Working NixOS port: all core services operational

- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto) - Fix Authelia LDAP bind (readonly user ACL + password sync) - Add gitea-admin-setup oneshot service to survive rebuilds - Update Authelia forward_auth with header_up X-Forwarded-Proto https - Update TODO.org with completed tasks and LDAP config details - Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts) - Add result to .gitignore Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-23 14:46:21 +03:00
parent 05619d12fc
commit 0b73d493d8
22 changed files with 1410 additions and 355 deletions
@@ -50,8 +50,10 @@ in
    virtualisation.oci-containers.containers.openldap = {
      image = cfg.image;

-      # Bind only to localhost — no external exposure
-      ports = [ "127.0.0.1:${toString cfg.port}:389" ];
+      # No ports mapping — --network=host means the container shares the host
+      # network stack. OpenLDAP binds to 0.0.0.0:389, but the firewall
+      # (common.nix) only opens 22/80/443, so port 389 is unreachable from
+      # the LAN or internet.

      environment = {
        LDAP_ORGANISATION  = homeyConfig.organization;
@@ -76,8 +78,8 @@ in
      ];

      extraOptions = [
-        "--network=host"   # simplest for single-host: services talk on 127.0.0.1
-        "--hostname=openldap"
+        "--network=host"
+        "--env-file=/run/openldap-secrets.env"
      ];
    };

@@ -88,18 +90,25 @@ in
    # podman-<container-name>.service
    systemd.services."podman-openldap" = {
      serviceConfig = {
-        # Write an env file with secret values before the container starts,
-        # then pass it to podman run via EnvironmentFile.
+        # LoadCredential stages the sops secrets into a per-invocation
+        # credential directory before any Exec* step, so they are available
+        # when ExecStartPre runs.  ExecStartPre writes the env file that
+        # podman --env-file reads; this avoids the EnvironmentFile ordering
+        # race (EnvironmentFile is evaluated before ExecStartPre).
+        LoadCredential = [
+          "openldap_admin_password:${config.sops.secrets."openldap/admin_password".path}"
+          "openldap_config_password:${config.sops.secrets."openldap/config_password".path}"
+          "openldap_ro_password:${config.sops.secrets."openldap/ro_password".path}"
+        ];
        ExecStartPre = [
          (pkgs.writeShellScript "openldap-secrets-env" ''
            set -euo pipefail
            install -m 600 /dev/null /run/openldap-secrets.env
-            echo "LDAP_ADMIN_PASSWORD=$(cat ${config.sops.secrets."openldap/admin_password".path})"   >> /run/openldap-secrets.env
-            echo "LDAP_CONFIG_PASSWORD=$(cat ${config.sops.secrets."openldap/config_password".path})" >> /run/openldap-secrets.env
-            echo "LDAP_READONLY_USER_PASSWORD=$(cat ${config.sops.secrets."openldap/ro_password".path})" >> /run/openldap-secrets.env
+            echo "LDAP_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/openldap_admin_password")"         >> /run/openldap-secrets.env
+            echo "LDAP_CONFIG_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/openldap_config_password")"       >> /run/openldap-secrets.env
+            echo "LDAP_READONLY_USER_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/openldap_ro_password")"    >> /run/openldap-secrets.env
          '')
        ];
-        EnvironmentFile = "/run/openldap-secrets.env";
      };
      # Clean up the env file on stop
      postStop = "rm -f /run/openldap-secrets.env";
@@ -109,8 +118,8 @@ in
    };

    # -----------------------------------------------------------------------
-    # Firewall — openldap port is NOT opened externally (localhost only)
+    # Firewall — openldap port is NOT opened externally
    # -----------------------------------------------------------------------
-    # No firewall rule needed; bound to 127.0.0.1.
+    # No firewall rule needed; common.nix only opens 22/80/443.
  };
 }