openldap first wip

2023-09-02 13:37:36 -06:00 · 2023-09-02 13:37:36 -06:00 · 76cc42659e
commit 76cc42659e
parent 5dc9b6bef4
2 changed files with 84 additions and 0 deletions
--- a/configuration.org
+++ b/configuration.org
@ -62,6 +62,7 @@ cluttered, for example, I may create a module for systemd units.
 imports = [
  ./hardware-configuration.nix
  ./nginx.nix
+  # ./openldap.nix
  <home-manager/nixos>
  <agenix/modules/age.nix>
  "${nix-gaming}/modules/pipewireLowLatency.nix"
--- a/openldap.nix
+++ b/openldap.nix
@ -0,0 +1,83 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+let hostname = "servidos.lat";
+in {
+  services.openldap = {
+    enable = true;
+
+    # enable plain and secure connections
+    urlList = [ "ldap:///" "ldaps:///" ];
+
+    settings = {
+      attrs = {
+        olcLogLevel = "conns config";
+
+        # settings for acme ssl
+        olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
+        olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
+        olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";
+        olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+        olcTLSCRLCheck = "none";
+        olcTLSVerifyClient = "never";
+        olcTLSProtocolMin = "3.1";
+      };
+
+      children = {
+        "cn=schema".includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        ];
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+          olcDbDirectory = "/var/lib/openldap/data";
+
+          olcSuffix = "dc=example,dc=com";
+
+          # your admin account, do not use writeText on a production system
+          olcRootDN = "cn=admin,dc=example,dc=com";
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcAccess = [
+            # custom access rules for userPassword attributes
+            ''
+              {0}to attrs=userPassword
+                              by self write
+                              by anonymous auth
+                              by * none''
+
+            # allow read on anything else
+            ''
+              {1}to *
+                              by * read''
+          ];
+        };
+      };
+    };
+  };
+
+  # ensure openldap is launched after certificates are created
+  systemd.services.openldap = {
+    wants = [ "acme-${hostname}.service" ];
+    after = [ "acme-${hostname}.service" ];
+  };
+
+  # make acme certificates accessible by openldap
+  security.acme.defaults.group = "certs";
+  users.groups.certs.members = [ "openldap" ];
+
+  # trigger the actual certificate generation for your hostname
+  security.acme.certs."${hostname}" = { extraDomainNames = [ ]; };
+
+  # example using hetzner dns to run letsencrypt verification
+  security.acme.defaults.dnsProvider = "hetzner";
+  security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
+    HETZNER_API_KEY=<your-hetzner-dns-api-key>
+  '';
+}