more work on ldap bootstrapping

This commit is contained in:
eyjhb 2025-02-02 00:12:38 +01:00
parent 19cd1b3255
commit ae3c110e18
Signed by: eyjhb
GPG key ID: 609F508E3239F920
10 changed files with 362 additions and 11 deletions


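--- /dev/null
+++ b/PATH-NOT-IN-SOURCE
@@ -0,0 +1,148 @@
+{ config, lib, pkgs, ... }:
+let
+inherit (lib) types;
+cfg = config.mine.lldap_provision;
+# helpers
+_configFile = {
+user_attributes = lib.mapAttrsToList (n: v: v) cfg.user_attributes;
+group_attributes = lib.mapAttrsToList (n: v: v) cfg.group_attributes;
+users = lib.mapAttrsToList (n: v: v // {
+user_id = if v ? user_id then v.user_id else n;
+}) cfg.users;
+groups = lib.mapAttrsToList (n: v: v // {
+display_name = if v ? display_name then v.display_name else n;
+}) cfg.groups;
+};
+configFile = (pkgs.formats.json {}).generate "lldap-declarative.json" _configFile;
+# opts
+optsAttributes = { name, config, ... }: {
+options = {
+name = lib.mkOption {
+type = types.str;
+default = name;
+description = "The name of the attribute";
+};
+attributeType = lib.mkOption {
+type = types.enum [ "STRING" "INTEGER" "JPEG_PHOTO" "DATE_TIME" ];
+description = "Type of the attribute";
+};
+isList = lib.mkOption {
+type = types.bool;
+default = false;
+description = "Is this attribute a list (multiple values for this attribute)";
+};
+isEditable = lib.mkOption {
+type = types.bool;
+default = false;
+description = "Should the user be able to edit this value?";
+};
+isVisible = lib.mkOption {
+type = types.bool;
+default = false;
+description = "Should the user be able to see this value?";
+};
+};
+};
+in {
+options = {
+mine.lldap_provision = {
+enable = lib.mkEnableOption "LLDAP declarative setup";
+url = lib.mkOption {
+type = types.str;
+default = config.services.lldap.settings.http_url;
+description = "URL for the LLDAP instance";
+};
+username = lib.mkOption {
+type = types.str;
+description = "Username to use when signing into lldap";
+};
+passwordFile = lib.mkOption {
+type = types.path;
+description = "Path for the password file to authenticate the user";
+};
+group_attributes = lib.mkOption {
+type = types.attrsOf (types.submodule optsAttributes);
+default = {};
+};
+user_attributes = lib.mkOption {
+type = types.attrsOf (types.submodule optsAttributes);
+default = {};
+};
+users = lib.mkOption {
+type = types.attrsOf types.anything;
+default = {};
+example = {
+user1 = {
+password = "env:LLDAP_USER1_PASSWORD";
+mail = "something@something.dk";
+foo = "value for user attribute foo";
+bar = "value for user attribute bar";
+groups = [ "group1" "group2" ];
+};
+user2 = { user_id = "superuserawesome"; };
+};
+};
+groups = lib.mkOption {
+type = types.attrsOf types.anything;
+default = {};
+example = {
+base_member = {
+foo = "value for group attribute foo";
+bar = "value for group attribute bar";
+};
+system = {
+display_name = "system_service - override display_name";
+};
+testgroup = {};
+};
+};
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.services.lldapsetup = {
+description = "setup lldap declaratively";
+wantedBy = [ config.systemd.services.lldap.name "multi-user.target" ];
+after = [ config.systemd.services.lldap.name ];
+environment = {
+LLDAP_URL = cfg.url;
+LLDAP_USERNAME = cfg.username;
+LLDAP_PASSWORD = "file:${cfg.passwordFile}";
+};
+path = with pkgs; [
+lldap
+];
+script = let
+pythonEnv = pkgs.python3.withPackages(ps: with ps; [ gql aiohttp requests ]);
+pythonDir = pkgs.runCommand "lldap-bootstrap" {} ''
+mkdir -p $out/bootstrap
+cp -a ${./.}/. $out/bootstrap
+'';
+in ''
+cd ${pythonDir}
+${pythonEnv}/bin/python -m bootstrap.main ${configFile}
+'';
+};
+};
+}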
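Review bot: `passwordFile` is declared as `types.path` and interpolated into the unit environment as `LLDAP_PASSWORD = "file:${cfg.passwordFile}"`, so a path literal such as `./lldap-admin-password` assigned to the option is copied into the world-readable Nix store before the service runs; declare it as `type = types.str;` and extend the description, e.g. `description = "Path (as a string, not a store path) to a file holding the password used to authenticate the user";`. The same exposure applies to `users.<name>.password`, because `configFile` is generated with `pkgs.formats.json` into the store, so only indirect values like the `env:LLDAP_USER1_PASSWORD` form in the example are safe there and the option description should say so (`users` and `groups` currently have no description at all, nor do `group_attributes` and `user_attributes`). It is also not visible in this file what provides `LLDAP_USER1_PASSWORD` to the service, since `environment` defines only the three `LLDAP_*` variables and no `serviceConfig` (`EnvironmentFile`, `LoadCredential`, `User`/`DynamicUser`) is set, so the unit presumably runs as root with the env variable unset unless the Python bootstrap module resolves it another way; a comment next to `environment` stating where `env:` values are expected to come from would remove the guesswork.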