From e88f8477dad340054bd7f864bf2ba7977a581e4a Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Fri, 9 Aug 2024 21:37:40 +0200
Subject: [PATCH] gerd.lldap: adds ldap service

---
 machines/gerd/services/lldap.nix | 40 ++++++++++++++++++++++++++++++++
 secrets/default.nix | 1 +
 secrets/lldap/user-pass.age | 10 ++++++++
 secrets/secrets.nix | 1 +
 4 files changed, 52 insertions(+)
 create mode 100644 machines/gerd/services/lldap.nix
 create mode 100644 secrets/lldap/user-pass.age

diff --git a/machines/gerd/services/lldap.nix b/machines/gerd/services/lldap.nix
new file mode 100644
index 0000000..19e8eef
--- /dev/null
+++ b/machines/gerd/services/lldap.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+
+{
+ services.lldap = {
+ enable = true;
+
+ settings = {
+ verbose = true;
+ ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
+ ldap_base_dn = "dc=fricloud,dc=dk";
+ };
+
+ environment = {
+ # always set admin password on startup
+ LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-user-pass.path;
+ # only available on the newest master branch, will be enabled when a
+ # new version is released.
+ # https://github.com/lldap/lldap/issues/790
+ # LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
+ };
+ };
+
+ services.nginx.virtualHosts."ldap.fricloud.dk" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
+ };
+
+ # persistent files
+ environment.persistence.root.directories = [
+ { directory = "/var/lib/private/lldap"; mode = "0700"; }
+ ];
+
+ # lldap user + setup secrets owner (need to add user for secrets to work)
+ users.users.lldap = { group = "lldap"; isSystemUser = true; };
+ users.groups.lldap = {};
+ age.secrets = {
+ lldap-user-pass.owner = "lldap";
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 645e1cb..d3899e0 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,4 +1,5 @@
 {
 age.secrets = {
+ lldap-user-pass.file = ./lldap/user-pass.age;
 };
 }
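Review bot: The comment `# always set admin password on startup` above `LLDAP_LDAP_USER_PASS_FILE` in the `environment` block overstates what the setting does as long as the `LLDAP_FORCE_LDAP_USER_PASS_RESET` line beneath it stays commented out: the password file is applied when the admin account is first created, and a later rotation of the age secret is not re-applied to that account, which is exactly what the force-reset variable the next comment defers would do. Suggest `# initial admin password; a rotated secret is not re-applied until LLDAP_FORCE_LDAP_USER_PASS_RESET (below) can be enabled`. Separately, the nginx vhost publishes the UI at https://ldap.fricloud.dk while `settings` leaves `http_url` unset, so any password-reset links lldap generates would presumably point at the default `http://localhost`; adding `http_url = "https://ldap.fricloud.dk";` to `settings` keeps them consistent with the vhost. `verbose = true` is also debug-level logging on an identity service and is worth confirming as intentional rather than left over from bring-up.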
diff --git a/secrets/lldap/user-pass.age b/secrets/lldap/user-pass.age
new file mode 100644
index 0000000..5f04e40
--- /dev/null
+++ b/secrets/lldap/user-pass.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg GGeJqXdtwwxIlkG/yl4DfkKykQ3uJyWqLguJ680vZlY
+LS19/W+IHFSAeog3c2qAzvgE2VDWF81B5ehqo2xoCVk
+-> ssh-ed25519 n8n9DQ 8xOzOWPQEwAAslYAg71Hf8sf67+QGFKeX280ueXrYVk
+ZdzT710/gB1N7eosXQbyRdyzQvQDuLeCFS6ocpkvooU
+-> ssh-ed25519 BTp6UA RyRdwb7gHk74LgqEmWUJ8SpiS94IHczpO2ZokCFO0QY
+c3t3vZyRqSIWiFnt0slV8AjACKW44PgUvwijLTNigck
+--- emrYR6UhtLGsqpz7q+KAivD5e0sAf6zaA5qh3vD/13A
+H@|a >3C&*_8
+~7Rۆ)$a]Dy}.:
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c3a3bf7..bd2da37 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ let
 defaultAccess = users ++ systems;
 in {
+ "lldap/user-pass.age".publicKeys = defaultAccess;
 }
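Review bot: `"lldap/user-pass.age".publicKeys = defaultAccess;` encrypts the lldap admin password to every recipient in `users ++ systems`, so the host key of every machine in `systems` can decrypt a secret that only the gerd host (where `machines/gerd/services/lldap.nix` consumes it) needs. Narrowing the recipients to the admin users plus gerd's host key, e.g. `"lldap/user-pass.age".publicKeys = users ++ [ <gerd-host-key-variable> ];` using whatever key binding this file already defines, keeps a compromise of another host from yielding the directory's admin credential. The enclosing `let` block and the `users`/`systems` lists start outside the hunk, so the scope of `defaultAccess` is inferred from the single context line `defaultAccess = users ++ systems;` and should be checked against the full file.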