database hdb
suffix "${myconfig.env.ldap.base}"
rootdn "${myconfig.env.ldap.root_dn}"
- rootpw ${myconfig.env.ldap.root_pw}
+ include /var/secrets/ldap/password
directory /var/lib/openldap
overlay memberof
#TLSCipherSuite DEFAULT
sasl-host kerberos.immae.eu
- ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ include /var/secrets/ldap/access
'';
in {
options.services.myDatabases = {
};
config = lib.mkIf cfg.enable {
+ secrets.keys = [
+ {
+ dest = "ldap/password";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${myconfig.env.ldap.root_pw}";
+ }
+ {
+ dest = "ldap/access ";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ }
+ ];
+ users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
services.cron = {
systemCronJobs = [
''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif
+ 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
''
];
};
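Review bot: The secret written at L26 has a trailing space in its destination, `dest = "ldap/access ";`, while the generated slapd.conf at L11 does `include /var/secrets/ldap/access` — the ACL file will land under a different name, so the `include` either fails (slapd refuses to start) or, if the secrets module strips the name, this is an accident waiting to happen; it should read `dest = "ldap/access";`. The cron line at L39 also does not filter what it intends to: `-l /var/lib/openldap/backup.ldif` makes slapcat write the LDIF straight to the file, so the piped `grep -v "^# id=…"` only sees an empty stdout and the backup still contains the `# id=` comments; drop `-l` and redirect the grep instead, `… -f ${pkgs.writeText "slapd.conf" ldapConfig} | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" > /var/lib/openldap/backup.ldif`. Since that backup holds the directory's password hashes and is written by root with whatever umask cron has, it is worth setting an explicit mode (e.g. `umask 077` before the command), though the current permissions cannot be confirmed from this hunk. The `ldapConfig` string this hunk edits begins before L1 and the `config` attribute set continues past L42.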