feat(deertopia): LLDAP server

2025-02-18 23:00:50 -07:00
parent 68ba3064d9
commit a7d6bc0905
4 changed files with 80 additions and 2 deletions
--- a/modules/nixos/deertopia/bepasty.nix
+++ b/modules/nixos/deertopia/bepasty.nix
@@ -33,6 +33,7 @@ in {
      servers."bin.deertopia.net" = {
        secretKeyFile = "/run/secrets/bepasty-secret-key";
        extraConfig = ''
+          # HACK: The fact that this is evaluated is UB.
          $(cat /run/secrets/bepasty-secret-config)
        '';
        bind = "127.0.0.1:${builtins.toString cfg.port}";
--- a/modules/nixos/deertopia/lldap.nix
+++ b/modules/nixos/deertopia/lldap.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.lldap;
+in {
+  options.sydnix.deertopia.lldap = {
+    enable = lib.mkEnableOption ''
+      Deertopia's lldap, a lightweight authentication server that provides an
+      opinionated, simplified LDAP interface for authentication.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    # HACK: Why doesn't the lldap module do this?  Sops-nix fails to set the
+    # secrets' owner as the user does not yet exist.
+    users.users.lldap = {
+      isSystemUser = true;
+      group = "lldap";
+    };
+    users.groups.lldap = {};
+
+    sydnix.sops.secrets =
+      let e = {
+            mode = "0600";
+            owner = "lldap";
+            group = "lldap";
+          };
+      in {
+        lldap-ldap-user-pass = e;
+        lldap-jwt-secret = e;
+        lldap-secret-env = {};
+      };
+
+    networking.firewall.allowedTCPPorts = [
+      config.services.lldap.settings.http_port
+      config.services.lldap.settings.ldap_port
+    ];
+
+    services.lldap = {
+      enable = true;
+      environment = {
+        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
+        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
+      };
+      environmentFile = "/run/secrets/lldap-secret-env";
+      settings = {
+        ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
+        ldap_user_dn = "lain";
+        ldap_user_email = "lain@deertopia.net";
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."identify".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          let port = builtins.toString config.services.lldap.settings.http_port;
+          in "http://localhost:${port}";
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."ldap".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          let port = builtins.toString config.services.lldap.settings.ldap_port;
+          in "http://localhost:${port}";
+      };
+    };
+  };
+}