# lldap: a lightweight LDAP identity provider for this host. The web UI is
# fronted by nginx, and the connection details other modules need are
# exported through `mine.settings.ldap` at the bottom of this file.
{ config, ... }:
let
  # public hostname of the lldap web UI; TLS is terminated by nginx below
  svc_domain = "ldap.${config.mine.settings.domain}";
in {
  services.lldap = {
    enable = true;
    settings = {
      # NOTE(review): verbose logs from an identity provider are chatty and may
      # include usernames / bind DNs; confirm what reaches the journal before
      # forwarding logs elsewhere, and consider turning this off once stable.
      verbose = true;
      # contact address of the built-in admin account
      ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
      # the base DN is derived once in `mine.settings.ldap` below so that lldap
      # and every consumer agree on it
      ldap_base_dn = config.mine.settings.ldap.dc;
    };
    environment = {
      # admin password file (agenix secret, owned by the `lldap` user below).
      # While the force-reset flag further down stays commented out this is
      # presumably only applied when lldap initialises its database, i.e.
      # rotating the secret alone does not change an existing admin password —
      # TODO confirm against the running lldap version.
      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-admin-user-pass.path;
      # only available on the newest master branch, will be enabled when a
      # new version is released.
      # https://github.com/lldap/lldap/issues/790
      # LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
    };
  };

  # reverse proxy for the web UI: HTTPS only (forceSSL) with an ACME
  # certificate, so the login form is never served over plain HTTP. The
  # upstream hop to lldap is plaintext but stays on loopback.
  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
  };

  # persistent files
  # lldap state survives reboots (presumably the user database, including
  # password hashes — verify); mode 0700 keeps it readable by the service
  # user only.
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/lldap"; mode = "0700"; }
  ];

  # lldap user + setup secrets owner (need to add user for secrets to work)
  users.users.lldap = { group = "lldap"; isSystemUser = true; };
  users.groups.lldap = {};
  age.secrets = {
    # only the admin password secret is owned here; the bind-user secret whose
    # path is exported as `age_secret` below gets no owner in this file, so
    # each consumer has to be granted read access to it (or it is configured
    # elsewhere — verify).
    lldap-admin-user-pass.owner = "lldap";
  };

  # set settings other services can use
  # CN = Common Name
  # OU = Organizational Unit
  # DC = Domain Component
  #
  # The users are all located in ou=people, + the base DN, so by default user bob is at cn=bob,ou=people,dc=example,dc=com.
  # Similarly, the groups are located in ou=groups, so the group family will be at cn=family,ou=groups,dc=example,dc=com.
  # Testing group membership through memberOf is supported, so you can have a filter like: (memberOf=cn=admins,ou=groups,dc=example,dc=com).
  mine.settings.ldap = rec {
    # plain ldap:// is acceptable only because the server is on loopback; if
    # `host` ever points off-box, switch to ldaps:// (or StartTLS) so bind
    # credentials do not cross the network in clear.
    host = "localhost";
    port = 3890;
    url = "ldap://${host}:${builtins.toString port}";

    # base DN built from the configured domain, e.g. dc=example,dc=com
    dc = "dc=${config.mine.settings.domain_sld},dc=${config.mine.settings.domain_tld}";
    # dedicated low-privilege bind account for consumers (never the admin).
    # NOTE(review): this uses `uid=` while the comment above (taken from the
    # lldap docs) shows `cn=`; lldap's bind-user examples use uid, so this is
    # presumably right — confirm with a test bind against the running instance.
    bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
    search_base = "ou=${ou.users},${dc}";
    # authorization by group membership: only members of `groups.member` may
    # log in to a consumer, and `groups.admin` maps to the consumer's admin role
    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";

    users = {
      admin = "admin";
      bind = "bind_user";
    };

    groups = {
      # lldap's built-in administrator group
      admin = "lldap_admin";
      member = "base_member";
    };

    ou = {
      groups = "groups";
      users = "people";
    };

    # lldap attribute names that consumers map onto their own user fields
    attr = {
      uid = "uid";
      firstname = "givenName";
      lastname = "sn";
      email = "mail";
      avatar = "jpegPhoto";
      groupname = "cn";
    };

    # path to the bind user's password (agenix); consumers read it at runtime
    # rather than embedding the password in the Nix store
    age_secret = config.age.secrets.lldap-bind-user-pass.path;
  };
}