X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fopenldap%2Fdefault.nix;h=d35aca08de4a51858ea979ba33d961145e078121;hb=fa25ffd4583cc362075cd5e1b4130f33306103f0;hp=efe93795c79f1901c03ff0c737230e4ff4eb61a4;hpb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index efe9379..d35aca0 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -85,29 +85,32 @@ in
     };
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "ldap/password";
+    secrets.keys = {
+      "ldap/password" = {
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = "rootpw ${cfg.rootPw}";
-      }
-      {
-        dest = "ldap/access";
+      };
+      "ldap/access" = {
         permissions = "0400";
         user = "openldap";
         group = "openldap";
-        text = builtins.readFile "${cfg.accessFile}";
-      }
-    ];
+        text = builtins.readFile cfg.accessFile;
+      };
+      "ldap" = {
+        permissions = "0500";
+        user = "openldap";
+        group = "openldap";
+        isDir = true;
+      };
+    };
     users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];
     security.acme.certs."ldap" = config.myServices.databasesCerts // {
       user = "openldap";
       group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
       domain = "ldap.immae.eu";
       postRun = ''
         systemctl restart openldap.service
@@ -116,13 +119,14 @@ in
     services.filesWatcher.openldap = {
       restart = true;
-      paths = [ "${config.secrets.location}/ldap/" ];
+      paths = [ config.secrets.fullPaths."ldap" ];
     };
     services.openldap = {
       enable = true;
       dataDir = cfg.dataDir;
       urlList = [ "ldap://" "ldaps://" ];
+      logLevel = "none";
       extraConfig = ldapConfig;
       extraDatabaseConfig = ''
         moduleload memberof
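Review bot: The new `"ldap/password"` entry still writes `text = "rootpw ${cfg.rootPw}"` verbatim, and slapd's `rootpw` directive accepts either a cleartext or a hashed (`{SSHA}…`) value, so nothing in this block tells a reader which form `cfg.rootPw` is expected to hold; a comment such as `# rootpw accepts a {SSHA} hash; cfg.rootPw should hold the hash, not cleartext` next to that line (or on the option definition, which is outside the hunk) would settle it. The new `"ldap"` directory entry at 0500 and the 0400 files under it are consistent for the `openldap` user, but whether the directory is created before the files beneath it is left to the secrets module's ordering, which is worth confirming. The `config` attribute set and the `postRun` string both continue past the end of the hunk.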
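Review bot: The added `logLevel = "none";` switches off slapd's operational logging, so connection, bind and result lines (what the `stats` level emits) stop reaching the journal, and failed binds or unexpected searches on the externally opened ports 636/389 become invisible to any log-based detection. Unless log volume was the motivation, `logLevel = "stats";` keeps the per-operation lines at modest cost; if `none` is deliberate, a comment stating why and where auditing happens instead should sit next to it. The `services.openldap` attribute set continues past the end of the hunk.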
@@ -132,9 +136,9 @@ in
         overlay syncprov
         syncprov-checkpoint 100 10
-        include ${config.secrets.fullPaths."ldap/access"}
+        include ${config.secrets.fullPaths."ldap/access"}
       '';
-      rootpwFile = "${config.secrets.location}/ldap/password";
+      rootpwFile = config.secrets.fullPaths."ldap/password";
       suffix = cfg.baseDn;
       rootdn = cfg.rootDn;
       database = "hdb";
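Review bot: The new `include` line pulls the ACL file into the database section by bare path, and nothing nearby says where that file comes from or when it is re-read; a one-line comment above it, e.g. `# ACLs come from secrets.keys."ldap/access" (generated from cfg.accessFile); slapd reads it at startup only`, would save the next reader two indirections. Since an `include`d file is parsed only when slapd starts, the `filesWatcher` restart on the secrets directory is what applies an updated ACL file, which is worth stating in the same comment. The `extraDatabaseConfig` string and the enclosing `services.openldap` set both start before the hunk.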