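/* Skynet LDAP: a proper NixOS module wrapping openldap plus the
   ltb-project self-service-password container published through nginx. */
{ config, pkgs, lib, ... }:
with lib;
let
  cfg = config.services.skynet_ldap;
  base = "dc=skynet,dc=ie";
  # Host port the self-service-password container is published on.  nginx
  # proxies to this same port, so both places now agree by construction.
  # NOTE(review): cfg.port is declared below but is not consumed anywhere in
  # this module; this constant is what actually takes effect.
  selfServicePort = 8888;
in {
  # these are needed for the program in question
  imports = [
    ./acme.nix
    ./nginx.nix
  ];

  options.services.skynet_ldap = {
    # options that need to be passed in to make this work
    enable = mkEnableOption "Skynet LDAP service";

    host = {
      ip = mkOption { type = types.str; };
      name = mkOption { type = types.str; };
    };

    subdomain = mkOption {
      type = types.str;
      default = "sso";
    };

    # Currently unused: see selfServicePort above.
    port = mkOption {
      type = types.port;
      default = 8080;
    };
  };

  config = mkIf cfg.enable {
    # this is the actual configuration that we need to do
    # after changing the password openldap.service has to be restarted
    # (slapd reads olcRootPW from this file at startup; mode/owner let the
    # openldap user read it without the secret ever entering the nix store)
    age.secrets.ldap_pw = {
      file = ../secrets/ldap/pw.age;
      mode = "440";
      owner = "openldap";
      group = "openldap";
    };

    # config.inc.local.php for the self-service-password container, bind
    # mounted into it below
    age.secrets.ldap_self_service.file = ../secrets/ldap/self_service.age;

    skynet_dns.records.cname = [ "${cfg.subdomain} CNAME ${cfg.host.name}" ];

    # firewall on the computer itself
    networking.firewall.allowedTCPPorts = [
      80
      443
      # for ldap.  urlList below enables plain ldap:// only, so binds and
      # directory reads on this port are not encrypted on the wire; prefer
      # ldaps:/// (or limit who can reach 389) before exposing it widely.
      389
    ];

    services.openldap = {
      enable = true;
      /* enable plain connections only */
      urlList = [ "ldap:///" ];
      settings = {
        attrs = {
          olcLogLevel = "conns config";
        };
        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
            "${pkgs.openldap}/etc/schema/nis.ldif"
            ./ldap/openssh-lpk.ldif
            ./ldap/skMemberOf.ldif
          ];

          # memberof is loaded here but its overlay is left commented out
          # further down; group membership is served via the dynlist overlay
          # (skMemberOf) instead.
          "cn=modules".attrs = {
            objectClass = [ "olcModuleList" ];
            cn = "modules";
            olcModuleLoad = [ "dynlist" "memberof" ];
          };

          "olcDatabase={1}mdb" = {
            attrs = {
              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
              olcDatabase = "{1}mdb";
              olcDbDirectory = "/var/lib/openldap/data";
              olcSuffix = base;
              /* your admin account; the password comes from the agenix
                 file, do not use writeText on a production system */
              olcRootDN = "cn=admin,${base}";
              olcRootPW.path = config.age.secrets.ldap_pw.path;
              #olcOverlay = "memberof";
              olcAccess = [
                /* custom access rules for userPassword attributes */
                ''{0}to attrs=userPassword by self write by anonymous auth by * none''
                /* allow read on anything else -- note this includes
                   anonymous clients, so every other attribute in the
                   directory is world-readable over port 389; tighten to
                   "by users read" if that is not intended */
                ''{1}to * by * read''
              ];
            };
            # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
            children = {
              "olcOverlay=dynlist".attrs = {
                objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
                olcOverlay = "dynlist";
                olcDlAttrSet = "skPerson labeledURI skMemberOf";
              };
            };
          };
        };
      };
    };

    services.nginx.virtualHosts."${cfg.subdomain}.skynet.ie" = {
      forceSSL = true;
      useACMEHost = "skynet";
      locations."/".proxyPass = "http://localhost:${toString selfServicePort}";
    };

    virtualisation.arion = {
      backend = "docker";
      projects = {
        ldap_reset.settings.services.ldap_reset.service = {
          image = "docker.io/ltbproject/self-service-password:1.5.3";
          # (the SPIGOT_VER/EULA environment entries that used to live here
          # were copy-paste residue from a Minecraft service and are not
          # read by this image, so they have been dropped)
          # where the config files are stored
          volumes = [
            "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php"
          ];
          ports = [ "${toString selfServicePort}:80/tcp" ];
        };
      };
    };
  };
}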