Wait actively on ldap being ready (#286)

Looks like this is needed in the end, other we get into some flaky situations
2024-08-31 23:36:53 -07:00 · 2024-08-31 23:36:53 -07:00 · d711e59f91
commit d711e59f91
parent 8db61af6b3
6 changed files with 22 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,6 +13,7 @@
  - `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
  - `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
  - `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
+  - `shb.authelia.ldapEndpoint` -> `shb.authelia.ldapHostname` and `shb.authelia.ldapPort`

 ## User Facing Backwards Compatible Changes

--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@ -39,10 +39,16 @@ in
      default = null;
    };

-    ldapEndpoint = lib.mkOption {
+    ldapHostname = lib.mkOption {
      type = lib.types.str;
-      description = "Endpoint of the LDAP authentication backend.";
-      example = "ldap://ldap.example.com:389";
+      description = "Hostname of the LDAP authentication backend.";
+      example = "ldap.example.com";
+    };
+
+    ldapPort = lib.mkOption {
+      type = lib.types.port;
+      description = "Port of the LDAP authentication backend.";
+      example = "389";
    };

    dcdomain = lib.mkOption {
@ -301,7 +307,7 @@ in
          };
          ldap = {
            implementation = "custom";
-            address = cfg.ldapEndpoint;
+            address = "ldap://${cfg.ldapHostname}:${toString cfg.ldapPort}";
            timeout = "5s";
            start_tls = "false";
            base_dn = cfg.dcdomain;
@ -406,7 +412,9 @@ in
            generator = shblib.replaceSecretsGeneratorAdapter (lib.generators.toYAML {});
          };
      in
-        lib.mkBefore (mkCfg cfg.oidcClients);
+        lib.mkBefore (mkCfg cfg.oidcClients + ''
+        ${pkgs.bash}/bin/bash -c '(while ! ${pkgs.netcat-openbsd}/bin/nc -z -v -w1 ${cfg.ldapHostname} ${toString cfg.ldapPort}; do echo "Waiting for port ${cfg.ldapHostname}:${toString cfg.ldapPort} to open..."; sleep 2; done); sleep 2'
+          '');

    services.nginx.virtualHosts.${fqdn} = {
      forceSSL = !(isNull cfg.ssl);
--- a/modules/services/nextcloud-server/docs/default.md
+++ b/modules/services/nextcloud-server/docs/default.md
@ -196,7 +196,8 @@ shb.authelia = {
  subdomain = "auth";
  ssl = config.shb.certs.certs.selfsigned.auth;

-  ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+  ldapHostname = "127.0.0.1";
+  ldapPort = config.shb.ldap.ldapPort;
  dcdomain = config.shb.ldap.dcdomain;

  secrets = {
--- a/test/blocks/authelia.nix
+++ b/test/blocks/authelia.nix
@ -40,7 +40,8 @@ in
        enable = true;
        subdomain = "authelia";
        domain = "machine.com";
-        ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
+        ldapHostname = "${config.shb.ldap.subdomain}.${config.shb.ldap.domain}";
+        ldapPort = config.shb.ldap.ldapPort;
        dcdomain = config.shb.ldap.dcdomain;
        secrets = {
          jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
--- a/test/common.nix
+++ b/test/common.nix
@ -174,7 +174,8 @@ in
      subdomain = "auth";
      ssl = config.shb.certs.certs.selfsigned.n;

-      ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+      ldapHostname = "127.0.0.1";
+      ldapPort = config.shb.ldap.ldapPort;
      dcdomain = config.shb.ldap.dcdomain;

      secrets = {
--- a/test/services/vaultwarden.nix
+++ b/test/services/vaultwarden.nix
@ -78,7 +78,8 @@ let
  # Not yet supported
  # ldap = { config, ... }: {
  #   # shb.vaultwarden = {
-  #   #   ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}";
+  #   #   ldapHostname = "127.0.0.1";
+  #   #   ldapPort = config.shb.ldap.webUIListenPort;
  #   # };
  # };