C9lrO3y4hjfnF/JOMaU5DNUgF36d8zDthTaf71mkMgbnS
+ULdCr/XoudHMWGOy/8Q6zz8n9tvIkjNNleHccE6FVW7i2uxWeABPk4EVHr4y+/91
+QNjhK8LLXQ4ZtJWaX08I+SpZk9h4xInf8MbNQNQlK7upua3bJM4qdDLh772enO78
+DHa7Se4G0Jl8ALUwY3+/H2tZrbvXvBEQbH+ErS014raJOSu/cgkFw54SlI2X3b6+
+4LaUxjb5rxItORLGbGsquCBVSB/qxsSR6LJjrSYnBKvUYvqR57X5f9SO+6dbt70n
+Z5y7jZZ6JMW9uqgLJ3/pR8uIxnYjr+B+O+zlubGsywWadQaShWL4Ukf0kEmEFqEP
+LXJro1ntCQcFmAhEvLc2gsVRxbwwzlFOmymvjcnN7Bk
+--- TzABYKP2llgfeMeGMDK9kb1TuGzKxVbCR5xqOVwhUjU
+ú^ÈÉ›ÜmþyÑâ|iŠÇ~(}C–rÚê4Í._Y¯;+¶nÍ<6E>ŠŠ1wß÷q‹ÎvdÃË\rWÛÈšâU]	>ë‹žùí—6gçš‚
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -13,6 +13,8 @@ in

  # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
  "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
+  "openldap_admin.age".publicKeys = [ contabo_nix_pub ];
+  "keycloak_db_pass.age".publicKeys = [ contabo_nix_pub ];

  "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
  "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
--- a/specific/grimm-nixos-laptop/configuration.nix
+++ b/specific/grimm-nixos-laptop/configuration.nix
@ -53,9 +53,7 @@

  system.stateVersion = "23.05";

-  nix.settings.extra-substituters = [
-    "https://nixcache.grimmauld.de"
-  ];
+  nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ];

  nix.settings.trusted-public-keys = [
    "nixcache.grimmauld.de:LFBlakr8RYIuVb9I1S0+L9JGyB2THcfbPa0W6srghqo="