feat(idp): port forwarding

docs/network.adoc

@@ -57,3 +57,4 @@ hakurei::
 * ^UDP:^[.value]##41641##
 * ^UDP:^[.value]##5353##
 * ^TCP:^[.value]##8001##, ^TCP:^[.value]##8003##
+* [.value]##88##, [.value]##464##, ^UDP:^[.value]##4444##

nixos/access/freeipa.nix

@@ -5,27 +5,34 @@
   ...
 }:
 let
-  inherit (lib.options) mkOption;
+  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.modules) mkBefore mkIf mkDefault;
+  inherit (lib.strings) optionalString concatStringsSep;
   inherit (config.services) tailscale;
   inherit (config.services.nginx) virtualHosts;
   access = config.services.nginx.access.freeipa;
   inherit (config.services.nginx.access) ldap;
-  locations = {
+  extraConfig = ''
+    ssl_verify_client optional_no_ca;
+  '';
+  locations' = domain: {
     "/" = {
       proxyPass = mkDefault access.proxyPass;
       recommendedProxySettings = false;
       extraConfig = ''
-        proxy_set_header Host ${access.domain};
+        proxy_set_header Host ${domain};
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Forwarded-Server $host;
-        proxy_redirect https://${access.domain}/ $scheme://$host/;
+        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
+        proxy_redirect https://${domain}/ $scheme://$host/;
       '';
     };
   };
+  locations = locations' access.domain;
+  caLocations = locations' access.caDomain;
 in {
   imports = let
     inherit (meta) nixos;
@@ -37,6 +44,25 @@ in {
     host = mkOption {
       type = str;
     };
+    kerberos = {
+      enable = mkEnableOption "proxy kerberos" // {
+        default = true;
+      };
+      ports = {
+        ticket = mkOption {
+          type = port;
+          default = 88;
+        };
+        ticket4 = mkOption {
+          type = port;
+          default = 4444;
+        };
+        kpasswd = mkOption {
+          type = port;
+          default = 749;
+        };
+      };
+    };
     proxyPass = mkOption {
       type = str;
       default = let
@@ -47,6 +73,10 @@ in {
       type = str;
       default = "idp.${config.networking.domain}";
     };
+    caDomain = mkOption {
+      type = str;
+      default = "idp-ca.${config.networking.domain}";
+    };
     localDomain = mkOption {
       type = str;
       default = "freeipa.local.${config.networking.domain}";
@@ -76,9 +106,34 @@ in {
         port = mkDefault access.ldapPort;
         useACMEHost = mkDefault access.useACMEHost;
       };
+      streamConfig = mkIf access.kerberos.enable ''
+        server {
+          listen 0.0.0.0:${toString access.kerberos.ports.ticket};
+          listen [::]:${toString access.kerberos.ports.ticket};
+          listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
+          listen [::]:${toString access.kerberos.ports.ticket} udp;
+          proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
+        }
+        server {
+          listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
+          listen [::]:${toString access.kerberos.ports.ticket4} udp;
+          proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
+        }
+        server {
+          listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
+          listen [::]:${toString access.kerberos.ports.kpasswd};
+          listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
+          listen [::]:${toString access.kerberos.ports.kpasswd} udp;
+          proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
+        }
+      '';
       virtualHosts = {
         ${access.domain} = {
-          inherit locations;
+          inherit locations extraConfig;
+        };
+        ${access.caDomain} = {
+          locations = caLocations;
+          inherit extraConfig;
         };
         ${access.localDomain} = {
           inherit (virtualHosts.${access.domain}) useACMEHost;
@@ -111,11 +166,14 @@ in {
     };
 
     networking.firewall = {
-      interfaces.local.allowedTCPPorts = [
+      allowedTCPPorts = mkIf access.kerberos.enable [
-        389
+        access.kerberos.ports.ticket
+        access.kerberos.ports.kpasswd
       ];
-      allowedTCPPorts = [
+      allowedUDPPorts = mkIf access.kerberos.enable [
-        636
+        access.kerberos.ports.ticket
+        access.kerberos.ports.ticket4
+        access.kerberos.ports.kpasswd
       ];
     };
   };

systems/hakurei/nixos.nix

@@ -100,6 +100,7 @@ in {
       extraDomainNames = mkMerge [
         [
           access.freeipa.localDomain
+          access.freeipa.caDomain
           access.ldap.domain
           access.ldap.localDomain
         ]
@@ -179,6 +180,7 @@ in {
     };
     access.freeipa = {
       host = "idp.local.${config.networking.domain}";
+      kerberos.ports.kpasswd = 464;
     };
     access.freepbx = {
       useACMEHost = access.freepbx.domain;
@@ -198,6 +200,10 @@ in {
         forceSSL = true;
         useACMEHost = access.freeipa.domain;
       };
+      ${access.freeipa.caDomain} = {
+        forceSSL = true;
+        useACMEHost = access.freeipa.domain;
+      };
       ${access.freepbx.domain} = {
         local.enable = true;
       };