openldap first wip
This commit is contained in:
parent
5dc9b6bef4
commit
76cc42659e
@ -62,6 +62,7 @@ cluttered, for example, I may create a module for systemd units.
|
|||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
|
# ./openldap.nix
|
||||||
<home-manager/nixos>
|
<home-manager/nixos>
|
||||||
<agenix/modules/age.nix>
|
<agenix/modules/age.nix>
|
||||||
"${nix-gaming}/modules/pipewireLowLatency.nix"
|
"${nix-gaming}/modules/pipewireLowLatency.nix"
|
||||||
|
|||||||
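--- a/openldap.nix
+++ b/openldap.nix
@@ -0,0 +1,83 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+let hostname = "servidos.lat";
+in {
+services.openldap = {
+enable = true;
+
+# enable plain and secure connections
+urlList = [ "ldap:///" "ldaps:///" ];
+
+settings = {
+attrs = {
+olcLogLevel = "conns config";
+
+# settings for acme ssl
+olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
+olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
+olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";
+olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+olcTLSCRLCheck = "none";
+olcTLSVerifyClient = "never";
+olcTLSProtocolMin = "3.1";
+};
+
+children = {
+"cn=schema".includes = [
+"${pkgs.openldap}/etc/schema/core.ldif"
+"${pkgs.openldap}/etc/schema/cosine.ldif"
+"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+];
+
+"olcDatabase={1}mdb".attrs = {
+objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+olcDatabase = "{1}mdb";
+olcDbDirectory = "/var/lib/openldap/data";
+
+olcSuffix = "dc=example,dc=com";
+
+# your admin account, do not use writeText on a production system
+olcRootDN = "cn=admin,dc=example,dc=com";
+olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+olcAccess = [
+# custom access rules for userPassword attributes
+''
+{0}to attrs=userPassword
+by self write
+by anonymous auth
+by * none''
+
+# allow read on anything else
+''
+{1}to *
+by * read''
+];
+};
+};
+};
+};
+
+# ensure openldap is launched after certificates are created
+systemd.services.openldap = {
+wants = [ "acme-${hostname}.service" ];
+after = [ "acme-${hostname}.service" ];
+};
+
+# make acme certificates accessible by openldap
+security.acme.defaults.group = "certs";
+users.groups.certs.members = [ "openldap" ];
+
+# trigger the actual certificate generation for your hostname
+security.acme.certs."${hostname}" = { extraDomainNames = [ ]; };
+
+# example using hetzner dns to run letsencrypt verification
+security.acme.defaults.dnsProvider = "hetzner";
+security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
+HETZNER_API_KEY=<your-hetzner-dns-api-key>
+'';
+}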
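Review bot: The root password at `olcRootPW.path = pkgs.writeText "olcRootPW" "pass";` is written in cleartext to the world-readable Nix store, and the Hetzner API key written with `pkgs.writeText "credentialsFile"` near the end of the file has the same problem; since configuration.nix already imports `<agenix/modules/age.nix>`, both should point at an agenix-managed file instead, e.g. `olcRootPW.path = config.age.secrets.<secret-name>.path;` (placeholder name) holding an `{SSHA}` hash rather than the plaintext. The TLS block also undermines itself: `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` re-enables RC4, 3DES and anonymous (aNULL) suites, which let a client complete a handshake with no server authentication at all, and `olcTLSProtocolMin = "3.1"` still admits TLS 1.0; `olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!3DES:!RC4";` and `olcTLSProtocolMin = "3.3";` would restrict ldaps to authenticated TLS 1.2+ suites. The second ACL, `{1}to * by * read`, grants anonymous read of the whole directory over both `ldap:///` and `ldaps:///`, so `by users read` or binding the plaintext listener to localhost is worth deciding before the `dc=example,dc=com` placeholder suffix is replaced by real data. None of this is live yet, since configuration.nix only imports the module as a comment, but the file header claiming it was generated by nixos-generate-config is misleading for a hand-written module and should be dropped.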