server-configs/machines/gerd/services/lldap.nix

142 lines
4.4 KiB
Nix
Raw Normal View History

{ config, lib, ... }:
2024-08-09 19:37:40 +00:00
2024-08-11 12:50:32 +00:00
let
svc_domain = "ldap.${config.mine.shared.settings.domain}";
2024-08-11 12:50:32 +00:00
in {
2024-08-09 19:37:40 +00:00
services.lldap = {
enable = true;
settings = {
verbose = true;
ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
ldap_base_dn = config.mine.shared.settings.ldap.dc;
2024-08-09 19:37:40 +00:00
};
environment = {
# always set admin password on startup
LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-admin-user-pass.path;
2024-08-09 19:37:40 +00:00
# only available on the newest master branch, will be enabled when a
# new version is released.
# https://github.com/lldap/lldap/issues/790
# LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
};
};
2024-08-11 12:50:32 +00:00
services.nginx.virtualHosts."${svc_domain}" = {
2024-08-09 19:37:40 +00:00
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
};
# persistent files
environment.persistence.root.directories = [
{ directory = "/var/lib/private/lldap"; mode = "0700"; }
];
# lldap user + setup secrets owner (need to add user for secrets to work)
users.users.lldap = { group = "lldap"; isSystemUser = true; };
users.groups.lldap = {};
age.secrets = {
lldap-admin-user-pass.owner = "lldap";
2024-08-09 19:37:40 +00:00
};
# set settings other services can use
# CN = Common Name
# OU = Organizational Unit
# DC = Domain Component
#
# The users are all located in ou=people, + the base DN, so by default user bob is at cn=bob,ou=people,dc=example,dc=com.
# Similarly, the groups are located in ou=groups, so the group family will be at cn=family,ou=groups,dc=example,dc=com.
# Testing group membership through memberOf is supported, so you can have a filter like: (memberOf=cn=admins,ou=groups,dc=example,dc=com).
mine.shared.settings.ldap = rec {
host = "localhost";
port = 3890;
url = "ldap://${host}:${builtins.toString port}";
dc = "dc=${config.mine.shared.settings.domain_sld},dc=${config.mine.shared.settings.domain_tld}";
bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
search_base = "ou=${ou.users},${dc}";
user_filter = ph: let
attrs = [ attr.uid attr.email ];
in config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
llib.mkAnd [
(llib.mkGroup lconfig.groups.member)
(llib.mkOr (lib.forEach attrs (v: llib.mkSearch v ph)))
]
);
oc = {
person = "person";
mailAccount = "mailAccount";
groupOfUniqueNames = "groupOfUniqueNames";
};
users = {
admin = "admin";
bind = "bind_user";
};
groups = {
admin = "lldap_admin";
member = "base_member";
};
ou = {
groups = "groups";
users = "people";
};
attr = {
uid = "uid";
firstname = "givenName";
lastname = "sn";
email = "mail";
avatar = "jpegPhoto";
2024-08-11 12:50:32 +00:00
groupname = "cn";
};
age_secret = config.age.secrets.lldap-bind-user-pass.path;
};
mine.shared.lib.ldap = rec {
mkGroup = group_name: "memberof=cn=${group_name},ou=${config.mine.shared.settings.ldap.ou.groups},${config.mine.shared.settings.ldap.dc}";
mkOC = object_class_name: "objectclass=${object_class_name}";
mkSearch = attribute: ph: "${attribute}=${ph}";
mkFilterAdvanced = expr: let
isExpr = value: if value ? type then true else false;
__mkExpr = value: if isExpr value then mkFilterAdvanced value else "(${value})";
_mkExpr = op: value: "(${op}" + (builtins.concatStringsSep "" (lib.forEach value (v: __mkExpr v))) + ")";
mkExpr = expr: assert isExpr expr; if expr.type == "and" then _mkExpr "&" expr.values else _mkExpr "|" expr.values;
in mkExpr expr;
mkAndOr = andExprs: orExprs: mkFilterAdvanced {
type = "and";
values = andExprs ++ [
{ type = "or"; values = orExprs; }
];
};
mkFilter = t: mkFilterAdvanced (t config.mine.shared.settings.ldap config.mine.shared.lib.ldap);
mkScope = t: t config.mine.shared.settings.ldap config.mine.shared.lib.ldap;
mkAnd = v: { type = "and"; values = v; };
mkOr = v: { type = "or"; values = v; };
};
mine.shared.meta.lldap = {
name = "LDAP";
description = "We host our own LDAP server, you can use it to change your displayname, name, password, etc.";
url = "https://${svc_domain}";
package = let
pkg = config.services.lldap.package;
in {
name = pkg.pname;
version = pkg.version;
meta = pkg.meta;
};
};
2024-08-09 19:37:40 +00:00
}