From 865e1251dec56e8dcfb44dba5beb39c33d64ff40 Mon Sep 17 00:00:00 2001
From: eyjhb <eyjhbb@gmail.com>
Date: Sun, 11 Aug 2024 14:21:45 +0200
Subject: [PATCH] gerd.lldap: utilise settings module for LDAP

---
 machines/gerd/services/forgejo.nix  | 22 +++++++-------
 machines/gerd/services/hedgedoc.nix | 10 +++----
 machines/gerd/services/lldap.nix    | 45 +++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 16 deletions(-)

diff --git a/machines/gerd/services/forgejo.nix b/machines/gerd/services/forgejo.nix
index a5be269..64ee69e 100644
--- a/machines/gerd/services/forgejo.nix
+++ b/machines/gerd/services/forgejo.nix
@@ -29,19 +29,19 @@ let
       --active \
       --security-protocol unencrypted \
       --skip-tls-verify \
-      --host localhost \
-      --port 3890 \
-      --bind-dn "uid=bind_user,ou=people,dc=fricloud,dc=dk" \
+      --host ${config.mine.settings.ldap.host} \
+      --port ${builtins.toString config.mine.settings.ldap.port} \
+      --bind-dn "${config.mine.settings.ldap.bind_dn}" \
       --bind-password "$BIND_USERPASS" \
-      --user-filter '(&(memberof=cn=base_member,ou=groups,dc=fricloud,dc=dk)(|(uid=%[1]s)(mail=%[1]s)))' \
-      --admin-filter '(memberof=cn=lldap_admin,ou=groups,dc=fricloud,dc=dk)' \
-      --username-attribute uid \
-      --firstname-attribute givenName  \
-      --surname-attribute sn \
-      --email-attribute mail \
-      --avatar-attribute jpegPhoto \
+      --user-filter '(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}=%[1]s)(${config.mine.settings.ldap.attr.email}=%[1]s)))' \
+      --admin-filter '${config.mine.settings.ldap.admin_filter}' \
+      --username-attribute ${config.mine.settings.ldap.attr.uid} \
+      --firstname-attribute ${config.mine.settings.ldap.attr.firstname}  \
+      --surname-attribute ${config.mine.settings.ldap.attr.lastname} \
+      --email-attribute ${config.mine.settings.ldap.attr.email} \
+      --avatar-attribute ${config.mine.settings.ldap.attr.avatar} \
       --synchronize-users \
-      --user-search-base 'ou=people,dc=fricloud,dc=dk' \
+      --user-search-base '${config.mine.settings.ldap.search_base}' \
 
     echo "PRERUN-LDAP: Finished adding/updating..."
   '';
diff --git a/machines/gerd/services/hedgedoc.nix b/machines/gerd/services/hedgedoc.nix
index d66fda6..fad47f6 100644
--- a/machines/gerd/services/hedgedoc.nix
+++ b/machines/gerd/services/hedgedoc.nix
@@ -28,11 +28,11 @@ in {
       # setup ldap
       # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
       ldap = {
-        url = "ldap://localhost:3890";
-        bindDn = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
-        searchBase = "ou=people,dc=fricloud,dc=dk";
-        searchFilter = "(&(memberOf=cn=base_member,ou=groups,dc=fricloud,dc=dk)(uid={{username}}))";
-        useridField = "uid";
+        url = config.mine.settings.ldap.url;
+        bindDn = config.mine.settings.ldap.bind_dn;
+        searchBase = config.mine.settings.ldap.search_base;
+        searchFilter = "(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}={{username}})(${config.mine.settings.ldap.attr.email}={{username}})))";
+        useridField = config.mine.settings.ldap.attr.uid;
       };
     };
   };
diff --git a/machines/gerd/services/lldap.nix b/machines/gerd/services/lldap.nix
index cf58b29..bbf2af2 100644
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@@ -37,4 +37,49 @@
   age.secrets = {
     lldap-admin-user-pass.owner = "lldap";
   };
+
+  # set settings other services can use
+  #  CN = Common Name
+  #  OU = Organizational Unit
+  #  DC = Domain Component
+  #
+  # The users are all located in ou=people, + the base DN, so by default user bob is at cn=bob,ou=people,dc=example,dc=com.
+  # Similarly, the groups are located in ou=groups, so the group family will be at cn=family,ou=groups,dc=example,dc=com.
+  # Testing group membership through memberOf is supported, so you can have a filter like: (memberOf=cn=admins,ou=groups,dc=example,dc=com).
+  mine.settings.ldap = rec {
+    host = "localhost";
+    port = 3890;
+    url = "ldap://${host}:${builtins.toString port}";
+
+    dc = "dc=fricloud,dc=dk";
+    bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
+    search_base = "ou=${ou.users},${dc}";
+    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
+    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";
+
+    users = {
+      admin = "admin";
+      bind = "bind_user";
+    };
+
+    groups = {
+      admin = "lldap_admin";
+      member = "base_member";
+    };
+
+    ou = {
+      groups = "groups";
+      users = "people";
+    };
+
+    attr = {
+      uid = "uid";
+      firstname = "givenName";
+      lastname = "sn";
+      email = "mail";
+      avatar = "jpegPhoto";
+    };
+
+    age_secret = config.age.secrets.lldap-bind-user-pass.path;
+  };
 }