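# NOTE(review): the header below looks copied from a generated
# hardware-configuration.nix. The content of this file is ordinary service
# configuration (openldap + ACME) that is meant to be edited by hand.
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
  # Host name used both for the ACME certificate request and for the
  # certificate/key paths handed to slapd below.
  hostname = "servidos.lat";
in
{
  services.openldap = {
    enable = true;

    # Listen for plain LDAP and LDAP-over-TLS on all interfaces.
    # NOTE(review): nothing here forces TLS on the ldap:/// listener, so a
    # simple bind over ldap:// sends the password in cleartext. If plain LDAP
    # is not needed, drop "ldap:///"; otherwise consider olcSecurity (e.g.
    # "tls=1") so binds are only accepted over a protected connection.
    urlList = [ "ldap:///" "ldaps:///" ];

    settings = {
      attrs = {
        olcLogLevel = "conns config";

        # TLS material issued by ACME for ${hostname} (see security.acme below).
        # NOTE(review): in NixOS' ACME output full.pem bundles the chain AND the
        # private key; the CA/intermediate file is normally chain.pem — verify
        # which file is intended here.
        olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";

        # Cipher policy (OpenSSL cipher-string syntax, as before).
        # The previous value "HIGH:MEDIUM:+3DES:+RC4:+aNULL" re-enabled RC4
        # (broken stream cipher), 3DES (64-bit block, SWEET32) and aNULL
        # (anonymous key exchange: a man-in-the-middle needs no certificate at
        # all). Keep only authenticated, modern suites.
        olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5";

        # No client-certificate authentication is configured, so CRL checking
        # of client certificates does not apply; revisit both if that changes.
        olcTLSCRLCheck = "none";
        olcTLSVerifyClient = "never";

        # Minimum protocol version, encoded by OpenLDAP as SSL major.minor:
        # 3.1 = TLS 1.0, 3.3 = TLS 1.2. TLS 1.0/1.1 are deprecated, so require
        # TLS 1.2 or newer instead of the previous 3.1.
        olcTLSProtocolMin = "3.3";
      };

      children = {
        # Base schemas shipped with the openldap package.
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];

        "olcDatabase={1}mdb".attrs = {
          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/lib/openldap/data";
          olcSuffix = "dc=example,dc=com";

          # Directory administrator.
          # NOTE(review): pkgs.writeText places the password in the
          # world-readable Nix store, and the value "pass" is stored in clear.
          # For anything beyond a throwaway test, point olcRootPW.path at a
          # root-only file outside the store holding a hashed value (e.g. the
          # {SSHA} output of slappasswd).
          olcRootDN = "cn=admin,dc=example,dc=com";
          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";

          olcAccess = [
            # userPassword: the owner may change it, anonymous clients may only
            # use it to bind, nobody else may read it. This rule must stay
            # before the catch-all below.
            ''{0}to attrs=userPassword by self write by anonymous auth by * none''
            # Everything else is readable by anyone, including unauthenticated
            # clients.
            # NOTE(review): if anonymous browsing of the directory is not
            # required, prefer "by users read by * none".
            ''{1}to * by * read''
          ];
        };
      };
    };
  };

  # Start slapd only after the ACME certificate files exist.
  systemd.services.openldap = {
    wants = [ "acme-${hostname}.service" ];
    after = [ "acme-${hostname}.service" ];
  };

  # Let the openldap user read the ACME certificate and key via group "certs".
  security.acme.defaults.group = "certs";
  users.groups.certs.members = [ "openldap" ];

  # Request the certificate for ${hostname}.
  security.acme.certs."${hostname}" = {
    extraDomainNames = [ ];
  };

  # DNS-01 validation through Hetzner DNS.
  # NOTE(review): pkgs.writeText would put the real API key into the
  # world-readable Nix store; keep the credentials in a root-only file outside
  # the store and reference it by path instead.
  security.acme.defaults.dnsProvider = "hetzner";
  security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
    HETZNER_API_KEY=
  '';
}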