From 689e012a1414ee7136f1f7548fe1277a4ff2c1f6 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Sun, 5 Sep 2021 03:44:19 +0100
Subject: [PATCH] README stuff, glauth
---
 README.md | 59 ++----------------------------
 config/modules/nixos/glauth.nix | 29 ++++++++-------
 config/services/glauth/default.nix | 28 +++++++++-----
 config/services/mail/default.nix | 2 +-
 4 files changed, 39 insertions(+), 79 deletions(-)
diff --git a/README.md b/README.md
index c393db7f..9e199f2c 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,6 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
 ## Contents
-- [To-do][]
 - [Nodes][2]
 - [Profiles][]
 - [User Profiles][]
@@ -20,53 +19,6 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
 - [Dependencies][]
 - [Commands][]
-## To-do
-
-- [ ] Write my own Dynamic DNS updater to replace the removed Glauca one using [knsupdate][].
-- [ ] Consider reworking [kittywitch/nixexprs][] and [kittywitch/nixfiles-base][].
- - [x] In-housed [kittywitch/nixexprs][] as [exprs][].
- - [x] Merged my local changes with [exprs][].
- - [ ] Prioritise modules reusability.
-- [ ] Expand [kittywitch/anicca][] to be a module that helps with impermanence, too.
- - [x] Host impermanence enablement check.
- - [ ] Break anicca-migrator into interface modules.
- - [ ] Bind mount status list.
- - [ ] Bind mount start/enabler script.
-- [ ] Migrate any nodes that can be impermanent to impermanence.
- - [ ] yule
- - [ ] beltane
- - [ ] athame’s successor
-- [ ] Move to using [arcnmx/screenstub][] without any patches.
- - [ ] Check new config options, port current patch to new config options.
-- [ ] Move waybar modules to using signals.
-- [ ] Make waybar module for gammastep toggle.
-- [ ] Investigate how to fix Yule’s PCI-E issues.
-- [ ] Migrate boline to NixOS.
- - [x] Look into ARM cross-compilation w/ nixpkgs.
- - [x] Look into existing binary caches.
- - [ ] Write packages & services for DHT22 exporter + the socat.
-- [ ] Migrate [athame][] to OCI.
- - [x] Look into ARM cross-compilation w/ nixpkgs.
- - [x] Look into existing binary caches.
- - [ ] Do backups, figure out per-service backup system for state.
- - [x] Create a replacement box before any migration on OCI.
-- [ ] Look into alternatives to Yggdrasil and move to them.
-- [ ] Set up IPv6 network handling for my hosts.
- - [x] Fix network module tf-nix integrations.
- - [x] Rinnosuke IPv6.
- - [ ] Local node IPv6 configuration.
-- [ ] Add CI building and caching for required architectures.
- - [x] aarch64 specific implementation
- - [x] ARMv6 specific implementation
- - [ ] Generalised emulated compiles.
-- [ ] Imports structure refactor.
- - [x] Work on the readTree-like modList replacement.
- - [ ] Eventually refactor recursiveMod to be sane.
- - [ ] Extend recursiveMod to allow for merging of structures.
- - [ ] Create a “lite” base profile for devices like shinmyoumaru.
- - [x] Add a shared profile that adds user imports.
- - [x] Migrate some of shinmyoumaru’s configuration into profiles.hardware.raspi
-
 ## Nodes
 | Node | Purpose |
@@ -210,7 +162,6 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
 [1]: https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml
 [This repository on my self hosted git.]: https://git.kittywit.ch/kat/nixfiles
 [This repository on GitHub.]: https://github.com/kittywitch/nixfiles
- [To-do]: #to-do
 [2]: #nodes
 [Profiles]: #profiles
 [User Profiles]: #user-profiles
@@ -219,12 +170,6 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
 [CI]: #ci
 [Dependencies]: #dependencies
 [Commands]: #commands
- [knsupdate]: https://www.knot-dns.cz/docs/2.4/html/man_knsupdate.html
- [kittywitch/nixexprs]: https://github.com/kittywitch/nixexprs
- [kittywitch/nixfiles-base]: https://github.com/kittywitch/nixfiles-base
- [exprs]: overlays/exprs
- [kittywitch/anicca]: https://github.com/kittywitch/anicca
- [arcnmx/screenstub]: https://github.com/arcnmx/screenstub
 [athame]: config/hosts/athame
 [daiyousei]: config/hosts/daiyousei
 [rinnosuke]: config/hosts/rinnosuke
@@ -240,6 +185,7 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
 [shared]: config/profiles/shared.nix
 [vfio]: config/profiles/vfio
 [arcnmx/nixexprs]: https://github.com/arcnmx/nixexprs
+ [arcnmx/screenstub]: https://github.com/arcnmx/screenstub
 [hardware]: config/profiles/hardware
 [cross]: config/profiles/cross
 [3]: config/users/kat/base
@@ -283,8 +229,11 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
 [xmpp]: config/services/xmpp/default.nix
 [zfs]: config/services/zfs/default.nix
 [znc]: config/services/znc/default.nix
+ [kittywitch/nixexprs]: https://github.com/kittywitch/nixexprs
+ [exprs]: overlays/exprs
 [arcnmx/tf-nix]: https://github.com/arcnmx/tf-nix
 [nix-community/impermanence]: https://github.com/nix-community/impermanence
+ [kittywitch/anicca]: https://github.com/kittywitch/anicca
 [arcnmx/ci]: https://github.com/arcnmx/ci
 [6]: ci/nodes.nix
 [niv-cron]: ci/niv-cron.nix
diff --git a/config/modules/nixos/glauth.nix b/config/modules/nixos/glauth.nix
index 13afade4..9cbaeedd 100644
--- a/config/modules/nixos/glauth.nix
+++ b/config/modules/nixos/glauth.nix
@@ -50,7 +50,17 @@ in
 };
 settings = mkOption {
 type = json.types.attrs;
- default = mkIf cfg.database.enable {
+ default = {};
+ };
+ };
+ config =
+ let
+ localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
+ postgresCheck = localCheck && dbcfg.type == "postgres";
+ mysqlCheck = localCheck && dbcfg.type == "mysql";
+ in
+ mkIf cfg.enable {
+ services.glauth.settings = mkIf cfg.database.enable {
 backend =
 let
 pluginHandlers = {
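Review bot: The `settings` option in this hunk gains `default = {};` but still has no `description`, so the fact that the database backend section is now merged in from `config` (`services.glauth.settings = mkIf cfg.database.enable { ... }`) is invisible to anyone reading the option. I would add `description = "glauth settings; when services.glauth.database.enable is set, a backend section for the configured database is merged in.";` next to the `type = json.types.attrs;` line. The `config` attribute opened at the end of this hunk continues past it.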
@@ -61,27 +71,20 @@ in
 in {
 datastore = "plugin";
- plugin = "bin/${cfg.database.type}.so";
+ plugin = "${cfg.package}/bin/plugin_${dbcfg.type}";
 pluginhandler = pluginHandlers.${dbcfg.type};
 database = if (dbcfg.type != "sqlite") then (builtins.replaceStrings (singleton "\n") (singleton " ") ''
 host=${dbcfg.host}
- port=${dbcfg.port}
+ port=${toString dbcfg.port}
 dbname=glauth
 username=${dbcfg.username}
 password=@db-password@
 sslmode=${if dbcfg.ssl then "enable" else "disable"}
 '') else "database = \"gl.db\"";
 };
- };
- };
- };
- config =
- let
- localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
- postgresCheck = localCheck && dbcfg.type == "postgres";
- mysqlCheck = localCheck && dbcfg.type == "mysql";
- in
- mkIf cfg.enable {
+ };
+
+ systemd.services.glauthPostgreSQLInit = lib.mkIf postgresCheck {
 after = [ "postgresql.service" ];
 before = [ "glauth.service" ];
diff --git a/config/services/glauth/default.nix b/config/services/glauth/default.nix
index d15d75b1..d37ec626 100644
--- a/config/services/glauth/default.nix
+++ b/config/services/glauth/default.nix
@@ -1,5 +1,5 @@
 { config, tf, lib, ... }: with lib; {
- network.firewall.public.tcp.ports = singleton 3984;
+ network.firewall.public.tcp.ports = [ 3983 3984 ];
 network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
 users.groups.domain-auth.members = [ "nginx" "glauth" ];
@@ -17,7 +17,7 @@
 settings = {
 syslog = true;
 ldap = {
- enable = false;
+ enabled = true;
 listen = "0.0.0.0:3893";
 };
 ldaps = {
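Review bot: The DSN assembled around the corrected `port=${toString dbcfg.port}` line still emits `sslmode=enable` when `dbcfg.ssl` is true; if that string reaches a libpq-style parser, `enable` is not one of its accepted modes (disable, allow, prefer, require, verify-ca, verify-full), so switching `ssl` on would likely fail at connect time instead of encrypting the connection. Worth confirming against the plugin's parser, and since only `verify-full` also checks the server's identity, using it for a non-local host: `sslmode=${if dbcfg.ssl then "verify-full" else "disable"}`. The `password=@db-password@` placeholder is presumably substituted outside this hunk, and the `backend` attribute set this sits in starts before it.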
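Review bot: Renaming the key to `enabled = true;` makes the plaintext LDAP listener on `listen = "0.0.0.0:3893";` take effect on every interface; if glauth never read the old `enable` key, that listener was off before and is genuinely new with this commit. The firewall hunk earlier in this file opens 3983 and 3984 rather than 3893, so external exposure depends on what else fronts the port, but if only on-host consumers need unencrypted LDAP it is safer to bind it locally with `listen = "127.0.0.1:3893";` and leave the TLS `ldaps` listener as the reachable one. The `settings` set continues beyond the hunk.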
@@ -27,14 +27,22 @@
 key = "/var/lib/acme/domain-auth/key.pem";
 };
 backend = {
- baseDN = "dc=kittywitch,dc=com";
+ baseDN = "dc=kittywitc,dc=ch";
 };
- users = [{
- name = "kat";
- passsha256 = tf.variables.glauth-password-hash.ref;
- uidnumber = 1000;
- primarygroup = 1500;
- }];
+ users = [
+ {
+ name = "kat";
+ passsha256 = tf.variables.glauth-password-hash.ref;
+ uidnumber = 1000;
+ primarygroup = 1500;
+ }
+ {
+ name = "kc";
+ passsha256 = tf.variables.glauth-kc-password-hash.ref;
+ uidnumber = 1001;
+ primarygroup = 1500;
+ }
+ ];
 groups = [{
 name = "admins";
 gidnumber = 1500;
@@ -46,7 +54,7 @@
 nameValuePair "glauth-${field}" {
 path = "services/glauth";
 inherit field;
-}) ["password-hash" "postgres"];
+}) ["password-hash" "kc-password-hash" "postgres"];
 secrets.files = {
 glauth-postgres-file = {
diff --git a/config/services/mail/default.nix b/config/services/mail/default.nix
index 51c86a8a..0eee267c 100644
--- a/config/services/mail/default.nix
+++ b/config/services/mail/default.nix
@@ -61,7 +61,7 @@ in
 (user: nameValuePair "mail-${user}-hash" {
 text = ''
- ${tf.variables.mail-kat-hash.ref}
+ ${tf.variables."mail-${user}-hash".ref}
 '';
 }) users);
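Review bot: The new `kc` entry, like `kat`, authenticates via `passsha256`, an unsalted SHA-256 of the password; with two accounts on that scheme, anyone who obtains the rendered config can test guesses against both hashes far faster than against a bcrypt hash. If the glauth version in use supports it, `passbcrypt` is the stronger choice for the new account, and the tf variable can carry a bcrypt hash just as it carries the SHA-256 one today. Both users also get `primarygroup = 1500;`, which the context lines show is the `admins` group, so confirm kc is meant to inherit whatever consumers grant that group rather than a less privileged one. The secrets hunk below, which adds `"kc-password-hash"`, is consistent with this change.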
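Review bot: The replaced line pointed every `mail-${user}-hash` secret at `tf.variables.mail-kat-hash`, so a deployment built from it would have written kat's hash into each listed user's file and, presumably, accepted kat's password for those accounts; the new `tf.variables."mail-${user}-hash".ref` fixes that, and it is worth checking whether such a build was ever live before treating this as purely cosmetic. Evaluation now requires a `mail-<user>-hash` variable for every entry in `users`, so a missing one surfaces as an evaluation error rather than a silent fallback. The `map` call this lambda belongs to starts before the hunk.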