nixos/applications/ldap.nix

/*
Gonna use a priper nixos module for this
*/

{ config, pkgs, lib, ... }:
  with lib;
  let
    cfg = config.services.skynet_ldap;
  in {

  # these are needed for teh program in question
  imports = [
    ./acme.nix
    ./nginx.nix
  ];


  options.services.skynet_ldap = {
    # options that need to be passed in to make this work

    enable = mkEnableOption "Skynet LDAP service";

    host = {
      ip = mkOption {
        type = types.str;
      };

      name = mkOption {
        type = types.str;
      };
    };

    domain = {
      tld = mkOption {
        type = types.str;
        default = "ie";
      };

      base = mkOption {
        type = types.str;
        default = "skynet";
      };

      sub = mkOption {
        type = types.str;
        default = "sso";
      };
    };

    frontend.port = mkOption {
      type = types.port;
      default = 8888;
    };

    base = mkOption {
      type = types.str;
      default = "dc=skynet,dc=ie";
    };
  };

  config = mkIf cfg.enable {
    # this is athe actual configuration that we need to do

    # after changing teh password openldap.service has to be restarted
    age.secrets.ldap_pw = {
      file = ../secrets/ldap/pw.age;
      mode = "440";
      owner = "openldap";
      group = "openldap";
    };

    # openldap
    age.secrets.ldap_self_service = {
      file = ../secrets/ldap/self_service.age;
      # not ideal but non admins should never be on this system
      mode = "444";
    };

    skynet_dns.records.cname = [
      "${cfg.domain.sub}  CNAME   ${cfg.host.name}"
    ];

    # firewall on teh computer itself
    networking.firewall.allowedTCPPorts = [
      80
      443

      # for ldap
      389
      636
    ];

    # using https://nixos.wiki/wiki/OpenLDAP for base config

    systemd.services.openldap = {
      wants = [ "acme-${cfg.domain.base}.service" ];
      after = [ "acme-${cfg.domain.base}.service" ];
    };

    users.groups.acme.members = [ "openldap" ];

    services.openldap = {
      enable = true;

      /* enable plain and secure connections */
      urlList = [ "ldap:///" "ldaps:///" ];


      settings = {
        attrs = {
          olcLogLevel = "conns config";

          /* settings for acme ssl */
          olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
          olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
          olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
          # got teh ciphers from https://access.redhat.com/articles/1474813
          # the ones provided on the nixos page didnt work
          olcTLSCipherSuite = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!EDH:!EXP:!SSLV2:!eNULL";
          olcTLSCRLCheck = "none";
          olcTLSVerifyClient = "never";
          olcTLSProtocolMin = "3.3";
        };

        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
            "${pkgs.openldap}/etc/schema/nis.ldif"
            ./ldap/openssh-lpk.ldif
            ./ldap/skMemberOf.ldif
          ];


          "cn=modules".attrs = {
            objectClass = [ "olcModuleList" ];
            cn =  "modules";
            olcModuleLoad = ["dynlist" "memberof"];
          };


          "olcDatabase={1}mdb" = {
            attrs = {
              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];

              olcDatabase = "{1}mdb";
              olcDbDirectory = "/var/lib/openldap/data";

              olcSuffix = cfg.base;

              /* your admin account, do not use writeText on a production system */
              olcRootDN = "cn=admin,${cfg.base}";
              olcRootPW.path = config.age.secrets.ldap_pw.path;

              #olcOverlay =  "memberof";

              olcAccess = [
                /* custom access rules for userPassword attributes */
                ''{0}to attrs=userPassword
                    by self write
                    by anonymous auth
                    by * none''

                /* allow read on anything else */
                ''{1}to *
                    by * read''
              ];


            };

            # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
            children = {
              "olcOverlay=dynlist".attrs = {
                objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
                olcOverlay =  "dynlist";
                olcDlAttrSet = "skPerson labeledURI skMemberOf";
              };
            };


          };

        };
      };
    };


    services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
      forceSSL = true;
      useACMEHost = "skynet";
      locations."/".proxyPass = "http://localhost:${toString cfg.frontend.port}";
    };

    virtualisation.arion = {
      backend = "docker";
      projects = {
        ldap_reset.settings.services.ldap_reset.service = {
          user = "root";
          image = "docker.io/ltbproject/self-service-password:1.5.3";
            # setting these here as they arent special


            # where the config files are stored
            volumes = [
              "${config.age.secrets.ldap_self_service.path}:/var/www/conf/config.inc.local.php"
            ];

            ports = [
              "${toString cfg.frontend.port}:80/tcp"
            ];
        };
      };
    };

  };
}