From 44cc8635e5aa49bc3420ea03aeb07697a20a5a9d Mon Sep 17 00:00:00 2001 From: niten Date: Wed, 5 Jun 2024 09:20:59 -0700 Subject: [PATCH] Take an internal interface, and allow ldap on ips --- paris-container.nix | 138 +++++++++++++++++++++++++++++++------------- 1 file changed, 97 insertions(+), 41 deletions(-) diff --git a/paris-container.nix b/paris-container.nix index df25516..7fa11f8 100644 --- a/paris-container.nix +++ b/paris-container.nix @@ -42,6 +42,11 @@ in { default = "ghcr.io/goauthentik/ldap:latest"; }; + listen-ips = mkOption { + type = str; + description = "Address on which to listen for requests."; + }; + port = mkOption { type = port; description = "Port on which to listen for LDAP requests."; 
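Review bot: The new `listen-ips` option is declared with `type = str;`, but the only consumer in this patch calls `map (ip: …) cfg.ldap.listen-ips`, which requires a list, so a single-string value fails at evaluation and a list value is rejected by the type check — the declaration should be `type = listOf str;` (the plural name and the `map` make the intent clear). The description also reads as singular and does not say what the addresses are used for; suggest `description = "Host addresses on which the LDAP port is published (one port mapping per address).";`. There is no `default`, so any configuration that relied on the previously hard-coded `172.16.31.1` mapping now fails evaluation until it sets this option — if that address is still the intended internal binding, `default = [ "172.16.31.1" ];` would keep existing deployments working, otherwise the breaking change is worth a line in the commit message.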
@@ -97,41 +102,82 @@ in { }; networking = { - interface = mkOption { - type = str; - description = "Parent host interface on which to listen."; - }; + internal = { + interface = mkOption { + type = str; + description = + "Parent host interface on which to listen for internal traffic."; + }; - ipv4 = mkOption { - type = nullOr (submodule { - options = { - address = mkOption { - type = str; - description = "IP address."; + ipv4 = mkOption { + type = nullOr (submodule { + options = { + address = mkOption { + type = str; + description = "IP address."; + }; + prefixLength = mkOption { + type = int; + description = "Significant bits in the address."; + }; }; - prefixLength = mkOption { - type = int; - description = "Significant bits in the address."; - }; - }; - }); - default = null; - }; + }); + default = null; + }; - ipv6 = mkOption { - type = nullOr (submodule { - options = { - address = mkOption { - type = str; - description = "IP address."; + ipv6 = mkOption { + type = nullOr (submodule { + options = { + address = mkOption { + type = str; + description = "IP address."; + }; + prefixLength = mkOption { + type = int; + description = "Significant bits in the address."; + }; }; - prefixLength = mkOption { - type = int; - description = "Significant bits in the address."; + }); + default = null; + }; + }; + external = { + interface = mkOption { + type = str; + description = "Parent host interface on which to listen."; + }; + + ipv4 = mkOption { + type = nullOr (submodule { + options = { + address = mkOption { + type = str; + description = "IP address."; + }; + prefixLength = mkOption { + type = int; + description = "Significant bits in the address."; + }; }; - }; - }); - default = null; + }); + default = null; + }; + + ipv6 = mkOption { + type = nullOr (submodule { + options = { + address = mkOption { + type = str; + description = "IP address."; + }; + prefixLength = mkOption { + type = int; + description = "Significant bits in the address."; + }; + }; + }); + default = 
null; + }; }; }; }; @@ -164,7 +210,8 @@ in { virtualisation.oci-containers.containers.paris-ldap-proxy = { image = cfg.ldap.image; autoStart = true; - ports = [ "172.16.31.1:${toString cfg.ldap.port}:389" ]; + ports = + map (ip: "${ip}:${toString cfg.ldap.port}:389") cfg.ldap.listen-ips; environmentFiles = [ hostSecrets.parisLdapEnv.target-file ]; }; @@ -255,26 +302,35 @@ in { }; }; - networking = { + networking = let + external = cfg.networking.external; + internal = cfg.networking.internal; + in { defaultGateway = { address = config.networking.defaultGateway.address; - interface = "mv-${cfg.networking.interface}"; + interface = "mv-${external.interface}"; }; - enableIPv6 = !isNull cfg.networking.ipv6; + enableIPv6 = !isNull internal.ipv6 || !isNull external.ipv6; nameservers = config.networking.nameservers; firewall = { enable = true; allowedTCPPorts = [ 22 ] ++ cfg.ports; }; interfaces = { - "mv-${cfg.networking.interface}" = { - ipv4.addresses = optional (!isNull cfg.networking.ipv4) { - address = cfg.networking.ipv4.address; - prefixLength = cfg.networking.ipv4.prefixLength; + "mv-${external.interface}" = { + ipv4.addresses = optional (!isNull external.ipv4) { + inherit (external.ipv4) address prefixLength; }; - ipv6.addresses = optional (!isNull cfg.networking.ipv6) { - address = cfg.networking.ipv6.address; - prefixLength = cfg.networking.ipv6.prefixLength; + ipv6.addresses = optional (!isNull external.ipv6) { + inherit (external.ipv6) address prefixLength; + }; + }; + "mv-${internal.interface}" = { + ipv4.addresses = optional (!isNull internal.ipv4) { + inherit (internal.ipv4) address prefixLength; + }; + ipv6.addresses = optional (!isNull internal.ipv6) { + inherit (internal.ipv6) address prefixLength; }; }; };
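Review bot: The `internal` and `external` option sets in this hunk are four copies of the same `address`/`prefixLength` submodule plus two near-identical `interface` options; the only differences are the attribute name and the text "for internal traffic", and the `external.interface` description has even lost that qualifier (it still reads "Parent host interface on which to listen."), while the four `ipv4`/`ipv6` options carry no description at all. Factoring one address submodule and one per-side option builder removes the duplication and keeps both sides from drifting again; the rewrite below is behaviour-preserving apart from the added descriptions (it assumes `submodule`, `nullOr`, `str`, `int` and `mkOption` are in scope as they are in the hunk).
```nix
networking = let
  addressOpts = submodule {
    options = {
      address = mkOption { type = str; description = "IP address."; };
      prefixLength = mkOption { type = int; description = "Significant bits in the address."; };
    };
  };
  # One option set per traffic class; trafficClass is "internal" or "external".
  sideOpts = trafficClass: {
    interface = mkOption {
      type = str;
      description = "Parent host interface on which to listen for ${trafficClass} traffic.";
    };
    ipv4 = mkOption { type = nullOr addressOpts; default = null; description = "IPv4 address for ${trafficClass} traffic, or null for none."; };
    ipv6 = mkOption { type = nullOr addressOpts; default = null; description = "IPv6 address for ${trafficClass} traffic, or null for none."; };
  };
in {
  internal = sideOpts "internal";
  external = sideOpts "external";
};
```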
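Review bot: The new `ports = map (ip: "${ip}:${toString cfg.ldap.port}:389") …` builds the container runtime's `host:hostport:containerport` string verbatim, so an IPv6 entry in `listen-ips` produces an unparseable mapping — the address has to be bracketed, e.g. `map (ip: "${if hasInfix ":" ip then "[${ip}]" else ip}:${toString cfg.ldap.port}:389")` (assuming lib's `hasInfix` is in scope alongside the other lib names used here). Container port 389 is the plaintext LDAP port, and this option replaces a mapping that was pinned to a single address, so any entry that is reachable beyond the internal network exposes unencrypted directory traffic; that should at least be stated in the option's description, and an empty list now silently publishes nothing, which is worth an assertion if the proxy is always expected to be reachable.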
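Review bot: With the second `mv-${internal.interface}` interface added, the unchanged global `firewall.allowedTCPPorts = [ 22 ] ++ cfg.ports;` now opens the same ports on both interfaces; if the service ports are only meant for one side, scope them with `firewall.interfaces."mv-${external.interface}".allowedTCPPorts = cfg.ports;` (or the internal one) and keep only SSH global. Separately, nothing prevents `internal.interface` and `external.interface` from being set to the same value, in which case the two dynamic attribute names in `interfaces` collide and evaluation fails with an opaque duplicate-attribute error — a module assertion such as `assertions = [{ assertion = internal.interface != external.interface; message = "paris: internal and external interfaces must differ"; }];` gives a readable failure instead (assuming this config is evaluated as a NixOS module, which the `networking.firewall` usage suggests).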