From 10a8bd53dcfbb0a57d20aa1670247b4721d78d27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madeleine=20Sydney=20=C5=9Alaga?=
Date: Thu, 3 Jul 2025 08:31:04 -0600
Subject: [PATCH] feat(lldap): Use LDAPS
---
modules/nixos/deertopia/lldap.nix | 19 +++++++++++++++-
modules/nixos/deertopia/lldap/cert.pem | 30 ++++++++++++++++++++++++++
2 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 modules/nixos/deertopia/lldap/cert.pem
diff --git a/modules/nixos/deertopia/lldap.nix b/modules/nixos/deertopia/lldap.nix
index e9848ea..befbef1 100644
--- a/modules/nixos/deertopia/lldap.nix
+++ b/modules/nixos/deertopia/lldap.nix
@@ -7,8 +7,16 @@ in { Deertopia's lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. ''; + baseDN = lib.mkOption { + type = lib.types.str; + default = "dc=deertopia,dc=net"; + }; }; + imports = [ + ./lldap/pam.nix + ]; + config = lib.mkIf cfg.enable { # HACK: Why doesn't the lldap module do this? Sops-nix fails to set the # secrets' owner as the user does not yet exist.
@@ -33,11 +41,13 @@ in { lldap-ldap-user-pass = e; lldap-jwt-secret = e; lldap-secret-env = {}; + lldap-ldaps-key = e; }; networking.firewall.allowedTCPPorts = [ config.services.lldap.settings.http_port config.services.lldap.settings.ldap_port + config.services.lldap.settings.ldaps_options.port ]; services.lldap = {
@@ -45,12 +55,19 @@ in { environment = { LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass"; LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret"; + LLDAP_LDAPS_OPTIONS__ENABLED = "true"; }; environmentFile = "/run/secrets/lldap-secret-env"; settings = { - ldap_base_dn = "dc=deertopia,dc=net"; + ldap_base_dn = cfg.baseDN; ldap_user_dn = "lain"; ldap_user_email = "lain@deertopia.net"; + ldaps_options = { + enabled = true; + port = 6360; + cert_file = ./lldap/cert.pem; + key_file = "/run/secrets/lldap-ldaps-key"; + }; }; }; 
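Review bot: The new `baseDN` option in the first hunk declares a `type` and a `default` but no `description`, while the sibling `enable` option just above it carries a multi-line description, so the generated option docs will have a gap for this one. Add `description = "Base DN of the LLDAP directory; wired into services.lldap.settings.ldap_base_dn.";` between `type` and `default`. The `imports = [ ./lldap/pam.nix ];` entry references a file that is not part of this patch, so whether it exists cannot be confirmed from here; the enclosing module attribute set starts before this hunk and continues past it.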
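Review bot: In the second hunk the firewall list gains `config.services.lldap.settings.ldaps_options.port` but still opens `config.services.lldap.settings.ldap_port`, so after this "Use LDAPS" change the plaintext LDAP listener remains reachable from the network alongside the TLS one. Whether any consumer (presumably the `./lldap/pam.nix` clients) still needs the plaintext port is not visible in the patch; if they are moving to LDAPS, delete the `config.services.lldap.settings.ldap_port` line from `networking.firewall.allowedTCPPorts`, and if it must stay, a one-line comment naming the client that depends on it would stop it being opened indefinitely. The `allowedTCPPorts` list is fully visible in the hunk, so this is a one-line removal.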
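Review bot: In the third hunk `LLDAP_LDAPS_OPTIONS__ENABLED = "true"` under `environment` and `ldaps_options.enabled = true` under `settings` set the same switch in two places, so a later edit to one can silently disagree with the other. Unless the environment variable is working around the NixOS module not emitting `ldaps_options` into its generated config (not something this patch shows), keep only the `settings` form and drop the `environment` line; if it is genuinely required, add `# settings.ldaps_options is not honoured by the module; enabled via env as well` above it so the next reader does not remove it. `cert_file = ./lldap/cert.pem` is a path literal, so the certificate is copied into the Nix store, which is appropriate for the public half only; the private half correctly stays under `/run/secrets`. The `services.lldap` attribute set begins before this hunk.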
diff --git a/modules/nixos/deertopia/lldap/cert.pem b/modules/nixos/deertopia/lldap/cert.pem
new file mode 100644
index 0000000..5d0af43
--- /dev/null
+++ b/modules/nixos/deertopia/lldap/cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLTCCAxWgAwIBAgIUPitaeHEseFIQJuuPR8ke+FV4SSswDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDAgFw0yNTA3MDMxNTUwNDVaGA8y
+MTI1MDYwOTE1NTA0NVowGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMNnAsx6lK2h0WIkyExlgXeOkY1bFx88
+4SyRU5Muu4fV2JsHf6ocQgeuP7e8Rg7uKawi842L92Ya3m1rcIPcD52b7jGwjlLy
+6r3voV/FIeRa5y2Zyb+S0KQjCqURz/DEqVspqpODmNFPUAkKYRk23P7+W430HoTY
+hZKfXMBkqbO7sPLSdxNnst3wShpFFMWLYZYuqZzS+MFGfuHcfpjWVTZz3o8q/KmS
+RLKkTeh46pUeiObi4SCMsxSv/2qZ/elEZfM07CWXWB9eSnA4W2ILNTUtd+k4/m/z
+EbXtoIMi4gdsKaaCFq6SaTNH8WeBmHCoPhsH7XhYvsI7QT3pGkhHa2RbdPjF6pqT
+vjX7vF3hptFLp3XX5TdsjeW3ycSV8ncVllDrP3/eKaQBJybxQ0Do1PJM7cPbFhTu
+2ClFCRfmthlX38PFH5EVp5sbVstGa0qgXvYptTQ46zRUTTCqmLBF1tjycehhUbe7
+xndpkaLoctXVxFqnejoYP55BftPszV0p0nVG16+6GFo+i8297bYPk3GYARIeDKE0
+x11BVgIfKRppK+npq3v3DUI6PyE9oxSVwoMJqPE2bVEtI4vp0cMaQMBv0UOj5zfE
+KRZitH/WecPoDXuOBhqxnn+kaFDC+N/sOSpqNoqEhYgc4E9yFk/qJ0CfV49bNuVr
+aF34EMlqZkD9AgMBAAGjbTBrMB0GA1UdDgQWBBQ6OnZCABlM1CTAHwyjvUf6YdAQ
+3TAfBgNVHSMEGDAWgBQ6OnZCABlM1CTAHwyjvUf6YdAQ3TAPBgNVHRMBAf8EBTAD
+AQH/MBgGA1UdEQQRMA+CDWRlZXJ0b3BpYS5uZXQwDQYJKoZIhvcNAQELBQADggIB
+ALyhXvzR70BgaYpQJrhdBjlXiGcvHESqxt/vTWfmwGqqsupFr4EDU82sArW89DGx
+ci7KQayQUWG/mjrfNQxa2cix+IK9ryW1wDomN4meOBz998Ixw+8T/lgipvv6hoyo
+RIkSOUCa+Tdoqn7ChtdUzIBih94QMbaRueqJxg5N2y7TnS6klxG/Vy+FPmZ9A3+F
+5iisO+h0tQMB1t3V0b7UKckO82mEbqfZYysa29CufeXOsvfSiEG/hr1L8NNtFDS+
+o4qP5GdJOXtyI1WB4wOi0x0Kj0KWzqf2ytdXFylcsxMt6Tb5pam8SwLpib2HfAD+
+C4yHtGA9hW8PIQYYRtZNo7E4zu1VUVlx3AlH1zsvwhEIAGjCacjbvshzN63rzUFl
+U/lsFDkbkAV5dV+TxstBzuYdX5FMahzIq0IFNsIVc9vhpvbadkq4NZhKhPfAX2Yf
+JLLYjBMyGp15KZqz5JaxLjtTpXyFLJ5YEgxirO56qxebGLWrDujPAbYcZ9qrrJE4
+ZWJBpakDZof5bggklijTXFXNNVRjdovBCfVMg1NoNrh8QGfi9fODArjhsri7Dx2S
+acOzPMKG8c8I5MJY9HX4SsWFqc/e1Q4odRBWZfJXIVVNTm5BpXnwfmrRqSfRUdDT
+9xmrrGlBO02WtElgHsf9dTHzTVkOAZtAouhdKXUDIo5t
+-----END CERTIFICATE-----
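Review bot: Decoding the DER in this PEM, the certificate appears to be self-signed (issuer and subject both CN=deertopia.net, with matching subject/authority key identifiers), to carry a critical basicConstraints extension with CA:TRUE, and to have a notAfter around 2125-06-09, roughly a century after its 2025-07-03 notBefore; the exact fields should be confirmed with an x509 dump before relying on this reading. Serving LDAPS with a certificate that is itself a CA means any client that pins or trusts it for deertopia.net also trusts anything signed with the matching private key, and a hundred-year validity removes the only forced rotation point for a key that lives on the same host. Consider re-issuing as a plain leaf certificate (CA:FALSE or no basicConstraints extension) with a validity measured in a few years, and since a PEM cannot carry a comment, add a short README next to it, or a comment at the `cert_file = ./lldap/cert.pem;` line in lldap.nix, recording how the pair was generated and when it is due for renewal.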