# NixOS module for an OpenLDAP (slapd) instance.  Options are declared under
# myServices.databases.openldap; the slapd.conf text (`ldapConfig`) built in
# the let-bindings is handed to services.openldap.extraConfig and reused by
# the backup job.  The root password and the ACLs are pulled in from files
# under config.secrets.location; TLS material comes from the ACME directory.
1 { lib, pkgs, config, myconfig, ... }:
# Shorthand for this module's own option set.
3 cfg = config.myServices.databases.openldap;
# Upstream schema files.  Both URLs point at the `master` branch rather than
# a tag or commit: the sha256 pins the content, so an upstream edit makes the
# fetch fail (hash mismatch) instead of silently pulling different bytes.
# NOTE(review): pinning the URL to a commit would avoid that breakage.
5 kerberosSchema = pkgs.fetchurl {
6 url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
7 sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
# Same remark applies to the puppet schema.
9 puppetSchema = pkgs.fetchurl {
10 url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
11 sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
# slapd.conf text (`ldapConfig`; the string opener sits outside this excerpt).
# It lists the schema includes, the pidfile/argsfile from cfg.pids, the
# suffix/rootdn, the rootpw include and the data directory, the TLS files
# from the ACME directory (CA file = ACME fullchain, CA path = system bundle,
# TLSCipherSuite left commented out, see the note inside), the SASL host and
# finally the ACL include.  Both includes resolve under config.secrets.location.
# NOTE(review): nothing visible in this text forces TLS on the plain ldap://
# listener (no `security ssf=`/`tls=` directive) — confirm whether the
# included access file sets it.
14 include ${pkgs.openldap}/etc/schema/core.schema
15 include ${pkgs.openldap}/etc/schema/cosine.schema
16 include ${pkgs.openldap}/etc/schema/inetorgperson.schema
17 include ${pkgs.openldap}/etc/schema/nis.schema
18 include ${puppetSchema}
19 include ${kerberosSchema}
20 include ${./immae.schema}
22 pidfile ${cfg.pids.pid}
23 argsfile ${cfg.pids.args}
30 suffix "${myconfig.env.ldap.base}"
31 rootdn "${myconfig.env.ldap.root_dn}"
32 include ${config.secrets.location}/ldap/password
33 directory ${cfg.dataDir}
36 TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
37 TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
38 TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
39 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
40 #This makes openldap crash
41 #TLSCipherSuite DEFAULT
43 sasl-host kerberos.immae.eu
44 include ${config.secrets.location}/ldap/access
# Option declarations.  The intermediate `openldap = { ... }` level that `cfg`
# refers to is not visible in this excerpt; the options below are read back
# through `cfg` by the config section.
48 options.myServices.databases = {
# Master switch; the whole config section is gated on it via lib.mkIf.
50 enable = lib.mkOption {
53 description = "Whether to enable ldap";
54 type = lib.types.bool;
# Data directory handed to services.openldap.dataDir.  It also receives the
# cron backup (backup.ldif), so a full LDIF export lives next to the database.
56 dataDir = lib.mkOption {
57 type = lib.types.path;
58 default = "/var/lib/openldap";
60 The directory where Openldap stores its data.
63 socketsDir = lib.mkOption {
64 type = lib.types.path;
65 default = "/run/slapd";
67 The directory where Openldap puts sockets and pid files.
72 type = lib.types.attrsOf lib.types.path;
74 pid = "${cfg.socketsDir}/slapd.pid";
75 args = "${cfg.socketsDir}/slapd.args";
# Implementation; only active when cfg.enable is set.
85 config = lib.mkIf cfg.enable {
# Secret files materialised under config.secrets.location.  The attribute
# these dest/text pairs belong to is outside this excerpt (presumably the
# module's secrets list — verify).  `ldap/password` is what the
# `include .../ldap/password` line of the slapd.conf text pulls in.
88 dest = "ldap/password";
# NOTE(review): if myconfig.env.ldap.root_pw is a cleartext password, slapd
# accepts it verbatim; a hashed value (e.g. the `{SSHA}` output of slappasswd)
# keeps the cleartext out of the generated file.
92 text = "rootpw ${myconfig.env.ldap.root_pw}";
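# Secret file holding the slapd ACL directives.  Its name must match the
# `include ${config.secrets.location}/ldap/access` line of the slapd.conf
# text, which has no trailing space — the original value ended in a space,
# so the generated file would not be the one slapd includes.
95 dest = "ldap/access";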
# ACL directives for slapd, read at evaluation time from the private files
# tree and consumed by the `include .../ldap/access` line of the slapd.conf
# text.
99 text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
# Lets the openldap user read the secret files (presumably group-owned by
# `keys`; the secrets module is not visible here).
102 users.users.openldap.extraGroups = [ "keys" ];
# Exposes both LDAPS (636) and plain LDAP (389) to the network.
# NOTE(review): the slapd.conf text shown sets no `security ssf=`/`tls=`
# requirement, so cleartext binds on 389 are only prevented if the ACL
# include does it — confirm, or drop 389 here if it is not needed.
103 networking.firewall.allowedTCPPorts = [ 636 389 ];
# Twice-daily (01:35 and 13:35) slapcat export of the base DN to
# backup.ldif in dataDir, run as root with a throw-away slapd.conf built
# from ldapConfig.  The pipe into grep only filters slapcat's own stdout
# (presumably the `# id=...` progress lines from -v); the LDIF itself goes
# to the file via -l.  The enclosing cron-job string is outside this excerpt.
# NOTE(review): the LDIF is a complete export of the database, password
# attributes included — confirm backup.ldif gets restrictive permissions.
108 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
113 security.acme.certs."ldap" = config.myServices.databasesCerts // {
# Presumably the files made available under config.security.acme.directory/ldap;
# the slapd.conf text reads fullchain.pem, key.pem and cert.pem from there.
116 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
117 domain = "ldap.immae.eu";
# postRun hook (its string opener is outside this excerpt): restart slapd
# after renewal, presumably because the TLS files are only loaded at start.
119 systemctl restart openldap.service
123 services.openldap = {
# Upstream NixOS service, fed this module's data dir, both listeners and the
# slapd.conf text built in the let-bindings.
125 dataDir = cfg.dataDir;
126 urlList = [ "ldap://" "ldaps://" ];
127 extraConfig = ldapConfig;