wm: add noctalia shell plugins

system/dev/dn-server/services/dns.nix

@@ -4,6 +4,7 @@ let
   inherit (lib) nameValuePair mkForce;
   inherit (config.sops) secrets;
   inherit (config.networking) domain;
+  infraIP = "10.10.0.0";
 
   splitDNS = listToAttrs (
     map (x: nameValuePair x "127.0.0.1:5359") [
@@ -71,8 +72,8 @@ in
       dnsupdate=yes
       primary=yes
       secondary=no
-      allow-dnsupdate-from=10.0.0.0/24
-      allow-axfr-ips=10.0.0.0/24
+      allow-dnsupdate-from=${infraIP}/24
+      allow-axfr-ips=${infraIP}/24
       also-notify=10.0.0.148:53
     '';
     secretFile = secrets.powerdns.path;
@@ -98,7 +99,7 @@ in
     dnssecValidation = "off";
     dns.allowFrom = [
       "127.0.0.0/8"
-      "10.0.0.0/24"
+      "${infraIP}/24"
       "192.168.100.0/24"
     ];
     dns.port = 5300;

system/dev/dn-server/services/identity-provider/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./ldap.nix
+  ];
+}

system/dev/dn-server/services/identity-provider/keycloak.nix

@@ -0,0 +1,49 @@
+{ config, ... }:
+let
+  inherit (config.networking) domain;
+  inherit (config.sops) secrets;
+  hostname = "login";
+  cfg = config.services.keycloak;
+in
+{
+  sops.secrets = {
+    "oauth/password" = { };
+  };
+
+  # ==== Keycloak Service ==== #
+  systemd.services.keycloak = {
+    owner = "keycloak";
+    group = "keycloak";
+    mode = "440"; # Read Only
+  };
+
+  # ==== Keycloak Service ==== #
+  services.keycloak = {
+    enable = true;
+
+    database = {
+      type = "postgresql";
+      name = "keycloak";
+      createLocally = true;
+      passwordFile = secrets."oauth/password".path;
+    };
+
+    settings = {
+      hostname = "${hostname}.${domain}";
+      proxy-headers = "xforwarded";
+      http-port = 38080;
+      http-enabled = true;
+      health-enabled = true;
+      http-management-port = 38081;
+    };
+  };
+
+  services.nginx.virtualHosts."${cfg.settings.hostname}" = {
+    useACMEHost = domain;
+    forceSSL = true;
+
+    locations."/".proxyPass = "http://127.0.0.1:${toString cfg.settings.http-port}";
+    locations."/health".proxyPass =
+      "http://127.0.0.1:${toString cfg.settings.http-management-port}/health";
+  };
+}

system/dev/dn-server/services/identity-provider/ldap.nix

@@ -0,0 +1,184 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (config.networking) domain;
+  inherit (lib)
+    concatStringsSep
+    splitString
+    getExe
+    getExe'
+    ;
+  inherit (config.sops) secrets;
+
+  getOlcSuffix = domain: concatStringsSep "," (map (dc: "dc=${dc}") (splitString "." domain));
+
+  ldapHostname = "ldap";
+  olcSuffix = getOlcSuffix domain;
+  adminDN = "cn=admin,ou=people,${olcSuffix}";
+  localDN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth";
+  cfg = config.services.openldap.package;
+in
+{
+
+  # ==== Admin Password ==== #
+  sops.secrets."ldap/password" = { };
+
+  systemd.services.openldap-pre =
+    let
+      passwordPath = cfg.settings.children."olcDatabase={1}mdb".attrs.olcRootPW.path;
+    in
+    {
+      before = [ "openldap.service" ];
+      requiredBy = [ "openldap.service" ];
+      serviceConfig = {
+        User = "openldap";
+        ExecStart = "${getExe pkgs.bash} -c '${getExe' cfg.package "slappasswd"} -T ${secrets."ldap/password".path} > ${passwordPath}";
+        ExecStartPost = [
+          "${getExe' pkgs.busybox.out "chmod"} 700 ${passwordPath}"
+        ];
+        Type = "oneshot";
+        StateDirectory = [
+          "openldap"
+        ];
+        StateDirectoryMode = "700";
+      };
+    };
+
+  # ==== TLS Cert ===== #
+  systemd.services.openldap = {
+    wants = [ "acme-finished-${domain}.target" ];
+    serviceConfig.LoadCredential =
+      let
+        certDir = config.security.acme.certs."${domain}".directory;
+      in
+      [
+        "full.pem:${certDir}/full.pem"
+        "cert.pem:${certDir}/cert.pem"
+        "key.pem:${certDir}/key.pem"
+      ];
+  };
+
+  # ===== Openldap Service ==== #
+  services.openldap =
+    let
+      credsDir = "/run/credentials/openldap.service";
+      caDir = "${credsDir}/full.pem";
+      certDir = "${credsDir}/cert.pem";
+      keyDir = "${credsDir}/key.pem";
+    in
+    {
+      enable = true;
+
+      urlList = [
+        "ldap:///"
+        "ldapi:///"
+        "ldaps:///" # TLS
+      ];
+
+      settings = {
+        attrs = {
+          olcLogLevel = "conns config";
+
+          olcTLSCACertificateFile = caDir;
+          olcTLSCertificateFile = certDir;
+          olcTLSCertificateKeyFile = keyDir;
+          olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+          olcTLSCRLCheck = "none";
+          olcTLSVerifyClient = "never";
+          olcTLSProtocolMin = "3.1";
+        };
+
+        children = {
+          "cn=schema".includes = [
+            "${cfg.package}/etc/schema/core.ldif"
+            "${cfg.package}/etc/schema/cosine.ldif"
+            "${cfg.package}/etc/schema/inetorgperson.ldif"
+          ];
+
+          "olcDatabase={1}mdb" = {
+            attrs = {
+              objectClass = [
+                "olcDatabaseConfig"
+                "olcMdbConfig"
+              ];
+
+              olcDatabase = "{1}mdb";
+              olcDbDirectory = "/var/lib/openldap/data";
+
+              olcSuffix = olcSuffix;
+
+              olcRootDN = "cn=admin,${olcSuffix}";
+              olcRootPW.path = "/var/lib/openldap/olcPasswd";
+
+              olcAccess = [
+                ''
+                  {0}to attrs=userPassword
+                      by peername="${localDN}" manage 
+                      by dn.exact="${adminDN}" manage
+                      by self write
+                      by anonymous auth
+                      by * none
+                ''
+                ''
+                  {1}to *
+                      by peername="${localDN}" manage 
+                      by dn.exact="${adminDN}" manage
+                      by self read
+                      by anonymous auth
+                      by * none
+                ''
+              ];
+            };
+
+            children = {
+              # ==== Password Policy ==== #
+              "olcOverlay={2}ppolicy".attrs = {
+                objectClass = [
+                  "olcOverlayConfig"
+                  "olcPPolicyConfig"
+                  "top"
+                ];
+                olcOverlay = "{2}ppolicy";
+                olcPPolicyHashCleartext = "TRUE";
+              };
+
+              # ==== Group ==== #
+              "olcOverlay={3}memberof".attrs = {
+                objectClass = [
+                  "olcOverlayConfig"
+                  "olcMemberOf"
+                  "top"
+                ];
+                olcOverlay = "{3}memberof";
+                olcMemberOfRefInt = "TRUE";
+                olcMemberOfDangling = "ignore";
+                olcMemberOfGroupOC = "groupOfNames";
+                olcMemberOfMemberAD = "member";
+                olcMemberOfMemberOfAD = "memberOf";
+              };
+
+              "olcOverlay={4}refint".attrs = {
+                objectClass = [
+                  "olcOverlayConfig"
+                  "olcRefintConfig"
+                  "top"
+                ];
+                olcOverlay = "{4}refint";
+                olcRefintAttribute = [
+                  "memberof"
+                  "member"
+                  "manager"
+                  "owner"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+
+}

system/dev/dn-server/services/netbird.nix

@@ -35,6 +35,7 @@ in
   ];
 
   services.netbird = {
+    useRoutingFeatures = "server";
     ui.enable = mkForce false;
 
     clients.wt0 = {

system/dev/dn-server/services/nextcloud.nix

@@ -59,6 +59,7 @@ in
   ];
 
   services.nextcloud = {
+    package = pkgs.nextcloud32;
     extraApps = {
       inherit (config.services.nextcloud.package.packages.apps) music spreed;