1 { lib, pkgs, config, ... }:
3 cfg = config.myServices.databases.openldap;
5 eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
9 pidfile ${cfg.pids.pid}
10 argsfile ${cfg.pids.args}
15 TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
16 TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
17 TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
18 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
19 #This makes openldap crash
20 #TLSCipherSuite DEFAULT
22 sasl-host kerberos.immae.eu
26 options.myServices.databases = {
28 enable = lib.mkOption {
31 description = "Whether to enable ldap";
32 type = lib.types.bool;
34 baseDn = lib.mkOption {
40 rootDn = lib.mkOption {
46 rootPw = lib.mkOption {
49 Root (Hashed) password
52 accessFile = lib.mkOption {
53 type = lib.types.path;
55 The file path that defines the access
58 dataDir = lib.mkOption {
59 type = lib.types.path;
60 default = "/var/lib/openldap";
62 The directory where Openldap stores its data.
65 socketsDir = lib.mkOption {
66 type = lib.types.path;
67 default = "/run/slapd";
69 The directory where Openldap puts sockets and pid files.
74 type = lib.types.attrsOf lib.types.path;
76 pid = "${cfg.socketsDir}/slapd.pid";
77 args = "${cfg.socketsDir}/slapd.args";
87 config = lib.mkIf cfg.enable {
90 dest = "ldap/password";
94 text = "rootpw ${cfg.rootPw}";
101 text = builtins.readFile "${cfg.accessFile}";
104 users.users.openldap.extraGroups = [ "keys" ];
105 networking.firewall.allowedTCPPorts = [ 636 389 ];
107 security.acme.certs."ldap" = config.myServices.databasesCerts // {
110 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
111 domain = "ldap.immae.eu";
113 systemctl restart openldap.service
117 services.filesWatcher.openldap = {
119 paths = [ "${config.secrets.location}/ldap/" ];
122 services.openldap = {
124 dataDir = cfg.dataDir;
125 urlList = [ "ldap://" "ldaps://" ];
126 extraConfig = ldapConfig;
127 extraDatabaseConfig = ''
133 syncprov-checkpoint 100 10
135 include ${config.secrets.location}/ldap/access
137 rootpwFile = "${config.secrets.location}/ldap/password";