From a2d6b08af13fa526a3ac578fe06cb443abb5da28 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Fri, 10 Sep 2021 02:23:24 +0100
Subject: [PATCH] services/keycloak: Working. services/openldap: Init
---
 config/hosts/daiyousei.nix | 3 +-
 config/hosts/ran.nix | 1 -
 config/modules/nixos/network.nix | 3 +-
 config/services/glauth/default.nix | 29 ++++++---
 config/services/keycloak/default.nix | 38 +++++++++++-
 config/services/openldap/default.nix | 90 ++++++++++++++++++++++++++++
 config/services/openldap/kw.ldif | 5 ++
 config/services/openldap/users.ldif | 5 ++
 8 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 config/services/openldap/default.nix
 create mode 100644 config/services/openldap/kw.ldif
 create mode 100644 config/services/openldap/users.ldif
diff --git a/config/hosts/daiyousei.nix b/config/hosts/daiyousei.nix
index cac676a2..20dd8217 100644
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@@ -5,7 +5,8 @@
 profiles.network
 services.nginx
 services.keycloak
- services.glauth
+ services.openldap
+ services.dnscrypt-proxy
 ];
 kw.oci = {
diff --git a/config/hosts/ran.nix b/config/hosts/ran.nix
index aa4361a0..785fd929 100644
--- a/config/hosts/ran.nix
+++ b/config/hosts/ran.nix
@@ -76,7 +76,6 @@ with lib;
 network.firewall = {
 public = {
 interfaces = singleton "enp1s0";
- tcp.ports = [ 9981 9982 ];
 };
 };
diff --git a/config/modules/nixos/network.nix b/config/modules/nixos/network.nix
index 52038e4b..72a34dd8 100644
--- a/config/modules/nixos/network.nix
+++ b/config/modules/nixos/network.nix
@@ -137,7 +137,8 @@ in
 ipv4.address = mkIf (cfg.addresses.${network}.nixos.ipv4.enable) cfg.addresses.${network}.nixos.ipv4.address;
 ipv6.address = mkIf (cfg.addresses.${network}.nixos.ipv6.enable) cfg.addresses.${network}.nixos.ipv6.address;
 };
- })) // {
+ })))
+ (mkIf cfg.tf.enable {
 public = {
 tf = {
 ipv4.address = mkIf (cfg.tf.ipv4_attr != null) (tf.resources.${config.networking.hostName}.refAttr cfg.tf.ipv4_attr);
diff --git a/config/services/glauth/default.nix b/config/services/glauth/default.nix
index 5fd1a296..49e9e83e 100644
--- a/config/services/glauth/default.nix
+++ b/config/services/glauth/default.nix
@@ -1,8 +1,8 @@
 { config, tf, lib, ... }: with lib; {
- network.firewall.public.tcp.ports = [ 3984 ];
+ network.firewall.public.tcp.ports = [ 636 ];
 network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
- users.groups.domain-auth.members = [ "nginx" "glauth" ];
+ users.groups.domain-auth.members = [ "nginx" "glauth" "keycloak" ];
 security.acme.certs.domain-auth.group = "domain-auth";
 services.glauth = {
@@ -22,7 +22,7 @@
 };
 ldaps = {
 enabled = true;
- listen = "0.0.0.0:3894";
+ listen = "0.0.0.0:636";
 cert = "/var/lib/acme/domain-auth/fullchain.pem";
 key = "/var/lib/acme/domain-auth/key.pem";
 };
@@ -32,21 +32,32 @@
 users = [
 {
 name = "kat";
+ mail = "kat@kittywit.ch";
+ loginshell="/usr/bin/env zsh";
+ homedirectory="/home/kat";
 passsha256 = tf.variables.glauth-password-hash.ref;
 uidnumber = 1000;
 primarygroup = 1500;
+ givenname = "kat";
+ sn = "witch";
 }
 {
 name = "kc";
 passsha256 = tf.variables.glauth-kc-password-hash.ref;
- uidnumber = 1001;
- primarygroup = 1500;
+ uidnumber = 999;
+ primarygroup = 1499;
+ }
+ ];
+ groups = [
+ {
+ name = "admins";
+ gidnumber = 1499;
+ }
+ {
+ name = "users";
+ gidnumber = 1500;
 }
 ];
- groups = [{
- name = "admins";
- gidnumber = 1500;
- }];
 };
 };
diff --git a/config/services/keycloak/default.nix b/config/services/keycloak/default.nix
index 30396aad..c29eb6f2 100644
--- a/config/services/keycloak/default.nix
+++ b/config/services/keycloak/default.nix
@@ -1,6 +1,11 @@
-{ config, lib, tf, ... }: with lib; {
+{ config, pkgs, lib, tf, ... }: with lib; let
+ keystore-pass = "zZX3eS";
+in {
 services.keycloak = {
 enable = true;
+ package = (pkgs.keycloak.override {
+ jre = pkgs.openjdk11;
+ });
 bindAddress = "127.0.0.1";
 httpPort = "8089";
 httpsPort = "8445";
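Review bot: `network.firewall.public.tcp.ports = [ 636 ]` here, together with `listen = "0.0.0.0:636"` in the next hunk, claims the same port that the new openldap module opens and binds, so the two modules can no longer be imported on one host, and daiyousei.nix drops `services.glauth` in this same commit. If glauth is being kept as an alternative backend rather than retired, a comment at the top of the file such as `# Alternative to services/openldap; mutually exclusive with it (both bind 636).` would say so; otherwise the port change is dead config. `users.groups.domain-auth.members` is now declared both here and in the keycloak module with different lists; NixOS merges list options so the result is the union, but ownership of that group belongs in one place, and adding `"keycloak"` to the certificate group hands Keycloak read access to `key.pem`, which a trust store does not need (see the keycloak hunk).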
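Review bot: `kc` is moved to `primarygroup = 1499`, which this hunk names `admins`, while `kat` stays in `1500`, which becomes `users`; judging by the keycloak changes in the same commit, `kc` appears to be the account Keycloak binds with, and a lookup-only bind account normally needs no admin group. If that is intended, a comment on the entry (`# service account used by Keycloak for LDAP binds; kept in admins because …`) would document why; if not, the two primary groups look swapped. `uidnumber = 999` also drops into the conventional system-account range, which suits a service account but is a change from 1001 worth stating as deliberate.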
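Review bot: `keystore-pass = "zZX3eS"` is a literal password in a Nix expression, and everything built from it (the `extraConfig` property and the `postRun` script in the next hunk) is presumably rendered into the world-readable Nix store and also appears on the keytool command line, so it is not secret in any practical sense. That is defensible because the store it guards only holds a public certificate, but it should be documented as non-secret instead of reading like a leaked credential: `# Not a secret: keytool insists on a store password, but trust-store.jks holds only public certificates.` If it ever needs to protect something, it has to come from `config.secrets.files` the way `database.passwordFile` does, not from a literal.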
@@ -8,6 +13,37 @@
 forceBackendUrlToFrontendUrl = true;
 frontendUrl = "https://auth.${config.network.dns.domain}/auth";
 database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
+ extraConfig = {
+ "subsystem=undertow" = {
+ "server=default-server" = {
+ "http-listener=default" = {
+ "proxy-address-forwarding" = true;
+ };
+ };
+ };
+ "subsystem=keycloak-server" = {
+ "spi=truststore" = {
+ "provider=file" = {
+ enabled = true;
+ properties.password = keystore-pass;
+ properties.file = "/var/lib/acme/domain-auth/trust-store.jks";
+ properties.hostname-verification-policy = "WILDCARD";
+ properties.disabled = false;
+ };
+ };
+ };
+ };
+ };
+
+
+ network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
+ users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
+ security.acme.certs.domain-auth = {
+ group = "domain-auth";
+ postRun = ''
+ ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
+ chown acme:domain-auth ./trust-store.jks
+ '';
 };
 users.groups.keycloak = { };
diff --git a/config/services/openldap/default.nix b/config/services/openldap/default.nix
new file mode 100644
index 00000000..7d38a7fc
--- /dev/null
+++ b/config/services/openldap/default.nix
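Review bot: `postRun` runs again on every certificate renewal, and `keytool -import -noprompt` into an existing `trust-store.jks` fails once the alias `auth.<domain>` is already present, so from the first renewal on the store is never refreshed even though `cert.pem` (the leaf, which changes at each renewal) is exactly what gets imported; and even a successful re-import is invisible to a running Keycloak, which reads the truststore file at startup. Delete the store before importing and restart Keycloak via the acme module's `reloadServices` option (if the NixOS version in use has it); `-keypass` applies to key entries, not trusted certificates, and can go. Second, `users.groups.domain-auth.members` adds `"keycloak"` and the store is handed to `acme:domain-auth`; membership of the certificate group is what makes `key.pem` readable, and Keycloak needs only the public trust store, so give the store a keycloak-readable group instead and drop keycloak from domain-auth. Lastly, `proxy-address-forwarding = true` makes Keycloak trust `X-Forwarded-*` from whatever reaches it; with `bindAddress = "127.0.0.1"` from the first hunk that is only the local nginx, which must set those headers itself rather than pass client-supplied ones through.
```nix
users.groups.domain-auth.members = [ "nginx" "openldap" ];
security.acme.certs.domain-auth = {
  group = "domain-auth";
  postRun = ''
    # rebuild from scratch: keytool refuses to import over an existing alias
    rm -f trust-store.jks
    ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -importcert -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -storepass ${keystore-pass} -file cert.pem
    chown acme:keycloak trust-store.jks
    chmod 0640 trust-store.jks
  '';
  # Keycloak loads the truststore at startup; restart it after each renewal
  reloadServices = [ "keycloak.service" ];
};
```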
@@ -0,0 +1,90 @@
+{ config, pkgs, tf, lib, ... }: with lib; {
+ network.firewall.public.tcp.ports = [ 636 ];
+
+ services.openldap = {
+ enable = true;
+ urlList = [ "ldap:///" "ldapi:///" "ldaps:///" ];
+ settings = {
+ attrs = {
+ objectClass = "olcGlobal";
+ cn = "config";
+ olcPidFile = "/run/slapd/slapd.pid";
+ olcTLSCACertificateFile = "/var/lib/acme/domain-auth/fullchain.pem";
+ olcTLSCertificateFile = "/var/lib/acme/domain-auth/cert.pem";
+ olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem";
+ };
+ children = {
+ "cn=schema" = {
+ attrs = {
+ cn = "schema";
+ objectClass = "olcSchemaConfig";
+ };
+ includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+ };
+ "olcDatabase={-1}frontend" = {
+ attrs = {
+ objectClass = [
+ "olcDatabaseConfig"
+ "olcFrontendConfig"
+ ];
+ olcDatabase = "{-1}frontend";
+ olcAccess = [
+ "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break"
+ "{1}to dn.exact=\"\" by * read"
+ "{2}to dn.base=\"cn=Subschema\" by * read"
+ ];
+ };
+ };
+ "olcDatabase={0}config" = {
+ attrs = {
+ objectClass = "olcDatabaseConfig";
+ olcDatabase = "{0}config";
+ olcAccess = [ "{0}to * by * none break" ];
+ };
+ };
+ "olcDatabase={1}mdb" = {
+ attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/db/ldap";
+ olcSuffix = "dc=kittywit,dc=ch";
+ olcRootDN = "cn=root,dc=kittywit,dc=ch";
+ olcRootPW.path = config.secrets.files.openldap-root-password-file.path;
+ olcAccess = [
+ "{0}to attrs=userPassword
+ by anonymous auth
+ by self write
+ by * none"
+ "{1}to *
+ by dn.children=\"ou=users,dc=kittywit,dc=ch\" write
+ by self read by * none"
+ "{2}to dn.subtree=\"dc=example,dc=com\"
+ by dn.exact=\"cn=root,dc=kittywit,dc=ch\" manage"
+ ];
+ };
+ };
+ };
+ };
+ };
+
+
+ kw.secrets.variables = mapListToAttrs
+ (field:
+ nameValuePair "openldap-${field}" {
+ path = "services/openldap";
+ inherit field;
+ }) [ "password" ];
+
+ secrets.files = {
+ openldap-root-password-file = {
+ text = tf.variables.openldap-password.ref;
+ owner = "openldap";
+ group = "openldap";
+ };
+ };
+}
diff --git a/config/services/openldap/kw.ldif b/config/services/openldap/kw.ldif
new file mode 100644
index 00000000..e177a31b
--- /dev/null
+++ b/config/services/openldap/kw.ldif
@@ -0,0 +1,5 @@
+dn: dc=kittywit, dc=ch
+dc: kittywit
+o: kittywitch
+objectclass: organization
+objectclass: dcObject
diff --git a/config/services/openldap/users.ldif b/config/services/openldap/users.ldif
new file mode 100644
index 00000000..da6a35c3
--- /dev/null
+++ b/config/services/openldap/users.ldif
@@ -0,0 +1,5 @@
+dn: ou=users,dc=kittywit,dc=ch
+objectClass: top
+objectClass: organizationalUnit
+description: kittywitch
+ou: users
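Review bot: The mdb rule `{1}to * by dn.children=\"ou=users,dc=kittywit,dc=ch\" write` gives every entry under ou=users write access to every attribute of every entry in the database (userPassword excepted, since `{0}` already matched it), so any authenticated user can rewrite another user's uidNumber or mail, add or delete entries, and change group memberships; directory users need `read` here, with any self-service attributes granted separately (`to attrs=mail,loginShell by self write`). `{2}` is a leftover: it names `dc=example,dc=com`, is unreachable after a `to *` clause anyway, and the rootdn bypasses ACLs so needs no grant; writing each directive on one line also avoids depending on how the module folds embedded newlines into LDIF. `urlList` keeps `ldap:///` listening in clear on all addresses; only 636 is opened in the public zone here, but binding the plaintext listener to `ldap://127.0.0.1/` (or dropping it, since ldapi and ldaps remain) keeps simple binds off the wire on any other interface. The two `.ldif` files added in this commit are not referenced by the module, so the base entry and ou=users have to be loaded by hand; `services.openldap.declarativeContents` would load them at start if the module version in use offers it.
```nix
olcAccess = [
  "{0}to attrs=userPassword by anonymous auth by self write by * none"
  # directory users may read the tree but not modify other entries
  "{1}to * by dn.children=\"ou=users,dc=kittywit,dc=ch\" read by * none"
];
```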