services/keycloak: Working. services/openldap: Init

config/hosts/daiyousei.nix

@@ -5,7 +5,8 @@
     profiles.network
     services.nginx
     services.keycloak
-    services.glauth
+    services.openldap
+    services.dnscrypt-proxy
   ];
 
   kw.oci = {

config/hosts/ran.nix

@@ -76,7 +76,6 @@ with lib;
   network.firewall = {
     public = {
       interfaces = singleton "enp1s0";
-      tcp.ports = [ 9981 9982 ];
     };
   };
 

config/modules/nixos/network.nix

@@ -137,7 +137,8 @@ in
               ipv4.address = mkIf (cfg.addresses.${network}.nixos.ipv4.enable) cfg.addresses.${network}.nixos.ipv4.address;
               ipv6.address = mkIf (cfg.addresses.${network}.nixos.ipv6.enable) cfg.addresses.${network}.nixos.ipv6.address;
             };
-          })) // {
+          })))
+          (mkIf cfg.tf.enable {
             public = {
               tf = {
                 ipv4.address = mkIf (cfg.tf.ipv4_attr != null) (tf.resources.${config.networking.hostName}.refAttr cfg.tf.ipv4_attr);

config/services/glauth/default.nix

@@ -1,8 +1,8 @@
 { config, tf, lib, ... }: with lib; {
-  network.firewall.public.tcp.ports = [ 3984 ];
+  network.firewall.public.tcp.ports = [ 636 ];
 
   network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
-  users.groups.domain-auth.members = [ "nginx" "glauth" ];
+  users.groups.domain-auth.members = [ "nginx" "glauth" "keycloak" ];
   security.acme.certs.domain-auth.group = "domain-auth";
 
   services.glauth = {
@@ -22,7 +22,7 @@
       };
       ldaps = {
         enabled = true;
-        listen = "0.0.0.0:3894";
+        listen = "0.0.0.0:636";
         cert = "/var/lib/acme/domain-auth/fullchain.pem";
         key = "/var/lib/acme/domain-auth/key.pem";
       };
@@ -32,21 +32,32 @@
       users = [
         {
           name = "kat";
+          mail = "kat@kittywit.ch";
+          loginshell="/usr/bin/env zsh";
+          homedirectory="/home/kat";
           passsha256 = tf.variables.glauth-password-hash.ref;
           uidnumber = 1000;
           primarygroup = 1500;
+          givenname = "kat";
+          sn = "witch";
         }
         {
           name = "kc";
           passsha256 = tf.variables.glauth-kc-password-hash.ref;
-          uidnumber = 1001;
-          primarygroup = 1500;
+          uidnumber = 999;
+          primarygroup = 1499;
+        }
+      ];
+      groups = [
+        {
+          name = "admins";
+          gidnumber = 1499;
+        }
+        {
+          name = "users";
+          gidnumber = 1500;
         }
       ];
-      groups = [{
-        name = "admins";
-        gidnumber = 1500;
-      }];
     };
   };
 

config/services/keycloak/default.nix

@@ -1,6 +1,11 @@
-{ config, lib, tf, ... }: with lib; {
+{ config, pkgs, lib, tf, ... }: with lib; let
+  keystore-pass = "zZX3eS";
+in {
   services.keycloak = {
     enable = true;
+    package = (pkgs.keycloak.override {
+      jre = pkgs.openjdk11;
+    });
     bindAddress = "127.0.0.1";
     httpPort = "8089";
     httpsPort = "8445";
@@ -8,6 +13,37 @@
     forceBackendUrlToFrontendUrl = true;
     frontendUrl = "https://auth.${config.network.dns.domain}/auth";
     database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
+    extraConfig = {
+    "subsystem=undertow" = {
+      "server=default-server" = {
+        "http-listener=default" = {
+          "proxy-address-forwarding" = true;
+        };
+      };
+    };
+    "subsystem=keycloak-server" = {
+        "spi=truststore" = {
+          "provider=file" = {
+            enabled = true;
+            properties.password = keystore-pass;
+            properties.file = "/var/lib/acme/domain-auth/trust-store.jks";
+            properties.hostname-verification-policy = "WILDCARD";
+            properties.disabled = false;
+          };
+        };
+      };
+    };
+  };
+
+
+  network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
+  users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
+  security.acme.certs.domain-auth = {
+    group = "domain-auth";
+    postRun = ''
+      ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
+      chown acme:domain-auth ./trust-store.jks
+    '';
   };
 
   users.groups.keycloak = { };

config/services/openldap/default.nix

@@ -0,0 +1,90 @@
+{ config, pkgs, tf, lib, ... }: with lib; {
+  network.firewall.public.tcp.ports = [ 636 ];
+
+  services.openldap = {
+    enable = true;
+    urlList = [ "ldap:///" "ldapi:///" "ldaps:///" ];
+    settings = {
+      attrs = {
+        objectClass = "olcGlobal";
+        cn = "config";
+        olcPidFile = "/run/slapd/slapd.pid";
+        olcTLSCACertificateFile = "/var/lib/acme/domain-auth/fullchain.pem";
+        olcTLSCertificateFile = "/var/lib/acme/domain-auth/cert.pem";
+        olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem";
+      };
+      children = {
+        "cn=schema" = {
+          attrs = {
+            cn = "schema";
+            objectClass = "olcSchemaConfig";
+          };
+          includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          "${pkgs.openldap}/etc/schema/nis.ldif"
+          ];
+        };
+        "olcDatabase={-1}frontend" = {
+          attrs = {
+            objectClass = [
+              "olcDatabaseConfig"
+              "olcFrontendConfig"
+            ];
+            olcDatabase = "{-1}frontend";
+            olcAccess = [
+              "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break"
+              "{1}to dn.exact=\"\" by * read"
+              "{2}to dn.base=\"cn=Subschema\" by * read"
+            ];
+          };
+        };
+        "olcDatabase={0}config" = {
+          attrs = {
+            objectClass = "olcDatabaseConfig";
+            olcDatabase = "{0}config";
+            olcAccess = [ "{0}to * by * none break" ];
+          };
+        };
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/db/ldap";
+            olcSuffix = "dc=kittywit,dc=ch";
+            olcRootDN = "cn=root,dc=kittywit,dc=ch";
+            olcRootPW.path = config.secrets.files.openldap-root-password-file.path;
+            olcAccess = [
+              "{0}to attrs=userPassword
+                by anonymous auth
+                by self write
+                by * none"
+              "{1}to *
+                by dn.children=\"ou=users,dc=kittywit,dc=ch\" write
+                by self read by * none"
+              "{2}to dn.subtree=\"dc=example,dc=com\"
+              by dn.exact=\"cn=root,dc=kittywit,dc=ch\" manage"
+            ];
+          };
+        };
+      };
+    };
+  };
+
+
+  kw.secrets.variables = mapListToAttrs
+    (field:
+      nameValuePair "openldap-${field}" {
+        path = "services/openldap";
+        inherit field;
+      }) [ "password" ];
+
+  secrets.files = {
+    openldap-root-password-file = {
+      text = tf.variables.openldap-password.ref;
+      owner = "openldap";
+      group = "openldap";
+    };
+  };
+}

config/services/openldap/kw.ldif

@@ -0,0 +1,5 @@
+dn: dc=kittywit, dc=ch
+dc: kittywit
+o: kittywitch
+objectclass: organization
+objectclass: dcObject

config/services/openldap/users.ldif

@@ -0,0 +1,5 @@
+dn: ou=users,dc=kittywit,dc=ch
+objectClass: top
+objectClass: organizationalUnit
+description: kittywitch
+ou: users