| author | m4siri <git@m4siri.com> | 2025-11-23 10:36:43 +0545 |
|---|---|---|
| committer | m4siri <git@m4siri.com> | 2025-11-23 10:36:56 +0545 |
| commit | 3424cfd40c046c038df0335212e8000ebd473602 (patch) | |
| tree | fc800399450284e77be346311952968591a5534e /hosts/experimental-nixos/services/ldap.nix | |
repo init
Diffstat (limited to 'hosts/experimental-nixos/services/ldap.nix')
| -rw-r--r-- | hosts/experimental-nixos/services/ldap.nix | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
new file mode 100644
index 0000000..47e67d5
--- /dev/null
+++ b/hosts/experimental-nixos/services/ldap.nix
@@ -0,0 +1,57 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ secrets.ldap-root = {
+ file = ./secrets/ldap-root.age;
+ mode = "444";
+ };
+
+ secrets.ldap-search = {
+ file = ./secrets/ldap-search-pw.age;
+ mode = "444";
+ };
+ services.openldap = {
+ enable = true;
+ urlList = ["ldap:///"];
+ # mutableConfig = true;
+ settings = {
+ attrs = {
+ olcLogLevel = "conns config";
+ };
+
+ children = {
+ "cn=schema".includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/misc.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+ olcSuffix = "dc=m4siri,dc=com";
+ olcRootDN = "cn=admin,dc=m4siri,dc=com";
+ olcRootPW.path = config.secrets.ldap-root.path;
+ olcAccess = [
+ '' {0}to attrs=userPassword
+ by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read
+ by self write
+ by anonymous auth
+ by * none''
+ '' {1}to *
+ by * read''
+ ];
+ };
+ };
+ };
+
+ declarativeContents = {
+ "dc=m4siri,dc=com" = builtins.readFile ./secrets/ldap-content;
+ };
+ };
+}
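Review bot: The decrypted rootDN password behind `secrets.ldap-root` is made world-readable by `mode = "444";`, so any local account on the host can read the credential that `olcRootPW.path` consumes; only the account slapd runs as needs it, so `mode = "440";` plus the secrets module's owner/group option (agenix-style) pointed at the service user is the usual shape, and the same applies to `secrets.ldap-search`, which is declared here but not referenced anywhere else in this file. Separately, `builtins.readFile ./secrets/ldap-content` under `declarativeContents` is evaluated at build time, so whatever that file holds (presumably the initial directory entries, possibly including `userPassword` values for `cn=searchuser`) ends up in the world-readable Nix store even though the two `.age` secrets are encrypted at rest; that option is store-backed by design and should not carry credentials. In `olcAccess`, `by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read` on `userPassword` lets the search account read every password hash; if it only needs to locate entries and let users bind themselves, `auth` is sufficient there.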
