64 lines
1.7 KiB
Nix
64 lines
1.7 KiB
Nix
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
services = {
|
|
lldap = {
|
|
enable = true;
|
|
settings = {
|
|
ldap_base_dn = "dc=tlater,dc=net";
|
|
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
|
|
ldap_host = "127.0.0.1";
|
|
|
|
http_host = "127.0.0.1";
|
|
http_url = "https://lldap.${config.services.nginx.domain}";
|
|
|
|
force_ldap_user_pass_reset = "always";
|
|
|
|
smtp_options.enable_password_reset = false;
|
|
|
|
environment = {
|
|
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
|
|
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
|
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
|
|
};
|
|
};
|
|
};
|
|
|
|
nginx.virtualHosts = {
|
|
"lldap.${config.services.nginx.domain}" = {
|
|
useACMEHost = "tlater.net";
|
|
forceSSL = true;
|
|
enableHSTS = true;
|
|
|
|
locations."/".proxyPass =
|
|
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
|
|
|
|
systemd.services.lldap-provisioning = {
|
|
requisite = [ config.systemd.services.lldap.name ];
|
|
wantedBy = [ config.systemd.services.lldap.name ];
|
|
after = [ config.systemd.services.lldap.name ];
|
|
|
|
path = [
|
|
pkgs.nushell
|
|
pkgs.lldap-cli
|
|
];
|
|
|
|
script = "exec nu ${./lldap-provisioning.nu}";
|
|
|
|
environment = {
|
|
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
|
# LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
|
|
};
|
|
|
|
serviceConfig.Type = "oneshot";
|
|
};
|
|
}
|