Start adding fudo services

Starting with auth & jabber
This commit is contained in:
niten 2021-12-12 16:49:47 -08:00
parent fcf5ed46c9
commit 5a0b508ecc
5 changed files with 175 additions and 44 deletions


@ -9,12 +9,13 @@
./dns.nix ./dns.nix
./groups.nix ./groups.nix
./instance.nix ./instance.nix
./kerberos.nix # ./kerberos.nix
./system-users.nix ./system-users.nix
./users.nix ./users.nix
./user-config.nix ./user-config.nix
./wireless-networks.nix ./wireless-networks.nix
./service/auth.nix
./service/jabber.nix ./service/jabber.nix
]; ];
} }
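Review bot: Commenting out `./kerberos.nix` near the top of the hunk leaves a stale entry in the import list instead of removing it. If its contents moved into the newly imported `./service/auth.nix`, delete the line (history keeps it); otherwise a short comment on why it is disabled, e.g. `# ./kerberos.nix  # disabled: replaced by ./service/auth.nix`, tells the next reader whether it is safe to drop.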


@ -60,12 +60,22 @@ in {
fudo = { fudo = {
hosts.legatus.external-interfaces = [ "extif0" ]; hosts.legatus.external-interfaces = [ "extif0" ];
services.jabber = { services = {
jabber = {
enable = true; enable = true;
hostname = "jabber.test.fudo.org"; hostname = "jabber.fudo.org";
ldap.servers = [ "nutboy3.fudo.org" ]; ldap.servers = [ "nutboy3.fudo.org" ];
state-directory = "/state/ejabberd"; state-directory = "/state/ejabberd";
}; };
auth = {
ldap.state-directory = "/state/auth/ldap";
kerberos = {
state-directory = "/state/auth/kerberos";
master-key-file = host-secrets.heimdal-master-key.target-file;
ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file;
};
};
};
secrets.host-secrets.legatus = let secrets.host-secrets.legatus = let
files = config.fudo.secrets.files; files = config.fudo.secrets.files;
@ -82,17 +92,17 @@ in {
# user = config.fudo.git.user; # user = config.fudo.git.user;
# }; # };
# heimdal-master-key = { heimdal-master-key = {
# source-file = files.realm-master-keys."FUDO.ORG"; source-file = files.realm-master-keys."FUDO.ORG";
# target-file = "/run/heimdal/master-key"; target-file = "/run/heimdal/master-key";
# user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
# }; };
# ipropd-keytab = { hemidal-ipropd-keytab = {
# source-file = files.service-keytabs.legatus.ipropd; source-file = files.service-keytabs.legatus.ipropd;
# target-file = "/run/heimdal/ipropd.keytab"; target-file = "/run/heimdal/ipropd.keytab";
# user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
# }; };
}; };
client.dns = { client.dns = {
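Review bot: The secret is declared as `hemidal-ipropd-keytab` in the second hunk but read as `host-secrets.heimdal-ipropd-keytab.target-file` in the first, so the missing attribute will fail evaluation; rename the declaration to `heimdal-ipropd-keytab = {`. That same line sets `services.auth.kerberos.ipropd-keytab`, which the auth module added in this commit does not declare as an option (it declares only `hostname`, `state-directory` and `master-key-file`), so the assignment will also be rejected unless the option is declared elsewhere. Both secrets are correctly owned by `config.fudo.auth.kdc.user`, but `host-secrets` is bound outside these hunks, so check that it refers to the `secrets.host-secrets.legatus` set defined below. The enclosing `fudo` attrset starts and ends outside the hunks.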


@ -89,34 +89,11 @@ in {
external-interface = "extif0"; external-interface = "extif0";
}; };
auth = { services.auth = {
ldap-server = let ldap.state-directory = "/state/auth/ldap";
ldap-copy = acme-copies.${host-fqdn}.local-copies.openldap; kerberos = {
in { state-directory = "/state/auth/kerberos";
enable = true; master-key-file = host-secrets.heimdal-master-key.target-file;
base = "dc=fudo,dc=org";
organization = "Fudo";
kerberos-host = host-fqdn;
kerberos-keytab = secrets.ldap-keytab.target-file;
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///"];
required-services = [ ldap-copy.service ];
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
state-directory = "/state/openldap";
ssl-chain = ldap-copy.chain;
ssl-certificate = ldap-copy.certificate;
ssl-private-key = ldap-copy.private-key;
ssl-ca-certificate = "${pkgs.letsencrypt-ca}";
};
kdc = {
master-key-file =
secrets.heimdal-master-key.target-file;
state-directory = "/state/kerberos";
}; };
}; };
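Review bot: The replacement drops settings that have no counterpart in the new `services.auth` interface: `kerberos-host`, `kerberos-keytab` and the `ldapi:///` listen URI are removed here and the auth module added in this commit does not set them either, so unless `fudo.auth.ldap-server` has defaults for them the LDAP server loses its Kerberos keytab (and with it GSSAPI binds) and its local socket. The state directories also move from `/state/openldap` and `/state/kerberos` to `/state/auth/ldap` and `/state/auth/kerberos`, so the existing LDAP and KDC databases will not be found on first boot unless they are migrated; a comment recording the required move, or keeping the old paths until it is done, would prevent starting from an empty directory. `master-key-file` now reads `host-secrets.heimdal-master-key.target-file` where the old code used `secrets.…`; the `let` binding these names is outside the hunk, so confirm `host-secrets` exists in this file. The enclosing attrset continues outside the hunk.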


@ -0,0 +1,141 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
domain-name = config.instance.local-domain;
domain = config.fudo.domains.${domain-name};
ldap-server = elem hostname domain.ldap-servers;
kerberos-master = hostname == domain.kerberos-master;
kerberos-slave = elem hostname domain.kerberos-slaves;
kerberized-domain = domain.kerberos-master != null;
in {
options.fudo.services.auth = with types; {
ldap = {
hostname = mkOption {
type = str;
description = "Fully-qualified (and public-addressable) domain name of this host.";
default = config.instance.host-fqdn;
};
state-directory = mkOption {
type = str;
description = "Directory at which to store peristent ldap-related data.";
};
};
kerberos = {
hostname = mkOption {
type = str;
description = "Fully-qualified (and public-addressable) domain name of this host.";
default = config.instance.host-fqdn;
};
state-directory = mkOption {
type = str;
description = "Directory at which to store peristent KDC-related data.";
};
master-key-file = mkOption {
type = str;
description = "Path (on the build server) to the KDC master key file.";
};
};
};
config.fudo = {
acme.host-domains.${hostname} = mkIf (ldap-server) {
${cfg.hostname}.local-copies.openldap = {
user = config.services.openldap.user;
part-of = [ config.fudo.auth.ldap-server.systemd-target ];
};
};
auth = {
ldap-server = mkIf (ldap-server)
(let
ldap-cert-copy =
config.fudo.acme.host-domains.${hostname}.${cfg.hostname}.local-copies.openldap;
in {
enable = ldap-server;
base = "dc=fudo,dc=org";
organization = "Fudo";
listen-uris = [ "ldap:///" "ldaps:///" ];
required-services = [ ldap-cert-copy.service ];
# TODO: Maybe filter to Fudo-only?
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
state-directory = "${cfg.state-directory}/ldap";
ssl-chain = ldap-cert-copy.chain;
ssl-certificate = ldap-cert-copy.certificate;
ssl-private-key = ldap-cert-copy.private-key;
ssl-ca-certificate = "${pkgs.letsencrypt-ca}";
});
kdc = mkIf (kerberos-master || kerberos-slave) {
enable = true;
realm = domain.gssapi-realm;
bind-addresses =
(pkgs.lib.network.host-ips config hostname) ++
[ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1");
master-config = mkIf (kerberos-master) {
acl = let
admin-entries = genAttrs cfg.local-admins
(admin: {
perms = [ "add" "change-password" "list" ];
});
in admin-entries // {
"*/root".perms = [ "all" ];
};
};
slave-config = mkIf (kerberos-slave) {
master-host = domain.kerberos-master;
# TODO: Provide the keytab yourself...
};
};
};
dns.domains.${domain-name} = let
make-srv-record = port: hostname: {
port = port;
host = hostname;
};
get-fqdn = host:
"${host}.${config.fudo.hosts.${host}.domain}";
kerberos-masters = optional (kerberized-domain)
domain.kerberos-master;
kerberos-servers = map get-fqdn
(kerberos-masters ++ domain.kerberos-slaves);
master-servers = map get-fqdn kerberos-masters;
ldap-servers = map get-fqdn domain.ldap-servers;
in {
zone-definition.srv-records = {
tcp = {
kerberos = map (create-srv-record 88) kerberos-servers;
kerberos-adm = map (create-srv-record 749) kerberos-masters;
ldap = map (create-srv-record 389) ldap-servers;
ldaps = map (create-srv-record 636) ldap-servers;
};
udp = {
kerberos = map (create-srv-record 88) kerberos-servers;
kerberos-master = map (create-srv-record 88) kerberos-masters;
kpasswd = map (create-srv-record 464) kerberos-masters;
};
};
};
};
}
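Review bot: `cfg` is used at `${cfg.hostname}`, `cfg.state-directory` and `cfg.local-admins` but is never bound in the `let` at the top of the file, so the module does not evaluate; bind `cfg = config.fudo.services.auth;` and address the options as declared (`cfg.ldap.hostname`, `cfg.ldap.state-directory` — the host configs presumably pass the full directory, so appending `/ldap` to it looks unintended), and note that `local-admins` and the `kerberos.ipropd-keytab` set by the legatus host config are not declared as options at all. The SRV records call `create-srv-record` while the helper defined in the `let` is `make-srv-record`, and `kerberos-adm`, `kerberos-master` and `kpasswd` map over the unqualified `kerberos-masters` while the fully-qualified `master-servers` is computed and never used. The `kdc` block declares `kerberos.master-key-file` and `kerberos.state-directory` but passes neither to `fudo.auth.kdc`, although the host config this commit replaces did, so the KDC master key supplied through the host secret is no longer wired through. The two `state-directory` descriptions misspell "persistent" as "peristent". The rewired lines are below.
```nix
let
  # … unchanged: hostname, domain-name, domain, role flags …
  cfg = config.fudo.services.auth;
in {
  # … unchanged: options.fudo.services.auth …
  config.fudo = {
    acme.host-domains.${hostname} = mkIf (ldap-server) {
      ${cfg.ldap.hostname}.local-copies.openldap = {
        # … unchanged: user, part-of …
      };
    };
    auth = {
      ldap-server = mkIf (ldap-server)
        (let
          ldap-cert-copy =
            config.fudo.acme.host-domains.${hostname}.${cfg.ldap.hostname}.local-copies.openldap;
        in {
          # … unchanged: enable, base, organization, listen-uris, required-services, users, groups, system-users …
          state-directory = cfg.ldap.state-directory;
          # … unchanged: ssl-chain, ssl-certificate, ssl-private-key, ssl-ca-certificate …
        });
      kdc = mkIf (kerberos-master || kerberos-slave) {
        enable = true;
        realm = domain.gssapi-realm;
        master-key-file = cfg.kerberos.master-key-file;
        state-directory = cfg.kerberos.state-directory;
        # … unchanged: bind-addresses, master-config, slave-config …
      };
    };
    dns.domains.${domain-name} = let
      # … unchanged: make-srv-record, get-fqdn, kerberos-masters, kerberos-servers, master-servers, ldap-servers …
    in {
      zone-definition.srv-records = {
        tcp = {
          kerberos = map (make-srv-record 88) kerberos-servers;
          kerberos-adm = map (make-srv-record 749) master-servers;
          ldap = map (make-srv-record 389) ldap-servers;
          ldaps = map (make-srv-record 636) ldap-servers;
        };
        udp = {
          kerberos = map (make-srv-record 88) kerberos-servers;
          kerberos-master = map (make-srv-record 88) master-servers;
          kpasswd = map (make-srv-record 464) master-servers;
        };
      };
    };
  };
}
```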


@ -80,6 +80,8 @@ in {
ldap_base = "ou=members,dc=fudo,dc=org"; ldap_base = "ou=members,dc=fudo,dc=org";
ldap_filter = "(objectClass=posixAccount)"; ldap_filter = "(objectClass=posixAccount)";
ldap_uids = { uid = "%u"; }; ldap_uids = { uid = "%u"; };
ldap_tls_cacertfile = "${pkgs.letsencrypt-ca}";
ldap_tls_verify = "false";
modules = { modules = {
mod_adhoc = {}; mod_adhoc = {};
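Review bot: `ldap_tls_verify = "false"` disables certificate verification on ejabberd's LDAP connection, so the `ldap_tls_cacertfile` set on the line above is never used to authenticate the directory server and any bind credentials sent over that connection can be intercepted by whoever can redirect traffic to the configured LDAP host. The legatus host config in this commit also moves the service from `jabber.test.fudo.org` to `jabber.fudo.org`, so this setting would go to the production hostname as-is; use `ldap_tls_verify = "hard";` (or at least `"soft"`) together with the CA file so the LDAP certificate is actually checked against `${pkgs.letsencrypt-ca}`. If verification was turned off because the LDAP certificate does not validate against that CA, that is better fixed on the LDAP side than worked around in the client. The enclosing attrset continues outside the hunk.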