
Initial

main
Dustin Frisch 1 month ago
commit
03e2106ff0
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 4
      .gitignore
  2. 12
      .sops.yaml
  3. 34
      disk.nix
  4. 151
      flake.lock
  5. 68
      flake.nix
  6. 33
      hardware.nix
  7. 186
      ldap.nix
  8. 35
      network.nix
  9. 19
      readme.md
  10. 26
      secrets/ldap.tls.crt
  11. 26
      secrets/ldap.tls.key
  12. 42
      secrets/ldap.yaml
  13. 37
      secrets/root.yaml
  14. 63
      system.nix

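--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.direnv
+.envrc
+/result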

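--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+- &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
+- &server_ldap age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
+creation_rules:
+- path_regex: secrets/.*$
+key_groups:
+- pgp:
+- *admin_fooker
+age:
+- *server_ldap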
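Review bot: The creation rule's `path_regex: secrets/.*$` is not anchored at the start, so any path that merely contains `secrets/` (a nested `foo/secrets/x.yaml`, for instance) is encrypted to the same recipients; `path_regex: ^secrets/.*$` limits the rule to the intended directory. The single key group holds one PGP admin key and one age server key, which in sops means either key alone decrypts every secret; that is a reasonable choice here but worth stating, e.g. `# one key group: the admin (PGP) and the server (age) can each decrypt independently`.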

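--- a/disk.nix
+++ b/disk.nix
@@ -0,0 +1,34 @@
+{
+disko.devices = {
+disk = {
+main = {
+device = "/dev/disk/by-diskseq/1";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+type = "EF00";
+size = "500M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+};
+}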

151
flake.lock

@ -0,0 +1,151 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728673344,
"narHash": "sha256-O0QVhsj9I/hmcIqJ4qCqFyzvjYL+dtzJP0C5MFd8O/Y=",
"owner": "nix-community",
"repo": "disko",
"rev": "ff0a471763faaaca1859fd6de80f44fa0fce91a6",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "latest",
"repo": "disko",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"ldap-sync": {
"flake": false,
"locked": {
"lastModified": 1705328305,
"narHash": "sha256-PPc16Obzg53YVLSMP2pCOXBF6+q7/BIG6FF7EiI0st8=",
"ref": "refs/heads/main",
"rev": "49edeafeaf7fbadbfe59e4763223593cab989317",
"revCount": 14,
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
},
"original": {
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1729684354,
"narHash": "sha256-yQcvyCyqsgGJtMg1D14+RYdeH6MSmvbPzsCaaztgMn8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "962f7b27ee7c7ae4648bd7c4e6e8429eddc56100",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1729265718,
"narHash": "sha256-4HQI+6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ccc0c2126893dd20963580b6478d1a10a4512185",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"flake-utils": "flake-utils",
"ldap-sync": "ldap-sync",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1729669122,
"narHash": "sha256-SpS3rSwYcskdOpx+jeCv1lcZDdkT/K5qT8dlenCBQ8c=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a4c33bfecb93458d90f9eb26f1cf695b47285243",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

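--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,68 @@
+{
+description = "LDAP server for unix env in HS-Fulda";
+inputs = {
+flake-utils.url = "github:numtide/flake-utils";
+nixpkgs.url = "github:NixOS/nixpkgs";
+disko = {
+url = "github:nix-community/disko/latest";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+sops-nix.url = "github:Mic92/sops-nix";
+ldap-sync = {
+type = "git";
+url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git";
+flake = false;
+};
+};
+outputs = { self, flake-utils, nixpkgs, disko, sops-nix, ... }@inputs: {
+nixosConfigurations.ldap = nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+modules = [
+disko.nixosModules.disko
+sops-nix.nixosModules.sops
+./hardware.nix
+./disk.nix
+./network.nix
+./system.nix
+./ldap.nix
+{
+_module.args = {
+inherit inputs;
+};
+system.stateVersion = "24.05";
+disko.devices.disk.main.imageSize = "20G";
+sops = {
+defaultSopsFormat = "yaml";
+};
+}
+];
+};
+devShells = flake-utils.lib.eachDefaultSystemPassThrough (system: {
+${system}.default =
+let
+pkgs = nixpkgs.legacyPackages.${system};
+in
+pkgs.mkShell {
+buildInputs = with pkgs; [
+bash
+git
+sops
+];
+};
+});
+};
+}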
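Review bot: `sops-nix.url = "github:Mic92/sops-nix";` carries no `inputs.nixpkgs.follows`, so the lock file pins a second full nixpkgs (`nixpkgs_2`) plus a `nixpkgs-stable` solely for that input, which is one more upstream tree to audit and keep updated; adding `inputs.nixpkgs.follows = "nixpkgs";` to the `sops-nix` input, as `disko` already does, leaves a single pinned nixpkgs. `nixpkgs.url = "github:NixOS/nixpkgs"` and the `ldap-sync` git input name no branch or tag, so the `nix flake update` the readme recommends follows whatever the default branch holds at that moment; a `ref` on each, or at least a comment saying the lock file is the only pin, would make the update policy explicit. A one-line comment on the `_module.args` block, e.g. `# expose flake inputs to modules; ldap.nix builds ldap-sync from inputs.ldap-sync`, would tell a reader why `inputs` is threaded through.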

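--- a/hardware.nix
+++ b/hardware.nix
@@ -0,0 +1,33 @@
+{ modulesPath, ... }:
+{
+imports = [
+"${modulesPath}/installer/scan/not-detected.nix"
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.initrd.systemd.enable = true;
+boot.initrd.availableKernelModules = [
+"uhci_hcd"
+"ehci_pci"
+"ata_piix"
+"mptsas"
+"usb_storage"
+"usbhid"
+"sd_mod"
+"sr_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+nixpkgs.hostPlatform = "x86_64-linux";
+hardware.enableRedistributableFirmware = true;
+hardware.cpu.intel.updateMicrocode = true;
+}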

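--- a/ldap.nix
+++ b/ldap.nix
@@ -0,0 +1,186 @@
+{ pkgs, lib, config, inputs, ... }:
+with lib;
+let
+baseDN = concatMapStringsSep ","
+(part: "dc=${part}")
+(splitString "." "informatik.hs-fulda.de");
+ldap-sync =
+let
+wrapped = pkgs.callPackage inputs.ldap-sync { };
+env = pkgs.runCommand "ldap-sync-env" { } ''
+mkdir -p $out
+ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
+'';
+in
+pkgs.runCommand "ldap-sync-wrapper"
+{
+nativeBuildInputs = [ pkgs.makeWrapper ];
+} ''
+mkdir -p $out/bin
+makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
+--chdir "${env}"
+'';
+in
+{
+services.openldap = {
+enable = true;
+package = (pkgs.openldap.overrideAttrs (final: prev: {
+configureFlags = prev.configureFlags ++ [
+"--enable-overlays"
+"--enable-remoteauth"
+"--enable-spasswd"
+"--with-cyrus-sasl"
+];
+doCheck = false;
+})).override {
+cyrus_sasl = pkgs.cyrus_sasl.override {
+enableLdap = true;
+};
+};
+urlList = [ "ldap:///" "ldaps:///" ];
+settings = {
+attrs = {
+olcLogLevel = "config ACL stats stats2 trace";
+olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
+olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
+olcTLSCRLCheck = "none";
+olcTLSVerifyClient = "never";
+olcTLSProtocolMin = "3.1";
+olcSaslHost = "localhost";
+olcSaslSecProps = "none";
+olcSizeLimit = "unlimited";
+};
+children = {
+"cn=schema".includes = [
+"${config.services.openldap.package}/etc/schema/core.ldif"
+"${config.services.openldap.package}/etc/schema/cosine.ldif"
+"${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
+"${config.services.openldap.package}/etc/schema/nis.ldif"
+];
+"olcDatabase={1}mdb" = {
+attrs = {
+objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+olcDatabase = "{1}mdb";
+olcDbDirectory = "/var/lib/openldap/db";
+olcSuffix = baseDN;
+olcRootDN = "cn=root,${baseDN}";
+olcRootPW.path = config.sops.secrets."ldap/root/password".path;
+olcAccess = [
+# Custom access rules for userPassword attributes
+''{0}to attrs=userPassword
+by self read
+by anonymous auth
+by * none
+''
+# Synced is managed by sync
+''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
+by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
+by * break
+''
+# Allow login to read users
+''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
+by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
+by self read
+by * break
+''
+# Prevent access
+''{3}to *
+by * none
+''
+];
+};
+children = {
+"olcOverlay={0}remoteauth" = {
+attrs = {
+objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
+olcOverlay = "{0}remoteauth";
+olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
+olcRemoteAuthDNAttribute = "seeAlso";
+olcRemoteAuthDomainAttribute = "associatedDomain";
+olcRemoteAuthDefaultDomain = "upstream";
+olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
+olcRemoteAuthRetryCount = "3";
+olcRemoteAuthStore = "false";
+};
+};
+};
+};
+};
+};
+};
+systemd.services.openldap = {
+environment = {
+SASL_PATH = pkgs.writeTextFile {
+name = "openldap-sasl-path";
+destination = "/slapd.conf";
+text = ''
+pwcheck_method: saslauthd
+saslauthd_path: /var/run/saslauthd/mux
+mech_list: GSSAPI EXTERNAL PLAIN NTLM
+'';
+};
+};
+};
+systemd.services."ldap-sync" = {
+script = "${ldap-sync}/bin/ldap-sync";
+startAt = "hourly";
+};
+sops.secrets."ldap/root/password" = {
+sopsFile = ./secrets/ldap.yaml;
+owner = "openldap";
+};
+sops.secrets."ldap/upstream" = {
+sopsFile = ./secrets/ldap.yaml;
+owner = "openldap";
+};
+sops.secrets."ldap/tls/key" = {
+sopsFile = ./secrets/ldap.tls.key;
+format = "binary";
+owner = "openldap";
+};
+sops.secrets."ldap/tls/crt" = {
+sopsFile = ./secrets/ldap.tls.crt;
+format = "binary";
+owner = "openldap";
+};
+sops.secrets."ldap/sync/config" = {
+sopsFile = ./secrets/ldap.yaml;
+};
+networking.firewall.allowedTCPPorts = [
+22
+389
+636
+];
+}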
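Review bot: `olcTLSProtocolMin = "3.1";` sets the floor at TLS 1.0, so both the `ldaps:///` listener and StartTLS on 389 still negotiate TLS 1.0/1.1; `olcTLSProtocolMin = "3.3";` (TLS 1.2) is the lowest value that should be accepted. On top of that, `urlList` exposes plain `ldap:///` on port 389 (opened in `allowedTCPPorts` at the bottom), `olcSaslSecProps = "none"` clears slapd's default `noanonymous,noplain` properties, and the `mech_list` written for saslauthd includes `PLAIN`, so simple binds and SASL PLAIN can carry passwords without any encryption on the wire; `olcSecurity = "simple_bind=128 sasl=128";` under `attrs` (or `ssf=128` to require it for every operation) rejects those binds on unprotected sessions. The `olcAccess` rules are evaluated in order and `{0}` ends with `by * none` for `userPassword`, so the `manage` grant for `cn=sync,dc=informatik,dc=hs-fulda,dc=de` in `{1}` never applies to that attribute; if the sync job is expected to write passwords this needs an explicit clause in `{0}`, and if passwords are only ever checked upstream through the remoteauth overlay a comment saying so stops the next reader from "fixing" it. The `ldap-sync` unit sets no `User`, so the hourly job runs as root with the default unhardened service settings; a dedicated user with a matching `owner` on the `ldap/sync/config` secret plus the usual `serviceConfig` hardening would be the least-privilege shape.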

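--- a/network.nix
+++ b/network.nix
@@ -0,0 +1,35 @@
+{
+networking = {
+hostName = "ldap-linuxlab";
+domain = "informatik.hs-fulda.de";
+useDHCP = false;
+interfaces."eth0" = {
+ipv4.addresses = [ {
+address = "10.32.31.25";
+prefixLength = 24;
+} ];
+ipv6.addresses = [ {
+address = "2001:638:301:201f::25";
+prefixLength = 64;
+} ];
+};
+defaultGateway = {
+address = "10.32.31.1";
+interface = "eth0";
+};
+defaultGateway6 = {
+address = "2001:638:301:201f::1";
+interface = "eth0";
+};
+nameservers = [
+"10.0.0.53"
+];
+nftables.enable = true;
+};
+}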

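--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,19 @@
+## Build disk image
+```bash
+nix build .#nixosConfigurations.ldap.config.system.build.diskoImages
+```
+## Updates
+Run the following command and deploy afterwards
+```bash
+nix flake update
+```
+## Deploy
+```bash
+nix build .#nixosConfigurations.ldap.config.system.build.toplevel
+nix copy --to ssh://root@<ip-of-target> .#nixosConfigurations.ldap.config.system.build.toplevel
+ssh root@<ip-of-target> "$(nix path-info .#nixosConfigurations.ldap.config.system.build.toplevel)/bin/switch-to-configuration switch"
+```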

26
secrets/ldap.tls.crt
File diff suppressed because it is too large

26
secrets/ldap.tls.key

@ -0,0 +1,26 @@
{
"data": "ENC[AES256_GCM,data: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,iv:dQC+JMRPyNFqbIYRSDMBXEmTVK5QmRbBpEYXG+06l+M=,tag:brQ2Fl9jtvmlT5N/gaN4jA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeHJIMVM4N3Fmek5YK0Q2\nSUVkZjNTZDVSWm94R1pJM0VmQzFBRXc5ZWtzCmNKcGx4bUs3S1Q0Z3UvZzZnVG5E\ncXZ5ckh3bW9aOVJiQUVwWkhuOURId1EKLS0tIEVJTXkvNzd3MmhqUHNlOWhUNUpD\nZ1RIaFM3KzJEV3hIYzhpRHdnUWNqdlUKYrwm7YzhziAcj+m/T+8KNlsbbvBPTomG\nFY0gVbcWg91K4LKBom/bKZqv+mFoy1q+Yg/sjHwEnENeFNofxw1sIg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:42:58Z",
"mac": "ENC[AES256_GCM,data:BUQmiBa481d2vggylNYkIKBuOg579REAnxMxX/je+IOvGwx/ODC7W0Zm+bzUYtNa/hmvW4fxwmA8VBHNUPgHrmI7zbNQlXdegg3QcXabr0jr3tqcFkLU7LeOt72tCRSGiZSZ3Pz0GXLzhZo9u+t1d/NVVO3p6ZFp/8Ta5fxq0ns=,iv:8PZROLEwl9wdVXsEMMBNKkbnlboeZQiVKDvjiyGJW38=,tag:d+y/GgHHgcSS8SGqIiPs8g==,type:str]",
"pgp": [
{
"created_at": "2024-10-23T13:42:46Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/bkqUTlPJyz9V389jPm1Y+G0WFPU9MpatGvcPbHrp0c6P\npfEjIoAbi7BO5jxrPL1Qca1QrxWTNqaFqQgtK87CWWY4yJ+I4Er+aAJ9VPvH1xk2\nmdDRxRjPm+Bt/QPT/RGyUK/ZHM4NlOdiU+JHAwcPR/+KG9F4G5KMKmrUA9HO8hBm\nlRHzrM2E+9Y+Eh1Az53CMwA6OXz0mx+/tRLuWjydQ5uLTzqV+HdDdegGdw4Cr6nb\n8wqwWhDRCoo/DhCJPVsbKAwCpjdQzPQgTx9gm2bH0pDVyE76OgOIiAEZDThamyVM\n+eJcs8Ydt2cSFXoH2nnxtyd3lL+rAuq1WbKeCtq5atJeAVpct1B3RMvv2M1TdZSR\nLUs0f8Kj3JP8iCtj07NBVD6+izRgHXH7cMVautDCfD6ojooXOZ4s38o1B0PECwx7\nYrwb+Vb0kHLYTXcQbWnCx8ox9OdWfOSZDBOqt88hMg==\n=saB9\n-----END PGP MESSAGE-----",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

42
secrets/ldap.yaml

@ -0,0 +1,42 @@
ldap:
root:
username: ENC[AES256_GCM,data:h6YGYg==,iv:QaCy9dRJNnI4UiQwgeboAxl8XZ+xGyYK8mLyybLNyF4=,tag:PQpKFwltnyRvmYJbPoGxvQ==,type:str]
password: ENC[AES256_GCM,data:3np5tR14nxbZe0hlX0Wd4/kDNRb3z3y3z13SyqTY3wE=,iv:yXz45Tsfof0U2JljSRxuUICRjNZ1U3YD4IlXsU4E0/o=,tag:XABl21e6uaj96ApLcRMSpA==,type:str]
upstream: ENC[AES256_GCM,data:KT6x/jm+p9+3e69yWE/hUMWlNrVuecUK3TcnRdqOJWA=,iv:n5P8NE7xUkOz68g/OcemnpZdEjT8aSEgzC4AS0kyStc=,tag:r+gEb4DIzdyBAsavBucvFQ==,type:str]
sync:
config: ENC[AES256_GCM,data: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,iv:uX/5gv+bQEKXZPVJDXiBajaWasxmh/mZZq66UNaKe3Q=,tag:kvAZYD+kqcWtc/Oo+ym20g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cld3OWl1aGhXVVBNVU1V
a2ZyUXYzZVpxRDRlRWNudWxyVk1DbVBTL1dFCjArL1dHYWMxWmRxWi85UXF6THZj
M0VTd1ZzL0VuelZhc2R3dDhwT3gyWkUKLS0tIEUwTERSZm5oQi9Mby9GK2lIbHN0
ZWpqODU3OFV5aFJtbWw1Z1RoZkFOWFkKx5XiXqHILOWKgsGawnIX402AzwmWOWz9
vZW2P/jP+HHDZOIae6seh1MNkBvlxu5wMSkwMTvrirBEtb0lkVbBmg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T15:39:50Z"
mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str]
pgp:
- created_at: "2024-10-23T13:36:04Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQgAlPaof4Xuuq4D4J+b4KCa4HEh98ez1IYwn3b6x+8X2nyJ
BtV0KWf3R0OzD+KQTc93/LdHOowJ77iybzXtdCK9WZYfeBDzbpAXZrvzVL1xTPV8
o39m99VGx92l5vc4hqsaQmqORs1lMc82Uham/dJVt2Ly/0mJPaaoCo0YPSvLqdGB
ls3+tLUu76iD89eKtkYAM787EVRJpT5sZxfnKxKSoa2S1oAqj3H6OxfWnvXuUYNt
qiRaCZATrUHWnp1hM/Wi7eTMHNikKSKRIB3zZ2OJspX5LEWdB+bK/JDRSN6QJM20
SqMdIXcj7aBAKUN1GdKjF0kTw6Zj4hgseeOItaHIwtJeAUIFaFfPsshCNKB+pRKv
LkbfytPmWklHUcM3Y2X7JKco2CLNHL9+yFJxjfPsM4DbzgpT3gQ8woHbTD0bSXWC
XVGj4DuqEMRD8vJile6gbTZX2y7qZ5xdFlIVCLbG7w==
=t24P
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted
version: 3.9.1

37
secrets/root.yaml

@ -0,0 +1,37 @@
root:
password: ENC[AES256_GCM,data:jRFQQV37t3q9LR77Y7Kb53WyqAhmuBiBFabp6DghGU3nSeHtI5YR3XeWP5h1UoPjj690EVHdE3Tz99jMJAl0EH7r4HrxzWEdRw==,iv:PdkPRKbm320PoaiHumQ2Dp/hswaiRFVv9qWVPDYdh3g=,tag:vmLJjAlvVhSZdf4rhVbemA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MFEwK1N2a3pnUkxYbWJx
Q0hITURYNDQ0WkV5aExsc2k5YVlqblY5cEgwCjlTckp1bDRSWTdYZ1Q2bWM0MXZt
V3d4Zit4ZVBnMUpBdXI5OXBER3Qrcm8KLS0tIEppL3JWeEJrNEpoV2J0eFM2bXA0
OUZKTThWTjdLaWcyL3BvSHBWa3JJNHcKnKf/g3ecf2rTUXjpka+Cq/UQYcQyZm+D
l0qiW6kshYAH2syrKYQ79aPNELuJ+hJIkifRDRcqJQP9jC/x7eBmAw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T12:49:25Z"
mac: ENC[AES256_GCM,data:sLMTdp2dZBeKKicETMyAZMN2FIbgJ282CAKLz57cK7lQrhiM5w1pMaYZp1imxTJYuRCL9mTlH0Zc5Jr3vHPQBVv8lzgqeOu4amponPlLPUa4TZX/FX04sQ/oKocO3wcOl9q7KJSNfur0ZEiFbpXC2KuNopAHCsO4KxHuixVtwlA=,iv:OBMURehlz5Mx4N6UbIDqdBewYwElgX18rHkc7NwDFpc=,tag:HLouzr4jhOFS6zgcuss3WA==,type:str]
pgp:
- created_at: "2024-10-23T13:36:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQf+P8g3YQx4KBqRc6ZqUxGH9U50RkB7QwhNkxDNpOCc1Msv
kUrMFCVO0OG5SMxSNgDSQA9GZNqL4/ovvP36zHoVx87xZd9jHlsLZmbMx7AVMXxA
+6PXej34NHYnNhXIIROapQajRqYyH4MEbdi7RVHayetrPifpUi3LDyCEZA3LozzS
WvoGKpaDMM9v2VyjvFguI9skDbs+1QDMogmuLeObVMVnzldCH37wKvVcPD9HslGW
6RlCopM+tMgTltfi3CkOKmwyqgGK3XOxIfoG43AfHm76nrNv3hMrQUpDhwawPdNt
p2kK81rlP3yMkp3WvlUsVdJMVReTyxSZPmsGflfpO9JeAdcnuP2qGTtWTvuo76Jz
eLCb/6GaCxQuohfhBZ5P4Lor/NsPmsGQwuyA/1Jwp3YALPbK6CYy0gY+FEK+kvXH
RJSkR4Ds/fYEDz1Aa9GHQinm+JJ8NL3zGL6RDta+xQ==
=o20C
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted
version: 3.9.1

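--- a/system.nix
+++ b/system.nix
@@ -0,0 +1,63 @@
+{ pkgs, config, inputs, ...}:
+{
+time.timeZone = "Europe/Berlin";
+console.keyMap = "de";
+nix.nixPath = [
+"nixpkgs=${inputs.nixpkgs}"
+];
+users.mutableUsers = false;
+users.users."root" = {
+hashedPasswordFile = config.sops.secrets."root/password".path;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
+"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyA8xe6Ej6DpzYSFlyhf3P3QIE1spZAETSa3G/zJ4BjXxO0S4jKsA+Qah6mua2ZIWiRXF6o9JCYsdFKndn1uAzRrHwUk9LCspiI3bsl+EwrBhUbWYnMj2Atp9vMB1SJ6i6RKvDg1YZuvxi4H23MYs3B5a3TBRTlveBxGtZ8Q/YtVDwdW/v1WNAxYe2bz/LFxPNPry6REdGXCuA4cz5s/+ilhRvFQKHbJwC+/SxJIcTY6RAvOFh9wfus2NF0FaEPkwwLLDwxaMOaALwmzGmiBIi/XF3qnSYyPScmEwuq03jmM8qPhJHUHEaxp/cLkjqDWtu+SziEBJ3fu/y/A+vqBS9w== christianpape"
+];
+packages = with pkgs; [
+vim
+wget
+curl
+tmux
+fd
+ripgrep
+htop
+iotop
+iftop
+file
+];
+};
+# system.autoUpgrade = {
+# enable = true;
+#
+# flake = inputs.self.outPath;
+# flags = [
+# "--update-input" "nixpkgs"
+# ];
+#
+# dates = "02:00";
+# randomizedDelaySec = "45min";
+# };
+services.haveged.enable = true;
+services.openssh = {
+enable = true;
+settings.PermitRootLogin = "without-password";
+};
+networking.firewall.allowedTCPPorts = [
+22
+];
+sops.secrets."root/password" = {
+sopsFile = ./secrets/root.yaml;
+neededForUsers = true;
+};
+}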
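Review bot: `settings.PermitRootLogin = "without-password";` limits root to key-based login, but nothing turns off password authentication for sshd as a whole, and root does carry a password through `hashedPasswordFile`; `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` next to it make the key-only policy explicit for every account rather than relying on root being the only user. `without-password` is the legacy spelling that OpenSSH documents as an alias of `prohibit-password`, which the NixOS option accepts as well. The commented-out `system.autoUpgrade` block is dead configuration with no hint of why it is parked; either drop it or add a comment such as `# autoUpgrade intentionally off: changes are pushed via the build/copy/switch steps in readme.md` if that is the reason. `services.haveged.enable = true;` is presumably redundant on the kernel nixpkgs-unstable ships, which seeds its CSPRNG from in-kernel jitter entropy, so keep it only if the (apparently virtual) host is known to starve the guest of entropy.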