Take an internal interface, and allow ldap on ips

2024-06-05 09:20:59 -07:00 · 2024-06-05 09:20:59 -07:00 · 44cc8635e5
parent ef3a826f94
commit 44cc8635e5
1 changed files with 97 additions and 41 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -42,6 +42,11 @@ in {
        default = "ghcr.io/goauthentik/ldap:latest";
      };

+      listen-ips = mkOption {
+        type = str;
+        description = "Address on which to listen for requests.";
+      };
+
      port = mkOption {
        type = port;
        description = "Port on which to listen for LDAP requests.";
@ -97,41 +102,82 @@ in {
    };

    networking = {
-      interface = mkOption {
-        type = str;
-        description = "Parent host interface on which to listen.";
-      };
+      internal = {
+        interface = mkOption {
+          type = str;
+          description =
+            "Parent host interface on which to listen for internal traffic.";
+        };

-      ipv4 = mkOption {
-        type = nullOr (submodule {
-          options = {
-            address = mkOption {
-              type = str;
-              description = "IP address.";
+        ipv4 = mkOption {
+          type = nullOr (submodule {
+            options = {
+              address = mkOption {
+                type = str;
+                description = "IP address.";
+              };
+              prefixLength = mkOption {
+                type = int;
+                description = "Significant bits in the address.";
+              };
            };
-            prefixLength = mkOption {
-              type = int;
-              description = "Significant bits in the address.";
-            };
-          };
-        });
-        default = null;
-      };
+          });
+          default = null;
+        };

-      ipv6 = mkOption {
-        type = nullOr (submodule {
-          options = {
-            address = mkOption {
-              type = str;
-              description = "IP address.";
+        ipv6 = mkOption {
+          type = nullOr (submodule {
+            options = {
+              address = mkOption {
+                type = str;
+                description = "IP address.";
+              };
+              prefixLength = mkOption {
+                type = int;
+                description = "Significant bits in the address.";
+              };
            };
-            prefixLength = mkOption {
-              type = int;
-              description = "Significant bits in the address.";
+          });
+          default = null;
+        };
+      };
+      external = {
+        interface = mkOption {
+          type = str;
+          description = "Parent host interface on which to listen.";
+        };
+
+        ipv4 = mkOption {
+          type = nullOr (submodule {
+            options = {
+              address = mkOption {
+                type = str;
+                description = "IP address.";
+              };
+              prefixLength = mkOption {
+                type = int;
+                description = "Significant bits in the address.";
+              };
            };
-          };
-        });
-        default = null;
+          });
+          default = null;
+        };
+
+        ipv6 = mkOption {
+          type = nullOr (submodule {
+            options = {
+              address = mkOption {
+                type = str;
+                description = "IP address.";
+              };
+              prefixLength = mkOption {
+                type = int;
+                description = "Significant bits in the address.";
+              };
+            };
+          });
+          default = null;
+        };
      };
    };
  };
@ -164,7 +210,8 @@ in {
    virtualisation.oci-containers.containers.paris-ldap-proxy = {
      image = cfg.ldap.image;
      autoStart = true;
-      ports = [ "172.16.31.1:${toString cfg.ldap.port}:389" ];
+      ports =
+        map (ip: "${ip}:${toString cfg.ldap.port}:389") cfg.ldap.listen-ips;
      environmentFiles = [ hostSecrets.parisLdapEnv.target-file ];
    };

@ -255,26 +302,35 @@ in {
          };
        };

-        networking = {
+        networking = let
+          external = cfg.networking.external;
+          internal = cfg.networking.internal;
+        in {
          defaultGateway = {
            address = config.networking.defaultGateway.address;
-            interface = "mv-${cfg.networking.interface}";
+            interface = "mv-${external.interface}";
          };
-          enableIPv6 = !isNull cfg.networking.ipv6;
+          enableIPv6 = !isNull internal.ipv6 || !isNull external.ipv6;
          nameservers = config.networking.nameservers;
          firewall = {
            enable = true;
            allowedTCPPorts = [ 22 ] ++ cfg.ports;
          };
          interfaces = {
-            "mv-${cfg.networking.interface}" = {
-              ipv4.addresses = optional (!isNull cfg.networking.ipv4) {
-                address = cfg.networking.ipv4.address;
-                prefixLength = cfg.networking.ipv4.prefixLength;
+            "mv-${external.interface}" = {
+              ipv4.addresses = optional (!isNull external.ipv4) {
+                inherit (external.ipv4) address prefixLength;
              };
-              ipv6.addresses = optional (!isNull cfg.networking.ipv6) {
-                address = cfg.networking.ipv6.address;
-                prefixLength = cfg.networking.ipv6.prefixLength;
+              ipv6.addresses = optional (!isNull external.ipv6) {
+                inherit (external.ipv6) address prefixLength;
+              };
+            };
+            "mv-${internal.interface}" = {
+              ipv4.addresses = optional (!isNull internal.ipv4) {
+                inherit (internal.ipv4) address prefixLength;
+              };
+              ipv6.addresses = optional (!isNull internal.ipv6) {
+                inherit (internal.ipv6) address prefixLength;
              };
            };
          };