1 files changed, 68 insertions, 1 deletions

diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 1115a29..1940b62 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -30,6 +30,15 @@ in {
         type = lib.types.bool;
       };
     };
+
+    ldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -55,7 +64,7 @@ in {
       });
     };
 
-    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+    networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
 
     # for adminer, ssl is implemented with mysqli only, which is
     # currently disabled because it’s not compatible with pam.
@@ -94,6 +103,16 @@ in {
       '';
     };
 
+    security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+
     system.activationScripts.postgresql = ''
       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
       '';
@@ -202,5 +221,53 @@ in {
       mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
       chown redis $(dirname ${myconfig.env.databases.redis.socket})
     '';
+
+    services.openldap = let
+      kerberosSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+        sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+      };
+      puppetSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+        sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+      };
+    in {
+      enable = config.services.myDatabases.ldap.enable;
+      dataDir = "/var/lib/openldap";
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ''
+        include         ${pkgs.openldap}/etc/schema/core.schema
+        include         ${pkgs.openldap}/etc/schema/cosine.schema
+        include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
+        include         ${pkgs.openldap}/etc/schema/nis.schema
+        include         ${puppetSchema}
+        include         ${kerberosSchema}
+        include         ${./immae.schema}
+
+        pidfile         /run/slapd/slapd.pid
+        argsfile        /run/slapd/slapd.args
+
+        moduleload      back_hdb
+        backend         hdb
+
+        moduleload      memberof
+        database        hdb
+        suffix          "${myconfig.env.ldap.base}"
+        rootdn          "${myconfig.env.ldap.root_dn}"
+        rootpw          ${myconfig.env.ldap.root_pw}
+        directory       /var/lib/openldap
+        overlay         memberof
+
+        TLSCertificateFile    /var/lib/acme/ldap/cert.pem
+        TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+        TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
+        TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
+        #This makes openldap crash
+        #TLSCipherSuite        DEFAULT
+
+        sasl-host kerberos.immae.eu
+        ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+        '';
+    };
   };
 }