feat: added ldaps

applications/ldap.nix

@@ -31,9 +31,14 @@ Gonna use a priper nixos module for this
     };
 
     domain = {
+      tld = mkOption {
+        type = types.str;
+        default = "ie";
+      };
+
       base = mkOption {
         type = types.str;
-        default = "skynet.ie";
+        default = "skynet";
       };
 
       sub = mkOption {
@@ -82,18 +87,37 @@ Gonna use a priper nixos module for this
 
       # for ldap
       389
+      636
     ];
 
+    # using https://nixos.wiki/wiki/OpenLDAP for base config
+
+    systemd.services.openldap = {
+      wants = [ "acme-${cfg.domain.base}.service" ];
+      after = [ "acme-${cfg.domain.base}.service" ];
+    };
+
+    users.groups.certs.members = [ "openldap" ];
+
     services.openldap = {
       enable = true;
 
-      /* enable plain connections only */
+      /* enable plain and secure connections */
-      urlList = [ "ldap:///" ];
+      urlList = [ "ldap:///" "ldaps:///" ];
 
 
       settings = {
         attrs = {
           olcLogLevel = "conns config";
+
+          /* settings for acme ssl */
+          olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
+          olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
+          olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
+          olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+          olcTLSCRLCheck = "none";
+          olcTLSVerifyClient = "never";
+          olcTLSProtocolMin = "3.1";
         };
 
         children = {
@@ -161,7 +185,7 @@ Gonna use a priper nixos module for this
     };
 
 
-    services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}" = {
+    services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
       forceSSL = true;
       useACMEHost = "skynet";
       locations."/".proxyPass = "http://localhost:${cfg.frontend.port}";