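# NixOS module: a self-hosted lldap instance (LDAP user directory) reachable
# only via loopback, fronted by an nginx TLS vhost, plus a one-shot
# provisioning job that runs after lldap has started.
{ lib, pkgs, config, ... }: {
  services = {
    lldap = {
      enable = true;

      # `settings` is serialized into lldap's config file.
      settings = {
        ldap_base_dn = "dc=tlater,dc=net";
        # Local PostgreSQL over its unix socket; no password in the URL.
        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
        # Both listeners stay on loopback; the web UI is only exposed through
        # the nginx vhost below.
        ldap_host = "127.0.0.1";
        http_host = "127.0.0.1";
        http_url = "https://lldap.${config.services.nginx.domain}";
        # Presumably re-applies the admin password from LLDAP_LDAP_USER_PASS_FILE
        # on each start; confirm against lldap's config template.
        force_ldap_user_pass_reset = "always";
        # No SMTP is configured here, so e-mail based password reset is off.
        smtp_options.enable_password_reset = false;
      };

      # Secrets are handed to the unit as *_FILE environment variables so the
      # values never end up in the config file in the nix store. They belong on
      # `services.lldap.environment` (passed to the systemd unit), not under
      # `settings`: anything under `settings` is written to the TOML config
      # file and is not exported to the process as environment variables.
      environment = {
        LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
        LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
      };
    };

    # TLS-terminating reverse proxy for the lldap web UI, using the shared
    # "tlater.net" ACME certificate.
    nginx.virtualHosts = {
      "lldap.${config.services.nginx.domain}" = {
        useACMEHost = "tlater.net";
        forceSSL = true;
        enableHSTS = true;
        # http_port is not set in `settings` above, so the module default is
        # what gets proxied to.
        locations."/".proxyPass = "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
      };
    };
  };

  # Ordering only: lldap starts after PostgreSQL but does not pull it in.
  # NOTE(review): without `requires`/`wants` on postgresql, a database that is
  # down is not started on lldap's behalf — confirm this is intended.
  systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];

  # One-shot provisioning job (script contents are in ./lldap-provisioning.nu,
  # not shown here). It is pulled in by, and only ever runs alongside, lldap.
  systemd.services.lldap-provisioning = {
    requisite = [ config.systemd.services.lldap.name ];
    wantedBy = [ config.systemd.services.lldap.name ];
    after = [ config.systemd.services.lldap.name ];
    path = [ pkgs.nushell pkgs.lldap-cli ];
    script = "exec nu ${./lldap-provisioning.nu}";
    environment = {
      # Same admin-password secret as the server; presumably consumed by
      # lldap-cli inside the script.
      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
      # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
    };
    serviceConfig.Type = "oneshot";
  };
}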