{ lib, pkgs, config, ... }:
let
  inherit (lib) mkOption mkIf types;

  cfg = config.myServices.databases.openldap;

  # Every secret file and the ACME certificate are owned by the slapd
  # service account, so the ownership pair is declared once here.
  owner = { user = "openldap"; group = "openldap"; };

  # Directory where the ACME module drops the "ldap" certificate material.
  certDir = config.security.acme.certs.ldap.directory;

  # Global slapd.conf fragment: site schemas, pid/args files, the hdb
  # backend, TLS material and the SASL host.
  # NOTE(review): the TLSCipherSuite directive is left commented out
  # (it crashed slapd), so the cipher list is whatever the linked TLS
  # library defaults to; revisit once the crash is understood.
  ldapConfig = let
    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
  in ''
    ${eldiron_schemas}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    TLSCertificateFile ${certDir}/cert.pem
    TLSCertificateKeyFile ${certDir}/key.pem
    TLSCACertificateFile ${certDir}/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
  '';
in
{
  options.myServices.databases.openldap = {
    enable = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = "Whether to enable ldap";
    };
    baseDn = mkOption {
      type = types.str;
      description = ''
        Base DN for LDAP
      '';
    };
    rootDn = mkOption {
      type = types.str;
      description = ''
        Root DN
      '';
    };
    # Expected to be an already-hashed value: it is written verbatim after
    # "rootpw" into the secret file below, nothing hashes it here.
    rootPw = mkOption {
      type = types.str;
      description = ''
        Root (Hashed) password
      '';
    };
    # Read at evaluation time (builtins.readFile) and copied into the
    # "ldap/access" secret; the file itself is not referenced at runtime.
    accessFile = mkOption {
      type = types.path;
      description = ''
        The file path that defines the access
      '';
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/openldap";
      description = ''
        The directory where Openldap stores its data.
      '';
    };
    socketsDir = mkOption {
      type = types.path;
      default = "/run/slapd";
      description = ''
        The directory where Openldap puts sockets and pid files.
      '';
    };
    # Output variables: derived from socketsDir, not meant to be set.
    pids = mkOption {
      type = types.attrsOf types.path;
      readOnly = true;
      default = {
        pid = "${cfg.socketsDir}/slapd.pid";
        args = "${cfg.socketsDir}/slapd.args";
      };
      description = ''
        Slapd pid files
      '';
    };
  };

  config = mkIf cfg.enable {
    # Secret material is deployed as 0400 files (0500 for the directory)
    # readable only by the openldap account; the root password is handed
    # to slapd through rootpwFile rather than inline in the generated
    # config.
    secrets.keys = {
      "ldap/password" = owner // {
        permissions = "0400";
        text = "rootpw ${cfg.rootPw}";
      };
      "ldap/access" = owner // {
        permissions = "0400";
        text = builtins.readFile cfg.accessFile;
      };
      "ldap" = owner // {
        permissions = "0500";
        isDir = true;
      };
    };
    # Membership in "keys" is what lets the service account reach the
    # deployed secret files.
    users.users.openldap.extraGroups = [ "keys" ];

    # NOTE(review): both 636 (ldaps://) and 389 (ldap://) are exposed and
    # served. Whether cleartext binds on 389 are refused depends on the
    # rules in accessFile and on any slapd "security" strength requirement,
    # neither of which is visible here — confirm that is the intent.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # Certificate for the TLS listener; slapd only picks up a renewed
    # certificate after the restart triggered by postRun.
    security.acme.certs."ldap" = config.myServices.databasesCerts // owner // {
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever the deployed "ldap" secrets directory changes,
    # so a rotated root password or access file takes effect.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ config.secrets.fullPaths."ldap" ];
    };

    # NOTE(review): logLevel "none" silences slapd entirely, so bind and
    # ACL decisions leave no trace in the journal; auditing has to rely on
    # other sources — confirm this is deliberate.
    services.openldap = {
      enable = true;
      dataDir = cfg.dataDir;
      database = "hdb";
      suffix = cfg.baseDn;
      rootdn = cfg.rootDn;
      rootpwFile = config.secrets.fullPaths."ldap/password";
      urlList = [ "ldap://" "ldaps://" ];
      logLevel = "none";
      extraConfig = ldapConfig;
      # Per-database overlays plus the access rules deployed as a secret.
      extraDatabaseConfig = ''
        moduleload memberof
        overlay memberof

        moduleload syncprov
        overlay syncprov
        syncprov-checkpoint 100 10

        include ${config.secrets.fullPaths."ldap/access"}
      '';
    };
  };
}