01d8e5986c
By 'foundational,' I mean that a demo is working correctly. Work will continue in a follow-up commit integrating existing services with LDAP and Authelia. ♥
68 lines
1.8 KiB
Nix
68 lines
1.8 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let cfg = config.sydnix.deertopia.lldap;
|
|
in {
|
|
options.sydnix.deertopia.lldap = {
|
|
enable = lib.mkEnableOption ''
|
|
Deertopia's lldap, a lightweight authentication server that provides an
|
|
opinionated, simplified LDAP interface for authentication.
|
|
'';
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# HACK: Why doesn't the lldap module do this? Sops-nix fails to set the
|
|
# secrets' owner as the user does not yet exist.
|
|
users.users.lldap = {
|
|
isSystemUser = true;
|
|
group = "lldap";
|
|
};
|
|
users.groups.lldap = {};
|
|
|
|
sydnix.sops.secrets =
|
|
let e = {
|
|
mode = "0440";
|
|
owner = "lldap";
|
|
group = "lldap";
|
|
};
|
|
in {
|
|
lldap-ldap-user-pass = e;
|
|
lldap-jwt-secret = e;
|
|
lldap-secret-env = {};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
config.services.lldap.settings.http_port
|
|
config.services.lldap.settings.ldap_port
|
|
];
|
|
|
|
services.lldap = {
|
|
enable = true;
|
|
environment = {
|
|
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
|
|
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
|
|
};
|
|
environmentFile = "/run/secrets/lldap-secret-env";
|
|
settings = {
|
|
ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
|
|
ldap_user_dn = "lain";
|
|
ldap_user_email = "lain@deertopia.net";
|
|
};
|
|
};
|
|
|
|
sydnix.deertopia.nginx.vhosts."identify".vhost = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass =
|
|
let port = builtins.toString config.services.lldap.settings.http_port;
|
|
in "http://localhost:${port}";
|
|
};
|
|
};
|
|
|
|
services.nginx.proxyCachePath."cache/" = {
|
|
enable = true;
|
|
keysZoneName = "auth_cache";
|
|
};
|
|
};
|
|
}
|