-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.databases.openldap;
ldapConfig = let
- kerberosSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
+ eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
in ''
- include ${pkgs.openldap}/etc/schema/core.schema
- include ${pkgs.openldap}/etc/schema/cosine.schema
- include ${pkgs.openldap}/etc/schema/inetorgperson.schema
- include ${pkgs.openldap}/etc/schema/nis.schema
- include ${puppetSchema}
- include ${kerberosSchema}
- include ${./immae.schema}
+ ${eldiron_schemas}
pidfile ${cfg.pids.pid}
argsfile ${cfg.pids.args}
moduleload memberof
database hdb
- suffix "${myconfig.env.ldap.base}"
- rootdn "${myconfig.env.ldap.root_dn}"
+ suffix "${cfg.baseDn}"
+ rootdn "${cfg.rootDn}"
include ${config.secrets.location}/ldap/password
directory ${cfg.dataDir}
overlay memberof
- TLSCertificateFile /var/lib/acme/ldap/cert.pem
- TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
- TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+ moduleload syncprov
+ overlay syncprov
+ syncprov-checkpoint 100 10
+
+ TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
+ TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
+ TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
#This makes openldap crash
#TLSCipherSuite DEFAULT
options.myServices.databases = {
openldap = {
enable = lib.mkOption {
- default = cfg.enable;
+ default = false;
example = true;
description = "Whether to enable ldap";
type = lib.types.bool;
};
+ baseDn = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Base DN for LDAP
+ '';
+ };
+ rootDn = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Root DN
+ '';
+ };
+ rootPw = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Root (Hashed) password
+ '';
+ };
+ accessFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The file path that defines the access
+ '';
+ };
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/openldap";
permissions = "0400";
user = "openldap";
group = "openldap";
- text = "rootpw ${myconfig.env.ldap.root_pw}";
+ text = "rootpw ${cfg.rootPw}";
}
{
- dest = "ldap/access ";
+ dest = "ldap/access";
permissions = "0400";
user = "openldap";
group = "openldap";
- text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ text = builtins.readFile "${cfg.accessFile}";
}
];
users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
- services.cron = {
- systemCronJobs = [
- ''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
- ''
- ];
- };
-
security.acme.certs."ldap" = config.myServices.databasesCerts // {
user = "openldap";
group = "openldap";
'';
};
+ services.filesWatcher.openldap = {
+ restart = true;
+ paths = [ "${config.secrets.location}/ldap/" ];
+ };
+
services.openldap = {
enable = true;
dataDir = cfg.dataDir;