nixos/services.portunus: remove with lib;

This commit is contained in:
Felix Buehler 2024-08-30 00:46:42 +02:00
parent 1f34eeb672
commit cd7695ae97


@ -1,23 +1,20 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.portunus;
in
{
options.services.portunus = {
enable = mkEnableOption "Portunus, a self-contained user/group management and authentication service for LDAP";
enable = lib.mkEnableOption "Portunus, a self-contained user/group management and authentication service for LDAP";
domain = mkOption {
type = types.str;
domain = lib.mkOption {
type = lib.types.str;
example = "sso.example.com";
description = "Subdomain which gets reverse proxied to Portunus webserver.";
};
port = mkOption {
type = types.port;
port = lib.mkOption {
type = lib.types.port;
default = 8080;
description = ''
Port where the Portunus webserver should listen on.
@ -26,10 +23,10 @@ in
'';
};
package = mkPackageOption pkgs "portunus" { };
package = lib.mkPackageOption pkgs "portunus" { };
seedPath = mkOption {
type = types.nullOr types.path;
seedPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to a portunus seed file in json format.
@ -46,26 +43,26 @@ in
'';
};
stateDir = mkOption {
type = types.path;
stateDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/portunus";
description = "Path where Portunus stores its state.";
};
user = mkOption {
type = types.str;
user = lib.mkOption {
type = lib.types.str;
default = "portunus";
description = "User account under which Portunus runs its webserver.";
};
group = mkOption {
type = types.str;
group = lib.mkOption {
type = lib.types.str;
default = "portunus";
description = "Group account under which Portunus runs its webserver.";
};
dex = {
enable = mkEnableOption ''
enable = lib.mkEnableOption ''
Dex ldap connector.
To activate dex, first a search user must be created in the Portunus web ui
@ -73,15 +70,15 @@ in
in the [](#opt-services.dex.environmentFile) setting
'';
oidcClients = mkOption {
type = types.listOf (types.submodule {
oidcClients = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
options = {
callbackURL = mkOption {
type = types.str;
callbackURL = lib.mkOption {
type = lib.types.str;
description = "URL where the OIDC client should redirect";
};
id = mkOption {
type = types.str;
id = lib.mkOption {
type = lib.types.str;
description = "ID of the OIDC client";
};
};
@ -105,23 +102,23 @@ in
'';
};
port = mkOption {
type = types.port;
port = lib.mkOption {
type = lib.types.port;
default = 5556;
description = "Port where dex should listen on.";
};
};
ldap = {
package = mkOption {
type = types.package;
package = lib.mkOption {
type = lib.types.package;
default = pkgs.openldap;
defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }";
description = "The OpenLDAP package to use.";
};
searchUserName = mkOption {
type = types.str;
searchUserName = lib.mkOption {
type = lib.types.str;
default = "";
example = "admin";
description = ''
@ -130,8 +127,8 @@ in
'';
};
suffix = mkOption {
type = types.str;
suffix = lib.mkOption {
type = lib.types.str;
example = "dc=example,dc=org";
description = ''
The DN of the topmost entry in your LDAP directory.
@ -139,8 +136,8 @@ in
'';
};
tls = mkOption {
type = types.bool;
tls = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable LDAPS protocol.
@ -151,21 +148,21 @@ in
'';
};
user = mkOption {
type = types.str;
user = lib.mkOption {
type = lib.types.str;
default = "openldap";
description = "User account under which Portunus runs its LDAP server.";
};
group = mkOption {
type = types.str;
group = lib.mkOption {
type = lib.types.str;
default = "openldap";
description = "Group account under which Portunus runs its LDAP server.";
};
};
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.dex.enable -> cfg.ldap.searchUserName != "";
@ -177,13 +174,13 @@ in
environment.systemPackages = [ cfg.ldap.package ];
# allow connecting via ldaps /w certificate without opening ports
networking.hosts = mkIf cfg.ldap.tls {
networking.hosts = lib.mkIf cfg.ldap.tls {
"::1" = [ cfg.domain ];
"127.0.0.1" = [ cfg.domain ];
};
services = {
dex = mkIf cfg.dex.enable {
dex = lib.mkIf cfg.dex.enable {
enable = true;
settings = {
issuer = "https://${cfg.domain}/dex";
@ -219,7 +216,7 @@ in
};
}];
staticClients = forEach cfg.dex.oidcClients (client: {
staticClients = lib.forEach cfg.dex.oidcClients (client: {
inherit (client) id;
redirectURIs = [ client.callbackURL ];
name = "OIDC for ${client.id}";
@ -232,7 +229,7 @@ in
};
systemd.services = {
dex = mkIf cfg.dex.enable {
dex = lib.mkIf cfg.dex.enable {
serviceConfig = {
# `dex.service` is super locked down out of the box, but we need some
# place to write the SQLite database. This creates $STATE_DIRECTORY below
@ -261,9 +258,9 @@ in
PORTUNUS_SLAPD_GROUP = cfg.ldap.group;
PORTUNUS_SLAPD_USER = cfg.ldap.user;
PORTUNUS_SLAPD_SCHEMA_DIR = "${cfg.ldap.package}/etc/schema";
} // (optionalAttrs (cfg.seedPath != null) ({
} // (lib.optionalAttrs (cfg.seedPath != null) ({
PORTUNUS_SEED_PATH = cfg.seedPath;
})) // (optionalAttrs cfg.ldap.tls (
})) // (lib.optionalAttrs cfg.ldap.tls (
let
acmeDirectory = config.security.acme.certs."${cfg.domain}".directory;
in
@ -277,14 +274,14 @@ in
};
};
users.users = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
users.users = lib.mkMerge [
(lib.mkIf (cfg.ldap.user == "openldap") {
openldap = {
group = cfg.ldap.group;
isSystemUser = true;
};
})
(mkIf (cfg.user == "portunus") {
(lib.mkIf (cfg.user == "portunus") {
portunus = {
group = cfg.group;
isSystemUser = true;
@ -292,15 +289,15 @@ in
})
];
users.groups = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
users.groups = lib.mkMerge [
(lib.mkIf (cfg.ldap.user == "openldap") {
openldap = { };
})
(mkIf (cfg.user == "portunus") {
(lib.mkIf (cfg.user == "portunus") {
portunus = { };
})
];
};
meta.maintainers = [ maintainers.majewsky ] ++ teams.c3d2.members;
meta.maintainers = [ lib.maintainers.majewsky ] ++ lib.teams.c3d2.members;
}
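Review bot: In the `@ -105,23 +102,23 @@` hunk, `ldap.package` keeps `default = pkgs.openldap;` while the adjacent `defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }"` documents an override the module does not apply, so the rendered option docs and the actual default disagree; this predates the commit but sits right on the qualified lines. If the plain package is intended, `defaultText = lib.literalExpression "pkgs.openldap";` would bring the two back in line, otherwise the default itself is the stale half. The `lib.` qualification looks complete within the visible hunks, but the lines between hunks are not shown here, so an evaluation of the module is the only way to confirm that no identifier formerly resolved through `with lib;` is left unbound.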