From 5d43079309ee95ca7ab56cea487717a604c5051d Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Sat, 10 Aug 2024 19:23:45 +0200
Subject: [PATCH] gerd.forgejo: will now automatically add/update ldap source from config
---
 machines/gerd/services/forgejo.nix | 74 ++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 23 deletions(-)
diff --git a/machines/gerd/services/forgejo.nix b/machines/gerd/services/forgejo.nix
index a5d4990..b8bec0e 100644
--- a/machines/gerd/services/forgejo.nix
+++ b/machines/gerd/services/forgejo.nix
@@ -1,6 +1,52 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
-{
+let
+ scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
+ #!/usr/bin/env sh
+ FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
+ FORGEJO_AUTH_LDAP_NAME="lldap"
+
+ # get lldap id if any
+ FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_LDAP_NAME" | cut -d$'\t' -f1)
+
+ ACTION=""
+ EXTRA_ARG=""
+ if [ -n "''${FORGEJO_AUTH_ID}" ]; then
+ echo "PRERUN-LDAP: Authentication source exists, updating..."
+ ACTION="update-ldap"
+ EXTRA_ARG="--id $FORGEJO_AUTH_ID"
+ else
+ echo "PRERUN-LDAP: Authentication source does not exists, adding..."
+ ACTION="add-ldap"
+ fi
+
+ BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
+
+ gitea \
+ --work-path /srv/forgejo/ \
+ admin auth "$ACTION" $EXTRA_ARG \
+ --name "$FORGEJO_AUTH_LDAP_NAME" \
+ --active \
+ --security-protocol unencrypted \
+ --skip-tls-verify \
+ --host localhost \
+ --port 3890 \
+ --bind-dn "uid=bind_user,ou=people,dc=fricloud,dc=dk" \
+ --bind-password "$BIND_USERPASS" \
+ --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
+ --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
+ --username-attribute uid \
+ --firstname-attribute givenName \
+ --surname-attribute sn \
+ --email-attribute mail \
+ --avatar-attribute jpegPhoto \
+ --synchronize-users \
+ --user-search-base 'ou=people,dc=fricloud,dc=dk' \
+
+ echo "PRERUN-LDAP: Finished adding/updating..."
+ '';
+
+in {
 services.forgejo = {
 enable = true;
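Review bot: A failure of the `gitea admin auth "$ACTION"` call in the new script is never surfaced: `pkgs.writeShellScript` does not enable errexit as far as I can tell, the `#!/usr/bin/env sh` line is not the script's first line (the wrapper prepends its own shebang) and so is inert, and the closing `echo "PRERUN-LDAP: Finished adding/updating..."` makes the script exit 0 regardless, so the service starts with the LDAP source missing or stale. That same call hardcodes `--work-path /srv/forgejo/` while the id lookup above it uses `"$FORGEJO_WORK_PATH"` (from `config.services.forgejo.stateDir`); if the two ever differ, the id is read from one instance and written to another. `grep "$FORGEJO_AUTH_LDAP_NAME"` is also a substring match over every column, so a second source whose name or type merely contains `lldap` yields several ids and a malformed `--id` argument. Separately, `--bind-password "$BIND_USERPASS"` places the bind secret in the process argument list, which other local users can read through `/proc` while the command runs (consider `ProtectProc=invisible` on the unit if the CLI offers no file- or env-based alternative), and `--skip-tls-verify` is a no-op next to `--security-protocol unencrypted` but would silently disable certificate validation if the protocol is later switched to LDAPS/StartTLS, so it is safer dropped. The excerpt below replaces the inert shebang with `set -euo pipefail`, matches the name as a whole tab-separated field (the existing `cut -d$'\t'` already assumes tab-separated output; confirm the column layout of `admin auth list`), and reuses `$FORGEJO_WORK_PATH` for the write.
```nix
  scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
    # abort the preStart (and so the unit) on any error instead of printing "Finished"
    set -euo pipefail
    FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
    FORGEJO_AUTH_LDAP_NAME="lldap"

    # match the name as a whole tab-separated field; prints nothing (exit 0) when absent
    FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list \
      | awk -F'\t' -v name="$FORGEJO_AUTH_LDAP_NAME" \
          '{ for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }')

    # … unchanged: ACTION / EXTRA_ARG selection and BIND_USERPASS …

    gitea \
      --work-path "$FORGEJO_WORK_PATH" \
      admin auth "$ACTION" $EXTRA_ARG \
    # … unchanged: --name through --user-search-base flags, closing echo and '' terminator …
```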
@@ -24,27 +70,9 @@
 };
 };
- # test = pkgs.writeScriptBin "test" ''
- # gitea \
- # --work-path /srv/forgejo/ \
- # admin auth add-ldap \
- # --name lldap \
- # --active \
- # --security-protocol unencrypted \
- # --skip-tls-verify \
- # --host localhost \
- # --port 3890 \
- # --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
- # --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
- # --username-attribute uid \
- # --firstname-attribute givenName \
- # --surname-attribute sn \
- # --email-attribute mail \
- # --avatar-attribute jpegPhoto \
- # --synchronize-users \
- # --user-search-base 'ou=people,dc=fricloud,dc=dk' \
- # '';
-
+ # add script to add/update ldap source (+ place credential into the service)
+ systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
+ systemd.services.forgejo.serviceConfig.LoadCredential = "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";
 # TODO(eyJhb): remove after our ban expires (and nginx config)
 # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z