Take an internal interface, and allow ldap on ips

This commit is contained in:
niten 2024-06-05 09:20:59 -07:00
parent ef3a826f94
commit 44cc8635e5
1 changed files with 97 additions and 41 deletions


@ -42,6 +42,11 @@ in {
default = "ghcr.io/goauthentik/ldap:latest"; default = "ghcr.io/goauthentik/ldap:latest";
}; };
listen-ips = mkOption {
type = str;
description = "Address on which to listen for requests.";
};
port = mkOption { port = mkOption {
type = port; type = port;
description = "Port on which to listen for LDAP requests."; description = "Port on which to listen for LDAP requests.";
@ -97,41 +102,82 @@ in {
}; };
networking = { networking = {
interface = mkOption { internal = {
type = str; interface = mkOption {
description = "Parent host interface on which to listen."; type = str;
}; description =
"Parent host interface on which to listen for internal traffic.";
};
ipv4 = mkOption { ipv4 = mkOption {
type = nullOr (submodule { type = nullOr (submodule {
options = { options = {
address = mkOption { address = mkOption {
type = str; type = str;
description = "IP address."; description = "IP address.";
};
prefixLength = mkOption {
type = int;
description = "Significant bits in the address.";
};
}; };
prefixLength = mkOption { });
type = int; default = null;
description = "Significant bits in the address."; };
};
};
});
default = null;
};
ipv6 = mkOption { ipv6 = mkOption {
type = nullOr (submodule { type = nullOr (submodule {
options = { options = {
address = mkOption { address = mkOption {
type = str; type = str;
description = "IP address."; description = "IP address.";
};
prefixLength = mkOption {
type = int;
description = "Significant bits in the address.";
};
}; };
prefixLength = mkOption { });
type = int; default = null;
description = "Significant bits in the address."; };
};
external = {
interface = mkOption {
type = str;
description = "Parent host interface on which to listen.";
};
ipv4 = mkOption {
type = nullOr (submodule {
options = {
address = mkOption {
type = str;
description = "IP address.";
};
prefixLength = mkOption {
type = int;
description = "Significant bits in the address.";
};
}; };
}; });
}); default = null;
default = null; };
ipv6 = mkOption {
type = nullOr (submodule {
options = {
address = mkOption {
type = str;
description = "IP address.";
};
prefixLength = mkOption {
type = int;
description = "Significant bits in the address.";
};
};
});
default = null;
};
}; };
}; };
}; };
@ -164,7 +210,8 @@ in {
virtualisation.oci-containers.containers.paris-ldap-proxy = { virtualisation.oci-containers.containers.paris-ldap-proxy = {
image = cfg.ldap.image; image = cfg.ldap.image;
autoStart = true; autoStart = true;
ports = [ "172.16.31.1:${toString cfg.ldap.port}:389" ]; ports =
map (ip: "${ip}:${toString cfg.ldap.port}:389") cfg.ldap.listen-ips;
environmentFiles = [ hostSecrets.parisLdapEnv.target-file ]; environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
}; };
@ -255,26 +302,35 @@ in {
}; };
}; };
networking = { networking = let
external = cfg.networking.external;
internal = cfg.networking.internal;
in {
defaultGateway = { defaultGateway = {
address = config.networking.defaultGateway.address; address = config.networking.defaultGateway.address;
interface = "mv-${cfg.networking.interface}"; interface = "mv-${external.interface}";
}; };
enableIPv6 = !isNull cfg.networking.ipv6; enableIPv6 = !isNull internal.ipv6 || !isNull external.ipv6;
nameservers = config.networking.nameservers; nameservers = config.networking.nameservers;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 22 ] ++ cfg.ports; allowedTCPPorts = [ 22 ] ++ cfg.ports;
}; };
interfaces = { interfaces = {
"mv-${cfg.networking.interface}" = { "mv-${external.interface}" = {
ipv4.addresses = optional (!isNull cfg.networking.ipv4) { ipv4.addresses = optional (!isNull external.ipv4) {
address = cfg.networking.ipv4.address; inherit (external.ipv4) address prefixLength;
prefixLength = cfg.networking.ipv4.prefixLength;
}; };
ipv6.addresses = optional (!isNull cfg.networking.ipv6) { ipv6.addresses = optional (!isNull external.ipv6) {
address = cfg.networking.ipv6.address; inherit (external.ipv6) address prefixLength;
prefixLength = cfg.networking.ipv6.prefixLength; };
};
"mv-${internal.interface}" = {
ipv4.addresses = optional (!isNull internal.ipv4) {
inherit (internal.ipv4) address prefixLength;
};
ipv6.addresses = optional (!isNull internal.ipv6) {
inherit (internal.ipv6) address prefixLength;
}; };
}; };
}; };
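Review bot: `listen-ips` is declared `type = str;` in the first hunk (`@ -42,6 +42,11 @@`) but the container definition in the third hunk (`@ -164,7 +210,8 @@`) iterates it as a list with `map (ip: "${ip}:${toString cfg.ldap.port}:389") cfg.ldap.listen-ips`, so a string value that passes the option type check will fail at evaluation time when `map` is applied to it; declare it as `type = listOf str;` and reword the description to `"Addresses on which to publish the LDAP port."`. The option also has no default, whereas the removed line pinned the published port to a single fixed address (`172.16.31.1`), so every existing configuration now fails to evaluate until a value is supplied. Each entry becomes the host-side bind address of the published port, so an entry such as `0.0.0.0` would expose the LDAP proxy on every interface including the new external one; if `cfg.ports` (defined outside these hunks) contains the LDAP port, the interface-agnostic `allowedTCPPorts = [ 22 ] ++ cfg.ports;` rule in the last hunk opens it on `mv-${external.interface}` as well, and scoping that entry under `networking.firewall.interfaces."mv-${internal.interface}".allowedTCPPorts` would keep the exposure internal-only as the commit title intends.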