sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Ldap WIP

Browse Source
This commit is contained in:
soraefir
2026-05-14 15:43:52 +02:00
parent 252373f956
commit 2e6c044b89
9 changed files with 70 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
modules/server/containers/apps/authentik.nix
View File

@@ -9,6 +9,7 @@ let
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain)); AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
} }
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.hostDomain}";} else {}) // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.hostDomain}";} else {})
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.hostDomain}";} else {})
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";} else {}); // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";} else {});
}; };
in { in {
@@ -98,6 +99,7 @@ in {
$AK apply_blueprint /blueprints/custom/traefik.yaml $AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml $AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''} ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}

14
modules/server/containers/apps/gitea.nix
View File

@@ -2,6 +2,8 @@
let let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
in { in {
sops = true; sops = true;
db = true; db = true;
@@ -115,6 +117,8 @@ in {
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true $GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
touch ${serverCfg.dataPath}/gitea/data-runner/config.yml
RUNNER_TOKEN=$($GT actions generate-runner-token) RUNNER_TOKEN=$($GT actions generate-runner-token)
$GTR register \ $GTR register \
--instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \ --instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
@@ -124,6 +128,16 @@ in {
--no-interactive --no-interactive
${lib.optionalString (serverCfg.containers ? authentik) ''
# --port 636
$GT admin add_ldap --id 1 --name Authentik --host "authentik-ldap" --port 3389 --security-protocol "unencrypted" \
--bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $LDAP_PASSWORD \
--user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \
--username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
--synchronize-users
''}
echo "Completed Gitea Setup" echo "Completed Gitea Setup"
''; '';
}; };

13
modules/server/containers/apps/jellyfin.nix
View File

@@ -9,7 +9,7 @@ let
"jellyfin:x:1000:" "jellyfin:x:1000:"
]; ];
}; };
image = pkgs.dockerTools.buildImage{#pkgs.dockerTools.streamLayeredImage { # image = pkgs.dockerTools.streamLayeredImage { # pkgs.dockerTools.buildImage{#
name = pkgs.jellyfin.name; name = pkgs.jellyfin.name;
tag = pkgs.jellyfin.version; tag = pkgs.jellyfin.version;
contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ]; contents = [ pkgs.cacert nss pkgs.jellyfin pkgs.bashInteractive ];
@@ -48,8 +48,7 @@ in {
containers = { containers = {
server = builder.mkContainer { server = builder.mkContainer {
subdomain = containerCfg.subdomain; subdomain = containerCfg.subdomain;
#imageStream = image; imageStream = image;
imageFile = image;
port = 8096; port = 8096;
extraEnv = { extraEnv = {
HOME = "/config/data"; HOME = "/config/data";
@@ -147,6 +146,14 @@ in {
echo "ERROR: LDAP Plugin Setup Failed." echo "ERROR: LDAP Plugin Setup Failed."
exit 1 exit 1
fi fi
if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/System/Restart" \
-H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
-H "Content-Length: 0"; then
echo "ERROR: Server failed to accept restart command."
exit 1
fi
echo "Completed Setup" echo "Completed Setup"
''; '';

13
modules/server/containers/data/authentik/gitea.yaml Normal file
View File

@@ -0,0 +1,13 @@
version: 1
metadata:
name: gitea-ldap-setup
entries:
- model: authentik_core.application
id: gitea-app
identifiers:
slug: gitea
attrs:
name: Gitea
provider:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
launch_url: "@GITEA_DOMAIN@"

2
modules/server/containers/data/authentik/jellyfin.yaml
View File

@@ -10,6 +10,4 @@ entries:
name: Jellyfin name: Jellyfin
provider: provider:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]] !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
open_in_new_tab: false
launch_url: "@JELLYFIN_DOMAIN@" launch_url: "@JELLYFIN_DOMAIN@"
state: present

27
modules/server/containers/data/authentik/ldap.yaml
View File

@@ -32,3 +32,30 @@ entries:
!Find [authentik_core.token, [identifier, ldap-outpost-static-token]] !Find [authentik_core.token, [identifier, ldap-outpost-static-token]]
config: config:
log_level: info log_level: info
- model: authentik_core.user
state: present
identifiers:
username: "ldap-service"
attrs:
name: "LDAP Bind Service Account"
is_active: true
password: !Env DEFAULT_LDAP_PASSWORD
attributes:
ak_recovery_immutable: true
- model: authentik_core.group
state: present
identifiers:
name: "LDAP Bind Service Account Group"
attrs:
users:
- !Find [authentik_core.user, [username, ldap-service]]
- model: authentik_policies.policybinding
state: present
identifiers:
target:
!Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
permission: "authentik_providers_ldap.search_full_directory"
user: !Find [authentik_core.user, [username, ldap-service]]

1
modules/server/containers/data/authentik/nextcloud.yaml
View File

@@ -85,5 +85,4 @@ entries:
name: Nextcloud name: Nextcloud
provider: provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]] !Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
group: "Cloud Services"
launch_url: "@NEXTCLOUD_DOMAIN@" launch_url: "@NEXTCLOUD_DOMAIN@"

1
modules/server/sops/example.server.yaml
View File

@@ -2,6 +2,7 @@ CUSTOM: |
DEFAULT_ADMIN_USERNAME=... DEFAULT_ADMIN_USERNAME=...
DEFAULT_ADMIN_PASSWORD=... DEFAULT_ADMIN_PASSWORD=...
DEFAULT_ADMIN_EMAIL=... DEFAULT_ADMIN_EMAIL=...
DEFAULT_LDAP_PASSWORD=...
TRAEFIK: | TRAEFIK: |
INFOMANIAK_ACCESS_TOKEN=... INFOMANIAK_ACCESS_TOKEN=...
AUTHENTIK: | AUTHENTIK: |

6
modules/server/sops/server.yaml
View File

@@ -1,4 +1,4 @@
CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str] CUSTOM: ENC[AES256_GCM,data:TXsMI69UrctXA8jnv/qHVm8ljt6APlVZ0iLe7v3gZsojxlu4BG78vXxbR+oZVcOkp3qvI5e1M1EVNwcyL+M1wIkwIaIaXVtdjzJrSBOj9RQ6hos32DW5JYe1lRcXrW4T2ZjP4Ll3oDhMBnpcRweLcqjf9RrrQ3T3PQlH6uh1+wiQo0jhEoUc+k47uhnIi47vPCj2EUIpxeUFNu30pg2vBVDkkvtWdwa8kTySmmnzLQ5zWcsOcQWWWyEgkxPz1bGENSBiTl9Qlhf+gdISWA==,iv:ysPEvNvaxw8P0dYlLoBe7qZIdh5qmIusbuPK4a0lMxE=,tag:4X/eq6gX4h15JfKn+sEHdA==,type:str]
TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str] NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -29,8 +29,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-13T20:36:20Z" lastmodified: "2026-05-14T13:39:26Z"
mac: ENC[AES256_GCM,data:HJ42m/78+Di88AkaekkxPeda344YZsZpM2sOrhqG4JrYkcArAAKaHtZqJH/K+iFfDLUgtKdSHNkjvTth2yaCmXSbu+Desid2FdE3LDa3eER5dzCYZ7RSfL8QJRA5BjtTn6+iC/D+UFrSfIS1bsz2Ycw/6uwCncI4PhE+6i0v9Wk=,iv:iAPGXHPdi9vm6b6TO8ZIoO1RjI3jyItcgXRR8H3GWUI=,tag:Hbu30qFb0mTTHZ7Q6qVbdw==,type:str] mac: ENC[AES256_GCM,data:g9z/gGOuAYs0DbH8YqAQJjtbLmjTv3+EnNTbrbF87kqpB5w/0fYfCAkhgFRYG2y7Ly1CK3F/b7TU6SKF+MB6Kv4tSF5+m/tez32EDG4jWCNAOLBjGftcRzLgWrUxtTLat6HelVSUt38O8hBHJqh3w57tqLk2rl/YEaevJP/ZZTw=,iv:OnkblA4PjwHKhN4boH+NfFU88hL9ADoSzkCLUPa8aUE=,tag:ruEvZXcPRGE2LA9AzOaF1g==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-