From 6216f0bb4c0e6d2bf2d224d28e4d2b566e31b565 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Mon, 11 Mar 2024 22:02:39 -0700
Subject: [PATCH] feat(idp): port forwarding
---
 docs/network.adoc | 1 +
 nixos/access/freeipa.nix | 78 ++++++++++++++++++++++++++++++++++-----
 systems/hakurei/nixos.nix | 6 +++
 3 files changed, 75 insertions(+), 10 deletions(-)
diff --git a/docs/network.adoc b/docs/network.adoc
index 9715c774..88e596eb 100644
--- a/docs/network.adoc
+++ b/docs/network.adoc
@@ -57,3 +57,4 @@ hakurei::
 * ^UDP:^[.value]##41641##
 * ^UDP:^[.value]##5353##
 * ^TCP:^[.value]##8001##, ^TCP:^[.value]##8003##
+* [.value]##88##, [.value]##464##, ^UDP:^[.value]##4444##
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index e4ded7e0..69f18c74 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@@ -5,27 +5,34 @@ ... }: let
- inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkBefore mkIf mkDefault;
+ inherit (lib.strings) optionalString concatStringsSep;
 inherit (config.services) tailscale;
 inherit (config.services.nginx) virtualHosts;
 access = config.services.nginx.access.freeipa;
 inherit (config.services.nginx.access) ldap;
- locations = {
+ extraConfig = ''
+ ssl_verify_client optional_no_ca;
+ '';
+ locations' = domain: {
 "/" = {
 proxyPass = mkDefault access.proxyPass;
 recommendedProxySettings = false;
 extraConfig = ''
- proxy_set_header Host ${access.domain};
+ proxy_set_header Host ${domain};
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Server $host;
- proxy_redirect https://${access.domain}/ $scheme://$host/;
+ proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
+ proxy_redirect https://${domain}/ $scheme://$host/;
 '';
 };
 };
+ locations = locations' access.domain;
+ caLocations = locations' access.caDomain;
 in {
 imports = let
 inherit (meta) nixos;
@@ -37,6 +44,25 @@ in {
 host = mkOption {
 type = str;
 };
+ kerberos = {
+ enable = mkEnableOption "proxy kerberos" // {
+ default = true;
+ };
+ ports = {
+ ticket = mkOption {
+ type = port;
+ default = 88;
+ };
+ ticket4 = mkOption {
+ type = port;
+ default = 4444;
+ };
+ kpasswd = mkOption {
+ type = port;
+ default = 749;
+ };
+ };
+ };
 proxyPass = mkOption {
 type = str;
 default = let
@@ -47,6 +73,10 @@ in {
 type = str;
 default = "idp.${config.networking.domain}";
 };
+ caDomain = mkOption {
+ type = str;
+ default = "idp-ca.${config.networking.domain}";
+ };
 localDomain = mkOption {
 type = str;
 default = "freeipa.local.${config.networking.domain}";
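Review bot: `ssl_verify_client optional_no_ca` in the new `extraConfig` makes nginx accept any client certificate without checking it against a CA and merely relay it in `X-SSL-CERT`, so certificate validation is delegated entirely to the FreeIPA backend; that trade-off deserves a comment next to the directive, e.g. `# optional_no_ca: the proxy does not validate client certs; the backend must verify X-SSL-CERT against its own CA`. The same comment should note that `proxy_set_header X-SSL-CERT $ssl_client_escaped_cert` replaces any `X-SSL-CERT` a client sends (nginx drops the field when the value is empty), so a forged header cannot reach the backend. The newly inherited `mkBefore`, `optionalString` and `concatStringsSep` are not used in any hunk of this patch; if the rest of the file does not use them either, they should be dropped from the `inherit` lines.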
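Review bot: The `kpasswd` option defaults to 749, which is the IANA `kerberos-adm` (kadmin) port; the kpasswd protocol runs on 464, which is what docs/network.adoc and the hakurei override in this same patch use. Either change the default to `default = 464;` or rename the option if 749 is really intended, so a host that does not override it does not open and forward the admin port under a misleading name. The new `kerberos.enable`, `ports.ticket`, `ports.ticket4` and `ports.kpasswd` options, and `caDomain` in the next hunk, also carry no `description`; one line each (e.g. `description = "KDC port forwarded to the IdP host";`) would make the module options self-explanatory.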
@@ -76,9 +106,34 @@ in {
 port = mkDefault access.ldapPort;
 useACMEHost = mkDefault access.useACMEHost;
 };
+ streamConfig = mkIf access.kerberos.enable ''
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket};
+ listen [::]:${toString access.kerberos.ports.ticket};
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
+ listen [::]:${toString access.kerberos.ports.ticket} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
+ }
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
+ listen [::]:${toString access.kerberos.ports.ticket4} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
+ }
+ server {
+ listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
+ listen [::]:${toString access.kerberos.ports.kpasswd};
+ listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
+ listen [::]:${toString access.kerberos.ports.kpasswd} udp;
+ proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
+ }
+ '';
 virtualHosts = {
 ${access.domain} = {
- inherit locations;
+ inherit locations extraConfig;
+ };
+ ${access.caDomain} = {
+ locations = caLocations;
+ inherit extraConfig;
 };
 ${access.localDomain} = {
 inherit (virtualHosts.${access.domain}) useACMEHost;
@@ -111,11 +166,14 @@ in {
 };
 networking.firewall = {
- interfaces.local.allowedTCPPorts = [
- 389
+ allowedTCPPorts = mkIf access.kerberos.enable [
+ access.kerberos.ports.ticket
+ access.kerberos.ports.kpasswd
 ];
- allowedTCPPorts = [
- 636
+ allowedUDPPorts = mkIf access.kerberos.enable [
+ access.kerberos.ports.ticket
+ access.kerberos.ports.ticket4
+ access.kerberos.ports.kpasswd
 ];
 };
 };
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 68923445..452130e9 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -100,6 +100,7 @@ in {
 extraDomainNames = mkMerge [
 [
 access.freeipa.localDomain
+ access.freeipa.caDomain
 access.ldap.domain
 access.ldap.localDomain
 ]
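Review bot: The UDP `listen` lines in `streamConfig` come with no `proxy_responses` or `proxy_timeout`, so by default each Kerberos datagram session is held until the stream `proxy_timeout` expires, which lets a burst of UDP packets from spoofable sources pin proxy sessions and descriptors; Kerberos is one request, one reply, so `proxy_responses 1;` in each UDP-serving `server` block (with a short `proxy_timeout`) releases them promptly. The KDC behind the proxy will also see only the proxy's address, so authentication failures in FreeIPA's own logs lose the real client IP; an `access_log` in the stream context whose `log_format` includes `$remote_addr` and `$server_port` should accompany this so the mapping can be reconstructed during an investigation. The `0.0.0.0`/`[::]` binds cover every interface, consistent with the firewall hunk below, so confirm that exposing the KDC and kpasswd listeners beyond the local network is intended.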
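Review bot: The firewall hunk replaces the LDAP rules (389 on `interfaces.local`, 636 globally) with the Kerberos rules instead of adding to them, so after this patch the module no longer opens 389/636 at all. If the `ldap` access module now owns those openings this is fine, but that is not visible in the patch; otherwise it is a silent regression for LDAP clients. The per-interface scoping is gone as well: the new `allowedTCPPorts`/`allowedUDPPorts` are global, which matches the all-interface `listen` lines in `streamConfig` but widens exposure compared with the rule it replaces; if only local clients need password changes, `interfaces.local.allowedTCPPorts = [ access.kerberos.ports.kpasswd ];` would keep the narrower posture for that port.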
@@ -179,6 +180,7 @@ in {
 };
 access.freeipa = {
 host = "idp.local.${config.networking.domain}";
+ kerberos.ports.kpasswd = 464;
 };
 access.freepbx = {
 useACMEHost = access.freepbx.domain;
@@ -198,6 +200,10 @@ in {
 forceSSL = true;
 useACMEHost = access.freeipa.domain;
 };
+ ${access.freeipa.caDomain} = {
+ forceSSL = true;
+ useACMEHost = access.freeipa.domain;
+ };
 ${access.freepbx.domain} = {
 local.enable = true;
 };