fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

gerd.forgejo: will now automatically add/update ldap source from config

Browse source
This commit is contained in:
eyjhb 2024-08-10 19:23:45 +02:00
parent 17fb88a8b4
commit 5d43079309
No known key found for this signature in database
GPG key ID: 609F508E3239F920
1 changed files with 51 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
machines/gerd/services/forgejo.nix
View file

@ -1,6 +1,52 @@
{ config, ... }: { config, lib, pkgs, ... }:
{ let
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
#!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_LDAP_NAME="lldap"
# get lldap id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_LDAP_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-LDAP: Authentication source exists, updating..."
ACTION="update-ldap"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-LDAP: Authentication source does not exists, adding..."
ACTION="add-ldap"
fi
BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
gitea \
--work-path /srv/forgejo/ \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_LDAP_NAME" \
--active \
--security-protocol unencrypted \
--skip-tls-verify \
--host localhost \
--port 3890 \
--bind-dn "uid=bind_user,ou=people,dc=fricloud,dc=dk" \
--bind-password "$BIND_USERPASS" \
--user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
--admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
--username-attribute uid \
--firstname-attribute givenName \
--surname-attribute sn \
--email-attribute mail \
--avatar-attribute jpegPhoto \
--synchronize-users \
--user-search-base 'ou=people,dc=fricloud,dc=dk' \
echo "PRERUN-LDAP: Finished adding/updating..."
'';
in {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
@ -24,27 +70,9 @@
}; };
}; };
# test = pkgs.writeScriptBin "test" '' # add script to add/update ldap source (+ place credential into the service)
# gitea \ systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
# --work-path /srv/forgejo/ \ systemd.services.forgejo.serviceConfig.LoadCredential = "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";
# admin auth add-ldap \
# --name lldap \
# --active \
# --security-protocol unencrypted \
# --skip-tls-verify \
# --host localhost \
# --port 3890 \
# --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
# --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
# --username-attribute uid \
# --firstname-attribute givenName \
# --surname-attribute sn \
# --email-attribute mail \
# --avatar-attribute jpegPhoto \
# --synchronize-users \
# --user-search-base 'ou=people,dc=fricloud,dc=dk' \
# '';
# TODO(eyJhb): remove after our ban expires (and nginx config) # TODO(eyJhb): remove after our ban expires (and nginx config)
# already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z