From 81b41087feb8088bac8f408a58fa986d885bdfc0 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 21 May 2023 12:17:06 +0100
Subject: [PATCH] feat: added ldaps
---
 applications/ldap.nix | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/applications/ldap.nix b/applications/ldap.nix
index b42d9e3..547c460 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -31,9 +31,14 @@ Gonna use a priper nixos module for this
 };
 domain = {
+ tld = mkOption {
+ type = types.str;
+ default = "ie";
+ };
 base = mkOption {
 type = types.str;
- default = "skynet.ie";
+ default = "skynet";
 };
 sub = mkOption {
@@ -82,18 +87,37 @@ Gonna use a priper nixos module for this
 # for ldap
 389
+ 636
 ];
+ # using https://nixos.wiki/wiki/OpenLDAP for base config
+ systemd.services.openldap = {
+ wants = [ "acme-${cfg.domain.base}.service" ];
+ after = [ "acme-${cfg.domain.base}.service" ];
+ };
+ users.groups.certs.members = [ "openldap" ];
 services.openldap = {
 enable = true;
- /* enable plain connections only */
- urlList = [ "ldap:///" ];
+ /* enable plain and secure connections */
+ urlList = [ "ldap:///" "ldaps:///" ];
 settings = {
 attrs = {
 olcLogLevel = "conns config";
+ /* settings for acme ssl */
+ olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
+ olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
+ olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
+ olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+ olcTLSCRLCheck = "none";
+ olcTLSVerifyClient = "never";
+ olcTLSProtocolMin = "3.1";
 };
 children = {
@@ -161,7 +185,7 @@ Gonna use a priper nixos module for this
 };
- services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}" = {
+ services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
 forceSSL = true;
 useACMEHost = "skynet";
 locations."/".proxyPass = "http://localhost:${cfg.frontend.port}";
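Review bot: The new `tld` option carries no `description`, so the generated option documentation cannot explain how it composes with `base`; adding `description = "Top-level domain appended to domain.base to form the full host name";` (the composition the nginx vhost in the last hunk performs — confirm that is the only intended use) would fix that. Narrowing the default of `base` from "skynet.ie" to "skynet" also changes every other interpolation of `cfg.domain.base` in this module, and only the nginx vhost is updated in this patch, so any other use that expected the full domain (none are visible in these hunks) would need `.${cfg.domain.tld}` appended. The enclosing `options` set starts and ends outside the hunk.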
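Review bot: The cipher string `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` keeps anonymous (aNULL) suites, which give a client no server authentication on the new `ldaps:///` listener, as well as RC4 and 3DES, and `olcTLSProtocolMin = "3.1"` still admits TLS 1.0. Assuming the openldap package is linked against OpenSSL (the string is written in OpenSSL syntax — confirm), `olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!RC4:!3DES";` together with `olcTLSProtocolMin = "3.3";` gives a TLS 1.2-minimum listener that only offers authenticated suites. Separately, `olcTLSCACertificateFile` points at `full.pem`, which in the NixOS acme module is the full chain bundled with the private key; `chain.pem` from the same directory is the issuer-chain input this attribute expects. The `users.groups.certs.members` line only grants slapd read access if the acme certificate named after `cfg.domain.base` is declared with group `certs` elsewhere, which this hunk does not show. The enclosing `config` body starts and ends outside the hunk.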