database hdb
suffix "${myconfig.env.ldap.base}"
rootdn "${myconfig.env.ldap.root_dn}"
- include /run/keys/ldap/ldap-password
+ include /var/secrets/ldap/password
directory /var/lib/openldap
overlay memberof
#TLSCipherSuite DEFAULT
sasl-host kerberos.immae.eu
- include /run/keys/ldap/ldap-access
+ include /var/secrets/ldap/access
'';
in {
options.services.myDatabases = {
};
config = lib.mkIf cfg.enable {
- deployment.keys = {
- ldap-password = {
- destDir = "/run/keys/ldap";
+ mySecrets.keys = [
+ {
+ dest = "ldap/password";
permissions = "0400";
user = "openldap";
group = "openldap";
text = "rootpw ${myconfig.env.ldap.root_pw}";
- };
- ldap-access = {
- destDir = "/run/keys/ldap";
+ }
+ {
+ dest = "ldap/access ";
permissions = "0400";
user = "openldap";
group = "openldap";
text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
- };
- };
+ }
+ ];
users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
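Review bot: The new `dest = "ldap/access ";` carries a trailing space, so the access secret would be written to `ldap/access ` while the slapd config on the new side does `include /var/secrets/ldap/access` (assuming `mySecrets.keys` resolves `dest` under `/var/secrets`, as the password entry's `ldap/password` ↔ `/var/secrets/ldap/password` pairing suggests); slapd would then fail to start for want of its access rules, and the fix is `dest = "ldap/access";`. With both files now owned `openldap:openldap` at 0400 under `/var/secrets`, the surviving `users.users.openldap.extraGroups = [ "keys" ];` looks like a leftover of the `/run/keys` deployment and should be dropped unless slapd still reads something there, since it keeps the daemon able to read every other key in that group. Separately, if `myconfig.privateFiles` is a Nix path value rather than a string, `builtins.readFile "${myconfig.privateFiles}/ldap.conf"` copies that directory into the world-readable Nix store before reading it — worth confirming it is a plain string path or reading it as `myconfig.privateFiles + "/ldap.conf"` only if that is not a store path. The enclosing `config = lib.mkIf cfg.enable {` set continues past the end of the hunk.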