From 2e6c044b89480f3751a086fe849e230c0d3c626d Mon Sep 17 00:00:00 2001 From: soraefir Date: Thu, 14 May 2026 15:43:52 +0200 Subject: [PATCH] Ldap WIP --- modules/server/containers/apps/authentik.nix | 2 ++ modules/server/containers/apps/gitea.nix | 14 ++++++++++ modules/server/containers/apps/jellyfin.nix | 13 ++++++--- .../containers/data/authentik/gitea.yaml | 13 +++++++++ .../containers/data/authentik/jellyfin.yaml | 2 -- .../containers/data/authentik/ldap.yaml | 27 +++++++++++++++++++ .../containers/data/authentik/nextcloud.yaml | 1 - modules/server/sops/example.server.yaml | 1 + modules/server/sops/server.yaml | 6 ++--- 9 files changed, 70 insertions(+), 9 deletions(-) create mode 100644 modules/server/containers/data/authentik/gitea.yaml diff --git a/modules/server/containers/apps/authentik.nix b/modules/server/containers/apps/authentik.nix index 9dddff7..6f563b9 100644 --- a/modules/server/containers/apps/authentik.nix +++ b/modules/server/containers/apps/authentik.nix @@ -9,6 +9,7 @@ let AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain)); } // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.hostDomain}";} else {}) + // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.hostDomain}";} else {}) // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";} else {}); }; in { 
@@ -98,6 +99,7 @@ in { $AK apply_blueprint /blueprints/custom/traefik.yaml $AK apply_blueprint /blueprints/custom/ldap.yaml + ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''} ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''} ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} diff --git a/modules/server/containers/apps/gitea.nix b/modules/server/containers/apps/gitea.nix index 0963105..4882c1e 100644 --- a/modules/server/containers/apps/gitea.nix +++ b/modules/server/containers/apps/gitea.nix @@ -2,6 +2,8 @@ let version = "latest"; serverCfg = config.syscfg.server; + + LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain)); in { sops = true; db = true; @@ -115,6 +117,8 @@ in { $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true + touch ${serverCfg.dataPath}/gitea/data-runner/config.yml + RUNNER_TOKEN=$($GT actions generate-runner-token) $GTR register \ --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \ @@ -124,6 +128,16 @@ in { --no-interactive + ${lib.optionalString (serverCfg.containers ? authentik) '' + # --port 636 + $GT admin add_ldap --id 1 --name Authentik --host "authentik-ldap" --port 3389 --security-protocol "unencrypted" \ + --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $LDAP_PASSWORD \ + --user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \ + --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \ + --synchronize-users + ''} + + echo "Completed Gitea Setup" ''; }; 
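Review bot: `LDAP_DC_DOMAIN` in gitea.nix's let block re-derives the base DN with the same expression authentik.nix already uses for `AUTHENTIK_LDAP_DC_DOMAIN` (`"dc=ldap," + concatMapStringsSep ...`); if either copy changes (the `dc=ldap` prefix, or how hostDomain is split) the two drift silently and Gitea's bind DN stops matching what the outpost serves. Consider computing it once (a `serverCfg` option or a small lib function) and referencing it from both files. Failing that, a comment on the binding, `# Base DN served by the authentik LDAP outpost; must match AUTHENTIK_LDAP_DC_DOMAIN in authentik.nix`, at least makes the coupling visible.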
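Review bot: The new `add_ldap` call binds with `--security-protocol "unencrypted"` on 3389, so the service-account bind password and, on every Gitea login, the user's password cross the container network in cleartext; the commented-out `# --port 636` shows the intent, so finish it with `--security-protocol LDAPS` against the outpost's TLS listener (636 per your comment; the authentik image defaults to 6636 — verify) rather than leaving `unencrypted` in, and do not "fix" certificate errors with `--skip-tls-verify`. `--bind-password $LDAP_PASSWORD` is unquoted and so word-splits on spaces or globs, and the variable name does not match what the rest of this series provisions (`DEFAULT_LDAP_PASSWORD` in ldap.yaml and example.server.yaml, next to the `DEFAULT_ADMIN_*` values this same script already reads), so unless it is mapped elsewhere Gitea will be registered with an empty bind password. The block also runs unconditionally on each setup with no `|| true` or existence check (unlike the admin-user line above it), so a re-run registers a second auth source, and as far as I know Gitea's subcommand is `admin auth add-ldap` with `--id` belonging to `update-ldap` — check against the Gitea version you pin. Rewritten lines below; the enclosing setup script starts outside the hunk.
```nix
${lib.optionalString (serverCfg.containers ? authentik) ''
  # Register authentik as an LDAP auth source exactly once; a re-run of this
  # script must not add a duplicate source.
  # NOTE(review): subcommand/flag names, the TLS port (636 vs the authentik
  # image default 6636) and the env var name need checking against the
  # pinned Gitea/authentik versions and the CUSTOM sops section.
  # NOTE(review): authentik's Gitea integration docs use "cn" as the
  # username attribute; confirm the outpost actually serves "username"/"email".
  if ! $GT admin auth list | grep -q "Authentik"; then
    $GT admin auth add-ldap --name Authentik --host "authentik-ldap" --port 636 --security-protocol LDAPS \
      --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password "$DEFAULT_LDAP_PASSWORD" \
      --user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \
      --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
      --synchronize-users
  fi
''}
```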
diff --git a/modules/server/containers/apps/jellyfin.nix b/modules/server/containers/apps/jellyfin.nix index d5815b5..32b8ee4 100644 --- a/modules/server/containers/apps/jellyfin.nix +++ b/modules/server/containers/apps/jellyfin.nix @@ -9,7 +9,7 @@ let "jellyfin:x:1000:" ]; }; - image = pkgs.dockerTools.buildImage{#pkgs.dockerTools.streamLayeredImage { # + image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{# name = pkgs.jellyfin.name; tag = pkgs.jellyfin.version; contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ]; @@ -48,8 +48,7 @@ in { containers = { server = builder.mkContainer { subdomain = containerCfg.subdomain; - #imageStream = image; - imageFile = image; + imageStream = image; port = 8096; extraEnv = { HOME = "/config/data"; @@ -147,6 +146,14 @@ in { echo "ERROR: LDAP Plugin Setup Failed." exit 1 fi + + if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \ + -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \ + -H "Content-Length: 0"; then + echo "ERROR: Server failed to accept restart command." + exit 1 + fi + echo "Completed Setup" ''; diff --git a/modules/server/containers/data/authentik/gitea.yaml b/modules/server/containers/data/authentik/gitea.yaml new file mode 100644 index 0000000..570d83a --- /dev/null +++ b/modules/server/containers/data/authentik/gitea.yaml @@ -0,0 +1,13 @@ +version: 1 +metadata: + name: gitea-ldap-setup +entries: + - model: authentik_core.application + id: gitea-app + identifiers: + slug: gitea + attrs: + name: Gitea + provider: + !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]] + launch_url: "@GITEA_DOMAIN@" diff --git a/modules/server/containers/data/authentik/jellyfin.yaml b/modules/server/containers/data/authentik/jellyfin.yaml index 570da77..d5c3b84 100644 --- a/modules/server/containers/data/authentik/jellyfin.yaml +++ b/modules/server/containers/data/authentik/jellyfin.yaml 
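Review bot: The restart request puts `$JELLYFIN_TOKEN` on curl's argv via `-H "Authorization: MediaBrowser Token=..."`, where any process in the container can read it through `ps` or `/proc/*/cmdline` for the duration of the call; the earlier calls in this script (outside the hunk) presumably follow the same pattern, but the fix is cheap: write the header to a temp file and pass `-H @"$hdr"`, or use `--config`. Separately, `POST /System/Restart` only queues the restart, so `echo "Completed Setup"` fires while Jellyfin is still going down; if anything afterwards depends on the server being back (a health check, the LDAP plugin being loaded), poll `$JELLYFIN_URL/health` until it answers before declaring completion. The enclosing setup script starts outside the hunk.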
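Review bot: `gitea-app` assigns `provider:` to the same `ldap-provider` that jellyfin.yaml assigns to the Jellyfin application; in authentik an application's provider is a one-to-one relation as far as I know, so whichever blueprint is applied second either fails the uniqueness check or takes the provider away from the first application — and in either case access policies bound to the Gitea application do not gate LDAP binds the way the entry suggests. Either give Gitea its own `authentik_providers_ldap.ldapprovider` (and assign it to the outpost in ldap.yaml), or drop `provider:` here and document in ldap.yaml that one LDAP application covers all LDAP-backed services. `launch_url: "@GITEA_DOMAIN@"` has no scheme, but that matches the existing jellyfin entry, so it is a pre-existing convention rather than a new issue — confirm the substitution adds `https://`.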
@@ -10,6 +10,4 @@ entries: name: Jellyfin provider: !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]] - open_in_new_tab: false launch_url: "@JELLYFIN_DOMAIN@" - state: present diff --git a/modules/server/containers/data/authentik/ldap.yaml b/modules/server/containers/data/authentik/ldap.yaml index cff0c32..d90931f 100644 --- a/modules/server/containers/data/authentik/ldap.yaml +++ b/modules/server/containers/data/authentik/ldap.yaml @@ -32,3 +32,30 @@ entries: !Find [authentik_core.token, [identifier, ldap-outpost-static-token]] config: log_level: info + + - model: authentik_core.user + state: present + identifiers: + username: "ldap-service" + attrs: + name: "LDAP Bind Service Account" + is_active: true + password: !Env DEFAULT_LDAP_PASSWORD + attributes: + ak_recovery_immutable: true + + - model: authentik_core.group + state: present + identifiers: + name: "LDAP Bind Service Account Group" + attrs: + users: + - !Find [authentik_core.user, [username, ldap-service]] + + - model: authentik_policies.policybinding + state: present + identifiers: + target: + !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]] + permission: "authentik_providers_ldap.search_full_directory" + user: !Find [authentik_core.user, [username, ldap-service]] diff --git a/modules/server/containers/data/authentik/nextcloud.yaml b/modules/server/containers/data/authentik/nextcloud.yaml index 4b8685e..8ca927b 100644 --- a/modules/server/containers/data/authentik/nextcloud.yaml +++ b/modules/server/containers/data/authentik/nextcloud.yaml @@ -85,5 +85,4 @@ entries: name: Nextcloud provider: !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]] - group: "Cloud Services" launch_url: "@NEXTCLOUD_DOMAIN@" diff --git a/modules/server/sops/example.server.yaml b/modules/server/sops/example.server.yaml index 4d21074..e196593 100644 --- a/modules/server/sops/example.server.yaml +++ b/modules/server/sops/example.server.yaml 
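Review bot: The `authentik_policies.policybinding` entry mixes two access-grant mechanisms: `permission: "authentik_providers_ldap.search_full_directory"` is not a PolicyBinding field as far as I know (that permission is granted through RBAC, e.g. a `permissions:` list on the user or an `authentik_rbac.role`), while binding `user:` directly to the provider is the older pre-RBAC way and then needs `order` in its identifiers; pick the mechanism your authentik version uses and confirm the apply log reports this entry as applied rather than skipped. Since `ldap-service` exists only to search on behalf of Gitea/Jellyfin, mark it as such with `type: service_account` under `attrs` (authentik 2023.x+), which blocks interactive login flows while still allowing LDAP bind, and consider `path: service-accounts` so it is visibly separated from human users. The `LDAP Bind Service Account Group` is created but the binding targets the user directly, so bind (or grant) the group instead — that is what makes the group worth having. The password set here from `DEFAULT_LDAP_PASSWORD` is consumed by Gitea's `add_ldap` in this same series under a different name (`LDAP_PASSWORD`); worth reconciling.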
@@ -2,6 +2,7 @@ CUSTOM: | DEFAULT_ADMIN_USERNAME=... DEFAULT_ADMIN_PASSWORD=... DEFAULT_ADMIN_EMAIL=... + DEFAULT_LDAP_PASSWORD=... TRAEFIK: | INFOMANIAK_ACCESS_TOKEN=... AUTHENTIK: | diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml index 1517047..7ec1827 100644 --- a/modules/server/sops/server.yaml +++ b/modules/server/sops/server.yaml 
@@ -1,4 +1,4 @@ -CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str] +CUSTOM: ENC[AES256_GCM,data:TXsMI69UrctXA8jnv/qHVm8ljt6APlVZ0iLe7v3gZsojxlu4BG78vXxbR+oZVcOkp3qvI5e1M1EVNwcyL+M1wIkwIaIaXVtdjzJrSBOj9RQ6hos32DW5JYe1lRcXrW4T2ZjP4Ll3oDhMBnpcRweLcqjf9RrrQ3T3PQlH6uh1+wiQo0jhEoUc+k47uhnIi47vPCj2EUIpxeUFNu30pg2vBVDkkvtWdwa8kTySmmnzLQ5zWcsOcQWWWyEgkxPz1bGENSBiTl9Qlhf+gdISWA==,iv:ysPEvNvaxw8P0dYlLoBe7qZIdh5qmIusbuPK4a0lMxE=,tag:4X/eq6gX4h15JfKn+sEHdA==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str] NEXTCLOUD: 
ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str] @@ -29,8 +29,8 @@ sops: S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-13T20:36:20Z" - mac: ENC[AES256_GCM,data:HJ42m/78+Di88AkaekkxPeda344YZsZpM2sOrhqG4JrYkcArAAKaHtZqJH/K+iFfDLUgtKdSHNkjvTth2yaCmXSbu+Desid2FdE3LDa3eER5dzCYZ7RSfL8QJRA5BjtTn6+iC/D+UFrSfIS1bsz2Ycw/6uwCncI4PhE+6i0v9Wk=,iv:iAPGXHPdi9vm6b6TO8ZIoO1RjI3jyItcgXRR8H3GWUI=,tag:Hbu30qFb0mTTHZ7Q6qVbdw==,type:str] + lastmodified: "2026-05-14T13:39:26Z" + mac: ENC[AES256_GCM,data:g9z/gGOuAYs0DbH8YqAQJjtbLmjTv3+EnNTbrbF87kqpB5w/0fYfCAkhgFRYG2y7Ly1CK3F/b7TU6SKF+MB6Kv4tSF5+m/tez32EDG4jWCNAOLBjGftcRzLgWrUxtTLat6HelVSUt38O8hBHJqh3w57tqLk2rl/YEaevJP/ZZTw=,iv:OnkblA4PjwHKhN4boH+NfFU88hL9ADoSzkCLUPa8aUE=,tag:ruEvZXcPRGE2LA9AzOaF1g==,type:str] pgp: - created_at: "2026-05-05T23:46:27Z" enc: |-