authorSandro <sandro.jaeckel@gmail.com>2024-01-27 16:08:41 +0100
committerGitHub <noreply@github.com>2024-01-27 16:08:41 +0100
commit8219e2c1bc61831236d8427fea90d639f2bd3042 (patch)
treee6cb855df59436d2e8d4b3300e51693dd09171b7 /nixos
parent5d3f0d66ffa38468b6dc3d8fad38df2dfb84ee1f (diff)
parentfd199bdc5b31e916101c3cc2b42ea6a000e3142e (diff)
Merge pull request #279050 from SuperSandro2000/portunus-seedsettings
nixos/portunus: add seedSettings option
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/misc/portunus.nix95
1 files changed, 54 insertions, 41 deletions
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix
index 47af24f024cd..ebb3bc8f0851 100644
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@@ -37,6 +37,15 @@ in
       '';
     };
 
+    seedSettings = lib.mkOption {
+      type = with lib.types; nullOr (attrsOf (listOf (attrsOf anything)));
+      default = null;
+      description = lib.mdDoc ''
+        Seed settings for users and groups.
+        See upstream for format <https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration>
+      '';
+    };
+
     stateDir = mkOption {
       type = types.path;
       default = "/var/lib/portunus";
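Review bot: The `description` of the new `seedSettings` option should state that its value is serialized into the Nix store, because the second hunk materializes it with `pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings)`, which makes the entire seed world-readable on the host and in any binary cache the system closure is pushed to. The upstream seed format the description links to appears to accept per-user credentials, so a reader following that link could reasonably put passwords here without realizing where they end up. I would extend the description with: `Note: these settings are written to the world-readable Nix store; do not put passwords or other secrets here. For seeds containing secrets, point {option}`services.portunus.seedPath` at a file outside the store instead.` `seedPath` is the option this module already derives from `seedSettings`, so the alternative is available without further changes.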
@@ -172,49 +181,53 @@ in
       "127.0.0.1" = [ cfg.domain ];
     };
 
-    services.dex = mkIf cfg.dex.enable {
-      enable = true;
-      settings = {
-        issuer = "https://${cfg.domain}/dex";
-        web.http = "127.0.0.1:${toString cfg.dex.port}";
-        storage = {
-          type = "sqlite3";
-          config.file = "/var/lib/dex/dex.db";
-        };
-        enablePasswordDB = false;
-        connectors = [{
-          type = "ldap";
-          id = "ldap";
-          name = "LDAP";
-          config = {
-            host = "${cfg.domain}:636";
-            bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
-            bindPW = "$DEX_SEARCH_USER_PASSWORD";
-            userSearch = {
-              baseDN = "ou=users,${cfg.ldap.suffix}";
-              filter = "(objectclass=person)";
-              username = "uid";
-              idAttr = "uid";
-              emailAttr = "mail";
-              nameAttr = "cn";
-              preferredUsernameAttr = "uid";
-            };
-            groupSearch = {
-              baseDN = "ou=groups,${cfg.ldap.suffix}";
-              filter = "(objectclass=groupOfNames)";
-              nameAttr = "cn";
-              userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
-            };
+    services = {
+      dex = mkIf cfg.dex.enable {
+        enable = true;
+        settings = {
+          issuer = "https://${cfg.domain}/dex";
+          web.http = "127.0.0.1:${toString cfg.dex.port}";
+          storage = {
+            type = "sqlite3";
+            config.file = "/var/lib/dex/dex.db";
           };
-        }];
-
-        staticClients = forEach cfg.dex.oidcClients (client: {
-          inherit (client) id;
-          redirectURIs = [ client.callbackURL ];
-          name = "OIDC for ${client.id}";
-          secretEnv = "DEX_CLIENT_${client.id}";
-        });
+          enablePasswordDB = false;
+          connectors = [{
+            type = "ldap";
+            id = "ldap";
+            name = "LDAP";
+            config = {
+              host = "${cfg.domain}:636";
+              bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
+              bindPW = "$DEX_SEARCH_USER_PASSWORD";
+              userSearch = {
+                baseDN = "ou=users,${cfg.ldap.suffix}";
+                filter = "(objectclass=person)";
+                username = "uid";
+                idAttr = "uid";
+                emailAttr = "mail";
+                nameAttr = "cn";
+                preferredUsernameAttr = "uid";
+              };
+              groupSearch = {
+                baseDN = "ou=groups,${cfg.ldap.suffix}";
+                filter = "(objectclass=groupOfNames)";
+                nameAttr = "cn";
+                userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
+              };
+            };
+          }];
+
+          staticClients = forEach cfg.dex.oidcClients (client: {
+            inherit (client) id;
+            redirectURIs = [ client.callbackURL ];
+            name = "OIDC for ${client.id}";
+            secretEnv = "DEX_CLIENT_${client.id}";
+          });
+        };
       };
+
+      portunus.seedPath = lib.mkIf (cfg.seedSettings != null) (pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings));
     };
 
     systemd.services = {
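Review bot: `lib.mkIf` on the new `portunus.seedPath` line is inconsistent with the bare `mkIf` used for `dex` a few lines above and with the unprefixed `mkOption`, `types` and `forEach` elsewhere in this file (presumably brought into scope with `with lib;`); the same mix appears with `lib.mkOption`/`lib.types`/`lib.mdDoc` in the first hunk, so pick one convention per file, e.g. `portunus.seedPath = mkIf (cfg.seedSettings != null) (pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings));`. The remainder of the hunk is a pure re-indent of the existing dex configuration under `services = {`, which buries the single functional line; keeping that reshuffle in a separate commit would make the change easier to audit. The enclosing `config` attrset starts and ends outside this hunk.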