From d711e59f912b6adb6abfc97d165de873f3b513d9 Mon Sep 17 00:00:00 2001
From: Pierre Penninckx
Date: Sat, 31 Aug 2024 23:36:53 -0700
Subject: [PATCH] Wait actively on ldap being ready (#286)

Looks like this is needed in the end, other we get into some flaky situations
---
 CHANGELOG.md | 1 +
 modules/blocks/authelia.nix | 18 +++++++++++++-----
 .../services/nextcloud-server/docs/default.md | 3 ++-
 test/blocks/authelia.nix | 3 ++-
 test/common.nix | 3 ++-
 test/services/vaultwarden.nix | 3 ++-
 6 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e187a5..92690b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
 - `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
 - `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
+ - `shb.authelia.ldapEndpoint` -> `shb.authelia.ldapHostname` and `shb.authelia.ldapPort`
 ## User Facing Backwards Compatible Changes
diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix
index 4f9acf5..d27db34 100644
--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@@ -39,10 +39,16 @@ in
 default = null;
 };
- ldapEndpoint = lib.mkOption {
+ ldapHostname = lib.mkOption {
 type = lib.types.str;
- description = "Endpoint of the LDAP authentication backend.";
- example = "ldap://ldap.example.com:389";
+ description = "Hostname of the LDAP authentication backend.";
+ example = "ldap.example.com";
+ };
+
+ ldapPort = lib.mkOption {
+ type = lib.types.port;
+ description = "Port of the LDAP authentication backend.";
+ example = "389";
 };
 dcdomain = lib.mkOption {
@@ -301,7 +307,7 @@ in
 };
 ldap = {
 implementation = "custom";
- address = cfg.ldapEndpoint;
+ address = "ldap://${cfg.ldapHostname}:${toString cfg.ldapPort}";
 timeout = "5s";
 start_tls = "false";
 base_dn = cfg.dcdomain;
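Review bot: `example = "389";` on the new `ldapPort` option is a string while the option's type is `lib.types.port`, an integer type, so a user copying the documented example would get a type error; it should read `example = 389;`. The removed `ldapEndpoint` option is not kept as an alias, so existing configurations presumably fail only with a generic undefined-option error; a `lib.mkRemovedOptionModule` entry for `shb.authelia.ldapEndpoint` pointing at `ldapHostname` and `ldapPort` would surface the migration listed in the CHANGELOG at evaluation time. The enclosing options attribute set starts before and ends after this hunk.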
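Review bot: The rebuilt `address = "ldap://${cfg.ldapHostname}:${toString cfg.ldapPort}";` hard-codes the `ldap://` scheme, and the `start_tls = "false"` context line right below it is unchanged, so after this change the module can only talk to the LDAP backend in plaintext, whereas the removed free-form `ldapEndpoint` string could be given an `ldaps://` endpoint. If plaintext-only is intended, the `ldapHostname` description in the earlier `@@ -39` hunk should say so; otherwise a scheme or TLS toggle option is needed next to `ldapPort`, with `start_tls` wired to it, which is a larger change than this hunk. The enclosing `ldap` attribute set and the surrounding configuration continue outside the hunk.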
@@ -406,7 +412,9 @@ in
 generator = shblib.replaceSecretsGeneratorAdapter (lib.generators.toYAML {});
 };
 in
- lib.mkBefore (mkCfg cfg.oidcClients);
+ lib.mkBefore (mkCfg cfg.oidcClients + ''
+ ${pkgs.bash}/bin/bash -c '(while ! ${pkgs.netcat-openbsd}/bin/nc -z -v -w1 ${cfg.ldapHostname} ${toString cfg.ldapPort}; do echo "Waiting for port ${cfg.ldapHostname}:${toString cfg.ldapPort} to open..."; sleep 2; done); sleep 2'
+ '');
 services.nginx.virtualHosts.${fqdn} = {
 forceSSL = !(isNull cfg.ssl);
diff --git a/modules/services/nextcloud-server/docs/default.md b/modules/services/nextcloud-server/docs/default.md
index 4d69464..a89a84d 100644
--- a/modules/services/nextcloud-server/docs/default.md
+++ b/modules/services/nextcloud-server/docs/default.md
@@ -196,7 +196,8 @@ shb.authelia = {
 subdomain = "auth";
 ssl = config.shb.certs.certs.selfsigned.auth;
- ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+ ldapHostname = "127.0.0.1";
+ ldapPort = config.shb.ldap.ldapPort;
 dcdomain = config.shb.ldap.dcdomain;
 secrets = {
diff --git a/test/blocks/authelia.nix b/test/blocks/authelia.nix
index 07b6928..6b01f31 100644
--- a/test/blocks/authelia.nix
+++ b/test/blocks/authelia.nix
@@ -40,7 +40,8 @@ in
 enable = true;
 subdomain = "authelia";
 domain = "machine.com";
- ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
+ ldapHostname = "${config.shb.ldap.subdomain}.${config.shb.ldap.domain}";
+ ldapPort = config.shb.ldap.ldapPort;
 dcdomain = config.shb.ldap.dcdomain;
 secrets = {
 jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
diff --git a/test/common.nix b/test/common.nix
index 3533b26..b626bd0 100644
--- a/test/common.nix
+++ b/test/common.nix
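Review bot: The added wait loop has no upper bound: if the LDAP port never opens, `while ! nc -z -v -w1 ...; do ...; sleep 2; done` spins forever, so whatever this script is prepended to (presumably a pre-start step; the assignment target and the `let ... in` it belongs to start before the hunk) hangs instead of failing, and systemd never gets to report or restart it. A bounded retry that exits non-zero turns a dead LDAP backend into a visible failure, e.g. `${pkgs.bash}/bin/bash -c 'i=0; while ! ${pkgs.netcat-openbsd}/bin/nc -z -w1 ${cfg.ldapHostname} ${toString cfg.ldapPort}; do i=$((i+1)); [ "$i" -lt 60 ] || { echo "Gave up waiting for ${cfg.ldapHostname}:${toString cfg.ldapPort}"; exit 1; }; echo "Waiting for port ${cfg.ldapHostname}:${toString cfg.ldapPort} to open..."; sleep 2; done; sleep 2'`. A successful TCP connect only shows that something is listening on the port, not that the directory answers binds yet, which is probably the reason for the trailing `sleep 2`; a one-line comment stating that, and why the limit was chosen, would keep the next reader from removing either.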
@@ -174,7 +174,8 @@ in
 subdomain = "auth";
 ssl = config.shb.certs.certs.selfsigned.n;
- ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+ ldapHostname = "127.0.0.1";
+ ldapPort = config.shb.ldap.ldapPort;
 dcdomain = config.shb.ldap.dcdomain;
 secrets = {
diff --git a/test/services/vaultwarden.nix b/test/services/vaultwarden.nix
index f79d2df..0439054 100644
--- a/test/services/vaultwarden.nix
+++ b/test/services/vaultwarden.nix
@@ -78,7 +78,8 @@ let
 # Not yet supported
 # ldap = { config, ... }: {
 # # shb.vaultwarden = {
- # # ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}";
+ # # ldapHostname = "127.0.0.1";
+ # # ldapPort = config.shb.ldap.webUIListenPort;
 # # };
 # };