# Host-local OpenLDAP module.
#
# Declares the options under myServices.databases.openldap and, when enabled,
# drives services.openldap: TLS material comes from the ACME certificate named
# "ldap", and the root password and the access rules are delivered through the
# host's secrets.keys mechanism instead of being written straight into
# slapd.conf by this module.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.databases.openldap;

  # Global slapd.conf directives, handed to services.openldap.extraConfig
  # verbatim (it is a plain string, so everything below lands in slapd.conf).
  #
  # Review notes on what this string sets up:
  #  - eldiron_schemas.nix is evaluated with callPackage and its result is
  #    interpolated first; presumably it yields the schema `include` lines —
  #    confirm against that file.
  #  - `back_hdb` / `backend hdb`: upstream OpenLDAP deprecated the hdb/bdb
  #    backends in favour of mdb; confirm the pinned openldap package still
  #    ships back_hdb before upgrading.
  #  - TLSCertificateFile/Key/CA all come from the ACME cert "ldap" (declared
  #    below); TLSCACertificatePath is the unbundled system CA store.
  #  - NOTE(review): no minimum security strength factor (slapd's
  #    `security ssf=...`) is set here, and the module below also serves
  #    plain ldap:// and opens TCP 389, so unencrypted binds are accepted
  #    unless the access file forbids them — confirm that is intended.
  ldapConfig = let
    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
  in ''
    ${eldiron_schemas}

    pidfile ${cfg.pids.pid}
    argsfile ${cfg.pids.args}

    moduleload back_hdb
    backend hdb

    TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
    TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
    TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite DEFAULT

    sasl-host kerberos.immae.eu
  '';
in
{
  options.myServices.databases = {
    openldap = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable ldap";
        type = lib.types.bool;
      };
      # Suffix of the single hdb database configured below.
      baseDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Base DN for LDAP
        '';
      };
      rootDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root DN
        '';
      };
      # NOTE(review): this is a plain Nix string. It is interpolated into the
      # `text` of a secrets.keys entry below, so the (hashed) value is part of
      # the evaluated configuration; whether it ends up in the world-readable
      # Nix store depends on how the secrets module materialises `text` —
      # verify before treating it as confidential.
      rootPw = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root (Hashed) password
        '';
      };
      # Read with builtins.readFile at evaluation time (see secrets.keys
      # below), so the same store-exposure caveat as rootPw applies to the
      # access rules.
      accessFile = lib.mkOption {
        type = lib.types.path;
        description = ''
          The file path that defines the access
        '';
      };
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/openldap";
        description = ''
          The directory where Openldap stores its data.
        '';
      };
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/slapd";
        description = ''
          The directory where Openldap puts sockets and pid files.
        '';
      };
      # Output variables
      # Derived from socketsDir and marked readOnly: other modules read these
      # paths, they are not meant to be set by hand.
      pids = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          pid = "${cfg.socketsDir}/slapd.pid";
          args = "${cfg.socketsDir}/slapd.args";
        };
        readOnly = true;
        description = ''
          Slapd pid files
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Secrets delivered to the host's secrets directory, owned by the
    # openldap user and readable only by it (0400 files, 0500 directory).
    secrets.keys = [
      # The `rootpw` directive itself; slapd picks it up via rootpwFile below.
      {
        dest = "ldap/password";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw ${cfg.rootPw}";
      }
      # Access rules, copied from accessFile at evaluation time and included
      # from the database section below.
      {
        dest = "ldap/access";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = builtins.readFile cfg.accessFile;
      }
      # The containing directory, also restricted to the openldap user.
      {
        dest = "ldap";
        permissions = "0500";
        user = "openldap";
        group = "openldap";
        isDir = true;
      }
    ];
    # Presumably the group that grants access to the secrets tree — confirm
    # against the secrets module.
    users.users.openldap.extraGroups = [ "keys" ];
    # Both LDAPS (636) and plaintext/StartTLS LDAP (389) are reachable from
    # outside; see the ssf note on ldapConfig above.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # ACME certificate used by the TLS* directives in ldapConfig. Shared
    # settings come from myServices.databasesCerts (defined elsewhere); the
    # key is made readable by openldap and slapd is restarted after renewal
    # so the new certificate is actually loaded.
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever the secrets directory changes, so a rotated
    # rootpw or updated access file takes effect without manual action.
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ config.secrets.fullPaths."ldap" ];
    };

    services.openldap = {
      enable = true;
      dataDir = cfg.dataDir;
      # Plain LDAP and LDAPS listeners on all addresses.
      urlList = [ "ldap://" "ldaps://" ];
      # NOTE(review): "none" disables slapd logging entirely, so binds and
      # modifications leave no trace for detection or forensics. If logs are
      # collected anywhere, consider at least the `stats` level.
      logLevel = "none";
      extraConfig = ldapConfig;
      # Per-database directives for the hdb database: memberof and syncprov
      # overlays (syncprov makes this node a replication provider;
      # checkpoint every 100 operations or 10 minutes), then the access
      # rules from the secrets tree.
      extraDatabaseConfig = ''
        moduleload memberof
        overlay memberof

        moduleload syncprov
        overlay syncprov
        syncprov-checkpoint 100 10

        include ${config.secrets.fullPaths."ldap/access"}
      '';
      # Points slapd at the secret file holding the `rootpw` directive, so
      # the hash is not written into the generated slapd.conf.
      rootpwFile = config.secrets.fullPaths."ldap/password";
      suffix = cfg.baseDn;
      rootdn = cfg.rootDn;
      database = "hdb";
    };
  };
}