{ lib, pkgs, config, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  ldapCfg = config.myServices.databases.openldap;

  # Resolve a key name to the path the secrets module materialises it at.
  secretPath = name: config.secrets.fullPaths.${name};

  # Directory holding the ACME-issued certificate for ldap.immae.eu.
  certDir = config.security.acme.certs.ldap.directory;

  # Schema includes built by ./eldiron_schemas.nix; interpolated as a store
  # path at the top of the global slapd configuration.
  schemas = pkgs.callPackage ./eldiron_schemas.nix {};

  # Global (pre-database) slapd.conf directives.
  # NOTE(review): no TLSProtocolMin / TLSCipherSuite is in effect (the DEFAULT
  # line below is kept commented out because it crashed slapd), so the TLS
  # library's built-in defaults decide which protocol versions and ciphers are
  # offered on 636 and via StartTLS -- confirm those defaults are acceptable.
  # TLSCACertificatePath points at the full public CA bundle; that only matters
  # for client-certificate verification, and TLSVerifyClient is not set in this
  # file.
  globalConfig = ''
    ${schemas}

    pidfile         ${ldapCfg.pids.pid}
    argsfile        ${ldapCfg.pids.args}

    moduleload      back_hdb
    backend         hdb

    TLSCertificateFile    ${certDir}/cert.pem
    TLSCertificateKeyFile ${certDir}/key.pem
    TLSCACertificateFile  ${certDir}/fullchain.pem
    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite        DEFAULT

    sasl-host kerberos.immae.eu
    '';

  # Per-database directives appended after the suffix/rootdn lines the NixOS
  # openldap module emits. The ACL file is included from the secrets
  # directory rather than embedded in the store-resident slapd.conf.
  databaseConfig = ''
    moduleload      memberof
    overlay         memberof

    moduleload      syncprov
    overlay         syncprov
    syncprov-checkpoint 100 10

    include ${secretPath "ldap/access"}
    '';
in
{
  options.myServices.databases.openldap = {
    enable = mkEnableOption "ldap";

    baseDn = mkOption {
      type = types.str;
      description = ''
        Base DN of the directory (used as the slapd suffix).
      '';
    };

    rootDn = mkOption {
      type = types.str;
      description = ''
        DN of the directory root/admin user.
      '';
    };

    rootPw = mkOption {
      type = types.str;
      description = ''
        Root password, already hashed (slappasswd output).
      '';
    };

    accessFile = mkOption {
      type = types.path;
      description = ''
        File containing the access (ACL) directives for the database.
      '';
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/openldap";
      description = ''
        Directory in which slapd keeps its database files.
      '';
    };

    socketsDir = mkOption {
      type = types.path;
      default = "/run/slapd";
      description = ''
        Runtime directory for slapd sockets and pid/args files.
      '';
    };

    # Derived, read-only values exposed to other modules.
    pids = mkOption {
      type = types.attrsOf types.path;
      readOnly = true;
      default = {
        pid  = "${ldapCfg.socketsDir}/slapd.pid";
        args = "${ldapCfg.socketsDir}/slapd.args";
      };
      description = ''
        Paths of the slapd pid and args files (derived from socketsDir).
      '';
    };
  };

  config = mkIf ldapCfg.enable {
    # Secret material is written by the (project-local) secrets module,
    # readable by the openldap user only. The rootpw line and the ACL file are
    # pulled in from there at slapd start.
    secrets.keys = {
      "ldap" = {
        isDir = true;
        permissions = "0500";
        user = "openldap";
        group = "openldap";
      };
      "ldap/password" = {
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        # NOTE(review): rootPw is documented as an already-hashed value; slapd
        # would also accept a plaintext rootpw here, and nothing in this module
        # checks which one it was given.
        text = "rootpw          ${ldapCfg.rootPw}";
      };
      "ldap/access" = {
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = builtins.readFile ldapCfg.accessFile;
      };
    };

    # Needed so the openldap user can read the secrets directory.
    users.users.openldap.extraGroups = [ "keys" ];

    # NOTE(review): 389 (plain LDAP) is opened to the network alongside 636.
    # Nothing in this file requires StartTLS or a minimum SSF for binds on 389
    # (no `security ssf=...` directive); if that guarantee exists it must come
    # from the ACL file or from the clients -- confirm before relying on it.
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    # Certificate for the ldaps/StartTLS endpoint, owned by the openldap user
    # so slapd can read the private key; slapd is restarted on renewal.
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    # Restart slapd whenever the secrets directory changes (rootpw or ACLs).
    services.filesWatcher.openldap = {
      restart = true;
      paths = [ (secretPath "ldap") ];
    };

    services.openldap = {
      enable = true;
      suffix = ldapCfg.baseDn;
      rootdn = ldapCfg.rootDn;
      rootpwFile = secretPath "ldap/password";
      dataDir = ldapCfg.dataDir;
      # NOTE(review): back_hdb (BerkeleyDB) is the legacy backend; upstream
      # recommends mdb. Switching requires a slapcat/slapadd migration of the
      # existing data, so it is deliberately left untouched here.
      database = "hdb";
      urlList = [ "ldap://" "ldaps://" ];
      # NOTE(review): "none" means slapd records nothing -- no trace of binds,
      # failed authentications or modifications for incident investigation.
      # "stats" is the usual operational level; left as-is here because
      # changing it changes log volume.
      logLevel = "none";
      extraConfig = globalConfig;
      extraDatabaseConfig = databaseConfig;
    };
  };
}