From a81432f8abdb212998513b8b7f3f416572375268 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Wed, 22 Sep 2021 03:32:25 +0100
Subject: [PATCH] services/jellyfin: LDAP + marisa proxy:

---
 config/hosts/marisa.nix | 1 +
 config/services/access.nix | 24 +++++++++++++++++++++
 config/services/jellyfin.nix | 13 ++++++++----
 config/services/openldap/default.nix | 31 +++++++++++++++++++++++++---
 4 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 config/services/access.nix

diff --git a/config/hosts/marisa.nix b/config/hosts/marisa.nix
index 58daff89..2860f36f 100644
--- a/config/hosts/marisa.nix
+++ b/config/hosts/marisa.nix
@@ -4,6 +4,7 @@
 services.dnscrypt-proxy
 profiles.network
 services.nginx
+ services.access
 users.kat.server
 ];
 
diff --git a/config/services/access.nix b/config/services/access.nix
new file mode 100644
index 00000000..ee481994
--- /dev/null
+++ b/config/services/access.nix
@@ -0,0 +1,24 @@
+{ config, lib, meta, ... }: {
+ deploy.tf.dns.records.services_media_forward = {
+ inherit (config.network.dns) zone;
+ domain = "media";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ services.nginx.virtualHosts = {
+ "media.${config.network.dns.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/jellyfin/".proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+ "/jellyfin/socket" = {
+ proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix
index 2d8c01fd..42e4f649 100644
--- a/config/services/jellyfin.nix
+++ b/config/services/jellyfin.nix
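Review bot: The `/jellyfin/socket` location proxies to `…:8096/jellyfin/`, and because that `proxyPass` carries a URI part nginx replaces the matched prefix, so the WebSocket request arrives at Jellyfin as `/jellyfin/` instead of `/jellyfin/socket`; the upstream path should keep the socket suffix, `proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/socket";`. The Upgrade/Connection headers alone do not complete a WebSocket handshake unless `proxy_http_version 1.1;` is in effect — if `recommendedProxySettings` is not enabled on this host (not visible here), add that line to the same `extraConfig`. The Jellyfin address is spelled out twice; binding it once in a `let` would stop the two locations from drifting apart, and `lib` in the argument set is unused.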
@@ -20,10 +20,15 @@
 from = 32768;
 to = 60999;
 }];
- private.tcp.ranges = [{
- from = 32768;
- to = 60999;
- }];
+ private.tcp = {
+ ports = [
+ 8096
+ ];
+ ranges = [{
+ from = 32768;
+ to = 60999;
+ }];
+ };
 };
 
 services.jellyfin.enable = true;
diff --git a/config/services/openldap/default.nix b/config/services/openldap/default.nix
index d5b26aee..0af3ab94 100644
--- a/config/services/openldap/default.nix
+++ b/config/services/openldap/default.nix
@@ -14,6 +14,12 @@
 olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem";
 };
 children = {
+ "cn=module" = {
+ attrs = {
+ objectClass = "olcModuleList";
+ olcModuleLoad = "memberof";
+ };
+ };
 "cn=schema" = {
 attrs = {
 cn = "schema";
@@ -26,6 +32,21 @@
 "${pkgs.openldap}/etc/schema/nis.ldif"
 ];
 };
+ "olcOverlay=memberof,olcDatabase={1}mdb" = {
+ attrs = {
+ objectClass = [
+ "olcOverlayConfig"
+ "olcMemberOf"
+ "olcConfig"
+ ];
+ olcOverlay = "memberof";
+ olcMemberOfDangling = "ignore";
+ olcMemberOfGroupOC = "groupOfNames";
+ olcMemberOfMemberAD = "member";
+ olcMemberOfMemberOfAD = "memberOf";
+ olcMemberOfRefint = "TRUE";
+ };
+ };
 "olcDatabase={-1}frontend" = {
 attrs = {
 objectClass = [
@@ -76,9 +97,13 @@
 ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
 by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
 by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by * none''
- ''{4}to attrs=mail by self read''
- ''{5}to * by * read''
+ by * none''
+ ''{4}to dn.subtree="ou=groups,dc=kittywit,dc=ch"
+ by dn.subtree="ou=users,dc=kittywit,dc=ch" read
+ by dn.subtree="ou=services,dc=kittywit,dc=ch" read
+ by * none''
+ ''{5}to attrs=mail by self read''
+ ''{6}to * by * read''
 ];
 };
 };
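Review bot: `private.tcp.ports = [ 8096 ]` opens Jellyfin's plain-HTTP listener to everything the `private` scope covers, while the only consumer added in this commit is marisa's reverse proxy reaching it over the wireguard address; if the firewall abstraction supports per-source rules, scoping 8096 to that peer would match the intent, and either way a comment such as `# 8096: Jellyfin HTTP, reverse-proxied by marisa (services/access.nix)` should record why the port is open. The `32768`–`60999` range is now duplicated between `public` and `private`; a shared `let` binding would keep the two copies from diverging. The enclosing attribute set starts and ends outside the hunk.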
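Review bot: The new `"cn=module"` entry sets only `objectClass` and `olcModuleLoad`, whereas the neighbouring `"cn=schema"` entry also carries its naming attribute (`cn = "schema"`); if slapadd insists on the RDN attribute being present in the entry, config generation fails at activation, so adding `cn = "module";` keeps the entry consistent with its siblings either way. Whether `memberof` is found without an explicit `olcModulePath` depends on the module directory compiled into `pkgs.openldap`, which this hunk does not show — worth confirming on the first deploy. The enclosing `children` set continues outside the hunk.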
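Review bot: The memberof overlay maintains `memberOf` only for group modifications made after it is active; members of `groupOfNames` groups that already exist are not back-filled, so Jellyfin's LDAP group lookups will miss them until those memberships are re-added. That caveat belongs on the entry, e.g. `# memberof is not retroactive: existing group members must be re-added to populate memberOf`. `olcMemberOfRefint = "TRUE"` additionally makes the overlay strip a deleted entry from the groups that list it, which is worth a one-line comment beside it so the side effect on deletions is not a surprise.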
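Review bot: The new `{4}` rule hides the `ou=groups` subtree from anonymous binds, but the memberof overlay writes `memberOf` onto the member (user) entries, and on the visible rules that attribute falls through to `{6}to * by * read`, so group membership remains readable by anyone unless a rule outside this hunk (`{0}`–`{2}` are not shown) already restricts `ou=users`. If none does, add an attribute rule before the catch-all, e.g. `''{5}to attrs=memberOf by self read by dn.subtree="ou=services,dc=kittywit,dc=ch" read by * none''`, and renumber the two rules after it. The `-`/`+` pair on `by * none''` appears to be a whitespace-only change. The `olcAccess` list this sits in begins outside the hunk.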