switched modules to flakes

2023-12-24 18:48:52 +01:00
parent aca834a717
commit 469038e980
37 changed files with 150 additions and 2197 deletions
--- a/modules/hydra.nix
+++ b/modules/hydra.nix
@ -1,91 +0,0 @@
-{ config, lib, libS, ... }:
-
-let
-  cfg = config.services.hydra.ldap;
-  inherit (config.security) ldap;
-in
-{
-  options = {
-    services.hydra.ldap = {
-      enable = lib.mkEnableOption (lib.mdDoc ''
-        login only via LDAP.
-        The bind user password must be placed at `/var/lib/hydra/ldap-password.conf` in the format `bindpw = "PASSWORD"
-        It is recommended to use a password without special characters because the perl config parser has weird escaping rule like that comment characters `#` must be escape with backslash
-      '');
-
-      roleMappings = lib.mkOption {
-        type = with lib.types; listOf (attrsOf str);
-        example = [{ hydra-admins = "admins"; }];
-        default = [ ];
-        description = lib.mdDoc "Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping.";
-      };
-
-      userGroup = libS.ldap.mkUserGroupOption;
-    };
-  };
-
-  config.services.hydra.extraConfig = lib.mkIf cfg.enable /* xml */ ''
-    # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
-    <ldap>
-      <config>
-        <credential>
-          class = Password
-          password_field = password
-          password_type = self_check
-        </credential>
-        <store>
-          class = LDAP
-          ldap_server = "${ldap.domainName}"
-          <ldap_server_options>
-            scheme = ldaps
-            timeout = 10
-          </ldap_server_options>
-          binddn = "${ldap.bindDN}"
-          include ldap-password.conf
-          start_tls = 0
-          <start_tls_options>
-            ciphers = TLS_AES_256_GCM_SHA384
-            sslversion = tlsv1_3
-          </start_tls_options>
-          user_basedn = "${ldap.userBaseDN}"
-          user_filter = "${ldap.searchFilterWithGroupFilter cfg.userGroup (ldap.userFilter "%s")}"
-          user_scope = one
-          user_field = ${ldap.userField}
-          <user_search_options>
-            deref = always
-          </user_search_options>
-          # Important for role mappings to work:
-          use_roles = 1
-          role_basedn = "${ldap.roleBaseDN}"
-          role_filter = "${ldap.roleFilter}"
-          role_scope = one
-          role_field = ${ldap.roleField}
-          role_value = ${ldap.roleValue}
-          <role_search_options>
-            deref = always
-          </role_search_options>
-        </store>
-      </config>
-      <role_mapping>
-        # Make all users in the hydra-admin group Hydra admins
-        # hydra-admins = admin
-        # Allow all users in the dev group to restart jobs and cancel builds
-        # dev = restart-jobs
-        # dev = cancel-build
-        ${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfg.roleMappings)}
-      </role_mapping>
-    </ldap>
-  '';
-
-  config.services.portunus.seedSettings.groups = [
-    (lib.mkIf (cfg.userGroup != null) {
-      long_name = "Hydra Users";
-      name = cfg.userGroup;
-      permissions = { };
-    })
-  ] ++ lib.flatten (map lib.attrValues (map (lib.mapAttrs (ldapGroup: _: {
-    long_name = "Hydra Role ${ldapGroup}";
-    name = ldapGroup;
-    permissions = { };
-  })) cfg.roleMappings));
-}