+{ lib, pkgs, config, myconfig, ... }:
+let
+ cfg = config.myServices.databases.openldap;
+ ldapConfig = let
+ kerberosSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+ sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+ };
+ puppetSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+ sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+ };
+ in ''
+ include ${pkgs.openldap}/etc/schema/core.schema
+ include ${pkgs.openldap}/etc/schema/cosine.schema
+ include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+ include ${pkgs.openldap}/etc/schema/nis.schema
+ include ${puppetSchema}
+ include ${kerberosSchema}
+ include ${./immae.schema}
+
+ pidfile ${cfg.pids.pid}
+ argsfile ${cfg.pids.args}
+
+ moduleload back_hdb
+ backend hdb
+
+ moduleload memberof
+ database hdb
+ suffix "${myconfig.env.ldap.base}"
+ rootdn "${myconfig.env.ldap.root_dn}"
+ include ${config.secrets.location}/ldap/password
+ directory ${cfg.dataDir}
+ overlay memberof
+
+ TLSCertificateFile /var/lib/acme/ldap/cert.pem
+ TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+ TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+ TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+ #This makes openldap crash
+ #TLSCipherSuite DEFAULT
+
+ sasl-host kerberos.immae.eu
+ include ${config.secrets.location}/ldap/access
+ '';
+in
+{
+ options.myServices.databases = {
+ openldap = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable ldap";
+ type = lib.types.bool;
+ };
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/openldap";
+ description = ''
+ The directory where Openldap stores its data.
+ '';
+ };
+ socketsDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/run/slapd";
+ description = ''
+ The directory where Openldap puts sockets and pid files.
+ '';
+ };
+ # Output variables
+ pids = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = {
+ pid = "${cfg.socketsDir}/slapd.pid";
+ args = "${cfg.socketsDir}/slapd.args";
+ };
+ readOnly = true;
+ description = ''
+ Slapd pid files
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = [
+ {
+ dest = "ldap/password";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${myconfig.env.ldap.root_pw}";
+ }
+ {
+ dest = "ldap/access ";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+ }
+ ];
+ users.users.openldap.extraGroups = [ "keys" ];
+ networking.firewall.allowedTCPPorts = [ 636 389 ];
+
+ services.cron = {
+ systemCronJobs = [
+ ''
+ 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
+ ''
+ ];
+ };
+
+ security.acme.certs."ldap" = config.myServices.databasesCerts // {
+ user = "openldap";
+ group = "openldap";
+ plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+ domain = "ldap.immae.eu";
+ postRun = ''
+ systemctl restart openldap.service
+ '';
+ };
+
+ services.openldap = {
+ enable = true;
+ dataDir = cfg.dataDir;
+ urlList = [ "ldap://" "ldaps://" ];
+ extraConfig = ldapConfig;
+ };
+ };
+}