/* Gonna use a priper nixos module for this */ { config, pkgs, lib, ... }: with lib; let cfg = config.services.skynet_ldap; in { # these are needed for teh program in question imports = [ ./acme.nix ./dns.nix ./nginx.nix ]; options.services.skynet_ldap = { # options that need to be passed in to make this work enable = mkEnableOption "Skynet LDAP service"; host = { ip = mkOption { type = types.str; }; name = mkOption { type = types.str; }; }; domain = { tld = mkOption { type = types.str; default = "ie"; }; base = mkOption { type = types.str; default = "skynet"; }; sub = mkOption { type = types.str; default = "sso"; }; }; frontend.port = mkOption { type = types.port; default = 8888; }; base = mkOption { type = types.str; default = "dc=skynet,dc=ie"; }; }; config = mkIf cfg.enable { # this is athe actual configuration that we need to do # after changing teh password openldap.service has to be restarted age.secrets.ldap_pw = { file = ../secrets/ldap/pw.age; mode = "440"; owner = "openldap"; group = "openldap"; }; # openldap age.secrets.ldap_self_service = { file = ../secrets/ldap/self_service.age; # not ideal but non admins should never be on this system mode = "444"; }; skynet_dns.records.cname = [ "${cfg.domain.sub} CNAME ${cfg.host.name}" ]; # firewall on teh computer itself networking.firewall.allowedTCPPorts = [ 80 443 # for ldap 389 636 ]; # using https://nixos.wiki/wiki/OpenLDAP for base config systemd.services.openldap = { wants = [ "acme-${cfg.domain.base}.service" ]; after = [ "acme-${cfg.domain.base}.service" ]; }; users.groups.acme.members = [ "openldap" ]; services.openldap = { # backup /var/lib/openldap/slapd.d enable = true; /* enable plain and secure connections */ urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { olcLogLevel = "conns config"; /* settings for acme ssl */ olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem"; olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem"; # got teh ciphers from https://access.redhat.com/articles/1474813 # the ones provided on the nixos page didnt work olcTLSCipherSuite = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"; olcTLSCRLCheck = "none"; olcTLSVerifyClient = "never"; olcTLSProtocolMin = "3.3"; }; children = { "cn=schema".includes = [ "${pkgs.openldap}/etc/schema/core.ldif" "${pkgs.openldap}/etc/schema/cosine.ldif" "${pkgs.openldap}/etc/schema/inetorgperson.ldif" "${pkgs.openldap}/etc/schema/nis.ldif" ./ldap/openssh-lpk.ldif ./ldap/skMemberOf.ldif ]; "cn=modules".attrs = { objectClass = [ "olcModuleList" ]; cn = "modules"; olcModuleLoad = ["dynlist" "memberof" "pw-sha2"]; }; "olcDatabase={-1}frontend".attrs = { objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ]; olcPasswordHash = "{SSHA512}"; }; "olcDatabase={1}mdb" = { attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; olcDbDirectory = "/var/lib/openldap/data"; olcSuffix = cfg.base; /* your admin account, do not use writeText on a production system */ olcRootDN = "cn=admin,${cfg.base}"; olcRootPW.path = config.age.secrets.ldap_pw.path; #olcOverlay = "memberof"; olcAccess = [ /* custom access rules for userPassword attributes */ ''{0}to attrs=userPassword by self write by anonymous auth by * none'' ''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord by self write by * read'' /* allow read on anything else */ ''{2}to * by * read'' ]; }; # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ children = { "olcOverlay=dynlist".attrs = { objectClass = [ "olcOverlayConfig" "olcDynamicList" ]; olcOverlay = "dynlist"; olcDlAttrSet = "skPerson labeledURI skMemberOf"; }; }; }; }; }; }; services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { forceSSL = true; useACMEHost = "skynet"; locations."/".proxyPass = "http://localhost:${toString cfg.frontend.port}"; }; virtualisation.arion = { backend = "docker"; projects = { ldap_reset.settings.services.ldap_reset.service = { user = "root"; image = "docker.io/ltbproject/self-service-password:1.5.3"; # setting these here as they arent special # where the config files are stored volumes = [ "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php" ]; ports = [ "${toString cfg.frontend.port}:80/tcp" ]; }; }; }; }; }