ldap: made ldap library, changed methods around, etc. etc.

just read it and feel cursed.

machines/gerd/services/authelia/authelia.nix

@@ -47,7 +47,15 @@ in {
           base_dn = config.mine.shared.settings.ldap.dc;
           additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
           additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";
-          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
+          users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+            llib.mkAnd [
+              (llib.mkOC lconfig.oc.person)
+              (llib.mkOr [
+                (llib.mkSearch "{username_attribute}" "{input}")
+                (llib.mkSearch "{mail_attribute}" "{input}")
+              ])
+            ]
+          );
           groups_filter = "(member={dn})";
 
 

machines/gerd/services/forgejo/auth_sources.nix

@@ -34,8 +34,8 @@ let
       --port ${builtins.toString config.mine.shared.settings.ldap.port} \
       --bind-dn "${config.mine.shared.settings.ldap.bind_dn}" \
       --bind-password "$BIND_USERPASS" \
-      --user-filter '(&${config.mine.shared.settings.ldap.user_filter}(|(${config.mine.shared.settings.ldap.attr.uid}=%[1]s)(${config.mine.shared.settings.ldap.attr.email}=%[1]s)))' \
+      --user-filter '${config.mine.shared.settings.ldap.user_filter "%[1]s"}' \
-      --admin-filter '${config.mine.shared.settings.ldap.admin_filter}' \
+      --admin-filter '${config.mine.shared.lib.ldap.mkScope (lconfig: llib: llib.mkGroup lconfig.groups.admin)}' \
       --username-attribute ${config.mine.shared.settings.ldap.attr.uid} \
       --firstname-attribute ${config.mine.shared.settings.ldap.attr.firstname}  \
       --surname-attribute ${config.mine.shared.settings.ldap.attr.lastname} \

machines/gerd/services/hedgedoc.nix

@@ -28,12 +28,14 @@ in {
 
       # setup ldap
       # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
-      ldap = {
+      ldap = let
-        url = config.mine.shared.settings.ldap.url;
+        lconfig = config.mine.shared.settings.ldap;
-        bindDn = config.mine.shared.settings.ldap.bind_dn;
+      in {
-        searchBase = config.mine.shared.settings.ldap.search_base;
+        url = lconfig.url;
-        searchFilter = "(&${config.mine.shared.settings.ldap.user_filter}(|(${config.mine.shared.settings.ldap.attr.uid}={{username}})(${config.mine.shared.settings.ldap.attr.email}={{username}})))";
+        bindDn = lconfig.bind_dn;
-        useridField = config.mine.shared.settings.ldap.attr.uid;
+        searchBase = lconfig.search_base;
+        searchFilter = lconfig.user_filter "{{username}}";
+        useridField = lconfig.attr.uid;
       };
     };
   };

machines/gerd/services/lldap.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 
 let
   svc_domain = "ldap.${config.mine.shared.settings.domain}";
@@ -56,8 +56,20 @@ in {
     dc = "dc=${config.mine.shared.settings.domain_sld},dc=${config.mine.shared.settings.domain_tld}";
     bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
     search_base = "ou=${ou.users},${dc}";
-    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
+    user_filter = ph: let
-    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";
+      attrs = [ attr.uid attr.email ];
+    in config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+      llib.mkAnd [
+        (llib.mkGroup lconfig.groups.member)
+        (llib.mkOr (lib.forEach attrs (v: llib.mkSearch v ph)))
+      ]
+    );
+
+    oc = {
+      person = "person";
+      mailAccount = "mailAccount";
+      groupOfUniqueNames = "groupOfUniqueNames";
+    };
 
     users = {
       admin = "admin";
@@ -86,6 +98,33 @@ in {
     age_secret = config.age.secrets.lldap-bind-user-pass.path;
   };
 
+  mine.shared.lib.ldap = rec {
+    mkGroup = group_name: "memberof=cn=${group_name},ou=${config.mine.shared.settings.ldap.ou.groups},${config.mine.shared.settings.ldap.dc}";
+    mkOC = object_class_name: "objectclass=${object_class_name}";
+    mkSearch = attribute: ph: "${attribute}=${ph}";
+
+    mkFilterAdvanced = expr: let
+      isExpr = value: if value ? type then true else false;
+
+      __mkExpr = value: if isExpr value then mkFilterAdvanced value else "(${value})";
+      _mkExpr = op: value: "(${op}" + (builtins.concatStringsSep "" (lib.forEach value (v: __mkExpr v))) + ")";
+      mkExpr = expr: assert isExpr expr; if expr.type == "and" then _mkExpr "&" expr.values else _mkExpr "|" expr.values;
+    in mkExpr expr;
+
+    mkAndOr = andExprs: orExprs: mkFilterAdvanced {
+      type = "and";
+      values = andExprs ++ [
+        { type = "or"; values = orExprs; }
+      ];
+    };
+
+    mkFilter = t: mkFilterAdvanced (t config.mine.shared.settings.ldap config.mine.shared.lib.ldap);
+    mkScope = t: t config.mine.shared.settings.ldap config.mine.shared.lib.ldap;
+
+    mkAnd = v: { type = "and"; values = v; };
+    mkOr = v: { type = "or"; values = v; };
+  };
+
   mine.shared.meta.lldap = {
     name = "LDAP";
     description = "We host our own LDAP server, you can use it to change your displayname, name, password, etc.";

machines/gerd/services/nextcloud.nix

@@ -26,20 +26,34 @@ let
       ldapHost = "localhost";
       ldapPort = 3890;
       ldapAgentName = config.mine.shared.settings.ldap.bind_dn;
-      # ldapAgentPassword = "n$dYTi7@!3v#sTbF2AV7mW7szS2Z$oFV";
+      # ldapAgentPassword = "<insert-from-secret-env>";
 
-      # EDIT: Base DN
       ldapBase = config.mine.shared.settings.ldap.dc;
       ldapBaseUsers = config.mine.shared.settings.ldap.dc;
       ldapBaseGroups = config.mine.shared.settings.ldap.dc;
-      ldapLoginFilter = "(&(objectclass=person)(${config.mine.shared.settings.ldap.attr.uid}=%uid))";
+      ldapLoginFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+        llib.mkAnd [
+          (llib.mkOC lconfig.oc.person)
+          (llib.mkSearch lconfig.attr.uid "%uid")
+        ]
+      );
 
       # EDIT: nextcloud_users group, contains the users who can login to Nextcloud
-      ldapUserFilter = "(&(objectclass=person)${config.mine.shared.settings.ldap.user_filter})";
+      ldapUserFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
-      ldapUserFilterObjectclass = "person";
+        llib.mkAnd [
-      ldapGroupFilter = "(&(objectclass=groupOfUniqueNames)(|(cn=${config.mine.shared.settings.ldap.groups.admin})(cn=${config.mine.shared.settings.ldap.groups.member})))";
+          (llib.mkOC lconfig.oc.person)
+          (llib.mkGroup lconfig.groups.member)
+        ]
+      );
+      ldapUserFilterObjectclass = config.mine.shared.settings.ldap.oc.person;
+      ldapGroupFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
+        llib.mkAnd [
+          (llib.mkOC lconfig.oc.groupOfUniqueNames)
+          (llib.mkOr [ "cn=${lconfig.groups.admin}" "cn=${lconfig.groups.member}"])
+        ]
+      );
       ldapGroupFilterGroups = "admin;user";
-      ldapGroupFilterObjectclass = "groupOfUniqueNames";
+      ldapGroupFilterObjectclass = config.mine.shared.settings.ldap.oc.groupOfUniqueNames;
       ldapGroupMemberAssocAttr = "uniqueMember";
       ldapEmailAttribute = config.mine.shared.settings.ldap.attr.email;
       ldapUserFilterMode = 1;