feat(deertopia): LLDAP server

hosts/deertopia/configuration.nix

@@ -97,6 +97,7 @@
       nginx.enable = true;
       webdav.enable = true;
       bepasty.enable = true;
+      lldap.enable = true;
 
       # A simple default webpage.  This should probably live somewhere else.
       nginx.vhosts."www" = {
@@ -135,6 +136,7 @@
     neovim
     git
     sshfs
+    waypipe
     sydnix-cli.packages.x86_64-linux.default
   ];
 

modules/nixos/deertopia/bepasty.nix

@@ -33,6 +33,7 @@ in {
       servers."bin.deertopia.net" = {
         secretKeyFile = "/run/secrets/bepasty-secret-key";
         extraConfig = ''
+          # HACK: The fact that this is evaluated is UB.
           $(cat /run/secrets/bepasty-secret-config)
         '';
         bind = "127.0.0.1:${builtins.toString cfg.port}";

modules/nixos/deertopia/lldap.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.lldap;
+in {
+  options.sydnix.deertopia.lldap = {
+    enable = lib.mkEnableOption ''
+      Deertopia's lldap, a lightweight authentication server that provides an
+      opinionated, simplified LDAP interface for authentication.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    # HACK: Why doesn't the lldap module do this?  Sops-nix fails to set the
+    # secrets' owner as the user does not yet exist.
+    users.users.lldap = {
+      isSystemUser = true;
+      group = "lldap";
+    };
+    users.groups.lldap = {};
+
+    sydnix.sops.secrets =
+      let e = {
+            mode = "0600";
+            owner = "lldap";
+            group = "lldap";
+          };
+      in {
+        lldap-ldap-user-pass = e;
+        lldap-jwt-secret = e;
+        lldap-secret-env = {};
+      };
+
+    networking.firewall.allowedTCPPorts = [
+      config.services.lldap.settings.http_port
+      config.services.lldap.settings.ldap_port
+    ];
+
+    services.lldap = {
+      enable = true;
+      environment = {
+        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
+        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
+      };
+      environmentFile = "/run/secrets/lldap-secret-env";
+      settings = {
+        ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
+        ldap_user_dn = "lain";
+        ldap_user_email = "lain@deertopia.net";
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."identify".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          let port = builtins.toString config.services.lldap.settings.http_port;
+          in "http://localhost:${port}";
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."ldap".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          let port = builtins.toString config.services.lldap.settings.ldap_port;
+          in "http://localhost:${port}";
+      };
+    };
+  };
+}

secrets.yaml

@@ -2,6 +2,9 @@ nextcloud-admin: ENC[AES256_GCM,data:K1KogDUmyAEm9JMlZ2SmYgekgA==,iv:GOlNIrxDCTS
 bepasty-secret-key: ENC[AES256_GCM,data:N+5keSslQDj1v0t4yOZw+fcxoIPslsb2J1jI8jYX0+nR9exoUdjJJJPsVVjm83+ej6wguzMJgy1/eIufFmau8Q==,iv:Ye3HB2WsF+zrqK8aYDn3BsVKdhl9hNbL1HSZBCEYlSY=,tag:u4jD83/ExzS867QR9k7ObA==,type:str]
 slskd-credentials: ENC[AES256_GCM,data:n3KmG6igp7+BmnHafW0dXp7uKEV/JY54VR/IQf7pV1k/60zDuFIrR3Bp0YL9sBTfT10qJNCd9GJXvdg46bLBoHc6Rr/Y+vHjLIIQZEX3wDfa1C9JCXmAh2Igyx3GCCOvntjYhVy2A/2JxIcvpSPC1Hua74oCbYXZ0hI3aeyu00LTVlpNZUz1JrVj2xgMFMltRL7Xt8hfSBFmG3W8j3kXBJIDxSIOxeYt8K/itBnzBtBOuWw9DqXVHy9F8Pmq2muUhiXGkEr6GWUJhg==,iv:w8p4yygdJv31VcICWFzyJoN47j5ax6N6PdPNM2JVcr8=,tag:lcWtdoiGPBw1uMkyzA3RMw==,type:str]
 bepasty-secret-config: ENC[AES256_GCM,data:QPJBVW272ixtybIk3xmEa1R3qZ09WGpx4kyf2FFwjHLn1f1bNGzvcDfnFMzDiZjI0DvGPA26PzaKe7U0HX3ihX70IhohFqbr3XaGb7Gcr50RV1bkWV1G9ji+V5fFn/xdIkLmHaRISZFfDWdHBnzDaA==,iv:YQ+fcNvdXBTrc20TBBC4EIb4jwYV6AKJaTWJIcPa7A8=,tag:4P/L5FVmf7/bjINoArpMsg==,type:str]
+lldap-ldap-user-pass: ENC[AES256_GCM,data:aBpn+kOiMUT9pQ==,iv:VPNwzXjVc3pdhQprtkzbZWsXhG5zbMPA/NGnaQF+iCo=,tag:exV9IE+tFxcLoR4NEPsOzQ==,type:str]
+lldap-jwt-secret: ENC[AES256_GCM,data:VgI57HMh3iyapgVrdOgZM5HUMUdi+MHpl1yWA/FAPnk=,iv:6Q5Ta+pUs8km64Kpsqt+gJXkqmo+Juplid9CPyzGXDA=,tag:+ZvQGhM5feRIn//g/kkcwg==,type:str]
+lldap-secret-env: ENC[AES256_GCM,data:0d2GaIULE7tQLtpz6hHkopl1eUC3zLzjX+XgOK6tPuHXf4kPookdalPOJuO0CXFF,iv:7yx7hD+dTJSlVKgoT7Zhz0syBrgxFrcSGKdMWqO0ScY=,tag:+0W7NZXTYJFxKh/Ej7STLw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -26,8 +29,8 @@ sops:
             TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp
             ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-18T22:44:54Z"
-    mac: ENC[AES256_GCM,data:fDEXURw1rS57WOHVDr2aIc61/i8+pYsfk2okhBcTbOHIunN8A//naGI3YbEhAI/Z3W3RHajzP0uKrxgjW60vktrnVn25VTH70kp8jp/9LX1cs/Prar4RJZZmkaRSS2WqrZ059vIc4YSg1TA065C7NyaYthlvhagNGWV88cf5I1Q=,iv:8WJK7ROXfIrFAM+/0CI6RT21wIGQuEYlxEdYuHkh5vg=,tag:leZU2qBG4Og4EthUSP+FsQ==,type:str]
+    lastmodified: "2025-02-19T05:23:29Z"
+    mac: ENC[AES256_GCM,data:JQ3iHWwSYjxZMN/Ug/Wl7KQz95q3fIa8dyzhDHJHpmpGhcH8d/xW4Iee19oxGwamuDTxMzRC5om0Hoaz/Pibpj0zjHxkGIltr5z6O83zsvXjx7FndoLXzU2ZiQXMfutYiC6tvQFTmK7NZusLjBkDZ4Zg8xQIx/ReSU7HAQgnMYM=,iv:+Z7qqKjI4nq5SzuQQ06BMaFWWCgMP0lSzzd11Mvj90k=,tag:h8HmZI2ofRYdrxd+RQIkcQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4