database hdb
suffix "${myconfig.env.ldap.base}"
rootdn "${myconfig.env.ldap.root_dn}"
- rootpw ${myconfig.env.ldap.root_pw}
+ include /run/keys/ldap/ldap-password
directory /var/lib/openldap
overlay memberof
#TLSCipherSuite DEFAULT
sasl-host kerberos.immae.eu
- ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ include /run/keys/ldap/ldap-access
'';
in {
options.services.myDatabases = {
};
config = lib.mkIf cfg.enable {
+ deployment.keys = {
+ ldap-password = {
+ destDir = "/run/keys/ldap";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${myconfig.env.ldap.root_pw}";
+ };
+ ldap-access = {
+ destDir = "/run/keys/ldap";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ };
+ };
+ users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
services.cron = {