{ lib, pkgs, config, ... }: let cfg = config.myServices.databases.openldap; ldapConfig = let kerberosSchema = pkgs.fetchurl { url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; }; puppetSchema = pkgs.fetchurl { url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; }; in '' include ${pkgs.openldap}/etc/schema/core.schema include ${pkgs.openldap}/etc/schema/cosine.schema include ${pkgs.openldap}/etc/schema/inetorgperson.schema include ${pkgs.openldap}/etc/schema/nis.schema include ${puppetSchema} include ${kerberosSchema} include ${./immae.schema} pidfile ${cfg.pids.pid} argsfile ${cfg.pids.args} moduleload back_hdb backend hdb moduleload memberof database hdb suffix "${cfg.baseDn}" rootdn "${cfg.rootDn}" include ${config.secrets.location}/ldap/password directory ${cfg.dataDir} overlay memberof TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ #This makes openldap crash #TLSCipherSuite DEFAULT sasl-host kerberos.immae.eu include ${config.secrets.location}/ldap/access ''; in { options.myServices.databases = { openldap = { enable = lib.mkOption { default = false; example = true; description = "Whether to enable ldap"; type = lib.types.bool; }; baseDn = lib.mkOption { type = lib.types.str; description = '' Base DN for LDAP ''; }; rootDn = lib.mkOption { type = lib.types.str; description = '' Root DN ''; }; rootPw = lib.mkOption { type = lib.types.str; description = '' Root (Hashed) password ''; }; accessFile = lib.mkOption { type = lib.types.path; description = '' The file path that defines the access ''; }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/openldap"; description = '' The directory where Openldap stores its data. ''; }; socketsDir = lib.mkOption { type = lib.types.path; default = "/run/slapd"; description = '' The directory where Openldap puts sockets and pid files. ''; }; # Output variables pids = lib.mkOption { type = lib.types.attrsOf lib.types.path; default = { pid = "${cfg.socketsDir}/slapd.pid"; args = "${cfg.socketsDir}/slapd.args"; }; readOnly = true; description = '' Slapd pid files ''; }; }; }; config = lib.mkIf cfg.enable { secrets.keys = [ { dest = "ldap/password"; permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${cfg.rootPw}"; } { dest = "ldap/access"; permissions = "0400"; user = "openldap"; group = "openldap"; text = builtins.readFile "${cfg.accessFile}"; } ]; users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; services.cron = { systemCronJobs = [ '' 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" '' ]; }; security.acme.certs."ldap" = config.myServices.databasesCerts // { user = "openldap"; group = "openldap"; plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; domain = "ldap.immae.eu"; postRun = '' systemctl restart openldap.service ''; }; services.filesWatcher.openldap = { restart = true; paths = [ "${config.secrets.location}/ldap/" ]; }; services.openldap = { enable = true; dataDir = cfg.dataDir; urlList = [ "ldap://" "ldaps://" ]; extraConfig = ldapConfig; }; }; }