diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix
index 291e327..1c22c97 100644
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@@ -47,7 +47,15 @@ in {
 base_dn = config.mine.shared.settings.ldap.dc;
 additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
 additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";
- users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
+ users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+ llib.mkAnd [
+ (llib.mkOC lconfig.oc.person)
+ (llib.mkOr [
+ (llib.mkSearch "{username_attribute}" "{input}")
+ (llib.mkSearch "{mail_attribute}" "{input}")
+ ])
+ ]
+ );
 groups_filter = "(member={dn})";
diff --git a/machines/gerd/services/forgejo/auth_sources.nix b/machines/gerd/services/forgejo/auth_sources.nix
index 5c69bec..9ea6fcc 100644
--- a/machines/gerd/services/forgejo/auth_sources.nix
+++ b/machines/gerd/services/forgejo/auth_sources.nix
@@ -34,8 +34,8 @@ let
 --port ${builtins.toString config.mine.shared.settings.ldap.port} \
 --bind-dn "${config.mine.shared.settings.ldap.bind_dn}" \
 --bind-password "$BIND_USERPASS" \
- --user-filter '(&${config.mine.shared.settings.ldap.user_filter}(|(${config.mine.shared.settings.ldap.attr.uid}=%[1]s)(${config.mine.shared.settings.ldap.attr.email}=%[1]s)))' \
- --admin-filter '${config.mine.shared.settings.ldap.admin_filter}' \
+ --user-filter '${config.mine.shared.settings.ldap.user_filter "%[1]s"}' \
+ --admin-filter '${config.mine.shared.lib.ldap.mkScope (lconfig: llib: llib.mkGroup lconfig.groups.admin)}' \
 --username-attribute ${config.mine.shared.settings.ldap.attr.uid} \
 --firstname-attribute ${config.mine.shared.settings.ldap.attr.firstname} \
 --surname-attribute ${config.mine.shared.settings.ldap.attr.lastname} \
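Review bot: Authelia's `users_filter` is the only consumer touched by this commit that does not include `(llib.mkGroup lconfig.groups.member)` in its `mkAnd` list; Forgejo, HedgeDoc and Nextcloud all gate on that group, so here every `person` entry matching the username or mail attribute is eligible to log in. If that is deliberate (Authelia's own access-control rules doing the gating, say), a one-line comment above the filter such as `# no group gate here on purpose: authorisation is done by Authelia's access_control rules` would stop the next reader from "fixing" it; otherwise adding the `mkGroup` term brings it in line with the others. `mkOC` also emits `objectclass` where the old literal had `objectClass`, which is harmless since LDAP attribute descriptions are case-insensitive. The enclosing attribute set continues outside the hunk.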
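Review bot: The new `--admin-filter` value carries no enclosing parentheses: `mkScope` hands back `llib.mkGroup`'s raw `memberof=cn=...` string and, unlike `mkFilter`, never wraps it, whereas the removed `admin_filter` was `(memberof=...)` and the new `--user-filter` on the line above does go through `mkFilter` and comes out wrapped. If Forgejo passes this string to an LDAP filter parser unchanged it will presumably be rejected as malformed and no account would pass the admin check; even if it is tolerated, two filters on adjacent lines now differ in shape. The smallest fix is to wrap it in the script, `--admin-filter '(${config.mine.shared.lib.ldap.mkScope (lconfig: llib: llib.mkGroup lconfig.groups.admin)})' \`, or to build it with `mkFilter` and a single-element `mkAnd` like every other filter in this commit. The shell script continues outside the hunk.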
diff --git a/machines/gerd/services/hedgedoc.nix b/machines/gerd/services/hedgedoc.nix
index 59dda07..594cb1d 100644
--- a/machines/gerd/services/hedgedoc.nix
+++ b/machines/gerd/services/hedgedoc.nix
@@ -28,12 +28,14 @@ in {
 # setup ldap
 # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
- ldap = {
- url = config.mine.shared.settings.ldap.url;
- bindDn = config.mine.shared.settings.ldap.bind_dn;
- searchBase = config.mine.shared.settings.ldap.search_base;
- searchFilter = "(&${config.mine.shared.settings.ldap.user_filter}(|(${config.mine.shared.settings.ldap.attr.uid}={{username}})(${config.mine.shared.settings.ldap.attr.email}={{username}})))";
- useridField = config.mine.shared.settings.ldap.attr.uid;
+ ldap = let
+ lconfig = config.mine.shared.settings.ldap;
+ in {
+ url = lconfig.url;
+ bindDn = lconfig.bind_dn;
+ searchBase = lconfig.search_base;
+ searchFilter = lconfig.user_filter "{{username}}";
+ useridField = lconfig.attr.uid;
 };
 };
 };
diff --git a/machines/gerd/services/lldap.nix b/machines/gerd/services/lldap.nix
index 737e461..c5a005f 100644
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
 svc_domain = "ldap.${config.mine.shared.settings.domain}";
@@ -56,8 +56,20 @@ in {
 dc = "dc=${config.mine.shared.settings.domain_sld},dc=${config.mine.shared.settings.domain_tld}";
 bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
 search_base = "ou=${ou.users},${dc}";
- user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
- admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";
+ user_filter = ph: let
+ attrs = [ attr.uid attr.email ];
+ in config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+ llib.mkAnd [
+ (llib.mkGroup lconfig.groups.member)
+ (llib.mkOr (lib.forEach attrs (v: llib.mkSearch v ph)))
+ ]
+ );
+
+ oc = {
+ person = "person";
+ mailAccount = "mailAccount";
+ groupOfUniqueNames = "groupOfUniqueNames";
+ };
 users = {
 admin = "admin";
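Review bot: `user_filter` changes from a string to a function of `ph`, which breaks any consumer that still interpolates it as `${...user_filter}`; the three consumers in this commit are updated, and any other would now fail at evaluation time rather than silently, but the function deserves a comment saying what the argument is, e.g. `# ph: the consuming application's login-name placeholder (e.g. "%[1]s", "{{username}}"); substitution and escaping of the user-supplied value are left to that application, this filter does none`. `lib.forEach attrs (v: llib.mkSearch v ph)` reads more plainly as `map (v: llib.mkSearch v ph) attrs`. `admin_filter` is dropped here while Forgejo rebuilds it inline in auth_sources.nix; keeping an `admin_filter` next to `user_filter` would have kept the group-to-role mapping in one file. The `oc.mailAccount` entry is not referenced anywhere in this commit. The enclosing `let` set continues outside the hunk.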
@@ -86,6 +98,33 @@ in {
 age_secret = config.age.secrets.lldap-bind-user-pass.path;
 };
+ mine.shared.lib.ldap = rec {
+ mkGroup = group_name: "memberof=cn=${group_name},ou=${config.mine.shared.settings.ldap.ou.groups},${config.mine.shared.settings.ldap.dc}";
+ mkOC = object_class_name: "objectclass=${object_class_name}";
+ mkSearch = attribute: ph: "${attribute}=${ph}";
+
+ mkFilterAdvanced = expr: let
+ isExpr = value: if value ? type then true else false;
+
+ __mkExpr = value: if isExpr value then mkFilterAdvanced value else "(${value})";
+ _mkExpr = op: value: "(${op}" + (builtins.concatStringsSep "" (lib.forEach value (v: __mkExpr v))) + ")";
+ mkExpr = expr: assert isExpr expr; if expr.type == "and" then _mkExpr "&" expr.values else _mkExpr "|" expr.values;
+ in mkExpr expr;
+
+ mkAndOr = andExprs: orExprs: mkFilterAdvanced {
+ type = "and";
+ values = andExprs ++ [
+ { type = "or"; values = orExprs; }
+ ];
+ };
+
+ mkFilter = t: mkFilterAdvanced (t config.mine.shared.settings.ldap config.mine.shared.lib.ldap);
+ mkScope = t: t config.mine.shared.settings.ldap config.mine.shared.lib.ldap;
+
+ mkAnd = v: { type = "and"; values = v; };
+ mkOr = v: { type = "or"; values = v; };
+ };
+
 mine.shared.meta.lldap = {
 name = "LDAP";
 description = "We host our own LDAP server, you can use it to change your displayname, name, password, etc.";
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index bf21d03..9dcda64 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
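Review bot: `mkExpr` treats every `type` other than `"and"` as `"or"`, so a misspelt type (or a third kind added later) silently turns a conjunctive access filter into a disjunctive one and widens who matches; it should accept exactly `"and"` and `"or"` and `throw` on anything else, so a mistake fails the build instead of loosening authorisation. In the same fail-closed spirit `_mkExpr` should refuse an empty operand list, since `(&)` is the always-true filter (RFC 4526) and `mkAnd []` would therefore match every entry. `isExpr` can simply be `value ? type`, and a short header comment on `mkFilterAdvanced` stating that leaves are emitted verbatim inside parentheses with no escaping would help callers. The missing parentheses around `mkScope`'s raw `mkGroup` output are raised on the auth_sources.nix hunk.
```nix
mkFilterAdvanced = expr: let
  isExpr = value: value ? type;

  __mkExpr = value: if isExpr value then mkFilterAdvanced value else "(${value})";
  # Refuse an empty operand list: "(&)" is the always-true filter (RFC 4526).
  _mkExpr = op: value: assert value != []; "(${op}" + (builtins.concatStringsSep "" (lib.forEach value (v: __mkExpr v))) + ")";
  # Fail closed on an unknown type rather than silently producing an OR.
  mkExpr = expr: assert isExpr expr;
    if expr.type == "and" then _mkExpr "&" expr.values
    else if expr.type == "or" then _mkExpr "|" expr.values
    else throw "mkFilterAdvanced: unknown expression type '${toString expr.type}'";
in mkExpr expr;
# … unchanged: mkAndOr, mkFilter, mkScope, mkAnd, mkOr …
```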
@@ -26,20 +26,34 @@ let
 ldapHost = "localhost";
 ldapPort = 3890;
 ldapAgentName = config.mine.shared.settings.ldap.bind_dn;
- # ldapAgentPassword = "n$dYTi7@!3v#sTbF2AV7mW7szS2Z$oFV";
+ # ldapAgentPassword = "";
- # EDIT: Base DN
 ldapBase = config.mine.shared.settings.ldap.dc;
 ldapBaseUsers = config.mine.shared.settings.ldap.dc;
 ldapBaseGroups = config.mine.shared.settings.ldap.dc;
- ldapLoginFilter = "(&(objectclass=person)(${config.mine.shared.settings.ldap.attr.uid}=%uid))";
-
+ ldapLoginFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+ llib.mkAnd [
+ (llib.mkOC lconfig.oc.person)
+ (llib.mkSearch lconfig.attr.uid "%uid")
+ ]
+ );
+
 # EDIT: nextcloud_users group, contains the users who can login to Nextcloud
- ldapUserFilter = "(&(objectclass=person)${config.mine.shared.settings.ldap.user_filter})";
- ldapUserFilterObjectclass = "person";
- ldapGroupFilter = "(&(objectclass=groupOfUniqueNames)(|(cn=${config.mine.shared.settings.ldap.groups.admin})(cn=${config.mine.shared.settings.ldap.groups.member})))";
+ ldapUserFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+ llib.mkAnd [
+ (llib.mkOC lconfig.oc.person)
+ (llib.mkGroup lconfig.groups.member)
+ ]
+ );
+ ldapUserFilterObjectclass = config.mine.shared.settings.ldap.oc.person;
+ ldapGroupFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+ llib.mkAnd [
+ (llib.mkOC lconfig.oc.groupOfUniqueNames)
+ (llib.mkOr [ "cn=${lconfig.groups.admin}" "cn=${lconfig.groups.member}"])
+ ]
+ );
 ldapGroupFilterGroups = "admin;user";
- ldapGroupFilterObjectclass = "groupOfUniqueNames";
+ ldapGroupFilterObjectclass = config.mine.shared.settings.ldap.oc.groupOfUniqueNames;
 ldapGroupMemberAssocAttr = "uniqueMember";
 ldapEmailAttribute = config.mine.shared.settings.ldap.attr.email;
 ldapUserFilterMode = 1;
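Review bot: The removed commented-out `ldapAgentPassword` line carried a literal that looks like a real bind password; replacing it with `""` scrubs the working tree but not the repository history, so if that value was ever live for the bind account it should be treated as disclosed and rotated, and the line is better deleted outright than kept as an empty placeholder (the lldap side already reads the bind password from an age secret, which suggests the live one is managed there). Separately, `ldapGroupFilter` now takes its group names from `lconfig.groups` while `ldapGroupFilterGroups = "admin;user"` on the next line stays a literal; if `groups.member` is not `"user"` the two disagree, so `"${config.mine.shared.settings.ldap.groups.admin};${config.mine.shared.settings.ldap.groups.member}"` would keep them in step. The bare `"cn=${...}"` strings inside `mkOr` could use `llib.mkSearch "cn" lconfig.groups.admin` like the other filters so every leaf goes through the same helper.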