|
1 | 1 | { config, lib, libS, ... }:
|
2 | 2 |
|
3 | 3 | let
|
4 |
| - cfg = config.services.hydra.ldap; |
| 4 | + cfg = config.services.hydra; |
| 5 | + cfgl = cfg.ldap; |
5 | 6 | inherit (config.security) ldap;
|
6 | 7 | in
|
7 | 8 | {
|
8 | 9 | options = {
|
9 |
| - services.hydra.ldap = { |
10 |
| - enable = lib.mkEnableOption '' |
11 |
| - login only via LDAP. |
12 |
| - The bind user password must be placed at `/var/lib/hydra/ldap-password.conf` in the format `bindpw = "PASSWORD" |
13 |
| - It is recommended to use a password without special characters because the perl config parser has weird escaping rule like that comment characters `#` must be escape with backslash |
14 |
| - ''; |
15 |
| - |
16 |
| - roleMappings = lib.mkOption { |
17 |
| - type = with lib.types; listOf (attrsOf str); |
18 |
| - example = [{ hydra-admins = "admins"; }]; |
19 |
| - default = [ ]; |
20 |
| - description = "Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping."; |
| 10 | + services.hydra = { |
| 11 | + configurePostgres = lib.mkOption { |
| 12 | + type = lib.types.bool; |
| 13 | + default = false; |
| 14 | + example = true; |
| 15 | + description = "Whether to configure and create a local PostgreSQL database."; |
21 | 16 | };
|
22 | 17 |
|
23 |
| - userGroup = libS.ldap.mkUserGroupOption; |
| 18 | + ldap = { |
| 19 | + enable = lib.mkEnableOption '' |
| 20 | + login only via LDAP. |
| 21 | + The bind user password must be placed at `/var/lib/hydra/ldap-password.conf` in the format `bindpw = "PASSWORD" |
| 22 | + It is recommended to use a password without special characters because the perl config parser has weird escaping rule |
| 23 | + like that comment characters `#` must be escape with backslash |
| 24 | + ''; |
| 25 | + |
| 26 | + roleMappings = lib.mkOption { |
| 27 | + type = with lib.types; listOf (attrsOf str); |
| 28 | + example = [{ hydra-admins = "admins"; }]; |
| 29 | + default = [ ]; |
| 30 | + description = "Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping."; |
| 31 | + }; |
| 32 | + |
| 33 | + userGroup = libS.ldap.mkUserGroupOption; |
| 34 | + }; |
24 | 35 | };
|
25 | 36 | };
|
26 | 37 |
|
27 |
| - config.services.hydra.extraConfig = lib.mkIf cfg.enable /* xml */ '' |
| 38 | + config.services.hydra.extraConfig = lib.mkIf cfgl.enable /* xml */ '' |
28 | 39 | # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
|
29 | 40 | <ldap>
|
30 | 41 | <config>
|
|
48 | 59 | sslversion = tlsv1_3
|
49 | 60 | </start_tls_options>
|
50 | 61 | user_basedn = "${ldap.userBaseDN}"
|
51 |
| - user_filter = "${ldap.searchFilterWithGroupFilter cfg.userGroup (ldap.userFilter "%s")}" |
| 62 | + user_filter = "${ldap.searchFilterWithGroupFilter cfgl.userGroup (ldap.userFilter "%s")}" |
52 | 63 | user_scope = one
|
53 | 64 | user_field = ${ldap.userField}
|
54 | 65 | <user_search_options>
|
|
72 | 83 | # Allow all users in the dev group to restart jobs and cancel builds
|
73 | 84 | # dev = restart-jobs
|
74 | 85 | # dev = cancel-build
|
75 |
| - ${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfg.roleMappings)} |
| 86 | + ${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfgl.roleMappings)} |
76 | 87 | </role_mapping>
|
77 | 88 | </ldap>
|
78 | 89 | '';
|
79 | 90 |
|
80 | 91 | config.services.portunus.seedSettings.groups = [
|
81 |
| - (lib.mkIf (cfg.userGroup != null) { |
| 92 | + (lib.mkIf (cfgl.userGroup != null) { |
82 | 93 | long_name = "Hydra Users";
|
83 |
| - name = cfg.userGroup; |
| 94 | + name = cfgl.userGroup; |
84 | 95 | permissions = { };
|
85 | 96 | })
|
86 | 97 | ] ++ lib.flatten (map lib.attrValues (map
|
|
89 | 100 | name = ldapGroup;
|
90 | 101 | permissions = { };
|
91 | 102 | }))
|
92 |
| - cfg.roleMappings)); |
| 103 | + cfgl.roleMappings)); |
| 104 | + |
| 105 | + config.services.postgresql = lib.mkIf cfg.configurePostgres { |
| 106 | + ensureDatabases = [ "hydra" ]; |
| 107 | + ensureUsers = [ { |
| 108 | + name = "hydra"; |
| 109 | + ensureDBOwnership = true; |
| 110 | + } ]; |
| 111 | + }; |
93 | 112 | }
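Review bot: The new `config.services.postgresql = lib.mkIf cfg.configurePostgres { … }` block at the end of the last hunk only sets `ensureDatabases` and `ensureUsers`; it does not set `services.postgresql.enable`, so unless PostgreSQL is enabled elsewhere the option's description ("Whether to configure and create a local PostgreSQL database") presumably promises more than this block delivers. Either add `enable = true;` inside the `lib.mkIf` attribute set, or reword the description to say it ensures the `hydra` database and owner user on an already-enabled local PostgreSQL. The `ensureDBOwnership = true` entry depends on the database and the user sharing the name `hydra`, which holds here but is worth a one-line comment such as `# ensureDBOwnership requires the user and database names to match`. Note that `cfgl` as the name for the LDAP sub-config is terse next to `cfg`; `ldapCfg` would read more clearly.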
|