Got ldap working on nutboy3 and jabber on legatus

This commit is contained in:
niten 2021-12-10 18:47:20 -08:00
parent 981da8bb98
commit fcf5ed46c9
7 changed files with 182 additions and 42 deletions


@ -2,12 +2,12 @@
with lib; with lib;
let let
make-passwd-file = hostname: make-passwd-file = hostname: let
pkgs.lib.passwd.stablerandom-passwd-file name = "backplane-host-${hostname}-client-passwd";
"${hostname}-fudo-client-passwd" seed = "${name}-${config.instance.build-seed}";
config.instance.build-seed; in pkgs.lib.passwd.stablerandom-passwd-file name seed;
secrets = host-secrets =
config.fudo.secrets.host-secrets.${config.instance.hostname}; config.fudo.secrets.host-secrets.${config.instance.hostname};
host-password-files = mapAttrs (hostname: hostOpts: host-password-files = mapAttrs (hostname: hostOpts:
@ -26,7 +26,7 @@ in {
client.dns = { client.dns = {
password-file = password-file =
secrets.backplane-client-passwd.target-file; host-secrets.backplane-client-passwd.target-file;
}; };
backplane.client-hosts = mapAttrs (hostname: hostOpts: { backplane.client-hosts = mapAttrs (hostname: hostOpts: {


@ -3,15 +3,18 @@
{ {
imports = [ imports = [
./aliases.nix ./aliases.nix
./backplane-client.nix
./bash.nix ./bash.nix
./client.nix
./common.nix ./common.nix
./dns.nix ./dns.nix
./groups.nix ./groups.nix
./instance.nix ./instance.nix
./kerberos.nix ./kerberos.nix
./system-users.nix
./users.nix ./users.nix
./user-config.nix ./user-config.nix
./wireless-networks.nix ./wireless-networks.nix
./service/jabber.nix
]; ];
} }


@ -29,6 +29,8 @@ in {
}]; }];
}; };
security.acme.email = "admin@legatus.fudo.org";
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"L /etc/adjtime - - - - /state/etc/adjtime" "L /etc/adjtime - - - - /state/etc/adjtime"
]; ];
@ -57,6 +59,14 @@ in {
fudo = { fudo = {
hosts.legatus.external-interfaces = [ "extif0" ]; hosts.legatus.external-interfaces = [ "extif0" ];
services.jabber = {
enable = true;
hostname = "jabber.test.fudo.org";
ldap.servers = [ "nutboy3.fudo.org" ];
state-directory = "/state/ejabberd";
};
secrets.host-secrets.legatus = let secrets.host-secrets.legatus = let
files = config.fudo.secrets.files; files = config.fudo.secrets.files;
in { in {
@ -72,17 +82,17 @@ in {
# user = config.fudo.git.user; # user = config.fudo.git.user;
# }; # };
heimdal-master-key = { # heimdal-master-key = {
source-file = files.realm-master-keys."FUDO.ORG"; # source-file = files.realm-master-keys."FUDO.ORG";
target-file = "/run/heimdal/master-key"; # target-file = "/run/heimdal/master-key";
user = config.fudo.auth.kdc.user; # user = config.fudo.auth.kdc.user;
}; # };
ipropd-keytab = { # ipropd-keytab = {
source-file = files.service-keytabs.legatus.ipropd; # source-file = files.service-keytabs.legatus.ipropd;
target-file = "/run/heimdal/ipropd.keytab"; # target-file = "/run/heimdal/ipropd.keytab";
user = config.fudo.auth.kdc.user; # user = config.fudo.auth.kdc.user;
}; # };
}; };
client.dns = { client.dns = {
@ -92,18 +102,18 @@ in {
external-interface = "extif0"; external-interface = "extif0";
}; };
auth.kdc = { # auth.kdc = {
enable = true; # enable = true;
realm = "FUDO.ORG"; # realm = "FUDO.ORG";
bind-addresses = [ host-ipv4 "127.0.0.1" ]; # bind-addresses = [ host-ipv4 "127.0.0.1" ];
master-key-file = # master-key-file =
secrets.heimdal-master-key.target-file; # secrets.heimdal-master-key.target-file;
state-directory = "/state/kerberos"; # state-directory = "/state/kerberos";
slave-config = { # slave-config = {
master-host = "france"; # master-host = "france";
ipropd-keytab = secrets.ipropd-keytab.target-file; # ipropd-keytab = secrets.ipropd-keytab.target-file;
}; # };
}; # };
secure-dns-proxy = { secure-dns-proxy = {
enable = true; enable = true;
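Review bot: The `heimdal-master-key`/`ipropd-keytab` secrets and the whole `auth.kdc` block are commented out rather than removed, and neither the hunk nor the commit message says why the KDC role is leaving legatus; git already preserves the old text, so delete the blocks and leave a one-line `# KDC disabled on legatus: <reason placeholder>` comment where `auth.kdc` used to be. In the new `services.jabber` block, `hostname = "jabber.test.fudo.org"` differs from the module default `jabber.fudo.org`, which reads like a test value — if it is the intended production name, a short comment saying so would stop the next reader from "fixing" it. The added `security.acme.email` only has an effect if `security.acme.acceptTerms = true` is set somewhere; if it is not already set in a shared module, ACME issuance for the jabber host will fail evaluation. The enclosing `fudo = {` attrset begins in the second hunk and ends outside it.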


@ -18,5 +18,8 @@
fcitx5-rime fcitx5-rime
]; ];
}; };
hardware.bluetooth.enable = true;
hardware.xpadneo.enable = true;
}; };
} }

config/service/jabber.nix Normal file

@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.services.jabber;
hostname = config.instance.hostname;
host-secrets = config.fudo.secrets.host-secrets.${hostname};
in {
options.fudo.services.jabber = with types; {
enable = mkEnableOption "Enable Jabber server on this host.";
user = mkOption {
type = str;
description = "User as which to run the ejabberd server.";
default = "ejabberd";
};
group = mkOption {
type = str;
description = "Group as which to run the ejabberd server.";
default = "ejabberd";
};
hostname = mkOption {
type = str;
description = "Hostname of the user jabber server.";
default = "jabber.fudo.org";
};
ldap = {
user = mkOption {
type = str;
description = "System user as which to connect to the LDAP server to authenticate users.";
default = "ejabberd-auth";
};
servers = mkOption {
type = listOf str;
description = "List of LDAP servers to use while authenticating users.";
};
};
state-directory = mkOption {
type = str;
description = "Directory at which to store Jabber state. Should be persistent.";
default = "/var/lib/ejabberd";
};
};
config.fudo = let
ejabberd-ldap-auth-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "ejabberd-auth-passwd-file"
"ejabberd-auth-passwd-file-${config.instance.build-seed}";
in {
system-users.${cfg.ldap.user} = {
description = "ejabberd authentication user.";
ldap-hashed-password =
pkgs.lib.passwd.hash-ldap-passwd "ejabberd-ldap-auth-passwd"
ejabberd-ldap-auth-passwd-file;
};
jabber = mkIf cfg.enable {
enable = true;
state-directory = cfg.state-directory;
secret-files = {
"__LDAP_PASSWORD__" = ejabberd-ldap-auth-passwd-file;
};
sites = {
${cfg.hostname} = {
site-config = {
auth_method = "ldap";
ldap_servers = cfg.ldap.servers;
ldap_port = 636;
ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org";
ldap_password = "__LDAP_PASSWORD__";
ldap_base = "ou=members,dc=fudo,dc=org";
ldap_filter = "(objectClass=posixAccount)";
ldap_uids = { uid = "%u"; };
modules = {
mod_adhoc = {};
mod_announce = {};
mod_avatar = {};
mod_blocking = {};
mod_caps = {};
mod_carboncopy = {};
mod_client_state = {};
mod_configure = {};
mod_disco = {};
mod_fail2ban = {};
mod_last = {};
mod_offline = {
access_max_user_messages = 5000;
};
mod_ping = {};
mod_privacy = {};
mod_private = {};
mod_pubsub = {
access_createnode = "pubsub_createnode";
ignore_pep_from_offline = true;
last_item_cache = false;
plugins = [
"flat"
"pep"
];
};
mod_roster = {};
mod_stream_mgmt = {};
mod_time = {};
mod_vcard = {
search = false;
};
mod_vcard_xupdate = {};
mod_version = {};
};
};
};
};
};
};
}
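Review bot: `ldap_port = 636;` in `site-config` is not accompanied by an `ldap_encrypt` setting, and ejabberd defaults that option to `none`, so the bind is attempted in plaintext on the LDAPS port — it will either fail to connect or, if the server answers, send the `ldap_rootdn` password unencrypted; add `ldap_encrypt = "tls";` beside `ldap_port`, and consider `ldap_tls_verify = "hard";` with `ldap_tls_cacertfile` pointing at the CA so the server certificate is actually checked. Separately, `system-users.${cfg.ldap.user}` is set outside the `mkIf cfg.enable` that guards `jabber`, and this commit also adds `./service/jabber.nix` to the shared imports, so every host will declare the `ejabberd-auth` LDAP account and its build-seed-derived password even where jabber is disabled; `system-users.${cfg.ldap.user} = mkIf cfg.enable { ... };` (or moving the whole `config.fudo` value under `mkIf cfg.enable`) keeps the account scoped to hosts that run the service. The base DN in `ldap_rootdn`/`ldap_base` is hard-coded to `dc=fudo,dc=org` while the servers are an option; an `ldap.base-dn` option with that default would make the two consistent. A `##`-style header comment explaining the `__LDAP_PASSWORD__` placeholder/`secret-files` substitution would help, since nothing in this file says how the token is replaced.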


@ -1,17 +1,15 @@
{ config, lib, pkgs, ... }:
{ {
replicator = { config.fudo.system-users = {
description = "Database Replicator"; auth_reader = {
hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ="; description = "System Authenticator";
}; ldap-hashed-password = "{SSHA}J4Ihsi1apl3B2kSka8KGDz0tPhO1ipTz";
};
auth_reader = { user_db_reader = {
description = "System Authenticator"; description = "User Database Reader";
hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q=="; ldap-hashed-password = "{SSHA}IVKhrB+wMOCI/CCzbJW8sNDbH67ZTMBv";
}; };
user_db_reader = {
description = "User Database Reader";
hashed-password = "{SSHA}IVKhrB+wMOCI/CCzbJW8sNDbH67ZTMBv";
}; };
} }
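Review bot: The `auth_reader` and `user_db_reader` entries check `{SSHA}` digests into the repository; SSHA is a single-round salted SHA-1, so anyone with read access to the repo can run an offline guess against these service-account passwords, and the `auth_reader` change from `{MD5}` only moves between two fast schemes. If the directory supports a slow scheme, store them that way instead (for OpenLDAP, `{CRYPT}` with a SHA-512 salt format, or `{ARGON2}` where that module is loaded), or derive them at evaluation time with `hash-ldap-passwd` as config/service/jabber.nix now does so no digest has to live in the tree. A comment above the block noting how these passwords are rotated would also help. Dropping `replicator` presumably means nothing binds as it any more — worth confirming before the account disappears from the directory.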


@ -16,7 +16,8 @@
}; };
fudo-lib = { fudo-lib = {
url = "git+https://git.fudo.org/fudo-nix/lib.git"; #url = "git+https://git.fudo.org/fudo-nix/lib.git";
url = "path:/state/fudo-lib";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
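Review bot: Pointing the `fudo-lib` input at `url = "path:/state/fudo-lib"` while commenting out the git URL makes the flake depend on an unversioned directory on one machine: it is not reproducible on any other host, the input is no longer pinned in flake.lock to a reviewed revision, and whatever happens to be in /state/fudo-lib at build time is trusted with no record of what it was. If this is a local development override, keep the git URL in the file and apply the path only on the command line with `nix build --override-input fudo-lib path:/state/fudo-lib`. If the path is meant to be permanent, add a comment explaining why and how that directory is populated and checked.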