1
0
Fork 0
selfhostblocks/modules/blocks/ldap.nix

179 lines
4.6 KiB
Nix
Raw Normal View History

2023-07-17 09:01:45 +02:00
{ config, pkgs, lib, ... }:
let
cfg = config.shb.ldap;
2024-01-12 08:22:46 +01:00
contracts = pkgs.callPackage ../contracts {};
2023-07-17 09:01:45 +02:00
fqdn = "${cfg.subdomain}.${cfg.domain}";
in
{
options.shb.ldap = {
2023-12-01 07:08:38 +01:00
enable = lib.mkEnableOption "the LDAP service";
2023-07-17 09:01:45 +02:00
dcdomain = lib.mkOption {
type = lib.types.str;
2023-12-01 07:08:38 +01:00
description = "dc domain to serve.";
2023-07-17 09:01:45 +02:00
example = "dc=mydomain,dc=com";
};
subdomain = lib.mkOption {
type = lib.types.str;
2023-12-01 07:08:38 +01:00
description = "Subdomain under which the LDAP service will be served.";
2023-07-17 09:01:45 +02:00
example = "grafana";
};
domain = lib.mkOption {
type = lib.types.str;
2023-12-01 07:08:38 +01:00
description = "Domain under which the LDAP service will be served.";
2023-07-17 09:01:45 +02:00
example = "mydomain.com";
};
2023-10-17 22:41:33 +02:00
ldapPort = lib.mkOption {
2023-10-15 06:17:59 +02:00
type = lib.types.port;
description = "Port on which the server listens for the LDAP protocol.";
default = 3890;
};
2024-01-12 08:22:46 +01:00
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
};
2023-12-01 07:08:38 +01:00
webUIListenPort = lib.mkOption {
2023-10-15 06:17:59 +02:00
type = lib.types.port;
description = "Port on which the web UI is exposed.";
default = 17170;
};
ldapUserPassword = contracts.secret.mkOption {
description = "LDAP admin user secret.";
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
2023-12-01 07:08:38 +01:00
};
jwtSecret = contracts.secret.mkOption {
description = "JWT secret.";
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
2023-12-01 07:08:38 +01:00
restrictAccessIPRange = lib.mkOption {
type = lib.types.nullOr lib.types.str;
2023-12-01 07:08:38 +01:00
description = "Set a local network range to restrict access to the UI to only those IPs.";
2023-07-31 02:44:50 +02:00
example = "192.168.1.1/24";
default = null;
2023-07-31 02:44:50 +02:00
};
2023-12-01 07:08:38 +01:00
debug = lib.mkOption {
description = "Enable debug logging.";
type = lib.types.bool;
default = false;
};
2024-08-12 01:25:06 +02:00
mount = lib.mkOption {
type = contracts.mount;
description = ''
Mount configuration. This is an output option.
Use it to initialize a block implementing the "mount" contract.
For example, with a zfs dataset:
```
shb.zfs.datasets."ldap" = {
poolName = "root";
} // config.shb.ldap.mount;
```
'';
readOnly = true;
default = { path = "/var/lib/lldap"; };
};
backup = lib.mkOption {
type = contracts.backup;
description = ''
Backup configuration. This is an output option.
Use it to initialize a block implementing the "backup" contract.
For example, with the restic block:
```
shb.restic.instances."lldap" = {
enable = true;
# Options specific to Restic.
} // config.shb.lldap.backup;
```
'';
readOnly = true;
default = {
2024-10-24 21:21:01 +02:00
# TODO: is there a workaround that avoid needing to use root?
# root because otherwise we cannot access the private StateDiretory
user = "root";
# /private because the systemd service uses DynamicUser=true
sourceDirectories = [
2024-10-24 21:21:01 +02:00
"/var/lib/private/lldap"
];
};
};
2023-07-17 09:01:45 +02:00
};
config = lib.mkIf cfg.enable {
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
2024-01-12 08:22:46 +01:00
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
2023-07-17 09:01:45 +02:00
locations."/" = {
extraConfig = ''
proxy_set_header Host $host;
2023-12-01 07:08:38 +01:00
'' + (if isNull cfg.restrictAccessIPRange then "" else ''
allow ${cfg.restrictAccessIPRange};
2023-07-31 02:44:50 +02:00
deny all;
'');
2023-07-17 09:01:45 +02:00
proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
};
};
};
users.users.lldap = {
name = "lldap";
group = "lldap";
isSystemUser = true;
};
users.groups.lldap = {};
2023-07-17 09:01:45 +02:00
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = toString cfg.jwtSecret.result.path;
LLDAP_LDAP_USER_PASS_FILE = toString cfg.ldapUserPassword.result.path;
2023-07-20 08:19:08 +02:00
2023-12-01 07:08:38 +01:00
RUST_LOG = lib.mkIf cfg.debug "debug";
2023-07-17 09:01:45 +02:00
};
settings = {
http_url = "https://${fqdn}";
http_host = "127.0.0.1";
2023-12-01 07:08:38 +01:00
http_port = cfg.webUIListenPort;
2023-07-17 09:01:45 +02:00
ldap_host = "127.0.0.1";
2023-10-17 22:41:33 +02:00
ldap_port = cfg.ldapPort;
2023-07-17 09:01:45 +02:00
ldap_base_dn = cfg.dcdomain;
2023-07-20 08:19:08 +02:00
2023-12-01 07:08:38 +01:00
verbose = cfg.debug;
2023-07-17 09:01:45 +02:00
};
};
};
}