feat(lldap): Use LDAPS

modules/nixos/deertopia/lldap.nix

@@ -7,8 +7,16 @@ in {
       Deertopia's lldap, a lightweight authentication server that provides an
       opinionated, simplified LDAP interface for authentication.
     '';
+    baseDN = lib.mkOption {
+      type = lib.types.str;
+      default = "dc=deertopia,dc=net";
+    };
   };
 
+  imports = [
+    ./lldap/pam.nix
+  ];
+
   config = lib.mkIf cfg.enable {
     # HACK: Why doesn't the lldap module do this?  Sops-nix fails to set the
     # secrets' owner as the user does not yet exist.
@@ -33,11 +41,13 @@ in {
         lldap-ldap-user-pass = e;
         lldap-jwt-secret = e;
         lldap-secret-env = {};
+        lldap-ldaps-key = e;
       };
 
     networking.firewall.allowedTCPPorts = [
       config.services.lldap.settings.http_port
       config.services.lldap.settings.ldap_port
+      config.services.lldap.settings.ldaps_options.port
     ];
 
     services.lldap = {
@@ -45,12 +55,19 @@ in {
       environment = {
         LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
         LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
+        LLDAP_LDAPS_OPTIONS__ENABLED = "true";
       };
       environmentFile = "/run/secrets/lldap-secret-env";
       settings = {
-        ldap_base_dn = "dc=deertopia,dc=net";
+        ldap_base_dn = cfg.baseDN;
         ldap_user_dn = "lain";
         ldap_user_email = "lain@deertopia.net";
+        ldaps_options = {
+          enabled = true;
+          port = 6360;
+          cert_file = ./lldap/cert.pem;
+          key_file = "/run/secrets/lldap-ldaps-key";
+        };
       };
     };