Diffstat (limited to 'modules/services/ldap.nix')
-rw-r--r--modules/services/ldap.nix76
1 files changed, 76 insertions, 0 deletions
diff --git a/modules/services/ldap.nix b/modules/services/ldap.nix
new file mode 100644
index 0000000..e75d739
--- /dev/null
+++ b/modules/services/ldap.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.ldap;
+in
+{
+ options.modules.services.ldap = {
+ enable = mkEnableOption "OpenLDAP server";
+ package = mkOption { type = types.package; default = pkgs.openldap; };
+ dc = mkOption { type = types.str; };
+ tld = mkOption { type = types.str; };
+ tls.acmeHost = mkOption { type = types.str; default = "${cfg.dc}.${cfg.tld}"; };
+ secrets.rootPass = mkOption { type = types.path; description = "path to the root password file"; };
+ };
+
+ config = mkIf cfg.enable {
+ services.openldap = {
+ enable = true;
+
+ urlList = [ "ldap:///" "ldaps:///" ];
+
+ settings = {
+ attrs = {
+ olcLogLevel = "conns config";
+
+ olcTLSCACertificateFile = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/full.pem";
+ olcTLSCertificateFile = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/cert.pem";
+ olcTLSCertificateKeyFile = "${config.security.acme.certs.${cfg.tls.acmeHost}.directory}/key.pem";
+ olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+ olcTLSCRLCheck = "none";
+ olcTLSVerifyClient = "never";
+ olcTLSProtocolMin = "3.1";
+ };
+
+ children = {
+ "cn=schema".includes = [
+ "${cfg.package}/etc/schema/core.ldif"
+ "${cfg.package}/etc/schema/cosine.ldif"
+ "${cfg.package}/etc/schema/inetorgperson.ldif"
+ ];
+
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=${cfg.dc},dc=${cfg.tld}";
+
+ olcRootDN = "cn=admin,dc=${cfg.dc},dc=${cfg.tld}";
+ olcRootPW.path = cfg.secrets.rootPass;
+
+ olcAccess = [
+ # ''{0}to <changeme>
+ # by <changeme>''
+
+ ''{0}to *
+ by * none'' # Should be changed to {1}
+ ];
+ };
+ };
+ };
+ };
+
+ systemd.services.openldap = {
+ after = [ "acme-finished-${cfg.tls.acmeHost}.target" ];
+ };
+
+ users.groups.acme.members = [ "openldap" ];
+
+ modules.persistence.directories = [
+ "/var/lib/openldap"
+ ];
+ };
+}
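Review bot: The olcTLSCipherSuite string on the new file's line 45 explicitly adds `aNULL`, `RC4` and `3DES`, so an ldaps:// client can negotiate an anonymous (server-unauthenticated) or deprecated cipher, and `olcTLSProtocolMin = "3.1"` on line 48 still admits TLS 1.0; since these attrs are hard-coded for every host that enables the module, every deployment inherits them. Prefer an exclusion list and a higher floor, e.g. `olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES";` and `olcTLSProtocolMin = "3.3";` (3.3 is TLS 1.2 in OpenLDAP's numbering), assuming the package is built against OpenSSL as the cipher-string syntax suggests — confirm against the actual TLS backend. The `olcAccess` default of `{0}to * by * none` with only a `# Should be changed to {1}` comment silently deploys a directory that no regular bind can read; consider exposing the ACL as an `mkOption` with a `description` stating that the default denies all access except the root DN, or at least document it inline in the same sentence. The `olcTLSVerifyClient = "never"` and `olcTLSCRLCheck = "none"` values are reasonable for a password-bound directory but deserve a one-line comment saying client certificates are intentionally not used.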