{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.databases.openldap;

  # Extra LDAP schemas built from the sibling file and pasted into slapd.conf.
  eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};

  # Directory holding the certificate files produced by the "ldap" ACME entry
  # declared in `config` below.
  certDir = config.security.acme.certs.ldap.directory;

  # Global (pre-database) slapd.conf fragment: schemas, pid/args files, the
  # hdb backend module, TLS material from ACME plus the system CA bundle, and
  # the SASL host name. The content is a runtime config string and is kept
  # verbatim; the `#` lines inside it are slapd.conf comments.
  ldapConfig = ''
    ${eldiron_schemas}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    TLSCertificateFile ${certDir}/cert.pem
    TLSCertificateKeyFile ${certDir}/key.pem
    TLSCACertificateFile ${certDir}/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
  '';

  # One entry of `secrets.keys`: a file under the secrets location, readable
  # only by the openldap user (mode 0400).
  ldapSecret = dest: text: {
    inherit dest text;
    permissions = "0400";
    user = "openldap";
    group = "openldap";
  };
in
{
  options.myServices.databases.openldap = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether to enable ldap";
    };
    baseDn = lib.mkOption {
      type = lib.types.str;
      description = ''
        Base DN for LDAP
      '';
    };
    rootDn = lib.mkOption {
      type = lib.types.str;
      description = ''
        Root DN
      '';
    };
    # Expected to be an already-hashed value: it is written as-is into a
    # `rootpw` directive (see `secrets.keys` below).
    rootPw = lib.mkOption {
      type = lib.types.str;
      description = ''
        Root (Hashed) password
      '';
    };
    # Read at evaluation time and installed as the "ldap/access" secret, which
    # the database config then `include`s.
    accessFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        The file path that defines the access
      '';
    };
    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/openldap";
      description = ''
        The directory where Openldap stores its data.
      '';
    };
    socketsDir = lib.mkOption {
      type = lib.types.path;
      default = "/run/slapd";
      description = ''
        The directory where Openldap puts sockets and pid files.
      '';
    };
    # Output variable: derived from socketsDir, not meant to be set by users.
    pids = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      readOnly = true;
      default = {
        pid = "${cfg.socketsDir}/slapd.pid";
        args = "${cfg.socketsDir}/slapd.args";
      };
      description = ''
        Slapd pid files
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # NOTE(review): rootPw is a plain `str` option; whether its value is kept
    # out of the world-readable Nix store depends on how `secrets.keys` is
    # implemented elsewhere in this configuration — confirm before relying on it.
    secrets.keys = [
      (ldapSecret "ldap/password" "rootpw ${cfg.rootPw}")
      (ldapSecret "ldap/access" (builtins.readFile "${cfg.accessFile}"))
    ];
    # Membership in "keys" is what lets the openldap user read the secrets above.
    users.users.openldap.extraGroups = [ "keys" ];
    # 636 is LDAPS; 389 is plain LDAP. Nothing in this file forces TLS on 389
    # (no `security` directive here) — check the included access file if
    # cleartext binds on 389 must be refused.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # `//` is a shallow merge: every key set here replaces the whole value
    # coming from myServices.databasesCerts.
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever the installed ldap secrets change.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ "${config.secrets.location}/ldap/" ];
    };

    services.openldap = {
      enable = true;
      inherit (cfg) dataDir;
      urlList = [ "ldap://" "ldaps://" ];
      extraConfig = ldapConfig;
      # Per-database fragment: memberof and syncprov overlays, then the ACLs
      # pulled in from the "ldap/access" secret.
      extraDatabaseConfig = ''
        moduleload memberof
        overlay memberof

        moduleload syncprov
        overlay syncprov
        syncprov-checkpoint 100 10

        include ${config.secrets.location}/ldap/access
      '';
      rootpwFile = "${config.secrets.location}/ldap/password";
      suffix = cfg.baseDn;
      rootdn = cfg.rootDn;
      database = "hdb";
    };
  };
}