X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fopenldap%2Fdefault.nix;h=f4851b5f885a09d3d98ff6994526619b873f2897;hb=da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2;hp=d7d61db1f696598fd71a86d87e341e98ff0ca477;hpb=981fa80354fd6f00f49446777c38f77bd8a65f65;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index d7d61db..f4851b5 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -12,27 +12,14 @@ let
 moduleload back_hdb
 backend hdb
- moduleload memberof
- database hdb
- suffix "${cfg.baseDn}"
- rootdn "${cfg.rootDn}"
- include ${config.secrets.location}/ldap/password
- directory ${cfg.dataDir}
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem
- TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem
- TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem
+ TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
+ TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
+ TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
 #This makes openldap crash
 #TLSCipherSuite DEFAULT
 sasl-host kerberos.immae.eu
- include ${config.secrets.location}/ldap/access
 '';
 in {
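Review bot: The re-added TLS block still sets no `TLSProtocolMin`, and with `TLSCipherSuite` left commented out the ldaps:// listener negotiates whatever the linked TLS library allows by default, which may include TLS 1.0/1.1; adding `TLSProtocolMin 3.3` (TLS 1.2) next to the three certificate lines pins the floor without touching the cipher string that crashed slapd. The `#This makes openldap crash` comment does not record which build was tried; `DEFAULT` is an OpenSSL cipher-list keyword, and a slapd linked against GnuTLS would presumably reject it as a priority string, so naming the TLS library in that comment would make the workaround reproducible. This hunk lies inside the `ldapConfig` string of the `let` binding, whose start is outside the hunk.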
@@ -111,16 +98,22 @@ in
 permissions = "0400";
 user = "openldap";
 group = "openldap";
- text = builtins.readFile "${cfg.accessFile}";
+ text = builtins.readFile cfg.accessFile;
+ }
+ {
+ dest = "ldap";
+ permissions = "0500";
+ user = "openldap";
+ group = "openldap";
+ isDir = true;
 }
 ];
 users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
- security.acme2.certs."ldap" = config.myServices.databasesCerts // {
+ security.acme.certs."ldap" = config.myServices.databasesCerts // {
 user = "openldap";
 group = "openldap";
- plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
 domain = "ldap.immae.eu";
 postRun = ''
 systemctl restart openldap.service
@@ -129,14 +122,29 @@ in
 services.filesWatcher.openldap = {
 restart = true;
- paths = [ "${config.secrets.location}/ldap/" ];
+ paths = [ config.secrets.fullPaths."ldap" ];
 };
 services.openldap = {
 enable = true;
 dataDir = cfg.dataDir;
 urlList = [ "ldap://" "ldaps://" ];
+ logLevel = "none";
 extraConfig = ldapConfig;
+ extraDatabaseConfig = ''
+ moduleload memberof
+ overlay memberof
+
+ moduleload syncprov
+ overlay syncprov
+ syncprov-checkpoint 100 10
+
+ include ${config.secrets.fullPaths."ldap/access"}
+ '';
+ rootpwFile = config.secrets.fullPaths."ldap/password";
+ suffix = cfg.baseDn;
+ rootdn = cfg.rootDn;
+ database = "hdb";
 };
 };
 }
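Review bot: The new `{ dest = "ldap"; permissions = "0500"; … isDir = true; }` entry carries no comment explaining why a secrets directory is now declared alongside the individual files; from the next hunk it appears to exist so that `config.secrets.fullPaths."ldap"` resolves for the files watcher, and 0500 with `user = "openldap"` keeps the directory listable only by slapd. A one-line comment such as `# Directory entry so fullPaths."ldap" exists for filesWatcher; 0500 = only slapd can list it` would save the next reader that lookup. The secrets list this entry belongs to begins before the hunk.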
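Review bot: `logLevel = "none";` silences slapd entirely, so bind and connection events on the 389/636 listeners opened in the firewall rule above are no longer logged, which removes the audit trail for failed or anonymous binds against this directory. If the goal was only to quiet the verbose default, `logLevel = "stats";` keeps connection/operation/result lines at modest volume; otherwise a comment stating why logging is deliberately off belongs next to the line. Separately, `rootpwFile = config.secrets.fullPaths."ldap/password";` replaces the old `include …/ldap/password`, and whether that secret must still contain a `rootpw` directive or now only the hash depends on the NixOS module's expectation, so verify the file format, since a mismatch would yield a wrong or unusable root credential without an obvious error. The enclosing `config = {` attribute set starts before this hunk.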