feat(services): add lldap
parent
2978197378
commit
fdc00ec4aa
|
@ -18,6 +18,7 @@ in {
|
|||
../modules/inadyn.nix
|
||||
../modules/systemdNotify.nix
|
||||
../services/mail.nix
|
||||
../services/lldap.nix
|
||||
../services/restic/home-server.nix
|
||||
../services/samba/home-server.nix
|
||||
# ../services/kodi.nix
|
||||
|
@ -70,6 +71,7 @@ in {
|
|||
services.inadyn.domains = [
|
||||
"felschr.com"
|
||||
"openpgpkey.felschr.com"
|
||||
"ldap.felschr.com"
|
||||
"home.felschr.com"
|
||||
"esphome.felschr.com"
|
||||
"matrix.felschr.com"
|
||||
|
|
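--- a/secrets/lldap/jwt.age
+++ b/secrets/lldap/jwt.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBBTmhu
+ZWI1aDlUZWhTMjNNS2YzZWkxcit0dzRUK3NCL3ppM0d3QkRwNWtFCkJHeE5HQi9R
+SGU3cll5UUFBK0dkRjBhMWszYXR1U2RCbnUxZEJkdm9td0EKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IHdJNTVabm5XQlhTcUNYMWdXdnJ5M2FwcnZ6OTZncUI5ZkNxWW9x
+Nk1QVnMKL1QxdlgrV2pkakgyZ1c3MURuZk91UjVBMm1nQ1JsaDYrdjZTOTg3SGRG
+bwotPiBXanFbSi1ncmVhc2UgJXlJKCpjJy8gcSQzd3k8aDAgJGZ1JApEOEFGUnNi
+Wm94WVVyREJRc1ovZnY4ZDdzY2pVc0RiNHcrRmdHYnVoYXM5NlRSc0g4Wk9NZ1hG
+R1dvc0R2TTc5Ck5SSEh5QnlJNFowRlpzTDRheElydEJpK3pJcXAxR3dubEQrb2VS
+K2NCVjcrenVPc0xjSnVOTDgKLS0tIGNKbmRYc2hZcGFXTDdQZnVRLy9VdlEvOHBH
+M0FCNnFOSHZJeHBaWjhPcDAKzHHjMjYciW12Nit/gpsfTpZ4GS+f/GHd06kcNgA+
+FziInFPQSUbAZwFzunv/PjHF0H9oeCQojw/dOPV2htzoKrZNtCpvSu8KQg==
+-----END AGE ENCRYPTED FILE-----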
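--- a/secrets/lldap/key-seed.age
+++ b/secrets/lldap/key-seed.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSArVGhX
+OTU0VFZTYkFOdWlyVVRCekNIbzEydmN2RWJQQURUclEwZUgvN2tFCkFtdXBoK3dD
+d2FlZk1lbFRMYWtqUitMOTFBU0xhOCsyMGNVd1docUlhZXcKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IERIZDA3a1FMLzZ0K2I4WExkWXl4MXFwRW9rTHR2UDJZNTIyeGpi
+SkQrVkkKSjRna3BxK1Y1YVh1VUVWRjZicUo3YzgzTTlkSkVWdG1RWmkzU2FIRnBn
+cwotPiA5XS1ncmVhc2UgJiAoIGlCeSAoCkhIZGpQZGZ4S2lQSktPSGxDNXp2MHR1
+VW9SdlJQdnpoCi0tLSA5RzZtUGJJQ2kxWit3Mlh1K1poVlMyNVY1a0hqVUloaUY4
+MXZkNzRCdUVrCtpYEIg/0kdB3Wi+EE6flaFdJKA+h37lDDch4IblSN/yia1xFodW
+h+DAl97K1Dr7UqhHGwQg/jGmNrS7u5NVHruajklAr1SmFaPXTyEzuOf6C//r65c+
+CJKcsjVO5fK6Rvk=
+-----END AGE ENCRYPTED FILE-----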
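--- a/secrets/lldap/password.age
+++ b/secrets/lldap/password.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSB6R1M1
+aTdhc3FqZ0hMUHNaeEpINlg0SmhOMjhvVW5TdnN6OHFwc0NLblNnClk3SW1ObVc1
+TnI0K1VCUTVUNGVFeHRiLzM0TjF4WHhoY3NJTXhqUFhFblUKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IFluSVBoOTUycnNtVi9YRVBnUG1BZUc0amhqNVZWQUdFMXg5cUI0
+cUdweFkKTGJuOGFpQkdTZDBIMHZsZzlVN1pDQWxXWUFaSGtGYnZaYVJ2UWJ6YXcw
+RQotPiB4LyxJLWdyZWFzZSBSOmEKWnV5VzNVSThMNGphNlFpRytmV3FzbzB5Ynh4
+VkxMMlRZREdVekxnCi0tLSBwQWw4OEpoNzdsSU5JNStJVCtBSWlwVDhPSTcydXJm
+c08vTitBZ21yc0owCgKj/75iP60JaABafpvJGBOMzULTfUFJX6zupVWYwJWOhjJf
+B4UpuJHjwZaoEqtVbmD1sW0SmB7UCtkiCUnsMRDkPiCppYxBW/s=
+-----END AGE ENCRYPTED FILE-----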
|
@ -30,6 +30,9 @@ in {
|
|||
|
||||
# home-server
|
||||
"home-server/hostKey.age".publicKeys = [ felschr home-server ];
|
||||
"lldap/key-seed.age".publicKeys = [ felschr home-server ];
|
||||
"lldap/jwt.age".publicKeys = [ felschr home-server ];
|
||||
"lldap/password.age".publicKeys = [ felschr home-server ];
|
||||
"hass/secrets.age".publicKeys = [ felschr home-server ];
|
||||
"esphome/password.age".publicKeys = [ felschr home-server ];
|
||||
"focalboard/.env.age".publicKeys = [ felschr home-server ];
|
||||
|
|
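--- a/services/lldap.nix
+++ b/services/lldap.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+
+let
+domain = "ldap.felschr.com";
+cfg = config.services.lldap;
+port = cfg.settings.http_port;
+in {
+age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
+age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
+age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+
+services.lldap = {
+enable = true;
+settings = {
+http_url = "https://${domain}";
+ldap_base_dn = "dc=felschr,dc=com";
+};
+environment = {
+LLDAP_KEY_SEED = "%d/key-seed";
+LLDAP_JWT_SECRET_FILE = "%d/jwt";
+LLDAP_LDAP_USER_PASS_FILE = "%d/password";
+};
+};
+
+systemd.services.lldap = {
+serviceConfig.LoadCredential = [
+"key-seed:${config.age.secrets.lldap-key-seed.path}"
+"jwt:${config.age.secrets.lldap-jwt.path}"
+"password:${config.age.secrets.lldap-password.path}"
+];
+};
+
+services.nginx = {
+virtualHosts.${domain} = {
+enableACME = true;
+forceSSL = true;
+locations."/".proxyPass = "http://[::1]:${toString port}";
+};
+};
+}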
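Review bot: `LLDAP_KEY_SEED = "%d/key-seed";` in the `environment` block hands lldap the credential's *path* as the seed, not its contents: unlike the two neighbouring `_FILE` variables, `LLDAP_KEY_SEED` corresponds to lldap's `key_seed` option, which is a string the server private key is derived from, so assuming NixOS forwards `environment` to systemd's `Environment=` (where `%d` is expanded), the key ends up derived from the predictable string `/run/credentials/lldap.service/key-seed` and the decrypted `key-seed.age` is never read. Either point lldap at a key file with `LLDAP_KEY_FILE = "%d/key-seed";` (the secret must then hold key material in the format lldap expects, not a seed phrase), or read the credential's content into the variable before start instead of passing the path; after the fix, confirm in the service journal which key source lldap actually used. Because this key protects the stored password material, a key generated from an effectively public seed should be treated as compromised and replaced, which will likely require resetting user passwords. A short comment above the block, e.g. `# all three secrets are loaded via systemd credentials; %d expands to $CREDENTIALS_DIRECTORY`, would make the `%d` convention clear to the next reader.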