};
config = lib.mkIf cfg.enable {
- secrets.keys = [
- {
- dest = "ldap/password";
+ secrets.keys = {
+ "ldap/password" = {
permissions = "0400";
user = "openldap";
group = "openldap";
text = "rootpw ${cfg.rootPw}";
- }
- {
- dest = "ldap/access";
+ };
+ "ldap/access" = {
permissions = "0400";
user = "openldap";
group = "openldap";
text = builtins.readFile cfg.accessFile;
- }
- {
- dest = "ldap";
+ };
+ "ldap" = {
permissions = "0500";
user = "openldap";
group = "openldap";
isDir = true;
- }
- ];
+ };
+ };
users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];