diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index 6472a0f0..3c84447c 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -9,6 +9,7 @@ let passwordManagerDomain = subdomain "pass"; codeForgeDomain = subdomain "code"; authDomain = subdomain "auth"; + ldapDomain = subdomain "ldap"; certs = config.security.acme.certs; @@ -44,6 +45,8 @@ in 80 # HTTP servers. 433 # HTTPS servers. + 389 # LDAP servers. + 636 # LDAPS servers. ]; }; @@ -95,9 +98,15 @@ in # DNS-related settings. This is nice for automating them putting DNS records # and other types of stuff. - security.acme.defaults = { - dnsProvider = "porkbun"; - credentialsFile = config.sops.secrets."plover/lego/env".path; + security.acme = { + defaults = { + dnsProvider = "porkbun"; + credentialsFile = config.sops.secrets."plover/lego/env".path; + }; + + certs = { + "${ldapDomain}".group = config.services.openldap.group; + }; }; services.openssh.hostKeys = [{ @@ -226,6 +235,62 @@ in ]; }; + # How to overkill your multi-purpose single-user-oriented server that is + # typically accessed from the web with a single step. + services.openldap = let + openldapPackage = config.services.openldap.package; + in { + enable = true; + + mutableConfig = true; + + urlList = [ "ldap:///" "ldaps:///" "ldapi://" ]; + + settings = { + attrs = { + olcLogLevel = [ "stats" ]; + olcTLSCACertificateFile = "${certs.${ldapDomain}.directory}/fullchain.pem"; + olcTLSCertificateFile = "${certs.${ldapDomain}.directory}/chain.pem"; + olcTLSCertificateKeyFile = "${certs.${ldapDomain}.directory}/key.pem"; + }; + + children = { + "olcDatabase={-1}frontend".attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{-1}frontend"; + olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ]; + }; + + "olcDatabase={0}config".attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{0}config"; + olcAccess = [ "{0}to * by * none break" ]; + }; + + "olcDatabase={1}mdb".attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/ldap"; + olcDbIndex = [ + "objectClass eq" + "cn pres,eq" + "uid pres,eq" + "sn pres,eq,subany" + ]; + olcSuffix = "dc=foodogsquared,dc=one"; + olcRootDN = "cn=Manager,dc=foodogsquared,dc=one"; + olcAccess = [ "{0}to * by * read break" ]; + }; + + "cn=schema".includes = [ + "${openldapPackage}/etc/schema/core.ldif" + "${openldapPackage}/etc/schema/cosine.ldif" + "${openldapPackage}/etc/schema/inetorgperson.ldif" + ]; + }; + }; + }; + # Hey, the hub for your application sign-in. services.keycloak = { enable = true;