msyds/sydnix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f3a6960e1818475557b3ce985523a922d1fa4b1
sydnix/modules/nixos/deertopia/lldap.nix
Madeleine Sydney a55aae8568 wip(lldap): Consultant
2025-02-20 11:33:58 -07:00

102 lines
3.2 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let cfg = config.sydnix.deertopia.lldap;
in {
options.sydnix.deertopia.lldap = {
enable = lib.mkEnableOption ''
Deertopia's lldap, a lightweight authentication server that provides an
opinionated, simplified LDAP interface for authentication.
'';
};
config = lib.mkIf cfg.enable {
# HACK: Why doesn't the lldap module do this? Sops-nix fails to set the
# secrets' owner as the user does not yet exist.
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
users.groups.lldap = {};
sydnix.sops.secrets =
let e = {
mode = "0600";
owner = "lldap";
group = "lldap";
};
in {
lldap-ldap-user-pass = e;
lldap-jwt-secret = e;
lldap-secret-env = {};
};
networking.firewall.allowedTCPPorts = [
config.services.lldap.settings.http_port
config.services.lldap.settings.ldap_port
];
services.lldap = {
enable = true;
environment = {
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
};
environmentFile = "/run/secrets/lldap-secret-env";
settings = {
ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
ldap_user_dn = "lain";
ldap_user_email = "lain@deertopia.net";
};
};
sydnix.deertopia.nginx.vhosts."identify".vhost = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
let port = builtins.toString config.services.lldap.settings.http_port;
in "http://localhost:${port}";
};
};
services.nginx.proxyCachePath."cache/" = {
enable = true;
keysZoneName = "auth_cache";
};
sydnix.deertopia.nginx.vhosts."ldap".vhost =
let consultant = "http://localhost:9090";
port = builtins.toString config.services.lldap.settings.http_port;
base-dn = config.services.lldap.settings.ldap_base_dn;
nginx-bind-user = "nginx-bind-user";
in {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
auth_request /auth-proxy;
error_page 401 =200 /login;
proxy_pass ${consultant};
'';
locations."/login".extraConfig = ''
proxy_pass ${consultant}/login;
proxy_set_header X-Target $request_uri;
'';
locations."= /auth-proxy".extraConfig = ''
internal;
proxy_pass ${consultant};
proxy_pass_request_body off;
proxy_pass_request_headers off;
proxy_set_header Content-Length "";
proxy_cache auth_cache;
proxy_cache_valid 200 10m;
proxy_cache_key "$http_authorization$cookie_nginxauth";
# proxy_set_header X-Ldap-URL "ldap://localhost:${port}";
# proxy_set_header X-Ldap-BaseDN "cn=people,${base-dn}";
# proxy_set_header X-Ldap-BindDN "cn=${nginx-bind-user},${base-dn}";
# proxy_set_header X-Ldap-BindPass "secret123";
# proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink