X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fopenldap.nix;h=542e209413a82c43158fc7cc7d75b6548933616a;hb=1a7188052f235fb632700478fad0108e4306107d;hp=f49adc8c7439b45bb453d04102f1d48b68289748;hpb=18fdf47041026412e365224f21c258b436ceda18;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index f49adc8..542e209 100644
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -29,7 +29,7 @@ let
 database hdb
 suffix "${myconfig.env.ldap.base}"
 rootdn "${myconfig.env.ldap.root_dn}"
- rootpw ${myconfig.env.ldap.root_pw}
+ include /var/secrets/ldap/password
 directory /var/lib/openldap
 overlay memberof
@@ -41,7 +41,7 @@ let
 #TLSCipherSuite DEFAULT
 sasl-host kerberos.immae.eu
- ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ include /var/secrets/ldap/access
 '';
 in {
 options.services.myDatabases = {
@@ -56,12 +56,29 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ secrets.keys = [
+ {
+ dest = "ldap/password";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${myconfig.env.ldap.root_pw}";
+ }
+ {
+ dest = "ldap/access ";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ }
+ ];
+ users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
 services.cron = {
 systemCronJobs = [
 ''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif
+ 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
 ''
 ];
 };
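Review bot: The new `include /var/secrets/ldap/password` line gives no hint where that file comes from or why `rootpw` is no longer written inline, and the `include /var/secrets/ldap/access` line in the second hunk has the same gap; a slapd.conf comment above each would help, e.g. `# rootpw is provided by the secrets.keys entry ldap/password so the credential stays out of the world-readable Nix store`. That rationale matters because `ldapConfig` is still rendered with `pkgs.writeText` for the slapcat cron job in the third hunk, which is acceptable only as long as the string holds nothing but paths and non-secret directives. The `let` binding that defines `ldapConfig` starts before this hunk.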
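Review bot: `dest = "ldap/access ";` appears to carry a trailing space inside the string, so the access rules would be deployed to a path ending in a space while slapd.conf includes `/var/secrets/ldap/access` (second hunk); with the include target missing, slapd is expected to refuse to start and the slapcat backup job to fail the same way. It should read `dest = "ldap/access";`. Separately, the appended `| ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"` only filters slapcat's stdout and replaces its exit status with grep's; if those `# id=` lines are produced by the `-v` flag, dropping `-v` removes them without the pipe. The `config` attribute set continues outside the hunk.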