glauth: Working

2026-02-09 12:29:19 -08:00 · 2021-09-05 00:03:41 +01:00 · 2021-09-05 00:03:41 +01:00 · acfa259b2a
commit acfa259b2a
parent a1d46f5301
4 changed files with 12 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -113,10 +113,12 @@ See [here][] for additional information on profiles.
 | [filehost][]       | I sling things in here via SSH/SCP.                                      |
 | [fusionpbx][]      | FusionPBX. Fancy PBX.                                                    |
 | [gitea][]          | Self-hosted git with mail support.                                       |
+| [glauth][]         | LDAP server.                                                             |
 | [jellyfin][]       | HTPC/NAS stuff.                                                          |
 | [katsplash][]      | A splash screen for some hosts.                                          |
 | [kattv-ingest][]   | Takes data from kattv, slings to RTMP.                                   |
 | [kattv][]          | Takes data from a webcam, slings to kattv-ingest.                        |
+| [keycloak][]       | Fancy identity stuffs.                                                   |
 | [knot][]           | Knot DNS, authoritative DNS server.                                      |
 | [logrotate][]      | Rotates logs!                                                            |
 | [mail][]           | [nixos-mailserver][].                                                    |
@ -255,10 +257,12 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
  [filehost]: config/services/filehost/default.nix
  [fusionpbx]: config/services/fusionpbx/default.nix
  [gitea]: config/services/gitea/default.nix
+  [glauth]: config/services/glauth
  [jellyfin]: config/services/jellyfin/default.nix
  [katsplash]: config/services/katsplash/default.nix
  [kattv-ingest]: config/services/kattv-ingest/default.nix
  [kattv]: config/services/kattv/default.nix
+  [keycloak]: config/services/keycloak
  [knot]: config/services/knot/default.nix
  [logrotate]: config/services/logrotate/default.nix
  [mail]: config/services/mail/default.nix
--- a/config/modules/nixos/glauth.nix
+++ b/config/modules/nixos/glauth.nix
@ -154,6 +154,7 @@ in
              shopt -s inherit_errexit
              umask u=rwx,g=,o=
              mkdir -p /run/glauth/secrets
+              chown -R glauth:glauth /run/glauth/
              install -T -m 0400 -o glauth -g glauth '${dbcfg.passwordFile}' /run/glauth/secrets/db_password
            '';
            startPre = ''
--- a/config/services/glauth/default.nix
+++ b/config/services/glauth/default.nix
@ -1,6 +1,10 @@
 { config, tf, lib, ... }: with lib; {
  network.firewall.public.tcp.ports = singleton 3984;

+  network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
+  users.groups.domain-auth.members = [ "nginx" "glauth" ];
+  security.acme.certs.domain-auth.group = "domain-auth";
+
  services.glauth = {
    enable = true;
    configFile = config.secrets.files.glauth-config-file.path;
@ -19,8 +23,8 @@
      ldaps = {
        enabled = true;
        listen = "0.0.0.0:3894";
-        cert = "/var/lib/acme/auth.kittywit.ch/fullchain.pem";
-        key = "/var/lib/acme/auth.kittywit.ch/key.pem";
+        cert = "/var/lib/acme/domain-auth/fullchain.pem";
+        key = "/var/lib/acme/domain-auth/key.pem";
      };
      backend = {
        baseDN = "dc=kittywitch,dc=com";
--- a/config/services/keycloak/default.nix
+++ b/config/services/keycloak/default.nix
@ -29,7 +29,7 @@
  };

  services.nginx.virtualHosts."auth.${config.network.dns.domain}" = {
-    enableACME = true;
+    useACMEHost = "domain-auth";
    forceSSL = true;
    locations = { "/".proxyPass = "http://127.0.0.1:8089"; };
  };