+++ /dev/null
-{ lib, pkgs, config, ... }:
-let
- cfg = config.myServices.databases.openldap;
- ldapConfig = let
- eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
- in ''
- ${eldiron_schemas}
-
- pidfile ${cfg.pids.pid}
- argsfile ${cfg.pids.args}
-
- moduleload back_hdb
- backend hdb
-
- TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
- TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
- TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- '';
-in
-{
- options.myServices.databases = {
- openldap = {
- enable = lib.mkOption {
- default = false;
- example = true;
- description = "Whether to enable ldap";
- type = lib.types.bool;
- };
- baseDn = lib.mkOption {
- type = lib.types.str;
- description = ''
- Base DN for LDAP
- '';
- };
- rootDn = lib.mkOption {
- type = lib.types.str;
- description = ''
- Root DN
- '';
- };
- rootPw = lib.mkOption {
- type = lib.types.str;
- description = ''
- Root (Hashed) password
- '';
- };
- accessFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- The file path that defines the access
- '';
- };
- dataDir = lib.mkOption {
- type = lib.types.path;
- default = "/var/lib/openldap";
- description = ''
- The directory where Openldap stores its data.
- '';
- };
- socketsDir = lib.mkOption {
- type = lib.types.path;
- default = "/run/slapd";
- description = ''
- The directory where Openldap puts sockets and pid files.
- '';
- };
- # Output variables
- pids = lib.mkOption {
- type = lib.types.attrsOf lib.types.path;
- default = {
- pid = "${cfg.socketsDir}/slapd.pid";
- args = "${cfg.socketsDir}/slapd.args";
- };
- readOnly = true;
- description = ''
- Slapd pid files
- '';
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = {
- "ldap/password" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${cfg.rootPw}";
- };
- "ldap/access" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = builtins.readFile cfg.accessFile;
- };
- "ldap" = {
- permissions = "0500";
- user = "openldap";
- group = "openldap";
- isDir = true;
- };
- };
- users.users.openldap.extraGroups = [ "keys" ];
- networking.firewall.allowedTCPPorts = [ 636 389 ];
-
- security.acme.certs."ldap" = config.myServices.databasesCerts // {
- user = "openldap";
- group = "openldap";
- domain = "ldap.immae.eu";
- postRun = ''
- systemctl restart openldap.service
- '';
- };
-
- services.filesWatcher.openldap = {
- restart = true;
- paths = [ config.secrets.fullPaths."ldap" ];
- };
-
- services.openldap = {
- enable = true;
- dataDir = cfg.dataDir;
- urlList = [ "ldap://" "ldaps://" ];
- logLevel = "none";
- extraConfig = ldapConfig;
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- include ${config.secrets.fullPaths."ldap/access"}
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = cfg.baseDn;
- rootdn = cfg.rootDn;
- database = "hdb";
- };
- };
-}