From 5a0b508eccdfb906f5b24270aa62887820f0fd1f Mon Sep 17 00:00:00 2001 From: niten Date: Sun, 12 Dec 2021 16:49:47 -0800 Subject: [PATCH] Start adding fudo services Starting with auth & jabber --- config/default.nix | 3 +- config/host-config/legatus.nix | 40 ++++++---- config/host-config/nutboy3.nix | 33 ++------ config/service/fudo-auth.nix | 141 +++++++++++++++++++++++++++++++++ config/service/jabber.nix | 2 + 5 files changed, 175 insertions(+), 44 deletions(-) create mode 100644 config/service/fudo-auth.nix diff --git a/config/default.nix b/config/default.nix index 20cbb16..bf7a76a 100644 --- a/config/default.nix +++ b/config/default.nix @@ -9,12 +9,13 @@ ./dns.nix ./groups.nix ./instance.nix - ./kerberos.nix + # ./kerberos.nix ./system-users.nix ./users.nix ./user-config.nix ./wireless-networks.nix + ./service/auth.nix ./service/jabber.nix ]; } diff --git a/config/host-config/legatus.nix b/config/host-config/legatus.nix index 6a41927..e1b8ff9 100644 --- a/config/host-config/legatus.nix +++ b/config/host-config/legatus.nix @@ -60,11 +60,21 @@ in { fudo = { hosts.legatus.external-interfaces = [ "extif0" ]; - services.jabber = { - enable = true; - hostname = "jabber.test.fudo.org"; - ldap.servers = [ "nutboy3.fudo.org" ]; - state-directory = "/state/ejabberd"; + services = { + jabber = { + enable = true; + hostname = "jabber.fudo.org"; + ldap.servers = [ "nutboy3.fudo.org" ]; + state-directory = "/state/ejabberd"; + }; + auth = { + ldap.state-directory = "/state/auth/ldap"; + kerberos = { + state-directory = "/state/auth/kerberos"; + master-key-file = host-secrets.heimdal-master-key.target-file; + ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file; + }; + }; }; secrets.host-secrets.legatus = let 
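Review bot: The imports list adds `./service/auth.nix`, but the file this patch creates is `config/service/fudo-auth.nix` (per the diffstat and the `diff --git` header below), so evaluating `config/default.nix` will fail on a missing path; one of the two names has to change, e.g. `./service/fudo-auth.nix`. `./kerberos.nix` is commented out rather than removed, which leaves a dead entry to drift; if the new module supersedes it, drop the line (and the file) instead of keeping it as a comment.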
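Review bot: `ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file;` looks up a secret that the second legatus.nix hunk defines as `hemidal-ipropd-keytab` (transposed letters), so this attribute access fails at evaluation; rename the secret there to `heimdal-ipropd-keytab`. Separately, `kerberos.ipropd-keytab` is not declared in `options.fudo.services.auth.kerberos` of the new `fudo-auth.nix` (only `hostname`, `state-directory` and `master-key-file` are), so the module system will reject it as an undefined option unless that option is added. The `host-secrets` binding both lines rely on is outside the hunk and could not be checked, and the enclosing `fudo = {` attrset continues past the hunk.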
@@ -82,17 +92,17 @@ in { # user = config.fudo.git.user; # }; - # heimdal-master-key = { - # source-file = files.realm-master-keys."FUDO.ORG"; - # target-file = "/run/heimdal/master-key"; - # user = config.fudo.auth.kdc.user; - # }; + heimdal-master-key = { + source-file = files.realm-master-keys."FUDO.ORG"; + target-file = "/run/heimdal/master-key"; + user = config.fudo.auth.kdc.user; + }; - # ipropd-keytab = { - # source-file = files.service-keytabs.legatus.ipropd; - # target-file = "/run/heimdal/ipropd.keytab"; - # user = config.fudo.auth.kdc.user; - # }; + hemidal-ipropd-keytab = { + source-file = files.service-keytabs.legatus.ipropd; + target-file = "/run/heimdal/ipropd.keytab"; + user = config.fudo.auth.kdc.user; + }; }; client.dns = { diff --git a/config/host-config/nutboy3.nix b/config/host-config/nutboy3.nix index 838cfee..e534e7d 100644 --- a/config/host-config/nutboy3.nix +++ b/config/host-config/nutboy3.nix @@ -89,34 +89,11 @@ in { external-interface = "extif0"; }; - auth = { - ldap-server = let - ldap-copy = acme-copies.${host-fqdn}.local-copies.openldap; - in { - enable = true; - base = "dc=fudo,dc=org"; - organization = "Fudo"; - kerberos-host = host-fqdn; - kerberos-keytab = secrets.ldap-keytab.target-file; - listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///"]; - required-services = [ ldap-copy.service ]; - - users = config.fudo.users; - groups = config.fudo.groups; - system-users = config.fudo.system-users; - - state-directory = "/state/openldap"; - - ssl-chain = ldap-copy.chain; - ssl-certificate = ldap-copy.certificate; - ssl-private-key = ldap-copy.private-key; - ssl-ca-certificate = "${pkgs.letsencrypt-ca}"; - }; - - kdc = { - master-key-file = - secrets.heimdal-master-key.target-file; - state-directory = "/state/kerberos"; + services.auth = { + ldap.state-directory = "/state/auth/ldap"; + kerberos = { + state-directory = "/state/auth/kerberos"; + master-key-file = host-secrets.heimdal-master-key.target-file; }; }; 
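Review bot: The removed `auth.ldap-server` block set `kerberos-host`, `kerberos-keytab = secrets.ldap-keytab.target-file` and an `ldapi:///` listen URI, but the replacement `services.auth` block (and the `ldap-server` it expands to in the new `fudo-auth.nix`) sets none of these, so after this change the OpenLDAP server on nutboy3 has no Kerberos keytab and GSSAPI/SASL binds to it will stop working unless that is now configured elsewhere. Likewise the removed `kdc.master-key-file` and `kdc.state-directory` were passed straight to `config.fudo.auth.kdc`, whereas the new module declares `kerberos.master-key-file`/`kerberos.state-directory` but never forwards them to `auth.kdc`, so the KDC master key is no longer wired up. Either carry these settings into `fudo-auth.nix` or keep them in this host file until the module does. `host-secrets` replaces the earlier `secrets` binding; the `let` that would define it is outside the hunk.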
diff --git a/config/service/fudo-auth.nix b/config/service/fudo-auth.nix new file mode 100644 index 0000000..f041beb --- /dev/null +++ b/config/service/fudo-auth.nix 
@@ -0,0 +1,141 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.instance.hostname; + domain-name = config.instance.local-domain; + domain = config.fudo.domains.${domain-name}; + + ldap-server = elem hostname domain.ldap-servers; + + kerberos-master = hostname == domain.kerberos-master; + kerberos-slave = elem hostname domain.kerberos-slaves; + + kerberized-domain = domain.kerberos-master != null; + +in { + options.fudo.services.auth = with types; { + ldap = { + hostname = mkOption { + type = str; + description = "Fully-qualified (and public-addressable) domain name of this host."; + default = config.instance.host-fqdn; + }; + + state-directory = mkOption { + type = str; + description = "Directory at which to store peristent ldap-related data."; + }; + }; + + kerberos = { + hostname = mkOption { + type = str; + description = "Fully-qualified (and public-addressable) domain name of this host."; + default = config.instance.host-fqdn; + }; + + state-directory = mkOption { + type = str; + description = "Directory at which to store peristent KDC-related data."; + }; + + master-key-file = mkOption { + type = str; + description = "Path (on the build server) to the KDC master key file."; + }; + }; + }; + + config.fudo = { + acme.host-domains.${hostname} = mkIf (ldap-server) { + ${cfg.hostname}.local-copies.openldap = { + user = config.services.openldap.user; + part-of = [ config.fudo.auth.ldap-server.systemd-target ]; + }; + }; + + auth = { + ldap-server = mkIf (ldap-server) + (let + ldap-cert-copy = + config.fudo.acme.host-domains.${hostname}.${cfg.hostname}.local-copies.openldap; + in { + enable = ldap-server; + base = "dc=fudo,dc=org"; + organization = "Fudo"; + listen-uris = [ "ldap:///" "ldaps:///" ]; + required-services = [ ldap-cert-copy.service ]; + + # TODO: Maybe filter to Fudo-only? 
+ users = config.fudo.users; + groups = config.fudo.groups; + system-users = config.fudo.system-users; + + state-directory = "${cfg.state-directory}/ldap"; + + ssl-chain = ldap-cert-copy.chain; + ssl-certificate = ldap-cert-copy.certificate; + ssl-private-key = ldap-cert-copy.private-key; + ssl-ca-certificate = "${pkgs.letsencrypt-ca}"; + }); + + kdc = mkIf (kerberos-master || kerberos-slave) { + enable = true; + realm = domain.gssapi-realm; + bind-addresses = + (pkgs.lib.network.host-ips config hostname) ++ + [ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"); + master-config = mkIf (kerberos-master) { + acl = let + admin-entries = genAttrs cfg.local-admins + (admin: { + perms = [ "add" "change-password" "list" ]; + }); + in admin-entries // { + "*/root".perms = [ "all" ]; + }; + }; + slave-config = mkIf (kerberos-slave) { + master-host = domain.kerberos-master; + # TODO: Provide the keytab yourself... + }; + }; + }; + + dns.domains.${domain-name} = let + make-srv-record = port: hostname: { + port = port; + host = hostname; + }; + + get-fqdn = host: + "${host}.${config.fudo.hosts.${host}.domain}"; + + kerberos-masters = optional (kerberized-domain) + domain.kerberos-master; + + kerberos-servers = map get-fqdn + (kerberos-masters ++ domain.kerberos-slaves); + + master-servers = map get-fqdn kerberos-masters; + + ldap-servers = map get-fqdn domain.ldap-servers; + in { + zone-definition.srv-records = { + tcp = { + kerberos = map (create-srv-record 88) kerberos-servers; + kerberos-adm = map (create-srv-record 749) kerberos-masters; + ldap = map (create-srv-record 389) ldap-servers; + ldaps = map (create-srv-record 636) ldap-servers; + }; + + udp = { + kerberos = map (create-srv-record 88) kerberos-servers; + kerberos-master = map (create-srv-record 88) kerberos-masters; + kpasswd = map (create-srv-record 464) kerberos-masters; + }; + }; + }; + }; +} diff --git a/config/service/jabber.nix b/config/service/jabber.nix index 619d66e..f86b685 100644 
--- a/config/service/jabber.nix +++ b/config/service/jabber.nix @@ -80,6 +80,8 @@ in { ldap_base = "ou=members,dc=fudo,dc=org"; ldap_filter = "(objectClass=posixAccount)"; ldap_uids = { uid = "%u"; }; + ldap_tls_cacertfile = "${pkgs.letsencrypt-ca}"; + ldap_tls_verify = "false"; modules = { mod_adhoc = {};
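Review bot: `ldap_tls_verify = "false"` switches certificate verification off, so the `ldap_tls_cacertfile` added on the line above is never consulted and ejabberd will accept any certificate from the LDAP server it authenticates users against; the CA file being `pkgs.letsencrypt-ca` suggests the server presents a publicly trusted chain, in which case `ldap_tls_verify = "hard";` is the setting to use and the CA line then does its job. Whether TLS is engaged at all depends on `ldap_encrypt`, which is not in the hunk, and it is worth confirming that the string `"false"` is rendered as ejabberd expects rather than as a literal string. The enclosing `ldap` settings block starts and ends outside the hunk.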