gerd.forgejo: will now automatically add/update ldap source from config

2024-08-10 19:23:45 +02:00 · 2024-08-10 19:23:45 +02:00 · 5d43079309
commit 5d43079309
parent 17fb88a8b4
1 changed files with 51 additions and 23 deletions
--- a/machines/gerd/services/forgejo.nix
+++ b/machines/gerd/services/forgejo.nix
@ -1,6 +1,52 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

-{
+let
+  scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
+    #!/usr/bin/env sh
+    FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
+    FORGEJO_AUTH_LDAP_NAME="lldap"
+    
+    # get lldap id if any
+    FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_LDAP_NAME" | cut -d$'\t' -f1)
+    
+    ACTION=""
+    EXTRA_ARG=""
+    if [ -n "''${FORGEJO_AUTH_ID}" ]; then
+        echo "PRERUN-LDAP: Authentication source exists, updating..."
+        ACTION="update-ldap"
+        EXTRA_ARG="--id $FORGEJO_AUTH_ID"
+    else
+        echo "PRERUN-LDAP: Authentication source does not exists, adding..."
+        ACTION="add-ldap"
+    fi
+
+    BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
+    
+    gitea \
+      --work-path /srv/forgejo/ \
+      admin auth "$ACTION" $EXTRA_ARG \
+      --name "$FORGEJO_AUTH_LDAP_NAME" \
+      --active \
+      --security-protocol unencrypted \
+      --skip-tls-verify \
+      --host localhost \
+      --port 3890 \
+      --bind-dn "uid=bind_user,ou=people,dc=fricloud,dc=dk" \
+      --bind-password "$BIND_USERPASS" \
+      --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
+      --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
+      --username-attribute uid \
+      --firstname-attribute givenName  \
+      --surname-attribute sn \
+      --email-attribute mail \
+      --avatar-attribute jpegPhoto \
+      --synchronize-users \
+      --user-search-base 'ou=people,dc=fricloud,dc=dk' \
+
+    echo "PRERUN-LDAP: Finished adding/updating..."
+  '';
+
+in {
  services.forgejo = {
    enable = true;

@ -24,27 +70,9 @@
    };
  };

-  # test = pkgs.writeScriptBin "test" ''
-  #   gitea \
-  #     --work-path /srv/forgejo/ \
-  #     admin auth add-ldap \
-  #     --name lldap \
-  #     --active \
-  #     --security-protocol unencrypted \
-  #     --skip-tls-verify \
-  #     --host localhost \
-  #     --port 3890 \
-  #     --user-filter '(&(memberof=cn=user,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
-  #     --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
-  #     --username-attribute uid \
-  #     --firstname-attribute givenName  \
-  #     --surname-attribute sn \
-  #     --email-attribute mail \
-  #     --avatar-attribute jpegPhoto \
-  #     --synchronize-users \
-  #     --user-search-base 'ou=people,dc=fricloud,dc=dk' \
-  # '';
-
+  # add script to add/update ldap source (+ place credential into the service)
+  systemd.services.forgejo.preStart = lib.mkAfter (builtins.toString scriptAddLDAPAuth);
+  systemd.services.forgejo.serviceConfig.LoadCredential = "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}";

  # TODO(eyJhb): remove after our ban expires (and nginx config)
  # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z