# NixOS module for the OpenLDAP (slapd) database service.
#
# It renders a slapd.conf fragment (ldapConfig) from the options declared
# under myServices.databases.openldap and, when enabled, wires up the secret
# files that fragment includes, an ACME certificate for the TLS listener, a
# file watcher that restarts slapd when the secrets change, and the firewall.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.databases.openldap;

  # slapd.conf fragment handed to services.openldap.extraConfig.
  #
  # slapd.conf is order-sensitive: an `overlay` line attaches to the
  # `database` declared above it and `include` lines are expanded in place,
  # so keep the directive order below when editing.
  #
  # Secrets are not embedded in this string.  The rootpw line and the ACL
  # rules are pulled in with `include` from config.secrets.location, where the
  # config section below writes them as 0400 files owned by openldap; only the
  # paths end up in the rendered slapd.conf (which lives in the Nix store).
  #
  # Notes on individual directives:
  #  - back_hdb is the legacy BDB-based backend.  NOTE(review): newer OpenLDAP
  #    releases dropped hdb in favour of mdb; switching changes the on-disk
  #    format, so it is a migration rather than a one-line edit — check which
  #    slapd version pkgs provides before relying on this backend.
  #  - memberof maintains the memberOf attribute on entries; syncprov turns
  #    this database into a replication provider (syncprov-checkpoint
  #    <ops> <minutes>: per the syncprov docs, checkpoint the contextCSN after
  #    100 writes or 10 minutes).
  #  - TLS material comes from the acme2 certificate declared below.
  #    TLSCACertificateFile is pointed at the server's own fullchain.pem
  #    (presumably so slapd also serves the intermediate to clients) and
  #    TLSCACertificatePath at the system CA store.
  #  - NOTE(review): no TLSProtocolMin is set and the TLSCipherSuite line is
  #    commented out, so accepted protocol versions and ciphers are whatever
  #    the TLS library slapd is linked against defaults to.  Consider
  #    `TLSProtocolMin 3.3` (TLS 1.2) once clients and replicas are confirmed
  #    to support it.  The "crash" on `TLSCipherSuite DEFAULT` may just be a
  #    cipher-string syntax mismatch between OpenSSL and GnuTLS spellings —
  #    confirm which library the nixpkgs openldap is built against.
  #  - sasl-host sets the hostname the SASL library uses; the name suggests
  #    Kerberos/GSSAPI binds — confirm against the SASL setup.
  #  - The access file is included last.  NOTE(review): this fragment has no
  #    `security` directive and the plaintext ldap:// listener on 389 is
  #    opened in the firewall below, so whether simple binds are accepted in
  #    clear over 389 depends entirely on ldap/access (not shown).  If that
  #    file does not cover it, add e.g. `security simple_bind=128` or require
  #    STARTTLS for credentialed operations.
  ldapConfig = let
    # Site-specific schema definitions, prepended verbatim to the config.
    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
  in ''
    ${eldiron_schemas}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    moduleload memberof
    database hdb
    suffix "${cfg.baseDn}"
    rootdn "${cfg.rootDn}"
    include ${config.secrets.location}/ldap/password
    directory ${cfg.dataDir}
    overlay memberof

    moduleload syncprov
    overlay syncprov
    syncprov-checkpoint 100 10

    TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem
    TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem
    TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
    include ${config.secrets.location}/ldap/access
  '';
in
{
  options.myServices.databases = {
    openldap = {
      # Master switch; nothing in `config` below is applied unless true.
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable ldap";
        type = lib.types.bool;
      };
      # Becomes the `suffix` of the hdb database.
      baseDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Base DN for LDAP
        '';
      };
      # Becomes the `rootdn` of the hdb database.
      rootDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root DN
        '';
      };
      # Written verbatim after `rootpw ` into the ldap/password secret file;
      # the description says it is already hashed, so a plaintext value here
      # would still work but defeats that intent.
      rootPw = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root (Hashed) password
        '';
      };
      # Read at evaluation time (builtins.readFile) and copied into the
      # ldap/access secret file that slapd includes last.
      accessFile = lib.mkOption {
        type = lib.types.path;
        description = ''
          The file path that defines the access
        '';
      };
      # `directory` of the hdb database, also passed to services.openldap.
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/openldap";
        description = ''
          The directory where Openldap stores its data.
        '';
      };
      # Base directory for the pid/args files declared in `pids`.
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/slapd";
        description = ''
          The directory where Openldap puts sockets and pid files.
        '';
      };
      # Output variables
      # Read-only: derived from socketsDir and consumed by the pidfile/argsfile
      # directives in ldapConfig.
      pids = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          pid = "${cfg.socketsDir}/slapd.pid";
          args = "${cfg.socketsDir}/slapd.args";
        };
        readOnly = true;
        description = ''
          Slapd pid files
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Secret files that ldapConfig `include`s.  Both are readable only by the
    # openldap user.
    secrets.keys = [
      {
        # The rootpw directive.  NOTE(review): cfg.rootPw is a plain module
        # option string; whether the value also lands in the world-readable
        # Nix store depends on how the secrets module materialises `text` —
        # confirm, even though the value is expected to be a hash.
        dest = "ldap/password";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw ${cfg.rootPw}";
      }
      {
        # ACL rules, copied from cfg.accessFile at evaluation time.
        dest = "ldap/access";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = builtins.readFile "${cfg.accessFile}";
      }
    ];
    # Presumably needed so the service user can traverse
    # config.secrets.location — verify against the secrets module.
    users.users.openldap.extraGroups = [ "keys" ];
    # Both the plaintext (389) and TLS (636) listeners are reachable from
    # outside; see the `security` note on ldapConfig.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # ACME certificate referenced by the TLS* directives in ldapConfig.  Files
    # are owned by openldap so slapd can read the private key, and slapd is
    # restarted after each renewal so it picks up the new material.
    # NOTE(review): the plugins list also names the ACME account key and
    # registration; if those are materialised into the same openldap-owned
    # directory, the service user can read the account key as well — confirm
    # that is intended.
    security.acme2.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever a file under the secrets directory changes
    # (rootpw or ACL update), since both are read only at startup.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ "${config.secrets.location}/ldap/" ];
    };

    # Upstream openldap service.  No host part is given in the URLs, so slapd
    # binds the plaintext and TLS listeners on all interfaces; the config
    # comes from the fragment above.
    services.openldap = {
      enable = true;
      dataDir = cfg.dataDir;
      urlList = [ "ldap://" "ldaps://" ];
      extraConfig = ldapConfig;
    };
  };
}