nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Got ldap working on nutboy3 and jabber on legatus

This commit is contained in:
niten 2021-12-10 18:47:20 -08:00
parent 981da8bb98
commit fcf5ed46c9
7 changed files with 182 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
config/client.nix → config/backplane-client.nix
View File

@ -2,12 +2,12 @@
with lib;
let
make-passwd-file = hostname:
pkgs.lib.passwd.stablerandom-passwd-file
"${hostname}-fudo-client-passwd"
config.instance.build-seed;
make-passwd-file = hostname: let
name = "backplane-host-${hostname}-client-passwd";
seed = "${name}-${config.instance.build-seed}";
in pkgs.lib.passwd.stablerandom-passwd-file name seed;
secrets =
host-secrets =
config.fudo.secrets.host-secrets.${config.instance.hostname};
host-password-files = mapAttrs (hostname: hostOpts:
@ -26,7 +26,7 @@ in {
client.dns = {
password-file =
secrets.backplane-client-passwd.target-file;
host-secrets.backplane-client-passwd.target-file;
};
backplane.client-hosts = mapAttrs (hostname: hostOpts: {

5
config/default.nix
View File

@ -3,15 +3,18 @@
{
imports = [
./aliases.nix
./backplane-client.nix
./bash.nix
./client.nix
./common.nix
./dns.nix
./groups.nix
./instance.nix
./kerberos.nix
./system-users.nix
./users.nix
./user-config.nix
./wireless-networks.nix
./service/jabber.nix
];
}

54
config/host-config/legatus.nix
View File

@ -29,6 +29,8 @@ in {
}];
};
security.acme.email = "admin@legatus.fudo.org";
systemd.tmpfiles.rules = [
"L /etc/adjtime - - - - /state/etc/adjtime"
];
@ -57,6 +59,14 @@ in {
fudo = {
hosts.legatus.external-interfaces = [ "extif0" ];
services.jabber = {
enable = true;
hostname = "jabber.test.fudo.org";
ldap.servers = [ "nutboy3.fudo.org" ];
state-directory = "/state/ejabberd";
};
secrets.host-secrets.legatus = let
files = config.fudo.secrets.files;
in {
@ -72,17 +82,17 @@ in {
# user = config.fudo.git.user;
# };
heimdal-master-key = {
source-file = files.realm-master-keys."FUDO.ORG";
target-file = "/run/heimdal/master-key";
user = config.fudo.auth.kdc.user;
};
# heimdal-master-key = {
# source-file = files.realm-master-keys."FUDO.ORG";
# target-file = "/run/heimdal/master-key";
# user = config.fudo.auth.kdc.user;
# };
ipropd-keytab = {
source-file = files.service-keytabs.legatus.ipropd;
target-file = "/run/heimdal/ipropd.keytab";
user = config.fudo.auth.kdc.user;
};
# ipropd-keytab = {
# source-file = files.service-keytabs.legatus.ipropd;
# target-file = "/run/heimdal/ipropd.keytab";
# user = config.fudo.auth.kdc.user;
# };
};
client.dns = {
@ -92,18 +102,18 @@ in {
external-interface = "extif0";
};
auth.kdc = {
enable = true;
realm = "FUDO.ORG";
bind-addresses = [ host-ipv4 "127.0.0.1" ];
master-key-file =
secrets.heimdal-master-key.target-file;
state-directory = "/state/kerberos";
slave-config = {
master-host = "france";
ipropd-keytab = secrets.ipropd-keytab.target-file;
};
};
# auth.kdc = {
# enable = true;
# realm = "FUDO.ORG";
# bind-addresses = [ host-ipv4 "127.0.0.1" ];
# master-key-file =
# secrets.heimdal-master-key.target-file;
# state-directory = "/state/kerberos";
# slave-config = {
# master-host = "france";
# ipropd-keytab = secrets.ipropd-keytab.target-file;
# };
# };
secure-dns-proxy = {
enable = true;

3
config/host-config/zbox.nix
View File

@ -18,5 +18,8 @@
fcitx5-rime
];
};
hardware.bluetooth.enable = true;
hardware.xpadneo.enable = true;
};
}

125
config/service/jabber.nix Normal file
View File

@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.services.jabber;
hostname = config.instance.hostname;
host-secrets = config.fudo.secrets.host-secrets.${hostname};
in {
options.fudo.services.jabber = with types; {
enable = mkEnableOption "Enable Jabber server on this host.";
user = mkOption {
type = str;
description = "User as which to run the ejabberd server.";
default = "ejabberd";
};
group = mkOption {
type = str;
description = "Group as which to run the ejabberd server.";
default = "ejabberd";
};
hostname = mkOption {
type = str;
description = "Hostname of the user jabber server.";
default = "jabber.fudo.org";
};
ldap = {
user = mkOption {
type = str;
description = "System user as which to connect to the LDAP server to authenticate users.";
default = "ejabberd-auth";
};
servers = mkOption {
type = listOf str;
description = "List of LDAP servers to use while authenticating users.";
};
};
state-directory = mkOption {
type = str;
description = "Directory at which to store Jabber state. Should be persistent.";
default = "/var/lib/ejabberd";
};
};
config.fudo = let
ejabberd-ldap-auth-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "ejabberd-auth-passwd-file"
"ejabberd-auth-passwd-file-${config.instance.build-seed}";
in {
system-users.${cfg.ldap.user} = {
description = "ejabberd authentication user.";
ldap-hashed-password =
pkgs.lib.passwd.hash-ldap-passwd "ejabberd-ldap-auth-passwd"
ejabberd-ldap-auth-passwd-file;
};
jabber = mkIf cfg.enable {
enable = true;
state-directory = cfg.state-directory;
secret-files = {
"__LDAP_PASSWORD__" = ejabberd-ldap-auth-passwd-file;
};
sites = {
${cfg.hostname} = {
site-config = {
auth_method = "ldap";
ldap_servers = cfg.ldap.servers;
ldap_port = 636;
ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org";
ldap_password = "__LDAP_PASSWORD__";
ldap_base = "ou=members,dc=fudo,dc=org";
ldap_filter = "(objectClass=posixAccount)";
ldap_uids = { uid = "%u"; };
modules = {
mod_adhoc = {};
mod_announce = {};
mod_avatar = {};
mod_blocking = {};
mod_caps = {};
mod_carboncopy = {};
mod_client_state = {};
mod_configure = {};
mod_disco = {};
mod_fail2ban = {};
mod_last = {};
mod_offline = {
access_max_user_messages = 5000;
};
mod_ping = {};
mod_privacy = {};
mod_private = {};
mod_pubsub = {
access_createnode = "pubsub_createnode";
ignore_pep_from_offline = true;
last_item_cache = false;
plugins = [
"flat"
"pep"
];
};
mod_roster = {};
mod_stream_mgmt = {};
mod_time = {};
mod_vcard = {
search = false;
};
mod_vcard_xupdate = {};
mod_version = {};
};
};
};
};
};
};
}

12
config/system-users.nix
View File

@ -1,17 +1,15 @@
{ config, lib, pkgs, ... }:
{
replicator = {
description = "Database Replicator";
hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ=";
};
config.fudo.system-users = {
auth_reader = {
description = "System Authenticator";
hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q==";
ldap-hashed-password = "{SSHA}J4Ihsi1apl3B2kSka8KGDz0tPhO1ipTz";
};
user_db_reader = {
description = "User Database Reader";
hashed-password = "{SSHA}IVKhrB+wMOCI/CCzbJW8sNDbH67ZTMBv";
ldap-hashed-password = "{SSHA}IVKhrB+wMOCI/CCzbJW8sNDbH67ZTMBv";
};
};
}

3
flake.nix
View File

@ -16,7 +16,8 @@
};
fudo-lib = {
url = "git+https://git.fudo.org/fudo-nix/lib.git";
#url = "git+https://git.fudo.org/fudo-nix/lib.git";
url = "path:/state/fudo-lib";
inputs.nixpkgs.follows = "nixpkgs";
};