hosts/plover: add LDAP server

2025-01-31 10:58:02 +00:00 · 2022-12-26 13:23:40 +08:00 · 2022-12-26 13:23:40 +08:00 · 7b5c25bf18
commit 7b5c25bf18
parent 85545ad810
1 changed files with 68 additions and 3 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -9,6 +9,7 @@ let
  passwordManagerDomain = subdomain "pass";
  codeForgeDomain = subdomain "code";
  authDomain = subdomain "auth";
+  ldapDomain = subdomain "ldap";

  certs = config.security.acme.certs;

@ -44,6 +45,8 @@ in
      80 # HTTP servers.
      433 # HTTPS servers.

+      389 # LDAP servers.
+      636 # LDAPS servers.
    ];
  };

@ -95,9 +98,15 @@ in

  # DNS-related settings. This is nice for automating them putting DNS records
  # and other types of stuff.
-  security.acme.defaults = {
-    dnsProvider = "porkbun";
-    credentialsFile = config.sops.secrets."plover/lego/env".path;
+  security.acme = {
+    defaults = {
+      dnsProvider = "porkbun";
+      credentialsFile = config.sops.secrets."plover/lego/env".path;
+    };
+
+    certs = {
+      "${ldapDomain}".group = config.services.openldap.group;
+    };
  };

  services.openssh.hostKeys = [{
@ -226,6 +235,62 @@ in
    ];
  };

+  # How to overkill your multi-purpose single-user-oriented server that is
+  # typically accessed from the web with a single step.
+  services.openldap = let
+    openldapPackage = config.services.openldap.package;
+  in {
+    enable = true;
+
+    mutableConfig = true;
+
+    urlList = [ "ldap:///" "ldaps:///" "ldapi://" ];
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" ];
+        olcTLSCACertificateFile = "${certs.${ldapDomain}.directory}/fullchain.pem";
+        olcTLSCertificateFile = "${certs.${ldapDomain}.directory}/chain.pem";
+        olcTLSCertificateKeyFile = "${certs.${ldapDomain}.directory}/key.pem";
+      };
+
+      children = {
+        "olcDatabase={-1}frontend".attrs = {
+          objectClass = "olcDatabaseConfig";
+          olcDatabase = "{-1}frontend";
+          olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
+        };
+
+        "olcDatabase={0}config".attrs = {
+          objectClass = "olcDatabaseConfig";
+          olcDatabase = "{0}config";
+          olcAccess = [ "{0}to * by * none break" ];
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+          olcDatabase = "{1}mdb";
+          olcDbDirectory = "/var/lib/openldap/ldap";
+          olcDbIndex = [
+            "objectClass eq"
+            "cn pres,eq"
+            "uid pres,eq"
+            "sn pres,eq,subany"
+          ];
+          olcSuffix = "dc=foodogsquared,dc=one";
+          olcRootDN = "cn=Manager,dc=foodogsquared,dc=one";
+          olcAccess = [ "{0}to * by * read break" ];
+        };
+
+        "cn=schema".includes = [
+          "${openldapPackage}/etc/schema/core.ldif"
+          "${openldapPackage}/etc/schema/cosine.ldif"
+          "${openldapPackage}/etc/schema/inetorgperson.ldif"
+        ];
+      };
+    };
+  };
+
  # Hey, the hub for your application sign-in.
  services.keycloak = {
    enable = true;