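{ config, lib, pkgs, ... }:
# NixOS module: a single OpenLDAP (slapd) instance serving the suffix
# `dc=<dc>,dc=<tld>`, with its TLS material taken from an ACME certificate.
with lib;
let
  cfg = config.modules.services.ldap;
  # Directory of the ACME certificate used for LDAPS (full chain, cert, key).
  acmeDir = config.security.acme.certs.${cfg.tls.acmeHost}.directory;
in
{
  options.modules.services.ldap = {
    enable = mkEnableOption "OpenLDAP server";
    package = mkOption {
      type = types.package;
      default = pkgs.openldap;
      description = "OpenLDAP package providing slapd and the bundled schema LDIF files.";
    };
    dc = mkOption {
      type = types.str;
      description = "First domain component of the suffix, e.g. `example` for dc=example,dc=org.";
    };
    tld = mkOption {
      type = types.str;
      description = "Second domain component of the suffix, e.g. `org` for dc=example,dc=org.";
    };
    tls.acmeHost = mkOption {
      type = types.str;
      default = "${cfg.dc}.${cfg.tld}";
      description = "Name of the ACME certificate (security.acme.certs.<name>) whose files slapd serves for TLS.";
    };
    secrets.rootPass = mkOption {
      type = types.str;
      description = "path to the root password file";
    };
  };

  config = mkIf cfg.enable {
    services.openldap = {
      enable = true;
      # Both the plain (StartTLS-capable) and the implicit-TLS listener.
      urlList = [ "ldap:///" "ldaps:///" ];
      settings = {
        attrs = {
          olcLogLevel = "conns config";
          olcTLSCACertificateFile = "${acmeDir}/full.pem";
          olcTLSCertificateFile = "${acmeDir}/cert.pem";
          olcTLSCertificateKeyFile = "${acmeDir}/key.pem";
          # OpenSSL cipher-list syntax. aNULL (anonymous key exchange, no server
          # authentication) and eNULL (no encryption) must be excluded so a
          # client cannot negotiate an unauthenticated or cleartext session;
          # RC4 and 3DES are legacy ciphers and are excluded as well.
          olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES";
          olcTLSCRLCheck = "none";
          # No client certificates are requested; clients authenticate by bind.
          olcTLSVerifyClient = "never";
          # slapd spells TLS 1.x as "3.<x+1>": "3.3" is TLS 1.2, the lowest
          # version still considered acceptable (1.0 and 1.1 are deprecated).
          olcTLSProtocolMin = "3.3";
        };
        children = {
          # Schemas shipped with the selected OpenLDAP package.
          "cn=schema".includes = [
            "${cfg.package}/etc/schema/core.ldif"
            "${cfg.package}/etc/schema/cosine.ldif"
            "${cfg.package}/etc/schema/inetorgperson.ldif"
          ];
          "olcDatabase={1}mdb".attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=${cfg.dc},dc=${cfg.tld}";
            olcRootDN = "cn=admin,dc=${cfg.dc},dc=${cfg.tld}";
            # `.path` makes slapd read the value from the file at start-up
            # instead of embedding the password in the generated config.
            olcRootPW.path = cfg.secrets.rootPass;
            olcAccess = [
              # Template for the real access rule, to be placed at {0}:
              # ''{0}to <changeme>
              #   by <changeme>''
              # Deny-all fallback. Only the rootDN, which bypasses olcAccess,
              # can operate on the directory until a real rule is added above.
              ''{0}to *
                by * none'' # Should be changed to {1}
            ];
          };
        };
      };
    };

    # Do not start slapd before the certificate files it reads exist.
    systemd.services.openldap = {
      after = [ "acme-finished-${cfg.tls.acmeHost}.target" ];
    };
    # Lets the openldap user read the ACME-managed key and certificate.
    users.groups.acme.members = [ "openldap" ];
    # Keep the mdb database across reboots of an otherwise ephemeral root.
    environment.persistence."/persist".directories = [
      "/var/lib/openldap"
    ];
  };
}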