gerd.lldap: adds ldap service

This commit is contained in:
eyjhb 2024-08-09 21:37:40 +02:00
parent 4ba7d237b7
commit e88f8477da
No known key found for this signature in database
GPG key ID: 609F508E3239F920
4 changed files with 52 additions and 0 deletions


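--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+services.lldap = {
+enable = true;
+settings = {
+verbose = true;
+ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
+ldap_base_dn = "dc=fricloud,dc=dk";
+};
+environment = {
+# always set admin password on startup
+LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-user-pass.path;
+# only available on the newest master branch, will be enabled when a
+# new version is released.
+# https://github.com/lldap/lldap/issues/790
+# LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
+};
+};
+services.nginx.virtualHosts."ldap.fricloud.dk" = {
+forceSSL = true;
+enableACME = true;
+locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
+};
+# persistent files
+environment.persistence.root.directories = [
+{ directory = "/var/lib/private/lldap"; mode = "0700"; }
+];
+# lldap user + setup secrets owner (need to add user for secrets to work)
+users.users.lldap = { group = "lldap"; isSystemUser = true; };
+users.groups.lldap = {};
+age.secrets = {
+lldap-user-pass.owner = "lldap";
+};
+}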
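Review bot: Nothing in this module constrains where lldap's listeners bind, so the service defaults for `ldap_host` and `http_host` (all interfaces, with LDAP in plaintext) are in effect on this host unless a firewall rule elsewhere closes those ports; if only local services consume the directory, `settings.ldap_host = "127.0.0.1";` and `settings.http_host = "127.0.0.1";` next to `ldap_base_dn` would leave the TLS-terminating nginx vhost as the only external path, and otherwise LDAPS should be enabled. `settings.http_url` is also not set, so any absolute links lldap builds (password-reset mail, for instance) presumably still use its default `http://localhost`; `settings.http_url = "https://ldap.fricloud.dk";` keeps them consistent with the vhost. `verbose = true` is reasonable for the initial rollout, but a comment marking it as temporary (or dropping it once the bootstrap is confirmed) would avoid chatty logs long-term. The persisted `/var/lib/private/lldap` path suggests the unit runs with DynamicUser, so the static `lldap` user on the last lines appears to exist only for the secret's ownership; the existing comment could state that explicitly so nobody later expects the daemon itself to run as it.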


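--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -1,4 +1,5 @@
 {
 age.secrets = {
+lldap-user-pass.file = ./lldap/user-pass.age;
 };
 }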


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 QSDXqg GGeJqXdtwwxIlkG/yl4DfkKykQ3uJyWqLguJ680vZlY
LS19/W+IHFSAeog3c2qAzvgE2VDWF81B5ehqo2xoCVk
-> ssh-ed25519 n8n9DQ 8xOzOWPQEwAAslYAg71Hf8sf67+QGFKeX280ueXrYVk
ZdzT710/gB1N7eosXQbyRdyzQvQDuLeCFS6ocpkvooU
-> ssh-ed25519 BTp6UA RyRdwb7gHk74LgqEmWUJ8SpiS94IHczpO2ZokCFO0QY
c3t3vZyRqSIWiFnt0slV8AjACKW44PgUvwijLTNigck
--- emrYR6UhtLGsqpz7q+KAivD5e0sAf6zaA5qh3vD/13A
Ùüù×H@ø­|² >á3­C‰Œ&*µ_8
~ç7RÛ†)°$<24>çü]éD©y±±}ß.Ê:


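--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -10,4 +10,5 @@ let
 defaultAccess = users ++ systems;
 in
 {
+"lldap/user-pass.age".publicKeys = defaultAccess;
 }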
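Review bot: Every key in `defaultAccess` (`users ++ systems`, the line above the new entry) can now decrypt the lldap admin password, which is broader than the single host that runs the service; least privilege would be `"lldap/user-pass.age".publicKeys = users ++ [ <HOST-KEY-OF-LLDAP-HOST: not on page> ];` with that host's key taken from the `systems` list. The `let` bindings for `users` and `systems` sit outside the hunk, so whether `systems` already contains only that one host cannot be confirmed here. A comment on the new entry, `# admin password for services.lldap; readable by every key in defaultAccess`, would at least make the decrypt set explicit to the next person adding a host.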