grimm-nixos-laptop/modules/auth.nix
2024-05-29 09:47:17 +02:00

132 lines
3.0 KiB
Nix

{
config,
pkgs,
lib,
...
}:
let
inherit (config.serverConfig) vhosts;
inherit (config.networking) domain;
inherit (lib) remove concatStringsSep;
in
{
age.secrets.openldap_admin =
let
inherit (config.services.openldap) user group;
in
{
file = ../secrets/openldap_admin.age;
inherit group;
owner = user;
mode = "0444";
};
age.secrets.keycloak_db_pass = {
file = ../secrets/keycloak_db_pass.age;
group = "keycloak";
owner = "keycloak";
mode = "0444";
};
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = { };
services.postgresql =
let
inherit (config.services.keycloak.database) name username;
in
{
enable = true;
ensureDatabases = [ name ];
ensureUsers = [
{
name = username;
passFile = config.age.secrets.keycloak_db_pass.path;
ensureDBOwnership = true;
}
];
};
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = false;
username = "keycloak";
passwordFile = config.age.secrets.keycloak_db_pass.path;
};
settings = {
hostname = vhosts.auth_host.host;
http-host = "127.0.0.1";
http-port = vhosts.auth_host.port;
proxy = "edge"; # passthrough";
};
};
services.openldap =
let
localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
in
{
enable = true;
urlList = [
"ldap:///"
"ldapi:///"
];
# declarativeContents = {
# "${localDc}" = import ./ldapConf.nix { inherit localDc; };
# };
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = localDc;
olcRootDN = "cn=admin,${localDc}";
# olcRootPW.path = config.age.secrets.openldap_admin.path;
olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
}