Diffstat (limited to 'modules/private/databases/openldap/default.nix')
-rw-r--r-- | modules/private/databases/openldap/default.nix | 147 |
1 files changed, 0 insertions, 147 deletions
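--- a/modules/private/databases/openldap/default.nix
+++ /dev/null
@@ -1,147 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-  cfg = config.myServices.databases.openldap;
-  ldapConfig = let
-    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
-  in ''
-    ${eldiron_schemas}
-
-    pidfile ${cfg.pids.pid}
-    argsfile ${cfg.pids.args}
-
-    moduleload back_hdb
-    backend hdb
-
-    TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
-    TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
-    TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
-    TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
-    #This makes openldap crash
-    #TLSCipherSuite DEFAULT
-
-    sasl-host kerberos.immae.eu
-  '';
-in
-{
-  options.myServices.databases = {
-    openldap = {
-      enable = lib.mkOption {
-        default = false;
-        example = true;
-        description = "Whether to enable ldap";
-        type = lib.types.bool;
-      };
-      baseDn = lib.mkOption {
-        type = lib.types.str;
-        description = ''
-          Base DN for LDAP
-        '';
-      };
-      rootDn = lib.mkOption {
-        type = lib.types.str;
-        description = ''
-          Root DN
-        '';
-      };
-      rootPw = lib.mkOption {
-        type = lib.types.str;
-        description = ''
-          Root (Hashed) password
-        '';
-      };
-      accessFile = lib.mkOption {
-        type = lib.types.path;
-        description = ''
-          The file path that defines the access
-        '';
-      };
-      dataDir = lib.mkOption {
-        type = lib.types.path;
-        default = "/var/lib/openldap";
-        description = ''
-          The directory where Openldap stores its data.
-        '';
-      };
-      socketsDir = lib.mkOption {
-        type = lib.types.path;
-        default = "/run/slapd";
-        description = ''
-          The directory where Openldap puts sockets and pid files.
-        '';
-      };
-      # Output variables
-      pids = lib.mkOption {
-        type = lib.types.attrsOf lib.types.path;
-        default = {
-          pid = "${cfg.socketsDir}/slapd.pid";
-          args = "${cfg.socketsDir}/slapd.args";
-        };
-        readOnly = true;
-        description = ''
-          Slapd pid files
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = {
-      "ldap/password" = {
-        permissions = "0400";
-        user = "openldap";
-        group = "openldap";
-        text = "rootpw ${cfg.rootPw}";
-      };
-      "ldap/access" = {
-        permissions = "0400";
-        user = "openldap";
-        group = "openldap";
-        text = builtins.readFile cfg.accessFile;
-      };
-      "ldap" = {
-        permissions = "0500";
-        user = "openldap";
-        group = "openldap";
-        isDir = true;
-      };
-    };
-    users.users.openldap.extraGroups = [ "keys" ];
-    networking.firewall.allowedTCPPorts = [ 636 389 ];
-
-    security.acme.certs."ldap" = config.myServices.databasesCerts // {
-      user = "openldap";
-      group = "openldap";
-      domain = "ldap.immae.eu";
-      postRun = ''
-        systemctl restart openldap.service
-      '';
-    };
-
-    services.filesWatcher.openldap = {
-      restart = true;
-      paths = [ config.secrets.fullPaths."ldap" ];
-    };
-
-    services.openldap = {
-      enable = true;
-      dataDir = cfg.dataDir;
-      urlList = [ "ldap://" "ldaps://" ];
-      logLevel = "none";
-      extraConfig = ldapConfig;
-      extraDatabaseConfig = ''
-        moduleload memberof
-        overlay memberof
-
-        moduleload syncprov
-        overlay syncprov
-        syncprov-checkpoint 100 10
-
-        include ${config.secrets.fullPaths."ldap/access"}
-      '';
-      rootpwFile = config.secrets.fullPaths."ldap/password";
-      suffix = cfg.baseDn;
-      rootdn = cfg.rootDn;
-      database = "hdb";
-    };
-  };
-}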