feat(lldap): Use LDAPS
@@ -7,8 +7,16 @@ in {
|
||||
Deertopia's lldap, a lightweight authentication server that provides an
|
||||
opinionated, simplified LDAP interface for authentication.
|
||||
'';
|
||||
baseDN = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "dc=deertopia,dc=net";
|
||||
};
|
||||
};
|
||||
|
||||
imports = [
|
||||
./lldap/pam.nix
|
||||
];
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# HACK: Why doesn't the lldap module do this? Sops-nix fails to set the
|
||||
# secrets' owner as the user does not yet exist.
|
||||
@@ -33,11 +41,13 @@ in {
|
||||
lldap-ldap-user-pass = e;
|
||||
lldap-jwt-secret = e;
|
||||
lldap-secret-env = {};
|
||||
lldap-ldaps-key = e;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
config.services.lldap.settings.http_port
|
||||
config.services.lldap.settings.ldap_port
|
||||
config.services.lldap.settings.ldaps_options.port
|
||||
];
|
||||
|
||||
services.lldap = {
|
||||
@@ -45,12 +55,19 @@ in {
|
||||
environment = {
|
||||
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
|
||||
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
|
||||
LLDAP_LDAPS_OPTIONS__ENABLED = "true";
|
||||
};
|
||||
environmentFile = "/run/secrets/lldap-secret-env";
|
||||
settings = {
|
||||
ldap_base_dn = "dc=deertopia,dc=net";
|
||||
ldap_base_dn = cfg.baseDN;
|
||||
ldap_user_dn = "lain";
|
||||
ldap_user_email = "lain@deertopia.net";
|
||||
ldaps_options = {
|
||||
enabled = true;
|
||||
port = 6360;
|
||||
cert_file = ./lldap/cert.pem;
|
||||
key_file = "/run/secrets/lldap-ldaps-key";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
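--- a/modules/nixos/deertopia/lldap/cert.pem
+++ b/modules/nixos/deertopia/lldap/cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLTCCAxWgAwIBAgIUPitaeHEseFIQJuuPR8ke+FV4SSswDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDAgFw0yNTA3MDMxNTUwNDVaGA8y
+MTI1MDYwOTE1NTA0NVowGDEWMBQGA1UEAwwNZGVlcnRvcGlhLm5ldDCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMNnAsx6lK2h0WIkyExlgXeOkY1bFx88
+4SyRU5Muu4fV2JsHf6ocQgeuP7e8Rg7uKawi842L92Ya3m1rcIPcD52b7jGwjlLy
+6r3voV/FIeRa5y2Zyb+S0KQjCqURz/DEqVspqpODmNFPUAkKYRk23P7+W430HoTY
+hZKfXMBkqbO7sPLSdxNnst3wShpFFMWLYZYuqZzS+MFGfuHcfpjWVTZz3o8q/KmS
+RLKkTeh46pUeiObi4SCMsxSv/2qZ/elEZfM07CWXWB9eSnA4W2ILNTUtd+k4/m/z
+EbXtoIMi4gdsKaaCFq6SaTNH8WeBmHCoPhsH7XhYvsI7QT3pGkhHa2RbdPjF6pqT
+vjX7vF3hptFLp3XX5TdsjeW3ycSV8ncVllDrP3/eKaQBJybxQ0Do1PJM7cPbFhTu
+2ClFCRfmthlX38PFH5EVp5sbVstGa0qgXvYptTQ46zRUTTCqmLBF1tjycehhUbe7
+xndpkaLoctXVxFqnejoYP55BftPszV0p0nVG16+6GFo+i8297bYPk3GYARIeDKE0
+x11BVgIfKRppK+npq3v3DUI6PyE9oxSVwoMJqPE2bVEtI4vp0cMaQMBv0UOj5zfE
+KRZitH/WecPoDXuOBhqxnn+kaFDC+N/sOSpqNoqEhYgc4E9yFk/qJ0CfV49bNuVr
+aF34EMlqZkD9AgMBAAGjbTBrMB0GA1UdDgQWBBQ6OnZCABlM1CTAHwyjvUf6YdAQ
+3TAfBgNVHSMEGDAWgBQ6OnZCABlM1CTAHwyjvUf6YdAQ3TAPBgNVHRMBAf8EBTAD
+AQH/MBgGA1UdEQQRMA+CDWRlZXJ0b3BpYS5uZXQwDQYJKoZIhvcNAQELBQADggIB
+ALyhXvzR70BgaYpQJrhdBjlXiGcvHESqxt/vTWfmwGqqsupFr4EDU82sArW89DGx
+ci7KQayQUWG/mjrfNQxa2cix+IK9ryW1wDomN4meOBz998Ixw+8T/lgipvv6hoyo
+RIkSOUCa+Tdoqn7ChtdUzIBih94QMbaRueqJxg5N2y7TnS6klxG/Vy+FPmZ9A3+F
+5iisO+h0tQMB1t3V0b7UKckO82mEbqfZYysa29CufeXOsvfSiEG/hr1L8NNtFDS+
+o4qP5GdJOXtyI1WB4wOi0x0Kj0KWzqf2ytdXFylcsxMt6Tb5pam8SwLpib2HfAD+
+C4yHtGA9hW8PIQYYRtZNo7E4zu1VUVlx3AlH1zsvwhEIAGjCacjbvshzN63rzUFl
+U/lsFDkbkAV5dV+TxstBzuYdX5FMahzIq0IFNsIVc9vhpvbadkq4NZhKhPfAX2Yf
+JLLYjBMyGp15KZqz5JaxLjtTpXyFLJ5YEgxirO56qxebGLWrDujPAbYcZ9qrrJE4
+ZWJBpakDZof5bggklijTXFXNNVRjdovBCfVMg1NoNrh8QGfi9fODArjhsri7Dx2S
+acOzPMKG8c8I5MJY9HX4SsWFqc/e1Q4odRBWZfJXIVVNTm5BpXnwfmrRqSfRUdDT
+9xmrrGlBO02WtElgHsf9dTHzTVkOAZtAouhdKXUDIo5t
+-----END CERTIFICATE-----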
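Review bot: The committed certificate is not a plain server leaf: its DER decodes to a self-signed certificate for CN/SAN deertopia.net carrying a critical basicConstraints extension with cA=TRUE and a validity window of 2025-07-03 to 2125-06-09, roughly one hundred years. Any client that pins or trust-anchors this file to validate the LDAPS endpoint will therefore also accept anything signed with the matching private key (held out of the repo as the sops secret `lldap-ldaps-key` in the module hunk above), and the century-long lifetime leaves no natural rotation point should that key ever need replacing. Committing the public certificate itself is fine; I would regenerate it as a non-CA leaf with a bounded lifetime, or issue it from a small internal CA so that consumers such as the PAM integration trust only the CA rather than the server key. Since the expiry and CA flag are invisible without decoding, a comment beside `cert_file = ./lldap/cert.pem;` in the module such as `# self-signed, CA-flagged, expires 2125-06-09; regenerate with <TOOL/SCRIPT placeholder>` would record the provenance for the next maintainer.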