Ldap WIP

2026-05-14 15:43:52 +02:00
parent 252373f956
commit 2e6c044b89
9 changed files with 70 additions and 9 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -9,6 +9,7 @@ let
      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
    } 
    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.hostDomain}";} else {})
+    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.hostDomain}";} else {})
    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";} else {});
  };
 in {
@@ -98,6 +99,7 @@ in {
      $AK apply_blueprint /blueprints/custom/traefik.yaml
      $AK apply_blueprint /blueprints/custom/ldap.yaml

+      ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}

--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -2,6 +2,8 @@
 let 
  version = "latest";
  serverCfg = config.syscfg.server;
+
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
 in {
  sops = true;
  db = true;
@@ -115,6 +117,8 @@ in {

      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true

+      touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
+      
      RUNNER_TOKEN=$($GT actions generate-runner-token)
      $GTR register \
        --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
@@ -124,6 +128,16 @@ in {
        --no-interactive


+      ${lib.optionalString (serverCfg.containers ? authentik) ''
+      # --port 636 
+      $GT admin add_ldap --id 1 --name Authentik --host "authentik-ldap" --port 3389 --security-protocol "unencrypted" \
+          --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $LDAP_PASSWORD \
+          --user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \
+          --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
+          --synchronize-users
+      ''}
+
+
      echo "Completed Gitea Setup"
      '';
  };
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -9,7 +9,7 @@ let
      "jellyfin:x:1000:"
    ];
  };
-  image = pkgs.dockerTools.buildImage{#pkgs.dockerTools.streamLayeredImage { # 
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
    name = pkgs.jellyfin.name;
    tag = pkgs.jellyfin.version;  
    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
@@ -48,8 +48,7 @@ in {
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
-      #imageStream = image;
-      imageFile = image;
+      imageStream = image;
      port = 8096;
      extraEnv = {
        HOME = "/config/data";
@@ -147,6 +146,14 @@ in {
        echo "ERROR: LDAP Plugin Setup Failed."
        exit 1
      fi
+
+      if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
+          -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+          -H "Content-Length: 0"; then
+        echo "ERROR: Server failed to accept restart command."
+        exit 1
+      fi
+
      echo "Completed Setup"

    '';
--- a/modules/server/containers/data/authentik/gitea.yaml
+++ b/modules/server/containers/data/authentik/gitea.yaml
@@ -0,0 +1,13 @@
+version: 1
+metadata:
+  name: gitea-ldap-setup
+entries:
+  - model: authentik_core.application
+    id: gitea-app
+    identifiers:
+      slug: gitea
+    attrs:
+      name: Gitea
+      provider:
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      launch_url: "@GITEA_DOMAIN@"
--- a/modules/server/containers/data/authentik/jellyfin.yaml
+++ b/modules/server/containers/data/authentik/jellyfin.yaml
@@ -10,6 +10,4 @@ entries:
      name: Jellyfin
      provider:
        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
-      open_in_new_tab: false
      launch_url: "@JELLYFIN_DOMAIN@"
-    state: present
--- a/modules/server/containers/data/authentik/ldap.yaml
+++ b/modules/server/containers/data/authentik/ldap.yaml
@@ -32,3 +32,30 @@ entries:
        !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
      config:
        log_level: info
+
+  - model: authentik_core.user
+    state: present
+    identifiers:
+      username: "ldap-service"
+    attrs:
+      name: "LDAP Bind Service Account"
+      is_active: true
+      password: !Env DEFAULT_LDAP_PASSWORD
+      attributes:
+        ak_recovery_immutable: true
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "LDAP Bind Service Account Group"
+    attrs:
+      users:
+        - !Find [authentik_core.user, [username, ldap-service]]
+
+  - model: authentik_policies.policybinding
+    state: present
+    identifiers:
+      target:
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      permission: "authentik_providers_ldap.search_full_directory"
+      user: !Find [authentik_core.user, [username, ldap-service]]
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -85,5 +85,4 @@ entries:
      name: Nextcloud
      provider:
        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
-      group: "Cloud Services"
      launch_url: "@NEXTCLOUD_DOMAIN@"
--- a/modules/server/sops/example.server.yaml
+++ b/modules/server/sops/example.server.yaml
@@ -2,6 +2,7 @@ CUSTOM: |
  DEFAULT_ADMIN_USERNAME=...
  DEFAULT_ADMIN_PASSWORD=...
  DEFAULT_ADMIN_EMAIL=...
+  DEFAULT_LDAP_PASSWORD=...
 TRAEFIK: |
  INFOMANIAK_ACCESS_TOKEN=...
 AUTHENTIK: |
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,4 +1,4 @@
-CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
+CUSTOM: ENC[AES256_GCM,data:TXsMI69UrctXA8jnv/qHVm8ljt6APlVZ0iLe7v3gZsojxlu4BG78vXxbR+oZVcOkp3qvI5e1M1EVNwcyL+M1wIkwIaIaXVtdjzJrSBOj9RQ6hos32DW5JYe1lRcXrW4T2ZjP4Ll3oDhMBnpcRweLcqjf9RrrQ3T3PQlH6uh1+wiQo0jhEoUc+k47uhnIi47vPCj2EUIpxeUFNu30pg2vBVDkkvtWdwa8kTySmmnzLQ5zWcsOcQWWWyEgkxPz1bGENSBiTl9Qlhf+gdISWA==,iv:ysPEvNvaxw8P0dYlLoBe7qZIdh5qmIusbuPK4a0lMxE=,tag:4X/eq6gX4h15JfKn+sEHdA==,type:str]
 TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
 NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -29,8 +29,8 @@ sops:
            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-13T20:36:20Z"
-    mac: ENC[AES256_GCM,data:HJ42m/78+Di88AkaekkxPeda344YZsZpM2sOrhqG4JrYkcArAAKaHtZqJH/K+iFfDLUgtKdSHNkjvTth2yaCmXSbu+Desid2FdE3LDa3eER5dzCYZ7RSfL8QJRA5BjtTn6+iC/D+UFrSfIS1bsz2Ycw/6uwCncI4PhE+6i0v9Wk=,iv:iAPGXHPdi9vm6b6TO8ZIoO1RjI3jyItcgXRR8H3GWUI=,tag:Hbu30qFb0mTTHZ7Q6qVbdw==,type:str]
+    lastmodified: "2026-05-14T13:39:26Z"
+    mac: ENC[AES256_GCM,data:g9z/gGOuAYs0DbH8YqAQJjtbLmjTv3+EnNTbrbF87kqpB5w/0fYfCAkhgFRYG2y7Ly1CK3F/b7TU6SKF+MB6Kv4tSF5+m/tez32EDG4jWCNAOLBjGftcRzLgWrUxtTLat6HelVSUt38O8hBHJqh3w57tqLk2rl/YEaevJP/ZZTw=,iv:OnkblA4PjwHKhN4boH+NfFU88hL9ADoSzkCLUPa8aUE=,tag:ruEvZXcPRGE2LA9AzOaF1g==,type:str]
    pgp:
        - created_at: "2026-05-05T23:46:27Z"
          enc: |-