gerd.lldap: adds ldap service

2024-08-09 21:37:40 +02:00 · 2024-08-09 21:37:40 +02:00 · e88f8477da
commit e88f8477da
parent 4ba7d237b7
4 changed files with 52 additions and 0 deletions
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@ -0,0 +1,40 @@
+{ config, ... }:
+
+{
+  services.lldap = {
+    enable = true;
+
+    settings = {
+      verbose = true;
+      ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
+      ldap_base_dn = "dc=fricloud,dc=dk";
+    };
+
+    environment = {
+      # always set admin password on startup
+      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-user-pass.path;
+      # only available on the newest master branch, will be enabled when a 
+      # new version is released.
+      # https://github.com/lldap/lldap/issues/790
+      # LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
+    };
+  };
+
+  services.nginx.virtualHosts."ldap.fricloud.dk" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
+  };
+
+  # persistent files
+  environment.persistence.root.directories = [
+    { directory = "/var/lib/private/lldap"; mode = "0700"; }
+  ];
+
+  # lldap user + setup secrets owner (need to add user for secrets to work)
+  users.users.lldap = { group = "lldap"; isSystemUser = true; };
+  users.groups.lldap = {};
+  age.secrets = {
+    lldap-user-pass.owner = "lldap";
+  };
+}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,4 +1,5 @@
 {
  age.secrets = {
+    lldap-user-pass.file = ./lldap/user-pass.age;
  };
 }
--- a/secrets/lldap/user-pass.age
+++ b/secrets/lldap/user-pass.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg GGeJqXdtwwxIlkG/yl4DfkKykQ3uJyWqLguJ680vZlY
+LS19/W+IHFSAeog3c2qAzvgE2VDWF81B5ehqo2xoCVk
+-> ssh-ed25519 n8n9DQ 8xOzOWPQEwAAslYAg71Hf8sf67+QGFKeX280ueXrYVk
+ZdzT710/gB1N7eosXQbyRdyzQvQDuLeCFS6ocpkvooU
+-> ssh-ed25519 BTp6UA RyRdwb7gHk74LgqEmWUJ8SpiS94IHczpO2ZokCFO0QY
+c3t3vZyRqSIWiFnt0slV8AjACKW44PgUvwijLTNigck
+--- emrYR6UhtLGsqpz7q+KAivD5e0sAf6zaA5qh3vD/13A
+Ùüù‚×H@ø|²aè›>á3C‰Œ&*µ_8
+~ç7RÛ†)°$<24>aÄçü–]éD©y±±}ß.Ê:
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -10,4 +10,5 @@ let
  defaultAccess = users ++ systems;
 in
 {
+  "lldap/user-pass.age".publicKeys = defaultAccess;
 }