diff options
author | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-01-06 02:22:00 +0100 |
---|---|---|
committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-01-19 11:57:01 +0100 |
commit | fd199bdc5b31e916101c3cc2b42ea6a000e3142e (patch) | |
tree | 753e22d922024907c64de3ad4f66de85c6110205 /nixos | |
parent | 0fa5a936f203acc1b11ed20fe002320944a8363b (diff) | |
download | nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar.gz nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar.bz2 nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar.lz nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar.xz nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.tar.zst nixlib-fd199bdc5b31e916101c3cc2b42ea6a000e3142e.zip |
nixos/portunus: add seedSettings option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/portunus.nix | 95 |
1 files changed, 54 insertions, 41 deletions
diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 7036a372d1ea..eb3d33844311 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix @@ -37,6 +37,15 @@ in ''; }; + seedSettings = lib.mkOption { + type = with lib.types; nullOr (attrsOf (listOf (attrsOf anything))); + default = null; + description = lib.mdDoc '' + Seed settings for users and groups. + See upstream for format <https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration> + ''; + }; + stateDir = mkOption { type = types.path; default = "/var/lib/portunus"; @@ -172,49 +181,53 @@ in "127.0.0.1" = [ cfg.domain ]; }; - services.dex = mkIf cfg.dex.enable { - enable = true; - settings = { - issuer = "https://${cfg.domain}/dex"; - web.http = "127.0.0.1:${toString cfg.dex.port}"; - storage = { - type = "sqlite3"; - config.file = "/var/lib/dex/dex.db"; - }; - enablePasswordDB = false; - connectors = [{ - type = "ldap"; - id = "ldap"; - name = "LDAP"; - config = { - host = "${cfg.domain}:636"; - bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}"; - bindPW = "$DEX_SEARCH_USER_PASSWORD"; - userSearch = { - baseDN = "ou=users,${cfg.ldap.suffix}"; - filter = "(objectclass=person)"; - username = "uid"; - idAttr = "uid"; - emailAttr = "mail"; - nameAttr = "cn"; - preferredUsernameAttr = "uid"; - }; - groupSearch = { - baseDN = "ou=groups,${cfg.ldap.suffix}"; - filter = "(objectclass=groupOfNames)"; - nameAttr = "cn"; - userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }]; - }; + services = { + dex = mkIf cfg.dex.enable { + enable = true; + settings = { + issuer = "https://${cfg.domain}/dex"; + web.http = "127.0.0.1:${toString cfg.dex.port}"; + storage = { + type = "sqlite3"; + config.file = "/var/lib/dex/dex.db"; }; - }]; - - staticClients = forEach cfg.dex.oidcClients (client: { - inherit (client) id; - redirectURIs = [ client.callbackURL ]; - name = "OIDC for ${client.id}"; - secretEnv = "DEX_CLIENT_${client.id}"; - }); + enablePasswordDB = false; + connectors = [{ + type = "ldap"; + id = "ldap"; + name = "LDAP"; + config = { + host = "${cfg.domain}:636"; + bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}"; + bindPW = "$DEX_SEARCH_USER_PASSWORD"; + userSearch = { + baseDN = "ou=users,${cfg.ldap.suffix}"; + filter = "(objectclass=person)"; + username = "uid"; + idAttr = "uid"; + emailAttr = "mail"; + nameAttr = "cn"; + preferredUsernameAttr = "uid"; + }; + groupSearch = { + baseDN = "ou=groups,${cfg.ldap.suffix}"; + filter = "(objectclass=groupOfNames)"; + nameAttr = "cn"; + userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }]; + }; + }; + }]; + + staticClients = forEach cfg.dex.oidcClients (client: { + inherit (client) id; + redirectURIs = [ client.callbackURL ]; + name = "OIDC for ${client.id}"; + secretEnv = "DEX_CLIENT_${client.id}"; + }); + }; }; + + portunus.seedPath = lib.mkIf (cfg.seedSettings != null) (pkgs.writeText "seed.json" (builtins.toJSON cfg.seedSettings)); }; systemd.services = { |