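# NixOS module for the Skynet LDAP self-service backend.
#
# Pulls in the backend service from the `skynet_ldap_backend` flake input,
# publishes it behind nginx (TLS via the shared "skynet" ACME certificate) and
# registers the DNS record for it.  The backend itself listens only on
# loopback; nginx is the single externally reachable endpoint.
{ config, pkgs, lib, inputs, ... }:
with lib;
let
  cfg = config.services.ldap_backend;

  # Loopback port the backend listens on.
  port_backend = "8087";

  # Single bind address shared by the nginx upstream and the backend's
  # `host_port`, so the two cannot drift apart.  The literal 127.0.0.1 is used
  # rather than "localhost": the backend binds an IPv4 socket, and "localhost"
  # may also resolve to ::1, which would give nginx a second, dead upstream.
  backend_addr = "127.0.0.1:${port_backend}";

  # Public name the API is served under (api.account.skynet.ie with the option
  # defaults); used for the certificate, the DNS record and the vhost alike.
  fqdn = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
  imports = [
    ../acme.nix
    ../dns.nix
    ../nginx.nix
    inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
  ];

  options.services.ldap_backend = {
    enable = mkEnableOption "Skynet LDAP backend server";

    host = {
      # NOTE(review): `host.ip` is declared but never read in this module;
      # presumably consumed by ../dns.nix or another importer — verify.
      ip = mkOption {
        type = types.str;
        description = "IP address of the host running the backend.";
      };
      name = mkOption {
        type = types.str;
        description = "Hostname the API's CNAME record points at.";
      };
    };

    domain = {
      tld = mkOption {
        type = types.str;
        default = "ie";
        description = "Top-level domain of the public API name.";
      };
      base = mkOption {
        type = types.str;
        default = "skynet";
        description = "Base domain of the public API name.";
      };
      sub = mkOption {
        type = types.str;
        default = "api.account";
        description = "Subdomain of the public API name (also the DNS record name).";
      };
    };
  };

  config = mkIf cfg.enable {
    #backups = [ "/etc/silver_ul_ical/database.db" ];

    # agenix-managed secret: the encrypted file lives in the repo and is
    # decrypted on the host at activation; only the decrypted path is handed
    # to the service below, so the credential never enters the Nix store.
    age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;

    skynet_acme.domains = [ fqdn ];

    skynet_dns.records = [
      { record = cfg.domain.sub; r_type = "CNAME"; value = cfg.host.name; }
    ];

    services.nginx.virtualHosts."${fqdn}" = {
      forceSSL = true;
      useACMEHost = "skynet";
      locations."/".proxyPass = "http://${backend_addr}";
      # Browser access is restricted to the account frontend origin only.
      extraConfig = ''
        add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
      '';
    };

    services.skynet_ldap_backend = {
      enable = true;
      # contains the password in env form
      envFile = config.age.secrets.ldap_self_service.path;
      ldap = {
        # NOTE(review): hard-coded rather than derived from cfg.domain —
        # presumably the directory is always reached at its canonical name
        # regardless of where this API is published; confirm before
        # parameterising.
        host = "ldaps://account.skynet.ie";
        admin = "uid=ldap_api,ou=users,dc=skynet,dc=ie";
      };
      # Role membership is pinned in configuration; presumably the backend
      # treats these lists as its authorisation source, so changes here are
      # access changes and should be reviewed as such.
      users = {
        admin = [ "silver" "evanc" "eoghanconlon73" ];
        committee = [ "grym" "dawidk5" "leo" "silver" "eoghanconlon73" ];
        lifetime = [];
        banned = [];
      };
      host_port = backend_addr;
    };
  };
}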