ldap: now got secure mode

2023-05-21 22:45:20 +01:00 · 2023-05-21 22:45:20 +01:00 · de76e8eee6
commit de76e8eee6
parent a660a60346
1 changed files with 5 additions and 3 deletions
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@ -97,7 +97,7 @@ Gonna use a priper nixos module for this
      after = [ "acme-${cfg.domain.base}.service" ];
    };

-    users.groups.certs.members = [ "openldap" ];
+    users.groups.acme.members = [ "openldap" ];

    services.openldap = {
      enable = true;
@ -114,10 +114,12 @@ Gonna use a priper nixos module for this
          olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
          olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
          olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
-          olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+          # got teh ciphers from https://access.redhat.com/articles/1474813
+          # the ones provided on the nixos page didnt work
+          olcTLSCipherSuite = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL";
          olcTLSCRLCheck = "none";
          olcTLSVerifyClient = "never";
-          olcTLSProtocolMin = "3.1";
+          olcTLSProtocolMin = "3.3";
        };

        children = {