1 { lib, pkgs, config, ... }:
3 cfg = config.myServices.databases.openldap;
5 eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
9 pidfile ${cfg.pids.pid}
10 argsfile ${cfg.pids.args}
15 TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
16 TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
17 TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
18 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
19 #Setting this makes openldap crash, so it stays commented out
20 #TLSCipherSuite DEFAULT
22 sasl-host kerberos.immae.eu
26 options.myServices.databases = {
28 enable = lib.mkOption {
31 description = "Whether to enable LDAP";
32 type = lib.types.bool;
34 baseDn = lib.mkOption {
40 rootDn = lib.mkOption {
46 rootPw = lib.mkOption {
49 Root (hashed) password
52 accessFile = lib.mkOption {
53 type = lib.types.path;
55 The path of the file that defines the access rules
58 dataDir = lib.mkOption {
59 type = lib.types.path;
60 default = "/var/lib/openldap";
62 The directory where OpenLDAP stores its data.
65 socketsDir = lib.mkOption {
66 type = lib.types.path;
67 default = "/run/slapd";
69 The directory where OpenLDAP puts its sockets and pid files.
74 type = lib.types.attrsOf lib.types.path;
76 pid = "${cfg.socketsDir}/slapd.pid";
77 args = "${cfg.socketsDir}/slapd.args";
87 config = lib.mkIf cfg.enable {
93 text = "rootpw ${cfg.rootPw}";
99 text = builtins.readFile cfg.accessFile;
102 permissions = "0500";
108 users.users.openldap.extraGroups = [ "keys" ];
109 networking.firewall.allowedTCPPorts = [ 636 389 ];
111 security.acme.certs."ldap" = config.myServices.databasesCerts // {
114 domain = "ldap.immae.eu";
116 systemctl restart openldap.service
120 services.filesWatcher.openldap = {
122 paths = [ config.secrets.fullPaths."ldap" ];
125 services.openldap = {
127 dataDir = cfg.dataDir;
128 urlList = [ "ldap://" "ldaps://" ];
130 extraConfig = ldapConfig;
131 extraDatabaseConfig = ''
137 syncprov-checkpoint 100 10
139 include ${config.secrets.fullPaths."ldap/access"}
141 rootpwFile = config.secrets.fullPaths."ldap/password";