132 lines
3.0 KiB
Nix
132 lines
3.0 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (config.serverConfig) vhosts;
|
|
inherit (config.networking) domain;
|
|
inherit (lib) remove concatStringsSep;
|
|
in
|
|
{
|
|
age.secrets.openldap_admin =
|
|
let
|
|
inherit (config.services.openldap) user group;
|
|
in
|
|
{
|
|
file = ../secrets/openldap_admin.age;
|
|
inherit group;
|
|
owner = user;
|
|
mode = "0444";
|
|
};
|
|
|
|
age.secrets.keycloak_db_pass = {
|
|
file = ../secrets/keycloak_db_pass.age;
|
|
group = "keycloak";
|
|
owner = "keycloak";
|
|
mode = "0444";
|
|
};
|
|
|
|
users.users.keycloak = {
|
|
isSystemUser = true;
|
|
group = "keycloak";
|
|
};
|
|
users.groups.keycloak = { };
|
|
|
|
services.postgresql =
|
|
let
|
|
inherit (config.services.keycloak.database) name username;
|
|
in
|
|
{
|
|
enable = true;
|
|
ensureDatabases = [ name ];
|
|
ensureUsers = [
|
|
{
|
|
name = username;
|
|
passFile = config.age.secrets.keycloak_db_pass.path;
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
services.keycloak = {
|
|
enable = true;
|
|
|
|
database = {
|
|
type = "postgresql";
|
|
createLocally = false;
|
|
|
|
username = "keycloak";
|
|
passwordFile = config.age.secrets.keycloak_db_pass.path;
|
|
};
|
|
|
|
settings = {
|
|
hostname = vhosts.auth_host.host;
|
|
http-host = "127.0.0.1";
|
|
http-port = vhosts.auth_host.port;
|
|
proxy = "edge"; # passthrough";
|
|
};
|
|
};
|
|
|
|
services.openldap =
|
|
let
|
|
localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
|
|
in
|
|
{
|
|
enable = true;
|
|
urlList = [
|
|
"ldap:///"
|
|
"ldapi:///"
|
|
];
|
|
|
|
# declarativeContents = {
|
|
# "${localDc}" = import ./ldapConf.nix { inherit localDc; };
|
|
# };
|
|
|
|
settings = {
|
|
attrs = {
|
|
olcLogLevel = "conns config";
|
|
};
|
|
|
|
children = {
|
|
"cn=schema".includes = [
|
|
"${pkgs.openldap}/etc/schema/core.ldif"
|
|
"${pkgs.openldap}/etc/schema/cosine.ldif"
|
|
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
|
];
|
|
|
|
"olcDatabase={1}mdb".attrs = {
|
|
objectClass = [
|
|
"olcDatabaseConfig"
|
|
"olcMdbConfig"
|
|
];
|
|
|
|
olcDatabase = "{1}mdb";
|
|
olcDbDirectory = "/var/lib/openldap/data";
|
|
|
|
olcSuffix = localDc;
|
|
|
|
olcRootDN = "cn=admin,${localDc}";
|
|
# olcRootPW.path = config.age.secrets.openldap_admin.path;
|
|
olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";
|
|
|
|
olcAccess = [
|
|
# custom access rules for userPassword attributes
|
|
''
|
|
{0}to attrs=userPassword
|
|
by self write
|
|
by anonymous auth
|
|
by * none''
|
|
|
|
# allow read on anything else
|
|
''
|
|
{1}to *
|
|
by * read''
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|