X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fopenldap.nix;h=542e209413a82c43158fc7cc7d75b6548933616a;hb=1a7188052f235fb632700478fad0108e4306107d;hp=165a02908f6288544aff053171104f3845b5bb0c;hpb=24dbd8d2011aa3b13f81acd252d257652a9a9f9a;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index 165a029..542e209 100644
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -29,7 +29,7 @@ let
 database hdb
 suffix "${myconfig.env.ldap.base}"
 rootdn "${myconfig.env.ldap.root_dn}"
- rootpw ${myconfig.env.ldap.root_pw}
+ include /var/secrets/ldap/password
 directory /var/lib/openldap
 overlay memberof
@@ -41,7 +41,7 @@ let
 #TLSCipherSuite DEFAULT
 sasl-host kerberos.immae.eu
- ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ include /var/secrets/ldap/access
 '';
 in {
 options.services.myDatabases = {
@@ -56,6 +56,23 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ secrets.keys = [
+ {
+ dest = "ldap/password";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${myconfig.env.ldap.root_pw}";
+ }
+ {
+ dest = "ldap/access ";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ }
+ ];
+ users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
 services.cron = {
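Review bot: The new `include /var/secrets/ldap/password` line makes slapd's startup depend on a file that is only produced by the `secrets.keys` entry added later in this diff, and nothing visible here orders the openldap unit after that secret is in place; if `/var/secrets` is populated by an activation step or a separate key-deployment service (which the added `extraGroups = [ "keys" ]` suggests), slapd can fail at boot because the include target does not exist yet. If the openldap service is declared elsewhere in this module, add the appropriate `after`/`requires` on whatever unit or target the secrets module provides, and record the coupling next to the include, e.g. `# written by secrets.keys (dest = "ldap/password"); slapd must start after it exists`. Note also that `text = "rootpw ${myconfig.env.ldap.root_pw}"` still evaluates the password inside the Nix expression, so whether it stays out of the world-readable store depends entirely on how `secrets.keys` delivers `text`, which this diff does not show.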
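Review bot: The new `include /var/secrets/ldap/access` path does not match the secret it is meant to read: the corresponding `secrets.keys` entry later in this diff sets `dest = "ldap/access ";` with a trailing space inside the quotes, so (assuming `dest` is resolved under `/var/secrets`) the file is deployed as `ldap/access ` and the include resolves to a non-existent file. The fix is `dest = "ldap/access";`. Because this file carries the `access to` rules that previously came from `ldap.conf`, a failed include either stops slapd from starting or, depending on how the failure is handled, leaves the directory running without the intended ACLs, so the deployed file name is worth verifying on the host after the change.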