1
0
Fork 0
selfhostblocks/modules/blocks/ldap.nix

133 lines
3.3 KiB
Nix
Raw Normal View History

2023-07-17 09:01:45 +02:00
{ config, pkgs, lib, ... }:
let
cfg = config.shb.ldap;
fqdn = "${cfg.subdomain}.${cfg.domain}";
in
{
options.shb.ldap = {
enable = lib.mkEnableOption "selfhostblocks.home-assistant";
dcdomain = lib.mkOption {
type = lib.types.str;
description = "dc domain for ldap.";
example = "dc=mydomain,dc=com";
};
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain under which home-assistant will be served.";
example = "grafana";
};
domain = lib.mkOption {
type = lib.types.str;
description = "domain under which home-assistant will be served.";
example = "mydomain.com";
};
2023-10-17 22:41:33 +02:00
ldapPort = lib.mkOption {
2023-10-15 06:17:59 +02:00
type = lib.types.port;
description = "Port on which the server listens for the LDAP protocol.";
default = 3890;
};
httpPort = lib.mkOption {
type = lib.types.port;
description = "Port on which the web UI is exposed.";
default = 17170;
};
2023-07-17 09:01:45 +02:00
sopsFile = lib.mkOption {
type = lib.types.path;
description = "Sops file location";
example = "secrets/ldap.yaml";
};
2023-07-31 02:44:50 +02:00
localNetworkIPRange = lib.mkOption {
type = lib.types.nullOr lib.types.str;
2023-07-31 02:44:50 +02:00
description = "Local network range, to restrict access to the UI to only those IPs.";
example = "192.168.1.1/24";
default = null;
2023-07-31 02:44:50 +02:00
};
2023-07-17 09:01:45 +02:00
};
config = lib.mkIf cfg.enable {
sops.secrets."lldap/user_password" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
forceSSL = lib.mkIf config.shb.ssl.enable true;
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
2023-07-17 09:01:45 +02:00
locations."/" = {
extraConfig = ''
proxy_set_header Host $host;
'' + (if isNull cfg.localNetworkIPRange then "" else ''
2023-07-31 02:44:50 +02:00
allow ${cfg.localNetworkIPRange};
deny all;
'');
2023-07-17 09:01:45 +02:00
proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
};
};
};
users.users.lldap = {
name = "lldap";
group = "lldap";
isSystemUser = true;
};
users.groups.lldap = {
members = [ "backup" ];
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap/jwt_secret";
LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap/user_password";
2023-07-20 08:19:08 +02:00
# RUST_LOG = "debug";
2023-07-17 09:01:45 +02:00
};
settings = {
http_url = "https://${fqdn}";
http_host = "127.0.0.1";
2023-10-15 06:17:59 +02:00
http_port = cfg.httpPort;
2023-07-17 09:01:45 +02:00
ldap_host = "127.0.0.1";
2023-10-17 22:41:33 +02:00
ldap_port = cfg.ldapPort;
2023-07-17 09:01:45 +02:00
ldap_base_dn = cfg.dcdomain;
2023-07-20 08:19:08 +02:00
# verbose = true;
2023-07-17 09:01:45 +02:00
};
};
shb.backup.instances.lldap = {
sourceDirectories = [
"/var/lib/lldap"
];
};
};
}