WIP: bekkalokk: init idp-simplesamlphp
This commit is contained in:
parent
1d0255644a
commit
a570060bf7
@ -83,6 +83,7 @@
|
|||
autoreconfHook = final.buildPackages.autoreconfHook269;
|
||||
};
|
||||
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
|
||||
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
|
||||
})
|
||||
];
|
||||
};
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
./services/kerberos
|
||||
./services/webmail
|
||||
# ./services/mediawiki.nix
|
||||
./services/idp-simplesamlphp
|
||||
];
|
||||
|
||||
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
|
||||
|
|
|
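--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1.php
@@ -0,0 +1,11 @@
+<?php
+$config = array(
+
+/* This is the name of this authentication source, and will be used to access it later. */
+'default-sp' => array(
+'saml:SP',
+# 'entityID' => 'https://wiki.pvv.ntnu.no/',
+'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
+'idp' => 'https://idp.pvv.ntnu.no/',
+),
+);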
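Review bot: The SP definition keeps a commented-out alternative next to the live entity, `# 'entityID' => 'https://wiki.pvv.ntnu.no/',`; dead config inside an authsource is easy to resurrect by accident, so either delete it or replace it with a one-line comment stating why bekkalokk, not the wiki host, is the SP entity here. The file also uses the long `array(` syntax throughout; `$config = ['default-sp' => ['saml:SP', ...]];` is the modern form and reads the same. The same `array (` style point applies to the saml20-idp-remote metadata file added further down in this commit.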
File diff suppressed because it is too large
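--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2.nix
@@ -0,0 +1,96 @@
+{ config, pkgs, lib, ... }:
+let
+pwAuthScript = pkgs.writeShellApplication {
+name = "pwauth";
+text = ''
+read -r user1
+user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
+if test "$user1" != "$user2"
+then
+read -r _
+exit 2
+fi
+${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
+'';
+};
+
+package = (pkgs.simplesamlphp.override {
+authsourcesFile = pkgs.writeText "idp-authsources.php" ''
+<?php
+$config = array(
+'pwauth' => array(
+'authpwauth:PwAuth',
+'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
+'mail_domain' => '@pvv.ntnu.no',
+),
+);
+'';
+saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
+configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
+cp ${./config.php} "$out"
+
+substituteInPlace "$out" \
+--replace '$SAML_COOKIE_SECURE' 'true' \
+--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
+--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
+--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
+'';
+}).overrideAttrs (prev: {
+postInstall = prev.postInstall + ''
+install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
+'';
+});
+in
+{
+users.groups."idp" = { };
+users.users."idp" = {
+description = "PVV Identity Provider Service User";
+group = "idp";
+createHome = false;
+isSystemUser = true;
+};
+
+services.phpfpm.pools.idp = {
+user = "idp";
+group = "idp";
+settings = let
+listenUser = config.services.nginx.user;
+listenGroup = config.services.nginx.group;
+in {
+"pm" = "dynamic";
+"pm.max_children" = 32;
+"pm.max_requests" = 500;
+"pm.start_servers" = 2;
+"pm.min_spare_servers" = 2;
+"pm.max_spare_servers" = 4;
+"listen.owner" = listenUser;
+"listen.group" = listenGroup;
+
+"catch_workers_output" = true;
+"php_admin_flag[log_errors]" = true;
+# "php_admin_value[error_log]" = "stderr";
+};
+};
+
+services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
+forceSSL = true;
+enableACME = true;
+root = "${package}/share/php/simplesamlphp/public";
+locations = {
+"/".index = "index.php";
+
+# fastcgi_split_path_info ^(.+\.php)(/.+)$;
+"~ /(.+\\.php)" = {
+extraConfig = ''
+fastcgi_index index.php;
+fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
+include ${pkgs.nginx}/conf/fastcgi_params;
+include ${pkgs.nginx}/conf/fastcgi.conf;
+
+fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename;
+fastcgi_param SCRIPT_NAME $request_filename;
+'';
+};
+};
+};
+}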
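Review bot: The `--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"'` and `--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"'` substitutions in `configFile` bake literal secrets into the rendered config at build time, which lands them both in git history and in the world-readable Nix store under a path any local user can read. This host already has `sops.defaultSopsFile` configured in the same commit, so these two values should be injected at activation/runtime from sops secrets readable only by the `idp` user (a sops template or a preStart that fills the placeholders), leaving the store copy of `config.php` with the placeholders intact; if the admin password setting is the plaintext one, whatever is committed should be a password_hash output rather than a literal in any case. Separately, `fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename;` prefixes `$request_filename`, which nginx already resolves to an absolute path under `root`, so the resulting path is doubled; the included `fastcgi.conf` already sets `SCRIPT_FILENAME $document_root$fastcgi_script_name`, so this override can be dropped, and `SCRIPT_NAME` should carry the URI path (`$fastcgi_script_name`), not a filesystem path. The unanchored `"~ /(.+\\.php)"` location, with `fastcgi_split_path_info` left commented out, also hands any URI that merely contains `.php` to PHP-FPM, so the PATH_INFO handling should be settled (anchor the pattern with `$`, or re-enable the split) before this leaves WIP.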
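--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3.php
@@ -0,0 +1,23 @@
+<?php
+$metadata['https://idp.pvv.ntnu.no/'] = array (
+'metadata-set' => 'saml20-idp-remote',
+'entityid' => 'https://idp.pvv.ntnu.no/',
+'SingleSignOnService' =>
+array (
+0 =>
+array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+),
+),
+'SingleLogoutService' =>
+array (
+0 =>
+array (
+'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+),
+),
+'certData' => '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',
+'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+);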