From fdc00ec4aae789e5e0f8a208400dd17a153d63ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Fri, 8 Dec 2023 21:53:29 +0100
Subject: [PATCH] feat(services): add lldap

---
 hosts/home-server.nix | 2 ++
 secrets/lldap/jwt.age | 13 +++++++++++++
 secrets/lldap/key-seed.age | 12 ++++++++++++
 secrets/lldap/password.age | 11 +++++++++++
 secrets/secrets.nix | 3 +++
 services/lldap.nix | 40 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 81 insertions(+)
 create mode 100644 secrets/lldap/jwt.age
 create mode 100644 secrets/lldap/key-seed.age
 create mode 100644 secrets/lldap/password.age
 create mode 100644 services/lldap.nix

diff --git a/hosts/home-server.nix b/hosts/home-server.nix
index 8a42959..2e53b11 100644
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@@ -18,6 +18,7 @@ in {
 ../modules/inadyn.nix
 ../modules/systemdNotify.nix
 ../services/mail.nix
+ ../services/lldap.nix
 ../services/restic/home-server.nix
 ../services/samba/home-server.nix
 # ../services/kodi.nix
@@ -70,6 +71,7 @@ in {
 services.inadyn.domains = [
 "felschr.com"
 "openpgpkey.felschr.com"
+ "ldap.felschr.com"
 "home.felschr.com"
 "esphome.felschr.com"
 "matrix.felschr.com"
diff --git a/secrets/lldap/jwt.age b/secrets/lldap/jwt.age
new file mode 100644
index 0000000..b11f8be
--- /dev/null
+++ b/secrets/lldap/jwt.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBBTmhu
+ZWI1aDlUZWhTMjNNS2YzZWkxcit0dzRUK3NCL3ppM0d3QkRwNWtFCkJHeE5HQi9R
+SGU3cll5UUFBK0dkRjBhMWszYXR1U2RCbnUxZEJkdm9td0EKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IHdJNTVabm5XQlhTcUNYMWdXdnJ5M2FwcnZ6OTZncUI5ZkNxWW9x
+Nk1QVnMKL1QxdlgrV2pkakgyZ1c3MURuZk91UjVBMm1nQ1JsaDYrdjZTOTg3SGRG
+bwotPiBXanFbSi1ncmVhc2UgJXlJKCpjJy8gcSQzd3k8aDAgJGZ1JApEOEFGUnNi
+Wm94WVVyREJRc1ovZnY4ZDdzY2pVc0RiNHcrRmdHYnVoYXM5NlRSc0g4Wk9NZ1hG
+R1dvc0R2TTc5Ck5SSEh5QnlJNFowRlpzTDRheElydEJpK3pJcXAxR3dubEQrb2VS
+K2NCVjcrenVPc0xjSnVOTDgKLS0tIGNKbmRYc2hZcGFXTDdQZnVRLy9VdlEvOHBH
+3AB6qNHvIxpZZ8Op0KzHHjMjYciW12Nit/gpsfTpZ4GS+f/GHd06kcNgA+
+FziInFPQSUbAZwFzunv/PjHF0H9oeCQojw/dOPV2htzoKrZNtCpvSu8KQg==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/lldap/key-seed.age b/secrets/lldap/key-seed.age
new file mode 100644
index 0000000..8cea71b
--- /dev/null
+++ b/secrets/lldap/key-seed.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSArVGhX
+OTU0VFZTYkFOdWlyVVRCekNIbzEydmN2RWJQQURUclEwZUgvN2tFCkFtdXBoK3dD
+d2FlZk1lbFRMYWtqUitMOTFBU0xhOCsyMGNVd1docUlhZXcKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IERIZDA3a1FMLzZ0K2I4WExkWXl4MXFwRW9rTHR2UDJZNTIyeGpi
+SkQrVkkKSjRna3BxK1Y1YVh1VUVWRjZicUo3YzgzTTlkSkVWdG1RWmkzU2FIRnBn
+cwotPiA5XS1ncmVhc2UgJiAoIGlCeSAoCkhIZGpQZGZ4S2lQSktPSGxDNXp2MHR1
+VW9SdlJQdnpoCi0tLSA5RzZtUGJJQ2kxWit3Mlh1K1poVlMyNVY1a0hqVUloaUY4
+MXZkNzRCdUVrCtpYEIg/0kdB3Wi+EE6flaFdJKA+h37lDDch4IblSN/yia1xFodW
+h+DAl97K1Dr7UqhHGwQg/jGmNrS7u5NVHruajklAr1SmFaPXTyEzuOf6C//r65c+
+CJKcsjVO5fK6Rvk=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/lldap/password.age b/secrets/lldap/password.age
new file mode 100644
index 0000000..de29669
--- /dev/null
+++ b/secrets/lldap/password.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSB6R1M1
+aTdhc3FqZ0hMUHNaeEpINlg0SmhOMjhvVW5TdnN6OHFwc0NLblNnClk3SW1ObVc1
+TnI0K1VCUTVUNGVFeHRiLzM0TjF4WHhoY3NJTXhqUFhFblUKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IFluSVBoOTUycnNtVi9YRVBnUG1BZUc0amhqNVZWQUdFMXg5cUI0
+cUdweFkKTGJuOGFpQkdTZDBIMHZsZzlVN1pDQWxXWUFaSGtGYnZaYVJ2UWJ6YXcw
+RQotPiB4LyxJLWdyZWFzZSBSOmEKWnV5VzNVSThMNGphNlFpRytmV3FzbzB5Ynh4
+VkxMMlRZREdVekxnCi0tLSBwQWw4OEpoNzdsSU5JNStJVCtBSWlwVDhPSTcydXJm
+c08vTitBZ21yc0owCgKj/75iP60JaABafpvJGBOMzULTfUFJX6zupVWYwJWOhjJf
+B4UpuJHjwZaoEqtVbmD1sW0SmB7UCtkiCUnsMRDkPiCppYxBW/s=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2ff8196..39ec069 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -30,6 +30,9 @@ in {
 # home-server
 "home-server/hostKey.age".publicKeys = [ felschr home-server ];
+ "lldap/key-seed.age".publicKeys = [ felschr home-server ];
+ "lldap/jwt.age".publicKeys = [ felschr home-server ];
+ "lldap/password.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
 "focalboard/.env.age".publicKeys = [ felschr home-server ];
diff --git a/services/lldap.nix b/services/lldap.nix
new file mode 100644
index 0000000..a164370
--- /dev/null
+++ b/services/lldap.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+
+let
+ domain = "ldap.felschr.com";
+ cfg = config.services.lldap;
+ port = cfg.settings.http_port;
+in {
+ age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
+ age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
+ age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+
+ services.lldap = {
+ enable = true;
+ settings = {
+ http_url = "https://${domain}";
+ ldap_base_dn = "dc=felschr,dc=com";
+ };
+ environment = {
+ LLDAP_KEY_SEED = "%d/key-seed";
+ LLDAP_JWT_SECRET_FILE = "%d/jwt";
+ LLDAP_LDAP_USER_PASS_FILE = "%d/password";
+ };
+ };
+
+ systemd.services.lldap = {
+ serviceConfig.LoadCredential = [
+ "key-seed:${config.age.secrets.lldap-key-seed.path}"
+ "jwt:${config.age.secrets.lldap-jwt.path}"
+ "password:${config.age.secrets.lldap-password.path}"
+ ];
+ };
+
+ services.nginx = {
+ virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://[::1]:${toString port}";
+ };
+ };
+}
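Review bot: `LLDAP_KEY_SEED = "%d/key-seed";` (hunk line 19) is the only one of the three secrets handed to lldap through a non-`_FILE` variable, while `LLDAP_JWT_SECRET_FILE` and `LLDAP_LDAP_USER_PASS_FILE` on the next two lines correctly point at files; since systemd expands `%d` to the credentials directory, lldap appears to receive the literal path `/run/credentials/lldap.service/key-seed` as the seed string itself, and the `key-seed` credential loaded on line 27 is never read. If that reading is right, the server's private key is derived from a predictable, publicly known string rather than from the encrypted secret in `secrets/lldap/key-seed.age`, and rotating that secret would change nothing. The entry should use the file variant consistent with the other two, `LLDAP_KEY_SEED_FILE = "%d/key-seed";`, after confirming in the lldap configuration reference that the deployed version honours that variable. It is worth verifying after the change that the key actually changes when the secret is regenerated, so a silent fallback to the path string cannot recur unnoticed.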