feat(lldap): Use LDAPS

modules/nixos/deertopia/lldap.nix

@@ -7,7 +7,15 @@ in {
       Deertopia's lldap, a lightweight authentication server that provides an
       opinionated, simplified LDAP interface for authentication.
     '';
+    baseDN = lib.mkOption {
+      type = lib.types.str;
+      default = "dc=deertopia,dc=net";
     };
+  };
+
+  imports = [
+    ./lldap/pam.nix
+  ];
 
   config = lib.mkIf cfg.enable {
     # HACK: Why doesn't the lldap module do this?  Sops-nix fails to set the
@@ -33,11 +41,13 @@ in {
         lldap-ldap-user-pass = e;
         lldap-jwt-secret = e;
         lldap-secret-env = {};
+        lldap-ldaps-key = e;
       };
 
     networking.firewall.allowedTCPPorts = [
       config.services.lldap.settings.http_port
       config.services.lldap.settings.ldap_port
+      config.services.lldap.settings.ldaps_options.port
     ];
 
     services.lldap = {
@@ -45,12 +55,19 @@ in {
       environment = {
         LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
         LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
+        LLDAP_LDAPS_OPTIONS__ENABLED = "true";
       };
       environmentFile = "/run/secrets/lldap-secret-env";
       settings = {
-        ldap_base_dn = "dc=deertopia,dc=net";
+        ldap_base_dn = cfg.baseDN;
         ldap_user_dn = "lain";
         ldap_user_email = "lain@deertopia.net";
+        ldaps_options = {
+          enabled = true;
+          port = 6360;
+          cert_file = ./lldap/cert.pem;
+          key_file = "/run/secrets/lldap-ldaps-key";
+        };
       };
     };
 

modules/nixos/deertopia/lldap/cert.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLTCCAxWgAwIBAgIUPitaeHEseFIQJuuPR8ke+FV4SSswDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDAgFw0yNTA3MDMxNTUwNDVaGA8y
+MTI1MDYwOTE1NTA0NVowGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMNnAsx6lK2h0WIkyExlgXeOkY1bFx88
+4SyRU5Muu4fV2JsHf6ocQgeuP7e8Rg7uKawi842L92Ya3m1rcIPcD52b7jGwjlLy
+6r3voV/FIeRa5y2Zyb+S0KQjCqURz/DEqVspqpODmNFPUAkKYRk23P7+W430HoTY
+hZKfXMBkqbO7sPLSdxNnst3wShpFFMWLYZYuqZzS+MFGfuHcfpjWVTZz3o8q/KmS
+RLKkTeh46pUeiObi4SCMsxSv/2qZ/elEZfM07CWXWB9eSnA4W2ILNTUtd+k4/m/z
+EbXtoIMi4gdsKaaCFq6SaTNH8WeBmHCoPhsH7XhYvsI7QT3pGkhHa2RbdPjF6pqT
+vjX7vF3hptFLp3XX5TdsjeW3ycSV8ncVllDrP3/eKaQBJybxQ0Do1PJM7cPbFhTu
+2ClFCRfmthlX38PFH5EVp5sbVstGa0qgXvYptTQ46zRUTTCqmLBF1tjycehhUbe7
+xndpkaLoctXVxFqnejoYP55BftPszV0p0nVG16+6GFo+i8297bYPk3GYARIeDKE0
+x11BVgIfKRppK+npq3v3DUI6PyE9oxSVwoMJqPE2bVEtI4vp0cMaQMBv0UOj5zfE
+KRZitH/WecPoDXuOBhqxnn+kaFDC+N/sOSpqNoqEhYgc4E9yFk/qJ0CfV49bNuVr
+aF34EMlqZkD9AgMBAAGjbTBrMB0GA1UdDgQWBBQ6OnZCABlM1CTAHwyjvUf6YdAQ
+3TAfBgNVHSMEGDAWgBQ6OnZCABlM1CTAHwyjvUf6YdAQ3TAPBgNVHRMBAf8EBTAD
+AQH/MBgGA1UdEQQRMA+CDWRlZXJ0b3BpYS5uZXQwDQYJKoZIhvcNAQELBQADggIB
+ALyhXvzR70BgaYpQJrhdBjlXiGcvHESqxt/vTWfmwGqqsupFr4EDU82sArW89DGx
+ci7KQayQUWG/mjrfNQxa2cix+IK9ryW1wDomN4meOBz998Ixw+8T/lgipvv6hoyo
+RIkSOUCa+Tdoqn7ChtdUzIBih94QMbaRueqJxg5N2y7TnS6klxG/Vy+FPmZ9A3+F
+5iisO+h0tQMB1t3V0b7UKckO82mEbqfZYysa29CufeXOsvfSiEG/hr1L8NNtFDS+
+o4qP5GdJOXtyI1WB4wOi0x0Kj0KWzqf2ytdXFylcsxMt6Tb5pam8SwLpib2HfAD+
+C4yHtGA9hW8PIQYYRtZNo7E4zu1VUVlx3AlH1zsvwhEIAGjCacjbvshzN63rzUFl
+U/lsFDkbkAV5dV+TxstBzuYdX5FMahzIq0IFNsIVc9vhpvbadkq4NZhKhPfAX2Yf
+JLLYjBMyGp15KZqz5JaxLjtTpXyFLJ5YEgxirO56qxebGLWrDujPAbYcZ9qrrJE4
+ZWJBpakDZof5bggklijTXFXNNVRjdovBCfVMg1NoNrh8QGfi9fODArjhsri7Dx2S
+acOzPMKG8c8I5MJY9HX4SsWFqc/e1Q4odRBWZfJXIVVNTm5BpXnwfmrRqSfRUdDT
+9xmrrGlBO02WtElgHsf9dTHzTVkOAZtAouhdKXUDIo5t
+-----END CERTIFICATE-----