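# OpenLDAP server module: runs slapd with ldap:// and ldaps:// listeners, takes its
# TLS material from the ACME certificate for `tls.acmeHost`, and serves a single
# mdb database rooted at dc=<dc>,dc=<tld>.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.modules.services.ldap;
  # Directory holding the ACME-issued files (cert.pem, key.pem, full.pem, ...) for the host.
  certDir = config.security.acme.certs.${cfg.tls.acmeHost}.directory;
in
{
  options.modules.services.ldap = {
    enable = mkEnableOption "OpenLDAP server";

    package = mkOption {
      type = types.package;
      default = pkgs.openldap;
      description = "OpenLDAP package providing slapd and the schema LDIF files.";
    };

    dc = mkOption {
      type = types.str;
      description = "Domain component of the suffix (dc=<dc>,dc=<tld>).";
    };

    tld = mkOption {
      type = types.str;
      description = "Top-level domain component of the suffix.";
    };

    tls.acmeHost = mkOption {
      type = types.str;
      default = "${cfg.dc}.${cfg.tld}";
      description = "Name of the security.acme.certs entry whose certificate slapd serves.";
    };

    secrets.rootPass = mkOption {
      type = types.path;
      description = "path to the root password file";
    };
  };

  config = mkIf cfg.enable {
    services.openldap = {
      enable = true;
      # NOTE(review): the plaintext ldap:// listener is bound on all interfaces;
      # simple binds over it carry credentials unencrypted unless the client
      # negotiates StartTLS first.
      urlList = [ "ldap:///" "ldaps:///" ];

      settings = {
        attrs = {
          olcLogLevel = "conns config";

          # NOTE(review): in NixOS ACME, full.pem is fullchain + private key;
          # chain.pem (issuer chain only) looks like the intended CA file — confirm.
          olcTLSCACertificateFile = "${certDir}/full.pem";
          olcTLSCertificateFile = "${certDir}/cert.pem";
          olcTLSCertificateKeyFile = "${certDir}/key.pem";

          # Exclude anonymous (aNULL) and null-encryption (eNULL) suites — they give
          # no server authentication / no confidentiality — and the broken RC4, 3DES
          # and MD5 algorithms. The previous list, "HIGH:MEDIUM:+3DES:+RC4:+aNULL",
          # kept all of these wherever the linked TLS library still offers them:
          # OpenSSL's HIGH/MEDIUM groups include anonymous-DH and RC4 suites, and a
          # "+" prefix only reorders matching suites, it never removes them.
          olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5";
          olcTLSCRLCheck = "none";
          # Clients are never asked for a certificate; authentication is by bind only.
          olcTLSVerifyClient = "never";
          # slapd-config(5) numbering: 3.3 = TLS 1.2. TLS 1.0/1.1 (3.1/3.2) are
          # deprecated (RFC 8996); raise to 3.4 for TLS 1.3-only once clients allow.
          olcTLSProtocolMin = "3.3";
        };

        children = {
          "cn=schema".includes = [
            "${cfg.package}/etc/schema/core.ldif"
            "${cfg.package}/etc/schema/cosine.ldif"
            "${cfg.package}/etc/schema/inetorgperson.ldif"
          ];

          "olcDatabase={1}mdb".attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=${cfg.dc},dc=${cfg.tld}";
            olcRootDN = "cn=admin,dc=${cfg.dc},dc=${cfg.tld}";
            # `.path` tells services.openldap to read the value from this file
            # instead of inlining it, so the root password stays out of the store.
            olcRootPW.path = cfg.secrets.rootPass;
            olcAccess = [
              # ''{0}to
              #   by ''
              # Deny everything to everyone: only the rootDN (which is not subject
              # to olcAccess) can read or write until real access rules are added.
              ''{0}to * by * none'' # Should be changed to {1}
            ];
          };
        };
      };
    };

    # Do not start slapd before the ACME certificate for the host has been issued.
    systemd.services.openldap = {
      after = [ "acme-finished-${cfg.tls.acmeHost}.target" ];
    };

    # The acme group owns the certificate directory; membership lets slapd read key.pem.
    users.groups.acme.members = [ "openldap" ];

    modules.persistence.directories = [ "/var/lib/openldap" ];
  };
}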