parent
c46903e3a0
commit
032072374b
35 changed files with 511 additions and 324 deletions
@ -1,39 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
systemd.services.lldap-bootstrap = {
|
||||
description = "Bootstraps LLDAP users";
|
||||
requires = ["lldap.service"];
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Type = "oneshot";
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
PrivateUsers = true;
|
||||
PrivateTmp = true;
|
||||
LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
|
||||
CacheDirectory = "inadyn";
|
||||
ExecStart = ''
|
||||
export LLDAP_URL=http://localhost:8080
|
||||
export LLDAP_ADMIN_USERNAME=admin
|
||||
export LLDAP_ADMIN_PASSWORD=changeme
|
||||
export USER_CONFIGS_DIR="$(realpath ./configs/user)"
|
||||
export GROUP_CONFIGS_DIR="$(realpath ./configs/group)"
|
||||
export USER_SCHEMAS_DIR="$(realpath ./configs/user-schema)"
|
||||
export GROUP_SCHEMAS_DIR="$(realpath ./configs/group-schema)"
|
||||
export LLDAP_SET_PASSWORD_PATH="$(realpath ./lldap_set_password)"
|
||||
export DO_CLEANUP=false
|
||||
./bootstrap.sh
|
||||
|
||||
${pkgs.inadyn}/bin/inadyn \
|
||||
--foreground \
|
||||
--syslog \
|
||||
--once \
|
||||
--cache-dir ''${CACHE_DIRECTORY} \
|
||||
--config ''${CREDENTIALS_DIRECTORY}/inadyn.conf
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,12 +1,24 @@
|
|||
{config, ...}: {
|
||||
{
|
||||
sops.templates."default-groups.json" = {
|
||||
content = ''
|
||||
{
|
||||
"name": "mail"
|
||||
}
|
||||
{
|
||||
"name": "git-user"
|
||||
}
|
||||
{
|
||||
"name": "git-admin"
|
||||
}
|
||||
{
|
||||
"name": "media-user"
|
||||
}
|
||||
{
|
||||
"name": "media-admin"
|
||||
}
|
||||
{
|
||||
"name": "server-admin"
|
||||
}
|
||||
'';
|
||||
path = "/bootstrap/group-configs/default-groups.json";
|
||||
owner = "lldap";
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
cfg = config.services.lldapBootstrap;
|
||||
in {
|
||||
imports = [
|
||||
./service-accounts.nix
|
||||
./user-configs.nix
|
||||
./group-configs.nix
|
||||
];
|
||||
|
|
|
|||
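--- /dev/null
+++ b/machines/auth/bootstrap/service-accounts.nix
@@ -0,0 +1,51 @@
+{config, ...}: {
+sops.secrets."service_accounts/authelia/password" = {};
+sops.secrets."service_accounts/forgejo/password" = {};
+sops.secrets."service_accounts/jellyfin/password" = {};
+sops.secrets."service_accounts/mail/password" = {};
+sops.templates."service-accounts.json" = {
+content = ''
+{
+"id": "authelia",
+"email": "authelia@procopius.dk",
+"password": "${config.sops.placeholder."service_accounts/authelia/password"}",
+"displayName": "Authelia",
+"groups": [
+"lldap_password_manager",
+"mail"
+]
+}
+{
+"id": "forgejo",
+"email": "forgejo@procopius.dk",
+"password": "${config.sops.placeholder."service_accounts/forgejo/password"}",
+"displayName": "Forgejo",
+"groups": [
+"lldap_password_manager",
+"mail"
+]
+}
+{
+"id": "jellyfin",
+"email": "jellyfin@procopius.dk",
+"password": "${config.sops.placeholder."service_accounts/jellyfin/password"}",
+"displayName": "Jellyfin",
+"groups": [
+"lldap_password_manager"
+]
+}
+{
+"id": "mail",
+"email": "mail@procopius.dk",
+"password": "${config.sops.placeholder."service_accounts/mail/password"}",
+"displayName": "NixOS Mailserver",
+"groups": [
+"lldap_password_manager",
+"mail"
+]
+}
+'';
+path = "/bootstrap/user-configs/service-accounts.json";
+owner = "lldap";
+};
+}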
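Review bot: Every service account in this template, including the jellyfin and mail bind accounts, is placed in `lldap_password_manager`; if that is LLDAP's built-in group that may change other users' passwords, a media server or mailer holds far more privilege than a read/bind lookup needs, and a leaked one of these four credentials becomes a takeover path for every user in the directory. Consider keeping that group on the account that actually performs password changes (presumably Authelia for its reset flow, worth confirming) and giving the others read access only, or record per entry why the right is required. Since the JSON lives inside a Nix `''` string and cannot carry comments, a Nix comment beside the `sops.templates."service-accounts.json"` attribute such as `# lldap_password_manager is required by Authelia's self-service reset; other accounts only bind and read` would keep the decision visible to the next maintainer.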
|
@ -1,28 +1,47 @@
|
|||
{config, ...}: {
|
||||
sops.secrets."service_accounts/authelia/password" = {};
|
||||
sops.secrets."service_accounts/forgejo/password" = {};
|
||||
sops.templates."service-accounts.json" = {
|
||||
{
|
||||
sops.templates."user-configs.json" = {
|
||||
content = ''
|
||||
{
|
||||
"id": "authelia",
|
||||
"email": "authelia@procopius.dk",
|
||||
"password": "${config.sops.placeholder."service_accounts/authelia/password"}",
|
||||
"displayName": "Authelia",
|
||||
"id": "plasmagoat",
|
||||
"email": "david.mikael@proton.me",
|
||||
"displayName": "David",
|
||||
"groups": [
|
||||
"lldap_password_manager"
|
||||
"media-user",
|
||||
"media-admin",
|
||||
"git-user",
|
||||
"git-admin",
|
||||
"server-admin"
|
||||
]
|
||||
}
|
||||
{
|
||||
"id": "forgejo",
|
||||
"email": "forgejo@procopius.dk",
|
||||
"password": "${config.sops.placeholder."service_accounts/forgejo/password"}",
|
||||
"displayName": "Forgejo",
|
||||
"id": "kurisudanoda",
|
||||
"email": "iluvmizuki@gmail.com",
|
||||
"displayName": "Noda",
|
||||
"groups": [
|
||||
"lldap_password_manager"
|
||||
"media-user",
|
||||
"git-user"
|
||||
]
|
||||
}
|
||||
{
|
||||
"id": "dannydannydanny",
|
||||
"email": "powerhouseplayer@gmail.com",
|
||||
"displayName": "Danny",
|
||||
"groups": [
|
||||
"media-user",
|
||||
"git-user"
|
||||
]
|
||||
}
|
||||
{
|
||||
"id": "stocksking",
|
||||
"email": "ethanstocks9@gmail.com",
|
||||
"displayName": "Ethan",
|
||||
"groups": [
|
||||
"media-user",
|
||||
"git-user"
|
||||
]
|
||||
}
|
||||
'';
|
||||
path = "/bootstrap/user-configs/service-accounts.json";
|
||||
path = "/bootstrap/user-configs/user-configs.json";
|
||||
owner = "lldap";
|
||||
};
|
||||
}
|
||||
|
|
|
|||