Ldap WIP

2026-05-14 15:43:52 +02:00
parent 252373f956
commit 2e6c044b89
9 changed files with 70 additions and 9 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -9,6 +9,7 @@ let
      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
    } 
    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.hostDomain}";} else {})
+    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.hostDomain}";} else {})
    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";} else {});
  };
 in {
@@ -98,6 +99,7 @@ in {
      $AK apply_blueprint /blueprints/custom/traefik.yaml
      $AK apply_blueprint /blueprints/custom/ldap.yaml

+      ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}

--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -2,6 +2,8 @@
 let 
  version = "latest";
  serverCfg = config.syscfg.server;
+
+  LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
 in {
  sops = true;
  db = true;
@@ -115,6 +117,8 @@ in {

      $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true

+      touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
+      
      RUNNER_TOKEN=$($GT actions generate-runner-token)
      $GTR register \
        --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
@@ -124,6 +128,16 @@ in {
        --no-interactive


+      ${lib.optionalString (serverCfg.containers ? authentik) ''
+      # --port 636 
+      $GT admin add_ldap --id 1 --name Authentik --host "authentik-ldap" --port 3389 --security-protocol "unencrypted" \
+          --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $LDAP_PASSWORD \
+          --user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \
+          --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
+          --synchronize-users
+      ''}
+
+
      echo "Completed Gitea Setup"
      '';
  };
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -9,7 +9,7 @@ let
      "jellyfin:x:1000:"
    ];
  };
-  image = pkgs.dockerTools.buildImage{#pkgs.dockerTools.streamLayeredImage { # 
+  image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
    name = pkgs.jellyfin.name;
    tag = pkgs.jellyfin.version;  
    contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
@@ -48,8 +48,7 @@ in {
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
-      #imageStream = image;
-      imageFile = image;
+      imageStream = image;
      port = 8096;
      extraEnv = {
        HOME = "/config/data";
@@ -147,6 +146,14 @@ in {
        echo "ERROR: LDAP Plugin Setup Failed."
        exit 1
      fi
+
+      if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
+          -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+          -H "Content-Length: 0"; then
+        echo "ERROR: Server failed to accept restart command."
+        exit 1
+      fi
+
      echo "Completed Setup"

    '';
--- a/modules/server/containers/data/authentik/gitea.yaml
+++ b/modules/server/containers/data/authentik/gitea.yaml
@@ -0,0 +1,13 @@
+version: 1
+metadata:
+  name: gitea-ldap-setup
+entries:
+  - model: authentik_core.application
+    id: gitea-app
+    identifiers:
+      slug: gitea
+    attrs:
+      name: Gitea
+      provider:
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      launch_url: "@GITEA_DOMAIN@"
--- a/modules/server/containers/data/authentik/jellyfin.yaml
+++ b/modules/server/containers/data/authentik/jellyfin.yaml
@@ -10,6 +10,4 @@ entries:
      name: Jellyfin
      provider:
        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
-      open_in_new_tab: false
      launch_url: "@JELLYFIN_DOMAIN@"
-    state: present
--- a/modules/server/containers/data/authentik/ldap.yaml
+++ b/modules/server/containers/data/authentik/ldap.yaml
@@ -32,3 +32,30 @@ entries:
        !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
      config:
        log_level: info
+
+  - model: authentik_core.user
+    state: present
+    identifiers:
+      username: "ldap-service"
+    attrs:
+      name: "LDAP Bind Service Account"
+      is_active: true
+      password: !Env DEFAULT_LDAP_PASSWORD
+      attributes:
+        ak_recovery_immutable: true
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "LDAP Bind Service Account Group"
+    attrs:
+      users:
+        - !Find [authentik_core.user, [username, ldap-service]]
+
+  - model: authentik_policies.policybinding
+    state: present
+    identifiers:
+      target:
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+      permission: "authentik_providers_ldap.search_full_directory"
+      user: !Find [authentik_core.user, [username, ldap-service]]
--- a/modules/server/containers/data/authentik/nextcloud.yaml
+++ b/modules/server/containers/data/authentik/nextcloud.yaml
@@ -85,5 +85,4 @@ entries:
      name: Nextcloud
      provider:
        !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
-      group: "Cloud Services"
      launch_url: "@NEXTCLOUD_DOMAIN@"