feat(services): add lldap

This commit is contained in:
Felix Schröter 2023-12-08 21:53:29 +01:00
parent 2978197378
commit fdc00ec4aa
Signed by: felschr
GPG key ID: 671E39E6744C807D
6 changed files with 81 additions and 0 deletions


@ -18,6 +18,7 @@ in {
../modules/inadyn.nix ../modules/inadyn.nix
../modules/systemdNotify.nix ../modules/systemdNotify.nix
../services/mail.nix ../services/mail.nix
../services/lldap.nix
../services/restic/home-server.nix ../services/restic/home-server.nix
../services/samba/home-server.nix ../services/samba/home-server.nix
# ../services/kodi.nix # ../services/kodi.nix
@ -70,6 +71,7 @@ in {
services.inadyn.domains = [ services.inadyn.domains = [
"felschr.com" "felschr.com"
"openpgpkey.felschr.com" "openpgpkey.felschr.com"
"ldap.felschr.com"
"home.felschr.com" "home.felschr.com"
"esphome.felschr.com" "esphome.felschr.com"
"matrix.felschr.com" "matrix.felschr.com"

secrets/lldap/jwt.age Normal file

@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -30,6 +30,9 @@ in {
# home-server # home-server
"home-server/hostKey.age".publicKeys = [ felschr home-server ]; "home-server/hostKey.age".publicKeys = [ felschr home-server ];
"lldap/key-seed.age".publicKeys = [ felschr home-server ];
"lldap/jwt.age".publicKeys = [ felschr home-server ];
"lldap/password.age".publicKeys = [ felschr home-server ];
"hass/secrets.age".publicKeys = [ felschr home-server ]; "hass/secrets.age".publicKeys = [ felschr home-server ];
"esphome/password.age".publicKeys = [ felschr home-server ]; "esphome/password.age".publicKeys = [ felschr home-server ];
"focalboard/.env.age".publicKeys = [ felschr home-server ]; "focalboard/.env.age".publicKeys = [ felschr home-server ];

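--- a/services/lldap.nix
+++ b/services/lldap.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+let
+domain = "ldap.felschr.com";
+cfg = config.services.lldap;
+port = cfg.settings.http_port;
+in {
+age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
+age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
+age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+services.lldap = {
+enable = true;
+settings = {
+http_url = "https://${domain}";
+ldap_base_dn = "dc=felschr,dc=com";
+};
+environment = {
+LLDAP_KEY_SEED = "%d/key-seed";
+LLDAP_JWT_SECRET_FILE = "%d/jwt";
+LLDAP_LDAP_USER_PASS_FILE = "%d/password";
+};
+};
+systemd.services.lldap = {
+serviceConfig.LoadCredential = [
+"key-seed:${config.age.secrets.lldap-key-seed.path}"
+"jwt:${config.age.secrets.lldap-jwt.path}"
+"password:${config.age.secrets.lldap-password.path}"
+];
+};
+services.nginx = {
+virtualHosts.${domain} = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://[::1]:${toString port}";
+};
+};
+}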
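Review bot: `LLDAP_KEY_SEED = "%d/key-seed"` passes lldap the credential path as the seed rather than the file's contents — unlike the two `_FILE` variables below it, `LLDAP_KEY_SEED` is taken literally, so the server private key is derived from the fixed, predictable string `/run/credentials/lldap.service/key-seed` and the age-encrypted seed loaded via `LoadCredential` is never actually read. Upstream provides `LLDAP_KEY_SEED_FILE` for exactly this (present in lldap 0.5-era releases, as I recall; verify against the packaged version), so the line should be `LLDAP_KEY_SEED_FILE = "%d/key-seed";`. Changing the seed changes the server key, so if this host has already run with the path-derived key, existing users' password entries will need to be re-set afterwards. Two smaller points: the NixOS module defaults `http_host`/`ldap_host` to all interfaces as far as I know, so the plain-HTTP UI and cleartext LDAP on 3890 stay reachable on the LAN around the TLS-only nginx vhost — `settings.http_host = "::1";` would match the `proxyPass` target — and since `ldap.felschr.com` is published through inadyn in this same commit, the admin login page is internet-facing unless the vhost restricts it (nginx `allow`/`deny` to local ranges, or serving it only over the VPN).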