hosts/plover: add LDAP server

Gabriel Arazas 2022-12-26 13:23:40 +08:00
parent 85545ad810
commit 7b5c25bf18


@ -9,6 +9,7 @@ let
passwordManagerDomain = subdomain "pass"; passwordManagerDomain = subdomain "pass";
codeForgeDomain = subdomain "code"; codeForgeDomain = subdomain "code";
authDomain = subdomain "auth"; authDomain = subdomain "auth";
ldapDomain = subdomain "ldap";
certs = config.security.acme.certs; certs = config.security.acme.certs;
@ -44,6 +45,8 @@ in
80 # HTTP servers. 80 # HTTP servers.
433 # HTTPS servers. 433 # HTTPS servers.
389 # LDAP servers.
636 # LDAPS servers.
]; ];
}; };
@ -95,9 +98,15 @@ in
# DNS-related settings. This is nice for automating them putting DNS records # DNS-related settings. This is nice for automating them putting DNS records
# and other types of stuff. # and other types of stuff.
security.acme.defaults = { security.acme = {
dnsProvider = "porkbun"; defaults = {
credentialsFile = config.sops.secrets."plover/lego/env".path; dnsProvider = "porkbun";
credentialsFile = config.sops.secrets."plover/lego/env".path;
};
certs = {
"${ldapDomain}".group = config.services.openldap.group;
};
}; };
services.openssh.hostKeys = [{ services.openssh.hostKeys = [{
@ -226,6 +235,62 @@ in
]; ];
}; };
# How to overkill your multi-purpose single-user-oriented server that is
# typically accessed from the web with a single step.
services.openldap = let
openldapPackage = config.services.openldap.package;
in {
enable = true;
mutableConfig = true;
urlList = [ "ldap:///" "ldaps:///" "ldapi://" ];
settings = {
attrs = {
olcLogLevel = [ "stats" ];
olcTLSCACertificateFile = "${certs.${ldapDomain}.directory}/fullchain.pem";
olcTLSCertificateFile = "${certs.${ldapDomain}.directory}/chain.pem";
olcTLSCertificateKeyFile = "${certs.${ldapDomain}.directory}/key.pem";
};
children = {
"olcDatabase={-1}frontend".attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
};
"olcDatabase={0}config".attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/ldap";
olcDbIndex = [
"objectClass eq"
"cn pres,eq"
"uid pres,eq"
"sn pres,eq,subany"
];
olcSuffix = "dc=foodogsquared,dc=one";
olcRootDN = "cn=Manager,dc=foodogsquared,dc=one";
olcAccess = [ "{0}to * by * read break" ];
};
"cn=schema".includes = [
"${openldapPackage}/etc/schema/core.ldif"
"${openldapPackage}/etc/schema/cosine.ldif"
"${openldapPackage}/etc/schema/inetorgperson.ldif"
];
};
};
};
# Hey, the hub for your application sign-in. # Hey, the hub for your application sign-in.
services.keycloak = { services.keycloak = {
enable = true; enable = true;
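Review bot: olcTLSCertificateFile in the new services.openldap block points at `chain.pem`, which in the security.acme output layout holds the issuer (intermediate) chain, not this host's certificate, so slapd would present the wrong leaf or fail to load the cert/key pair; it should read `olcTLSCertificateFile = "${certs.${ldapDomain}.directory}/cert.pem";` with fullchain.pem kept for olcTLSCACertificateFile (or use fullchain.pem for the certificate and chain.pem for the CA file). Separately, the mdb database's only ACL is `olcAccess = [ "{0}to * by * read break" ];`, which with ldap:// opened on 389 in the firewall hunk lets anonymous clients read every attribute, including userPassword hashes once accounts exist; placing `"{0}to attrs=userPassword by self write by anonymous auth by * none"` ahead of the catch-all, and considering olcSecurity to require TLS for simple binds, would close that. The `to * by * read break` rule should also be checked against what you want the default to be when no later rule matches, since this is the last entry in the list.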