more work on ldap bootstrapping

2025-02-02 00:12:38 +01:00 · 2025-02-02 00:12:38 +01:00 · ae3c110e18
commit ae3c110e18
parent 19cd1b3255
10 changed files with 362 additions and 11 deletions
--- a/machines/gerd/services/lldap/test.nix
+++ b/machines/gerd/services/lldap/test.nix
@ -0,0 +1,98 @@
+{ config, lib, ... }:
+
+let
+  mkEmail = name: "${name}@${config.mine.shared.settings.domain}";
+
+  mkUserNormal = name: {
+    user_id = name;
+    member_email = mkEmail name;
+    mail = "env:EMAIL_${lib.toUpper name}";
+    groups = [ "base_member" ];
+    mail_disk_quota = 100*1024*1024; # mb
+  };
+
+  mkUserSystem = name: password_file: {
+    user_id = name;
+    member_email = mkEmail name;
+    password = "file:${password_file}";
+    # TODO: remove base_member in the future, or have
+    # more granular controls for emails and shit
+    groups = [ "base_member" "system_service" ];
+    mail_disk_quota = 10*1024*1024; # mb
+  };
+
+  mkUserAdmin = name: {
+    user_id = name;
+    member_email = mkEmail name;
+    groups = [ "base_member" "lldap_admin" ];
+    mail_disk_quota = 100*1024*1024; # mb
+  };
+in {
+  imports = [
+    ./bootstrap/lldap-state-module.nix
+  ];
+
+  mine.lldap_provision = {
+    enable = true;
+
+    url = config.mine.shared.meta.lldap.url;
+    username = "admin";
+    passwordFile = config.age.secrets.lldap-admin-user-pass.path;
+    # username = "testusername";
+    # passwordFile = ./test.txt;
+
+    group_attributes = {
+      group_foo = {
+        attributeType = "STRING";
+        isEditable = true;
+        isVisible = true;
+      };
+    };
+    user_attributes = {
+      member_email = {
+        attributeType = "STRING";
+        isEditable = false;
+        isVisible = true;
+      };
+      mail_disk_quota = {
+        attributeType = "INTEGER";
+      };
+    };
+
+    groups = let
+      gs = [
+        "base_member"
+        "system_service"
+        "system_email"
+      ];
+    in lib.listToAttrs (lib.forEach gs (v: lib.nameValuePair v { display_name = v; }));
+
+    users = {
+      # normal users
+      testusername = {
+        member_email = "env:USER1_EMAIL";
+      };
+
+      user1 = mkUserNormal "thief420";
+
+      # admin users
+      admin = mkUserAdmin "admin";
+      eyjhb = mkUserAdmin "eyjhb";
+      rasmus = mkUserAdmin "rasmus";
+
+      # system users
+      authelia = mkUserSystem "authelia" config.age.secrets.authelia-smtp-password.path;
+      wger = mkUserSystem "wger" config.age.secrets.wger-ldap-pass.path;
+
+      # bind user
+      bind_user = {
+        groups = [ "lldap_password_manager" "lldap_strict_readonly" ];
+      };
+    };
+  };
+
+  systemd.services.lldapsetup.environment = {
+    USER1_EMAIL = "eyjhbbbbbbb@fricloud.dk";
+    EMAIL_THIEF420 = "someemail@gmail.com";
+  };
+}